
Re: [GNUnet-developers] service files


From: ng0
Subject: Re: [GNUnet-developers] service files
Date: Mon, 25 Mar 2019 19:15:29 +0000

Mx. ng0 paging all GNUnet hackers :) This is the last major bit
which prevents a merge of gnunet into pkgsrc proper.

Anything helps: expected environment of the arm process, access levels,
pgid, etc. Anything.

Thanks!

address@hidden transcribed 5.6K bytes:
> address@hidden transcribed 5.1K bytes:
> > Christian Grothoff transcribed 3.8K bytes:
> > > On 3/7/19 4:48 PM, Schanzenbach, Martin wrote:
> > > > Hi,
> > > > 
> > > >> On 7. Mar 2019, at 15:28, address@hidden wrote:
> > > >>
> > > >> I just learned about a couple more specific systemd settings.
> > > >> The ones I think which could be useful to extend our systemd
> > > >> example service with are below.
> > > >>
> > > >>> PrivateTmp:
> > > >>> Use private /tmp and /var/tmp folders inside a new file system 
> > > >>> namespace, which are discarded after the process stops.
> > > > 
> > > > GNUnet has lots of things that need persistence. Like cryptographic 
> > > > keys.
> > > 
> > > Right, but never anything in /tmp. So this should be fine.
> > > 
> > > >>
> > > >>> ProtectHome:
> > > >>> The /home, /root, and /run/user folders can not be accessed by this 
> > > >>> service anymore. If your Pleroma user has its home folder in one of 
> > > >>> the restricted places, or use one of these folders as its working 
> > > >>> directory, you have to set this to false.
> > > >>
> > > 
> > > This breaks file-sharing indexing. So this should (with the current
> > > implementation of FS) not be done for gnunet-service-fs by default.
> > > Note that my planned (for 2030...) re-design of FS would lift this
> > > restriction and enable setting ProtectHome.
> > > 
> > > > See above. /home/<user>/.config/gnunet et al.
> > > > 
> > > >>> ProtectSystem:
> > > >>> Mount /usr, /boot, and /etc as read-only for processes invoked by 
> > > >>> this service.
> > > >>
> > > > This might be interesting wrt hardening? Idk.
> > > 
> > > Yes, and GNUnet by design respects /usr, /boot and /etc being read-only.
> > > So it would be a good thing for security to enforce this on platforms
> > > where this is easily done.
> > > 
> > > 
> > 
> > This follow-up is not systemd, but I guess that you can help.
> > The rc.d script I have[0] keeps failing with weird errors.
> > Previously it was just https://bugs.gnunet.org/view.php?id=5632,
> > but with this more recent configuration I can not get normal
> > users in group gnunet to start their own gnunet-arm:
> > 
> > Mar 11 09:29:46-674528 util-service-321 WARNING `bind' failed for `/tmp/gnunet-ng0-runtime//gnunet-service-arm.sock': address already in use
> > Mar 11 09:29:46-674980 arm-321 ERROR `bind' failed at service.c:1847 with error: Address already in use
> > Mar 11 09:29:46-675072 arm-321 ERROR Could not bind to any of the ports I was supposed to, refusing to run!
> 
> Magically this no longer is a problem (I changed nothing but it works!),
> but the original problem remains.
>  
> > so /var/chroot/ for gnunet folder:
> > 
> > drwx------   6 gnunet    gnunet    1024 Mar 11 09:29 gnunet
> > 
> > inside gnunet:
> > 
> > drwxr-xr-x   3 gnunet  gnunetdns   512 Feb 28 21:34 .cache
> > drwxr-xr-x   3 gnunet  gnunetdns   512 Mar  1 10:52 .config
> > drwxr-xr-x   3 gnunet  gnunetdns   512 Mar  1 10:52 .local
> > drwxr-xr-x   7 gnunet  gnunetdns   512 Mar 11 00:43 data
> > srwxrwx---   1 gnunet  gnunet        0 Mar 11 09:29 gnunet-service-ats.sock
> > srwxrwx---   1 gnunet  gnunet        0 Mar 11 09:29 gnunet-service-cadet.sock
> > srwx------   1 gnunet  gnunet        0 Mar 11 09:29 gnunet-service-consensus.sock
> > srwxrwx---   1 gnunet  gnunet        0 Mar 11 09:29 gnunet-service-core.sock
> > srwxrwx---   1 gnunet  gnunet        0 Mar 11 09:29 gnunet-service-datastore.sock
> > srwxrwx---   1 gnunet  gnunet        0 Mar 11 09:29 gnunet-service-dht.sock
> > srwx------   1 gnunet  gnunet        0 Mar 11 09:29 gnunet-service-dns.sock
> > srwxrwx---   1 gnunet  gnunet        0 Mar 11 09:29 gnunet-service-fs.sock
> > srwxrwx---   1 gnunet  gnunet        0 Mar 11 09:29 gnunet-service-namecache.sock
> > srwx------   1 gnunet  gnunet        0 Mar 11 09:29 gnunet-service-nat-auto.sock
> > srwx------   1 gnunet  gnunet        0 Mar 11 09:29 gnunet-service-nat.sock
> > srwxrwx---   1 gnunet  gnunet        0 Mar 11 09:29 gnunet-service-nse.sock
> > srwxrwx---   1 gnunet  gnunet        0 Mar 11 09:29 gnunet-service-peerinfo.sock
> > srwxrwx---   1 gnunet  gnunet        0 Mar 11 09:29 gnunet-service-peerstore.sock
> > srwxrwxrwx   1 gnunet  gnunet        0 Mar 11 09:29 gnunet-service-regex.sock
> > srwxrwxrwx   1 gnunet  gnunet        0 Mar 11 09:29 gnunet-service-resolver.sock
> > srwxrwx---   1 gnunet  gnunet        0 Mar 11 09:29 gnunet-service-revocation.sock
> > srwxrwx---   1 gnunet  gnunet        0 Mar 11 09:29 gnunet-service-scalarproduct-alice.sock
> > srwxrwx---   1 gnunet  gnunet        0 Mar 11 09:29 gnunet-service-scalarproduct-bob.sock
> > srwx------   1 gnunet  gnunet        0 Mar 11 09:29 gnunet-service-set.sock
> > srwxrwx---   1 gnunet  gnunet        0 Mar 11 09:29 gnunet-service-statistics.sock
> > srwxrwx---   1 gnunet  gnunet        0 Mar 11 09:29 gnunet-service-transport.sock
> > srwxrwx---   1 gnunet  gnunet        0 Mar 11 09:29 gnunet-service-vpn.sock
> > 
> > while at least .config and .local are remains from previous configurations.
> > When I did not set GNUNET_DATA_HOME, GNUNET_RUNTIME_DIR, and GNUNET_HOME
> > (so against our own recommendations for distributors ;)) it worked but
> > #5632 occurred.
> > 
> > perms on /usr/pkg/etc/gnunet and its contained config file:
> > 
> > drwxr-xr-x   2 root  wheel     512 Mar 10 23:33 gnunet
> > 
> > -rw-r--r--   1 root  wheel  1858 Mar 10 23:33 gnunet.conf
> > 
> > 
> > Is there an obvious mistake somewhere? 
> > 
> > 0: 
> > https://wip.pkgsrc.org/cgi-bin/gitweb.cgi?p=pkgsrc-wip.git;a=tree;f=gnunet;h=f36cec375236bb80d621681d4f958483848be396;hb=HEAD
> >    in "files"
> > 
> > _______________________________________________
> > GNUnet-developers mailing list
> > address@hidden
> > https://lists.gnu.org/mailman/listinfo/gnunet-developers
> > 
> 
> 
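An added example, not taken from this thread or from the GNUnet project, showing the three systemd directives discussed above in one unit. The unit name, the gnunet-arm path and flags, the user/group and the runtime directory are assumptions to check against the distribution's own service file; the hardening lines follow the thread's conclusions (PrivateTmp and ProtectSystem are safe, ProtectHome breaks gnunet-service-fs indexing). One caveat the log above makes concrete: a runtime directory under /tmp, like /tmp/gnunet-ng0-runtime, would end up inside the unit's private /tmp namespace once PrivateTmp is on and be invisible to every client outside the unit, so the example provides it under /run via RuntimeDirectory= instead.

```ini
# Added example (not from this thread or the GNUnet project). Unit name,
# paths, user/group and the Exec* lines are assumptions to verify against
# the distribution's own service file; the hardening directives are the point.
[Unit]
Description=GNUnet ARM (Automatic Restart Manager)
After=network.target

[Service]
Type=forking
User=gnunet
Group=gnunet
# Assumed command line; check the flags against gnunet-arm --help on the target.
ExecStart=/usr/bin/gnunet-arm -s -c /etc/gnunet.conf
ExecStop=/usr/bin/gnunet-arm -e -c /etc/gnunet.conf

# Runtime sockets: systemd creates /run/gnunet (mode 0750, owned by
# gnunet:gnunet), so only the service user and members of group gnunet
# can reach the service sockets. The runtime directory configured for
# GNUnet (GNUNET_RUNTIME_DIR) must point here (assumption about how the
# package wires that up). Do not leave the runtime dir under /tmp while
# PrivateTmp is on: the private /tmp would hide the sockets from clients.
RuntimeDirectory=gnunet
RuntimeDirectoryMode=0750
# Persistent state (keys, data) lives here and stays writable.
StateDirectory=gnunet

# Discussed in the thread: GNUnet keeps nothing persistent under /tmp,
# so a throw-away private /tmp and /var/tmp is safe.
PrivateTmp=yes
# /usr, /boot and /etc become read-only for the service. GNUnet respects
# that by design; writes go to StateDirectory (/var/lib/gnunet).
ProtectSystem=full
# Deliberately off: gnunet-service-fs indexes files under /home and cannot
# work if the service no longer sees it. Set to 'yes' only on hosts where
# FS indexing of home directories is not used.
ProtectHome=no

[Install]
WantedBy=multi-user.target
```

After installing the unit (for example as /etc/systemd/system/gnunet.service, an assumed name) and running `systemctl daemon-reload`, `systemd-analyze security gnunet.service` lists the sandboxing options that are still unset, which is a quick way to see what the three directives above do and do not cover.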
