| Summary: | sys-apps/openrc: start-stop-daemon should use system-services PAM stack (was: emacsclient cannot find emacs-daemon socket) | | |
|---|---|---|---|
| Product: | Gentoo Hosted Projects | Reporter: | Göktürk Yüksek <gokturk> |
| Component: | OpenRC | Assignee: | OpenRC Team <openrc> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | dschridde+gentoobugs, emacs, gokturk, pam-bugs+disabled, pchrist, swegener |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | x86 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | Runtime testing required: | --- | |
| Bug Depends on: | | | |
| Bug Blocks: | 347301, 374183, 381463 | | |
| Attachments: | emerge --info | | |

Description
Göktürk Yüksek
2011-04-28 03:52:35 UTC
Created attachment 271411
emerge --info
This worked as a workaround for me:

--- a/emacs-wrapper.sh 2011-04-28 00:48:00.000000000 -0400 +++ b/emacs-wrapper.sh 2011-04-28 00:47:53.000000000 -0400 @@ -3,6 +3,10 @@ # Distributed under the terms of the GNU General Public License v2 # $Id: emacs-wrapper.sh 1430 2009-10-04 22:55:33Z ulm $ +if [ -z "${TMPDIR}" ]; then + export TMPDIR="/tmp/.private/${USER}"; +fi + # Save output in a temporary file and display in case of error logfile=$(mktemp ${TMPDIR:-/tmp}/emacs.log.XXXXXX) trap "rm -f '${logfile}'" EXIT

emacs-wrapper.sh executes the user's login shell, i.e. does "exec -l ${SHELL}". I don't know what your configuration is. But if you make sure that TMPDIR is set for a login shell then it should work.

Maybe pam_mktemp isn't called for some reason? CCing PAM team.

Could you please post your /etc/pam.d/start-stop-daemon file?

(In reply to comment #2)
> This worked as a workaround for me:
>
> --- a/emacs-wrapper.sh 2011-04-28 00:48:00.000000000 -0400 > +++ b/emacs-wrapper.sh 2011-04-28 00:47:53.000000000 -0400
> @@ -3,6 +3,10 @@ > # Distributed under the terms of the GNU General Public License v2 > # $Id: emacs-wrapper.sh 1430 2009-10-04 22:55:33Z ulm $ > > +if [ -z "${TMPDIR}" ]; then > + export TMPDIR="/tmp/.private/${USER}"; > +fi > + > # Save output in a temporary file and display in case of error > logfile=$(mktemp ${TMPDIR:-/tmp}/emacs.log.XXXXXX) > trap "rm -f '${logfile}'" EXIT

I'd like to note that this doesn't work if you add emacs into default runlevel as ${USER} is not visible in this scope.

(In reply to comment #4)
> Could you please post your /etc/pam.d/start-stop-daemon file?

    auth required pam_permit.so
    account required pam_permit.so
    password required pam_deny.so
    session optional pam_limits.so

(In reply to comment #5)
> > +if [ -z "${TMPDIR}" ]; then > > + export TMPDIR="/tmp/.private/${USER}"; > > +fi
>
> I'd like to note that this doesn't work if you add emacs into default runlevel
> as ${USER} is not visible in this scope.

We won't add such a workaround to emacs-wrapper.sh anyway. OpenRC should set the TMPDIR variable (possibly via PAM) when start-stop-daemon is called with the --user option.

(In reply to comment #6)
> > Could you please post your /etc/pam.d/start-stop-daemon file?
>
> auth required pam_permit.so
> account required pam_permit.so
> password required pam_deny.so
> session optional pam_limits.so

I believe that there should be a line like the following:

    session optional pam_mktemp.so

@openrc, swegener: Could such a line be added to the default configuration, or would this cause other problems?

OpenRC should use system-services PAM stack. Or, as an alternative, emacs should use a file in $HOME for the socket.

(In reply to comment #7)
> I believe that there should be a line like the following:
>
> session optional pam_mktemp.so
>
> @openrc, swegener: Could such a line be added to the default configuration, or
> would this cause other problems?

Yep, adding that line solved the problem.
Furthermore, the ebuild actually prints out:

 * Messages for package sys-auth/pam_mktemp-1.0.3:
 * To enable pam_mktemp put something like
 *
 * session optional pam_mktemp.so
 *
 * into /etc/pam.d/system-auth!

I guess I missed that or forgot to add the line. It would be better if it becomes a part of the default configuration though, assuming that it doesn't cause any security issues.

    USE=mktemp emerge -1 pambase

That should be enough.

But OpenRC should include system-services, NOT only run pam_limits.

(In reply to comment #10)
> USE=mktemp emerge -1 pambase
>
> That should be enough.
>
> But OpenRC should include system-services, NOT only run pam_limits.

Well I already have:

    sys-auth/pambase-20101024 USE="cracklib mktemp pam_ssh sha512"

I deleted the pam_mktemp line in /etc/pam.d/start-stop-daemon and did:

    # emerge -1 pambase

and it didn't fix the problem.

Read to the end of my comment please.

(In reply to comment #12)
> Read to the end of my comment please.

Do you mean adding

    session include system-services

to /etc/pam.d/start-stop-daemon?

(In reply to comment #10)
> But OpenRC should include system-services, NOT only run pam_limits.

Reassigning, since there's nothing that the Emacs team could do to improve the situation.

(In reply to comment #10)
> USE=mktemp emerge -1 pambase
> That should be enough.
> But OpenRC should include system-services, NOT only run pam_limits.

If I do that in the upstream source code, we break openrc for other distributions, so I would not want to do it there.

One option would be to overwrite /etc/pam.d/stop-start-daemon at the ebuild level. If I do that, what should the s-s-d file contain?

(In reply to comment #15)
> One option would be to overwrite /etc/pam.d/stop-start-daemon at the ebuild
> level. If I do that, what should the s-s-d file contain?
Diego tells me that the file should just consist of the following two lines:

    account required pam_permit.so
    session include system-services

All, this is fixed in the openrc live ebuild and will be included in the next release of openrc as shown on the tracker this bug now blocks. I don't know of any reason to keep this bug open, but feel free to reopen if you disagree.

Requesting to reopen, since I still get problems with TMPDIR and nobody in e.g. Apache. Apache seems to see TMPDIR=/tmp/.private/nobody, but runs as user apache, which is not allowed to write to that TMPDIR. Several webapps fail in non obvious ways, because they do not expect this.

    # cat /etc/pam.d/start-stop-daemon
    account required pam_permit.so
    session include system-services

    # cat /etc/pam.d/system-services
    auth sufficient pam_permit.so
    account include system-auth
    session optional pam_loginuid.so
    session required pam_limits.so
    session required pam_env.so
    session optional pam_mktemp.so
    session required pam_unix.so
    session optional pam_permit.so

These are (iirc) the default files that come with pam_mktemp and openrc.

(In reply to comment #18)
> Requesting to reopen, since I still get problems with TMPDIR and nobody in e.g.
> Apache. Apache seems to see TMPDIR=/tmp/.private/nobody, but runs as user
> apache, which is not allowed to write to that TMPDIR. Several webapps fail in
> non obvious ways, because they do not expect this.

This will not be reopened; the purpose of this bug was to fix the pam file for start-stop-daemon to include system services. The information for the fix of the new issue is on bug #386623.
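Review bot: In the added `if [ -z "${TMPDIR}" ]` block of the emacs-wrapper.sh workaround from comment #2, TMPDIR is set to "/tmp/.private/${USER}" without checking that USER is non-empty or that the directory exists and is writable by the caller. When USER is unset (the runlevel case raised in the reply to comment #2) the value becomes "/tmp/.private/", and because TMPDIR is then no longer empty the unchanged `mktemp ${TMPDIR:-/tmp}/emacs.log.XXXXXX` line never reaches its /tmp fallback. Suggest exporting the path only when `[ -n "${USER}" ] && [ -d "/tmp/.private/${USER}" ] && [ -w "/tmp/.private/${USER}" ]` holds, so the existing default still applies otherwise; the trailing ";" after the export is unnecessary and the mktemp argument would be safer quoted.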
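The fix this thread converges on can be checked mechanically. The following is an added shell example (not from the bug report or from OpenRC) that resolves `include` lines in PAM service files and reports whether `pam_mktemp.so` is reached in the session stack. The sample files are constructed copies of the configurations quoted above; `pam_modules`, `pam_runs_module` and `write_samples` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: does a PAM service reach a given module for one rule type?
# Assumes one rule per line (no backslash continuations) and that "include" /
# "substack" name files in the same directory, as under /etc/pam.d.

# pam_modules DIR SERVICE TYPE: print each module reached for TYPE, in order.
# The "( )" body runs in a subshell, so recursion cannot clobber variables.
pam_modules() (
    dir=$1 svc=$2 want=$3 depth=${4:-0}
    [ "$depth" -lt 8 ] || exit 0            # stop on include loops
    [ -r "$dir/$svc" ] || exit 0
    while read -r type control module rest; do
        case $type in ''|'#'*) continue ;; esac
        [ "${type#-}" = "$want" ] || continue   # "-session" is still session
        case $control in
            include|substack)
                pam_modules "$dir" "$module" "$want" $((depth + 1)) ;;
            '['*)   # "[success=1 default=ignore] mod.so": module follows "]"
                rest="$control $module $rest"; rest=${rest#*\]}; rest=${rest# }
                printf '%s\n' "${rest%% *}" ;;
            *)  printf '%s\n' "$module" ;;
        esac
    done < "$dir/$svc"
)

# pam_runs_module DIR SERVICE TYPE MODULE: exit status 0 if MODULE is reached.
pam_runs_module() { pam_modules "$1" "$2" "$3" | grep -qxF -- "$4"; }

# write_samples DIR: constructed copies of the files quoted in the thread.
write_samples() {
    mkdir -p "$1/before" "$1/after"
    printf '%s\n' 'auth required pam_permit.so' 'account required pam_permit.so' \
        'password required pam_deny.so' 'session optional pam_limits.so' \
        > "$1/before/start-stop-daemon"
    printf '%s\n' 'account required pam_permit.so' \
        'session include system-services' > "$1/after/start-stop-daemon"
    printf '%s\n' 'auth sufficient pam_permit.so' 'account include system-auth' \
        'session optional pam_loginuid.so' 'session required pam_limits.so' \
        'session required pam_env.so' 'session optional pam_mktemp.so' \
        'session required pam_unix.so' 'session optional pam_permit.so' \
        > "$1/after/system-services"
}

tmp=$(mktemp -d) && write_samples "$tmp"
for cfg in before after; do
    pam_runs_module "$tmp/$cfg" start-stop-daemon session pam_mktemp.so \
        && echo "$cfg: pam_mktemp.so is in the session stack" \
        || echo "$cfg: pam_mktemp.so is never reached"
done
rm -rf "$tmp"
```

Pointing the same function at a real `/etc/pam.d` directory shows which services pick up `pam_mktemp.so` only through an `include`, which is the dependency the reopened Apache report runs into.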