Missing permissions when running through ExecStart

I've set up shadowsocks-libev and have been running it with the following systemctl service:

    [Unit]
    Description=Shadowsocks-Libev Manager Service
    Wants=network-online.target
    After=network-online.target

    [Service]
    Type=simple
    User=nobody
    CapabilityBoundingSet=CAP_NET_BIND_SERVICE
    ExecStart=/usr/bin/ss-manager -c /etc/shadowsocks/%i.json

    [Install]
    WantedBy=multi-user.target

I recently noticed that my shadowsocks config file (/etc/shadowsocks/manager.json) had global read permissions, so I changed it to 600 and made sure the owner was nobody. For some reason this causes the process to fail to read the configuration file when starting up.

    systemctl start shadowsocks-libev-manager@manager.service

    ss-manager[1357]: 2018-01-05 11:41:00 ERROR: Invalid config path.

This is the same error I see as when I revoke all read privileges for that file.

However, it works fine if I start shadowsocks using the exact same command from the command line:

    sudo -u nobody /usr/bin/ss-manager -c /etc/shadowsocks/manager.json

Similarly, I have no trouble reading the file as nobody using cat or less.

When I check the process started by systemctl in ps it shows that it's running as nobody, and when the process outputs files the owner is set to nobody. Why can't it access this file? Why is there a difference between running it through systemctl and running it from the terminal?

My problem seems similar to this question, but I don't have any quotes in my ExecStart so that solution is not applicable in my case.

edited Jan 5 at 18:50 – jasonwryan
asked Jan 5 at 17:16 – Altay_H

  • What are the permissions of /etc/shadowsocks?
    – Hauke Laging
    Jan 8 at 20:57

  • /etc/shadowsocks/ has rwxr-xr-x permissions.
    – Altay_H
    Jan 8 at 21:10

  • I do not have a good idea what could be the problem but you could use this command instead /usr/bin/strace -o /tmp/nobody.strace -f /usr/bin/ss-manager -c /etc/shadowsocks/manager.json and have a look at the file /tmp/nobody.strace afterwards. That might give you some clue.
    – Hauke Laging
    Jan 8 at 21:27

  • I like the idea, but when I put that in ExecStart I get /usr/bin/strace: Can't fopen '/tmp/nobody.strace': Permission denied. Running it directly from the terminal (with sudo -u nobody) produces the trace file and behaves as expected. I think the user nobody must be restricted in some strange way.
    – Altay_H
    Jan 8 at 21:46

  • Maybe it helps to run strace -p 1 -f to understand how this process is modified.
    – Hauke Laging
    Jan 8 at 22:06

1 Answer

I was able to fix the problem, which stemmed from something unique to the user nobody. I'm still not entirely sure what makes that user unique though.

When run as nobody I see the following output in journald:

    Started Shadowsocks-Libev Manager Service.
    ERROR: Invalid config path.
    Main process exited, code=exited, status=255/n/a
    Failed with result 'exit-code'.

This is indicative of it being unable to access the config file despite having the necessary permissions.

When run as a different user I newly created (with no home directory) I see the following output in journald instead:

    Started Shadowsocks-Libev Manager Service.
    ERROR: mkdir: No such file or directory
    ERROR: unable to create working directory
    Main process exited, code=exited, status=255/n/a
    Failed with result 'exit-code'.

This is because it attempts to write to the user's home directory which does not exist.

I then created a new user named shadowsocks with its own home directory:

    # useradd -m -s /usr/bin/nologin shadowsocks

Running as this user I encounter no problems.

answered Jan 23 at 4:34 – Altay_H
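
A pre-flight check for a dedicated service account like the one the answer ends with, as an added example that is not part of the original post. It verifies that the config file is owned by the account and closed to group and other, and that the account's home directory exists and is writable, which are the conditions whose absence the page associates with `Invalid config path` and `unable to create working directory`. The function names are hypothetical, and the check reads plain mode bits via `ls -n`, so it does not cover ACLs, MAC policy or user-namespace ID mappings.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.
# Pre-flight checks for a service account and its private config file.
# Usage (as root): audit_service_account shadowsocks /etc/shadowsocks/manager.json

# owner_and_mode PATH: print "<numeric uid> <mode string>", e.g. "1000 -rw-------".
owner_and_mode() {
    # ls -n prints numeric ids; the mode and owner fields precede the file name.
    set -- $(ls -ldn -- "$1")
    echo "$3 $1"
}

# audit_config FILE UID: FILE must be a regular file owned by UID, readable by
# its owner, with no group or other permission bits set.
audit_config() {
    [ -f "$1" ] || { echo "FAIL: $1 is not a regular file"; return 1; }
    om=$(owner_and_mode "$1")
    [ "${om%% *}" = "$2" ] || {
        echo "FAIL: $1 is owned by uid ${om%% *}, expected $2"; return 1; }
    case ${om#* } in
        -r??------*) echo "OK: $1 mode ${om#* }" ;;
        *) echo "FAIL: $1 mode ${om#* } is not owner-only"; return 1 ;;
    esac
}

# audit_home DIR UID: DIR must exist, be owned by UID, and be writable and
# searchable by its owner (ss-manager creates its working directory there).
audit_home() {
    [ -d "$1" ] || { echo "FAIL: home directory '$1' does not exist"; return 1; }
    om=$(owner_and_mode "$1")
    [ "${om%% *}" = "$2" ] || {
        echo "FAIL: $1 is owned by uid ${om%% *}, expected $2"; return 1; }
    case ${om#* } in
        d?wx*) echo "OK: $1 mode ${om#* }" ;;
        *) echo "FAIL: $1 mode ${om#* } is not owner-writable"; return 1 ;;
    esac
}

# audit_service_account USER CONFIG: resolve the account, then run both checks
# and report every failure rather than stopping at the first one.
audit_service_account() {
    uid=$(id -u "$1" 2>/dev/null) || { echo "FAIL: no such user $1"; return 1; }
    home=$(getent passwd "$1" | cut -d: -f6)
    rc=0
    audit_config "$2" "$uid" || rc=1
    audit_home "$home" "$uid" || rc=1
    return $rc
}
```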






















             
