FS#1741 - avahi-daemon quits due to dbus, init issues, pid changed location.

Attached to Project: CRUX-Contrib
Opened by Richard Dunbar (cardinal) - Sunday, 16 June 2019, 18:55 GMT
Last edited by Tim Biermann (tb) - Tuesday, 25 June 2019, 08:08 GMT
Task Type: Bug Report
Category: ports - contrib
Status: Closed
Assigned To: Tim Biermann (tb)
Operating System: CRUX
Severity: Medium
Priority: Normal
Reported Version: 3.5
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 0
Private: No

Details

[root@crux:/home/rj]# avahi-daemon --debug
Found user 'avahi' (UID 80) and group 'avahi' (GID 80).
Successfully dropped root privileges.
avahi-daemon 0.7 starting up.
chroot.c: chroot() helper started
dbus_bus_request_name(): Connection ":1.5" is not allowed to own the service "org.freedesktop.Avahi" due to security policies in the configuration file
WARNING: Failed to contact D-Bus daemon.
chroot.c: chroot() helper got command 0d
avahi-daemon 0.7 exiting.
chroot.c: chroot() helper got command 0c
[root@crux:/home/rj]# chroot.c: chroot() helper exiting with return value 0

Dbus is running.
[rj@crux:~]$ pgrep dbus
326
567
Edit /usr/etc/avahi/avahi-daemon.conf, change #enable-dbus=yes to enable-dbus=no and avahi-daemon will run.

[root@crux:/home/rj]# avahi-daemon --debug
Found user 'avahi' (UID 80) and group 'avahi' (GID 80).
Successfully dropped root privileges.
avahi-daemon 0.7 starting up.
chroot.c: chroot() helper started
Successfully called chroot().
Successfully dropped remaining capabilities.
chroot.c: chroot() helper got command 02
Loading service file /services/sftp-ssh.service.
Loading service file /services/ssh.service.
socket() failed: Address family not supported by protocol
Failed to create IPv6 socket, proceeding in IPv4 only mode
socket() failed: Address family not supported by protocol
Joining mDNS multicast group on interface eth0.IPv4 with address 192.168.1.2.
New relevant interface eth0.IPv4 for mDNS.
Network interface enumeration completed.
Registering new address record for 192.168.1.2 on eth0.IPv4.
Server startup complete. Host name is crux.local. Local service cookie is 1561580491.
Service "crux" (/services/ssh.service) successfully established.
Service "crux" (/services/sftp-ssh.service) successfully established.

The avahi-daemon.pid has moved and there are permission issues with using the init file while booted into crux to stop, check status:

[rj@crux:~]$ ls -la /run/avahi-daemon
total 4
drwxr-xr-x 2 avahi avahi 80 Jun 16 14:23 .
drwxr-xr-x 6 root root 240 Jun 16 13:52 ..
-rw-r--r-- 1 avahi avahi 5 Jun 16 14:23 pid
srwxrwxrwx 1 avahi avahi 0 Jun 16 14:23 socket

[rj@crux:~]$ sudo /etc/rc.d/avahi-daemon stop
/sbin/start-stop-daemon: matching only on non-root pidfile /run/avahi-daemon/pid is insecure
[rj@crux:~]$ sudo /etc/rc.d/avahi-daemon status
/sbin/start-stop-daemon: matching only on non-root pidfile /run/avahi-daemon/pid is insecure
Unable to determine the program status

After editing avahi-daemon.conf and /etc/rc.d/avahi-daemon PID= it will start on boot when avahi-daemon is added to /etc/rc.conf SERVICES array.

Closed by Tim Biermann (tb)
Tuesday, 25 June 2019, 08:08 GMT
Reason for closing: Fixed
Additional comments about closing: https://crux.nu/gitweb/?p=ports/contrib.git;a=commit;h=ec7048fbf5af1b12cc2d14394dbfb388bc5e9e60
fixed, thanks!
Comment by Tim Biermann (tb) - Sunday, 16 June 2019, 22:49 GMT
Hey, thanks for the report!
I made some changes to the port, can you try rebuilding it? Also I am unable to reproduce the error with dbus on my end, it works fine no matter what I try to do.

https://crux.nu/gitweb/?p=ports/contrib.git;a=commit;h=886962feba1d711b0f59fe7c411bab3278f3dd8f
Comment by Richard Dunbar (cardinal) - Monday, 17 June 2019, 16:42 GMT
Thank you for the quick response.
The dbus issue is solved, avahi-daemon runs on my crux-3.5 without disabling dbus in avahi-daemon.conf.
PID path in /etc/rc.d/avahi-daemon is correct.

The problem remains with the pid insecure error message from the new restrictive start-stop-daemon when using stop, restart, or status commands.
The new version of start-stop-daemon in crux 3.5 requires pid to be owned by root.
https://crux.nu/gitweb/?p=tools/start-stop-daemon.git;a=summary

My workaround:
Stop, restart, status commands work without error if avahi-daemon pid owner is changed to root after it has started with "chown root:root $PID 2>/dev/null"

case $1 in
    start)
        $SSD --start --pidfile $PID --exec $PROG -- $OPTS
        chown root:root $PID 2>/dev/null
        ;;
Comment by Tim Biermann (tb) - Monday, 17 June 2019, 18:25 GMT
Thanks for trying out the changes and good to know that this fixed most of it for you!
I can confirm that ssd behaves like that and I have no idea if changing the owner of the pid file is a valid way to go, to be honest. Maybe somebody else can shed some light on that topic?
Comment by Juergen Daubert (jue) - Thursday, 20 June 2019, 10:10 GMT
FTR, it's not a good idea to change the owner of the pid file. The new behaviour of start-stop-daemon just means that you have to add an additional match criterion if the owner of the pid file is not root. SSD will only stop/status the daemon if both criteria match.

I'd suggest using the --name option together with --pidfile, see e.g. the rc-script of opt/dnsmasq or opt/mariadb.
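
The reason for the second match criterion, sketched as an added example (not start-stop-daemon's source and not the port's rc script): the owner of a non-root pidfile can rewrite its contents, so the PID in it is only acted on when the process name matches as well. The function names and the /proc/PID/comm lookup are assumptions of this sketch; in an rc script the equivalent is passing --name alongside --pidfile.

```shell
#!/bin/sh
# Added illustration (not start-stop-daemon's source): a pidfile owned by a
# non-root user can be rewritten by that user, so root must not signal the PID
# in it without a second check such as the process name.

# 0 if the PID stored in pidfile $1 is numeric, alive, and named $2.
pid_matches_name() {
    pid=$(head -n 1 "$1" 2>/dev/null | tr -d '[:space:]')
    case $pid in
        ''|*[!0-9]*) return 2 ;;            # empty or non-numeric content
    esac
    [ -r "/proc/$pid/comm" ] || return 1    # no such process (Linux /proc)
    [ "$(cat "/proc/$pid/comm")" = "$2" ]   # comm holds at most 15 characters
}

# Decide whether stop/status may act on pidfile $1.
# $2 is the expected process name; empty models leaving out --name.
may_act_on() {
    owner=$(stat -c %u "$1" 2>/dev/null) || return 2    # pidfile missing
    if [ "$owner" -ne 0 ] && [ -z "$2" ]; then
        echo "refusing: $1 is not root-owned and no name was given" >&2
        return 1
    fi
    [ -z "$2" ] || pid_matches_name "$1" "$2"
}

# Constructed demo: a pidfile holding this shell's own PID.
demo=$(mktemp)
echo "$$" > "$demo"
me=$(cat "/proc/$$/comm")
may_act_on "$demo" "$me" && echo "pidfile + name: match, would act"
may_act_on "$demo" "not-$me" || echo "pidfile + wrong name: no action"
rm -f "$demo"
```
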
Comment by Tim Biermann (tb) - Thursday, 20 June 2019, 17:49 GMT
>The new behaviour of start-stop-daemon just means that you have to add an additional match criterion if the owner of the pid file is not root.
Thanks a lot for the clarification! I pushed the changes to the rc file with commit e4c6d157f30cddcc49d64cc86fdd58ed6902dc93

https://crux.nu/gitweb/?p=ports/contrib.git;a=blobdiff;f=avahi/avahi-daemon.rc;h=e3fc4eabad8cefc61fd2a591dffdd4258087ab62;hp=794772c962c462bdc19347a2ec1e9af8f1531eb7;hb=e4c6d157f30cddcc49d64cc86fdd58ed6902dc93;hpb=359c3f3509c70d44c113673dce950524cfdcd4b4
Comment by Richard Dunbar (cardinal) - Thursday, 20 June 2019, 22:59 GMT
Hostname resolution with mDNS is broken, glibc can't find /var/run/avahi-daemon/socket
Reversing avahi_runtime_path back to /var/run from /run fixed this.
Need "--name avahi-daemon" for stop too, otherwise I get error:
/sbin/start-stop-daemon: matching only on non-root pidfile /var/run/avahi-daemon/pid is insecure

avahi/Pkgfile http://ix.io/1MkQ
avahi/reverse-move-to-run.patch http://ix.io/1MkS
avahi/avahi-daemon.rc http://ix.io/1MkT



Comment by Tim Biermann (tb) - Friday, 21 June 2019, 07:34 GMT
That's a very good catch, thanks a lot! I will push these changes, apologies for the big mess that avahi was O:)
