Bug#50859: xfs Bug #50859: use start-stop-daemon --chuid ?
[Julien Cristau]
> So how about creating a dedicated user for xfs, and moving logs to a /var/log/xfs/ directory where this user can write?

Please send the messages to syslog instead of a separate log file. It makes it easier to track issues with xfs across several machines, and solves the problem with log rotation.

Happy hacking,
--
Petter Reinholdtsen

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#50859: xfs Bug #50859: use start-stop-daemon --chuid ?
On Fri, May 16, 2008 at 21:52:58 +0200, Sven Joachim wrote:
> On 2008-05-16 13:07 +0200, Julien Cristau wrote:
> > On Fri, May 16, 2008 at 08:16:20 +0200, Sven Joachim wrote:
> > > Just FYI, I've been running xfs with this patch for the last few days and don't have any problems. Could this be uploaded to unstable to get xfs back into testing?
> >
> > One question though: how can xfs reopen its log file when running as nobody
>
> Not at all, good catch. I just didn't know it even has a log file. How about compiling with -DUSE_SYSLOG?
>
> > (CloneMyself() calls InitErrors() currently, and we may want to have xfs reopen its log file for logrotate, too)?
>
> If it is worth rotating the log file, which is currently not done.

So how about creating a dedicated user for xfs, and moving logs to a /var/log/xfs/ directory where this user can write?

Cheers,
Julien
Bug#50859: xfs Bug #50859: use start-stop-daemon --chuid ?
On 2008-05-16 23:43 +0200, Petter Reinholdtsen wrote:
> [Sven Joachim]
> > Not at all, good catch. I just didn't know it even has a log file. How about compiling with -DUSE_SYSLOG?
>
> I must admit, I would prefer xfs logging to syslog. When debugging the segfault in #148650, the first place I looked was /var/log/syslog. When nothing showed up there, I started searching for the logs and discovered /var/log/xfs.log. So I would be less surprised if it used syslog. :)

Actually, in the default /etc/X11/fs/config there are the following lines:

,
| # log errors using syslog
| use-syslog = on
`

which could be useful if only xfs were compiled with syslog support. :-)
But we need to deal with the error-file anyway, since that setting is not mandatory.

Sven
Bug#50859: xfs Bug #50859: use start-stop-daemon --chuid ?
On 2008-05-12 08:15 +0200, Petter Reinholdtsen wrote:
> Ah, right. This works better. Now the xfs process is running as user nobody. This is the patch.
>
> diff -ur xfs-1.0.6/debian/xfs.init xfs-1.0.6.pere/debian/xfs.init --- xfs-1.0.6/debian/xfs.init 2008-05-12 08:13:32.0 +0200 +++ xfs-1.0.6.pere/debian/xfs.init 2008-05-12 08:10:45.0 +0200 @@ -89,7 +89,7 @@ start) set_up_socket_dir echo -n Starting X font server: xfs -start-stop-daemon --start --quiet $SSD_START_ARGS -- -daemon \ +start-stop-daemon --start --quiet $SSD_START_ARGS -- -daemon -user nobody -droppriv \ || echo -n already running echo . ;;

Just FYI, I've been running xfs with this patch for the last few days and don't have any problems. Could this be uploaded to unstable to get xfs back into testing?

Regards,
Sven
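Review bot: on the changed start-stop-daemon line in the start) branch, the unchanged `|| echo -n already running` now also covers the new options, so any non-zero exit, including one where `-user nobody -droppriv` is rejected or the switch to the account fails, would be printed as "already running". Consider checking the exit status, or at least logging the failure, rather than assuming an existing instance is the only cause, so that a daemon that did not start unprivileged is visible at boot.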
Bug#50859: xfs Bug #50859: use start-stop-daemon --chuid ?
[Sven Joachim]
> Just FYI, I've been running xfs with this patch for the last few days and don't have any problems. Could this be uploaded to unstable to get xfs back into testing?

I can NMU if the maintainers do not have time to work on it soon.

Happy hacking,
--
Petter Reinholdtsen
Bug#50859: xfs Bug #50859: use start-stop-daemon --chuid ?
On Fri, May 16, 2008 at 08:16:20 +0200, Sven Joachim wrote:
> Just FYI, I've been running xfs with this patch for the last few days and don't have any problems. Could this be uploaded to unstable to get xfs back into testing?

One question though: how can xfs reopen its log file when running as nobody (CloneMyself() calls InitErrors() currently, and we may want to have xfs reopen its log file for logrotate, too)?

Cheers,
Julien
Bug#50859: xfs Bug #50859: use start-stop-daemon --chuid ?
On 2008-05-16 13:07 +0200, Julien Cristau wrote:
> On Fri, May 16, 2008 at 08:16:20 +0200, Sven Joachim wrote:
> > Just FYI, I've been running xfs with this patch for the last few days and don't have any problems. Could this be uploaded to unstable to get xfs back into testing?
>
> One question though: how can xfs reopen its log file when running as nobody

Not at all, good catch. I just didn't know it even has a log file. How about compiling with -DUSE_SYSLOG?

> (CloneMyself() calls InitErrors() currently, and we may want to have xfs reopen its log file for logrotate, too)?

If it is worth rotating the log file, which is currently not done.

Regards,
Sven
Bug#50859: xfs Bug #50859: use start-stop-daemon --chuid ?
[Sven Joachim]
> Not at all, good catch. I just didn't know it even has a log file. How about compiling with -DUSE_SYSLOG?

I must admit, I would prefer xfs logging to syslog. When debugging the segfault in #148650, the first place I looked was /var/log/syslog. When nothing showed up there, I started searching for the logs and discovered /var/log/xfs.log. So I would be less surprised if it used syslog. :)

Happy hacking,
--
Petter Reinholdtsen
Bug#50859: xfs Bug #50859: use start-stop-daemon --chuid ?
tags 50859 + patch
thanks

[Julien Cristau]
> Add -user nobody -droppriv to the xfs command line arguments.

Ah, right. This works better. Now the xfs process is running as user nobody. This is the patch.

diff -ur xfs-1.0.6/debian/xfs.init xfs-1.0.6.pere/debian/xfs.init --- xfs-1.0.6/debian/xfs.init 2008-05-12 08:13:32.0 +0200 +++ xfs-1.0.6.pere/debian/xfs.init 2008-05-12 08:10:45.0 +0200 @@ -89,7 +89,7 @@ start) set_up_socket_dir echo -n Starting X font server: xfs -start-stop-daemon --start --quiet $SSD_START_ARGS -- -daemon \ +start-stop-daemon --start --quiet $SSD_START_ARGS -- -daemon -user nobody -droppriv \ || echo -n already running echo . ;;
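Review bot: `-user nobody` is hardcoded on the new start-stop-daemon line in the start) branch, while the other start options already come from `$SSD_START_ARGS`. Putting the account name in a variable next to it would let a dedicated account be substituted without editing the command, which matters because `nobody` is an account other services may also run as. The change also carries no note for administrators that the daemon no longer runs as root.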
Processed: Re: Bug#50859: xfs Bug #50859: use start-stop-daemon --chuid ?
Processing commands for [EMAIL PROTECTED]:

tags 50859 + patch
Bug#50859: xfs: daemon runs as root
There were no tags set.
Bug#202096: xfs: plan for running as non-root user and better FPE handling
Tags added: patch

thanks
Stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)
Bug#50859: xfs Bug #50859: use start-stop-daemon --chuid ?
Julien Cristau wrote:
> Yes, I think we shouldn't have xfs running as root in lenny.

Can't this bug now be dealt with simply by using start-stop-daemon --chuid (not sure which user. Will nobody do ? Or daemon? If not xfs) ? Or is there some subtlety preventing this from solving the problem?

Drew
Bug#50859: xfs Bug #50859: use start-stop-daemon --chuid ?
On Mon, May 12, 2008 at 00:42:10 +1000, Drew Parsons wrote:
> Julien Cristau wrote:
> > Yes, I think we shouldn't have xfs running as root in lenny.
>
> Can't this bug now be dealt with simply by using start-stop-daemon --chuid (not sure which user. Will nobody do ? Or daemon? If not xfs) ? Or is there some subtlety preventing this from solving the problem?

You'll need to add a new system user in postinst, too. The bug log for #202096 has some discussion about the needed steps. Some of it may be obsolete though.

Cheers,
Julien
Bug#50859: xfs Bug #50859: use start-stop-daemon --chuid ?
[Julien Cristau]
> You'll need to add a new system user in postinst, too.

Why must it have a new system user? I would expect nobody to be a user with no privileges, and thus perfectly usable for this purpose?

Happy hacking,
--
Petter Reinholdtsen
Bug#50859: xfs Bug #50859: use start-stop-daemon --chuid ?
On Sun, May 11, 2008 at 17:14:39 +0200, Petter Reinholdtsen wrote:
> [Julien Cristau]
> > You'll need to add a new system user in postinst, too.
>
> Why must it have a new system user? I would expect nobody to be a user with no privileges, and thus perfectly usable for this purpose?

If you tested that and are confident that it works, sure. I never used xfs myself, so I don't know.

Cheers,
Julien
Bug#50859: xfs Bug #50859: use start-stop-daemon --chuid ?
[Julien Cristau]
> If you tested that and are confident that it works, sure. I never used xfs myself, so I don't know.

I am quite confident that user nobody will have the required access to the font files.

But I just tested modifying /etc/init.d/xfs to include --chuid nobody, and it fails to start because it did not get write access to /var/run/xfs.pid. The /var/run/ directory is only writable by user root. There is also the case with /tmp/.font-unix/ needing to be writable by the xfs process. So I guess the patch to solve this is a bit more than just modifying the call to start-stop-daemon. :)

Happy hacking,
--
Petter Reinholdtsen
Bug#50859: xfs Bug #50859: use start-stop-daemon --chuid ?
On Mon, May 12, 2008 at 00:22:29 +0200, Petter Reinholdtsen wrote:
> [Julien Cristau]
> > If you tested that and are confident that it works, sure. I never used xfs myself, so I don't know.
>
> I am quite confident that user nobody will have the required access to the font files.
>
> But I just tested modifying /etc/init.d/xfs to include --chuid nobody, and it fails to start because it did not get write access to /var/run/xfs.pid. The /var/run/ directory is only writable by user root. There is also the case with /tmp/.font-unix/ needing to be writable by the xfs process. So I guess the patch to solve this is a bit more than just modifying the call to start-stop-daemon. :)

Add -user nobody -droppriv to the xfs command line arguments.

Cheers,
Julien
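The pattern behind starting as root and dropping privileges in-process, as opposed to `--chuid`, as an added example in C that is not code from xfs or from anyone in this thread: do the root-only setup first, switch to the unprivileged account, and check that the switch cannot be undone. `drop_privileges()`, `ids_are()` and the log path are hypothetical names chosen for illustration; the reopen at the end shows the log-file question raised elsewhere in the thread.

```c
/* Added example: root-only setup, then a verified privilege drop. */
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* 0 if the real and effective IDs all equal the target, else -1. */
int ids_are(uid_t uid, gid_t gid)
{
    return (getuid() == uid && geteuid() == uid &&
            getgid() == gid && getegid() == gid) ? 0 : -1;
}

/* Permanently switch to `user` (hypothetical helper). Groups and gid must
 * change while still root; setuid() goes last. */
int drop_privileges(const char *user)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL) { errno = ENOENT; return -1; }    /* unknown account */
    if (geteuid() != 0) { errno = EPERM; return -1; } /* not root */
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid(pw->pw_gid) != 0) return -1;
    if (setuid(pw->pw_uid) != 0) return -1;
    /* If root can be regained, the drop was not permanent. */
    if (pw->pw_uid != 0 && setuid(0) == 0) { errno = EPERM; return -1; }
    return ids_are(pw->pw_uid, pw->pw_gid);
}

/* Run as root: ./droppriv nobody /var/log/example.log (constructed path) */
int main(int argc, char **argv)
{
    if (argc != 3) { fprintf(stderr, "usage: %s USER LOGFILE\n", argv[0]); return 2; }
    /* Root-only setup first: the log is opened before the drop. */
    int log_fd = open(argv[2], O_WRONLY | O_APPEND | O_CREAT, 0644);
    if (log_fd < 0) { perror("open log"); return 1; }
    if (drop_privileges(argv[1]) != 0) { perror("drop_privileges"); return 1; }
    /* The descriptor opened as root still works after the drop ... */
    const char msg[] = "running unprivileged\n";
    if (write(log_fd, msg, sizeof msg - 1) < 0) perror("write");
    /* ... but reopening by path, as a log rotation handler would, is now
     * checked against the new user and fails on a root-owned 0644 file. */
    int again = open(argv[2], O_WRONLY | O_APPEND);
    printf("reopen after drop: %s\n", again < 0 ? strerror(errno) : "ok");
    return 0;
}
```

Run as root against a log file that root creates, the write through the inherited descriptor succeeds and the reopen reports a permission error, which is why the thread moves on to syslog or a directory owned by the daemon's account.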