Bug 103480 - <=net-dns/ez-ipupdate-3.0.11_beta8-r1 - unable to run as unprivileged user due to /var/run permissions
Summary: <=net-dns/ez-ipupdate-3.0.11_beta8-r1 - unable to run as unprivileged user du...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: x86 Linux
Importance: High normal
Assignee: No maintainer - Look at https://wiki.gentoo.org/wiki/Project:Proxy_Maintainers if you want to take care of it
URL:
Whiteboard:
Keywords: STABLEREQ
Depends on:
Blocks:
 
Reported: 2005-08-23 10:59 UTC by Matt Drew (RETIRED)
Modified: 2007-12-17 15:56 UTC
CC List: 6 users

See Also:
Package list:
Runtime testing required: ---


Attachments
adds /var/run/ez-ipupdate via ebuild, tweaks init file to compensate (ez-ipupdate-3.0.11_beta8-var_run.patch,539 bytes, patch)
2005-08-23 13:25 UTC, Matt Drew (RETIRED)
build log (build.log,4.91 KB, text/plain)
2007-11-19 10:11 UTC, Alan Hourihane

Description Matt Drew (RETIRED) gentoo-dev 2005-08-23 10:59:07 UTC
ez-ipupdate has a feature where it can run as a low-privilege user (username
ez-ipupdate, as created by the Gentoo ebuild).  This is configured in the
/etc/ez-ipupdate.conf file with the following directive:

[code]
run-as-user=ez-ipupdate
[/code]

However, attempting to use this functionality results in a silent failure due to
the permissions on /var/run (0755 root:root) - the ez-ipupdate user cannot write
the pid file and silently exits (unless run in the foreground, where one can see the
error).  It does not log this failure to syslog (to my knowledge).  This leaves
the service in the started-but-not-running state, which has to be cleared by
zapping the service.

Reproducible: Always
Steps to Reproduce:
1. install ez-ipupdate, configure, and add run-as-user directive to the
/etc/ez-ipupdate.conf
2. attempt to start: /etc/init.d/ezipupdate start
3. Note that startup is "successful", but pid file is not in /var/run

Actual Results:  
service is in started-but-not-running state, ez-ipupdate is not running, pid
file is not written.

Expected Results:  
service starts normally and pid file is written to /var/run
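The failure mode described above (the daemon exits silently because its unprivileged user cannot create the pid file in a root-owned 0755 /var/run) is something an init script can catch before it starts the daemon. The following is an added example, not code from the ez-ipupdate ebuild or its init script: a pre-flight check that decides from ownership and mode bits whether the run-as user could create the pid file, and turns the silent exit into an explicit start-time error. It assumes Linux with GNU coreutils (stat -c, id -G); the user name and pid file path in the usage comment are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the ez-ipupdate ebuild or init script): a guard an
# init script can run before handing the daemon to start-stop-daemon with
# --chuid.  Assumes Linux with GNU coreutils (stat -c, id -G).

# user_can_write_dir USER DIR
# Returns 0 if USER may create entries in DIR (write + search on the
# directory), 1 otherwise.  Computed from ownership and mode bits rather
# than probed, so the answer does not depend on who runs the check.
user_can_write_dir() {
    user=$1
    dir=$2
    [ -d "$dir" ] || return 1
    uid=$(id -u "$user" 2>/dev/null) || return 1
    gids=$(id -G "$user")                   # every group USER belongs to
    # uid 0 bypasses mode bits entirely, which is exactly why running the
    # daemon as root hides this problem instead of surfacing it
    [ "$uid" -eq 0 ] && return 0
    set -- $(stat -c '%u %g %a' "$dir")     # owner uid, group gid, octal mode
    dir_uid=$1
    dir_gid=$2
    mode=$3
    if [ "$uid" -eq "$dir_uid" ]; then
        bits=$(( (0$mode >> 6) & 7 ))       # owner triplet
    else
        bits=$(( 0$mode & 7 ))              # "others" triplet by default
        for g in $gids; do
            if [ "$g" -eq "$dir_gid" ]; then
                bits=$(( (0$mode >> 3) & 7 ))   # group triplet
                break
            fi
        done
    fi
    # creating a file needs both write (2) and search (1) on the directory
    [ $(( bits & 3 )) -eq 3 ]
}

# check_pidfile_dir USER PIDFILE
# Emits a loud, actionable error instead of letting the daemon die silently
# and leaving the service in the started-but-not-running state.
check_pidfile_dir() {
    user=$1
    pidfile=$2
    piddir=$(dirname "$pidfile")
    if user_can_write_dir "$user" "$piddir"; then
        return 0
    fi
    echo "ERROR: '$user' cannot create $pidfile (check owner and mode of $piddir)" >&2
    echo "       give the service its own directory under $piddir, owned by $user" >&2
    return 1
}

# Constructed usage as a start-time guard in an init script:
#   check_pidfile_dir ez-ipupdate /var/run/ez-ipupdate/ez-ipupdate.pid || exit 1
if [ $# -eq 2 ]; then
    check_pidfile_dir "$1" "$2"
fi
```

With a per-service directory such as /var/run/ez-ipupdate owned by the service user (the approach taken by the attached patch), the check passes; with the pid file pointed directly at a root-owned 0755 /var/run it fails with a message naming the directory to fix, rather than reporting a "successful" start.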
Comment 1 Jakub Moc (RETIRED) gentoo-dev 2005-08-23 11:02:28 UTC
Re-assign, this package needs a maintainer.
Comment 2 Matt Drew (RETIRED) gentoo-dev 2005-08-23 13:25:13 UTC
Created attachment 66684 [details, diff]
adds /var/run/ez-ipupdate via ebuild, tweaks init file to compensate

diff -u patch to the ebuild file to add the /var/run/ez-ipupdate directory,
chown it, modify the init control script, and remove it on uninstall.  Used
diff -u because the other patch currently in portage also uses that format.
Comment 3 Matt Drew (RETIRED) gentoo-dev 2005-08-23 13:45:32 UTC
While patching, the HOMEPAGE and SRC_URI probably need to be updated as well:

http://ez-ipupdate.com
http://ez-ipupdate.com/dist/${PN}-${MY_PV}.tar.gz
Comment 4 Alec Warner (RETIRED) archtester gentoo-dev Security 2007-01-17 21:14:14 UTC
Er, according to the einfo...

        einfo "Please do not use the 'run-as-user', 'run-as-euser',"
        einfo "'cache-file' and 'pidfile' options, since these are"
        einfo "handled internally by the init-script!"

Does this not occur?

The initscripts look like they are correct in this behavior.
Comment 5 Matt Drew (RETIRED) gentoo-dev 2007-01-18 12:48:20 UTC
I didn't see the einfo warning.  The stable ebuild (beta8-r1) init script handles the problem by running as root - BUT you're right, the ~x86 ebuild fixes the init script.  Should I close this when that build gets stabilized?

Hmm, would this actually qualify as a security issue?  The daemon probably shouldn't be running as root.
Comment 6 Alec Warner (RETIRED) archtester gentoo-dev Security 2007-01-19 04:01:29 UTC
(In reply to comment #5)
> I didn't see the einfo warning.  The stable ebuild (beta8-r1) init script
> handles the problem by running as root - BUT you're right, the ~x86 ebuild
> fixes the init script.  Should I close this when that build gets stabilized?
> 
> Hmm, would this actually qualify as a security issue?  The daemon probably
> shouldn't be running as root.
> 

Offhand, no; nothing prevents you from running apache as root (other than the fact that it doesn't come that way by default).  However, if you are concerned, feel free to CC security@gentoo.org on this bug.
Comment 7 Goran Mekić 2007-05-05 01:35:22 UTC
Works on x86-fbsd without "run-as-user" option
Comment 8 Jakub Moc (RETIRED) gentoo-dev 2007-10-04 23:12:28 UTC
arches, please stabilize 3.0.11_beta8-r4 so that we can finally close this...
Comment 9 Ferris McCormick (RETIRED) gentoo-dev 2007-10-05 11:35:45 UTC
Sparc done.
Comment 10 Christian Faulhammer (RETIRED) gentoo-dev 2007-10-05 13:33:36 UTC
x86 stable
Comment 11 Tobias Scherbaum (RETIRED) gentoo-dev 2007-10-06 19:30:24 UTC
ppc stable
Comment 12 Stefan Briesenick (RETIRED) gentoo-dev 2007-10-07 16:44:55 UTC
@amd64 herd: please stabilize, because I want to remove *-r1 asap. thanks!
Comment 13 Alan Hourihane 2007-10-12 21:40:43 UTC
It's having a problem executing "missing" with this one....

make[1]: Entering directory `/var/tmp/portage/net-dns/ez-ipupdate-3.0.11_beta8-r4/work/ez-ipupdate-3.0.11b8'
cd . && /var/tmp/portage/net-dns/ez-ipupdate-3.0.11_beta8-r4/work/ez-ipupdate-3.0.11b8/missing aclocal-1.4
/bin/sh: /var/tmp/portage/net-dns/ez-ipupdate-3.0.11_beta8-r4/work/ez-ipupdate-3.0.11b8/missing: Permission denied
make[1]: *** [aclocal.m4] Error 126
make[1]: Leaving directory `/var/tmp/portage/net-dns/ez-ipupdate-3.0.11_beta8-r4/work/ez-ipupdate-3.0.11b8'
 * 
 * ERROR: net-dns/ez-ipupdate-3.0.11_beta8-r4 failed.
 * Call stack:
 *   ebuild.sh, line 1654:   Called dyn_compile
 *   ebuild.sh, line 990:   Called qa_call 'src_compile'
 *   ebuild.sh, line 44:   Called src_compile
 *   ez-ipupdate-3.0.11_beta8-r4.ebuild, line 37:   Called die
 * 
 * emake failed
 * If you need support, post the topmost build error, and the call stack if relevant.
 * A complete build log is located at '/var/tmp/portage/net-dns/ez-ipupdate-3.0.11_beta8-r4/temp/build.log'.
 * 

 * Messages for package net-dns/ez-ipupdate-3.0.11_beta8-r4:

 * 
 * ERROR: net-dns/ez-ipupdate-3.0.11_beta8-r4 failed.
 * Call stack:
 *   ebuild.sh, line 1654:   Called dyn_compile
 *   ebuild.sh, line 990:   Called qa_call 'src_compile'
 *   ebuild.sh, line 44:   Called src_compile
 *   ez-ipupdate-3.0.11_beta8-r4.ebuild, line 37:   Called die
 * 
 * emake failed
 * If you need support, post the topmost build error, and the call stack if relevant.
 * A complete build log is located at '/var/tmp/portage/net-dns/ez-ipupdate-3.0.11_beta8-r4/temp/build.log'.
 * 
make: *** [/usr/src/log/net-dns/ez-ipupdate] Error 1
Comment 14 Alan Hourihane 2007-10-12 21:42:15 UTC
Looking at the permissions of missing, it doesn't have execute permissions.
Comment 15 Stefan Briesenick (RETIRED) gentoo-dev 2007-10-13 09:31:11 UTC
huh? It works here. But perhaps the autoconf/automake stuff is quite too old, so I should play around with eautoreconf...

stay tuned!
Comment 16 Stefan Briesenick (RETIRED) gentoo-dev 2007-11-17 23:57:35 UTC
@Alan Hourihane: can you please post your "emerge --info"?
Comment 17 Alan Hourihane 2007-11-18 20:55:34 UTC
Portage 2.1.3.9 (selinux/2007.0/x86/hardened, gcc-4.1.1, glibc-2.5-r4, 2.6.22-gentoo-r9 i686)
=================================================================
System uname: 2.6.22-gentoo-r9 i686 Intel(R) Pentium(R) M processor 1.86GHz
Timestamp of tree: Fri, 12 Oct 2007 16:30:01 +0000
distcc 2.18.3 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [enabled]
ccache version 2.4 [enabled]
app-shells/bash:     3.2_p17
dev-lang/python:     2.4.4-r5
dev-python/pycrypto: 2.0.1-r6
dev-util/ccache:     2.4-r7
sys-apps/baselayout: 1.12.9-r2
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.61-r1
sys-devel/automake:  1.10
sys-devel/binutils:  2.17-r1
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   1.5.24
virtual/os-headers:  2.6.22-r2
ACCEPT_KEYWORDS="x86"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-Os -fomit-frame-pointer -march=i486 -mtune=pentium -pipe -fforce-addr"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-Os -fomit-frame-pointer -march=i486 -mtune=pentium -pipe -fforce-addr"
DISTDIR="/usr/portage/distfiles"
FEATURES="ccache distcc distlocks loadpolicy metadata-transfer sandbox selinux sesandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="activefilter adsl apache2 atm berkdb bitmap-fonts cli cracklib crypt cups dhcp dri eap-tls fortran gdbm gpm hardened iconv ipppd ipv6 isdnlog ldap midi minimal mpm-prefork mppe-mppc mschap mudflap ncurses netboot nls nptl nptlonly openmp pam pcre perl pic pppd python radius readline reflection selinux session spl ssl tcpd truetype-fonts type1-fonts unicode usb x86 xorg zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="apm ark chips cirrus cyrix dummy fbdev glint i128 i740 i810 imstt mach64 mga neomagic nsc nv r128 radeon rendition s3 s3virge savage siliconmotion sis sisusb tdfx tga trident tseng v4l vesa vga via vmware voodoo"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS, MAKEOPTS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 18 Stefan Briesenick (RETIRED) gentoo-dev 2007-11-19 00:19:20 UTC
Hmm, that is strange. On all my systems, it just works. I cannot reproduce it. That 'missing' part isn't executed at all.

can you please post the /var/tmp/portage/net-dns/ez-ipupdate-3.0.11_beta8-r4/temp/build.log

thanks!
Comment 19 Alan Hourihane 2007-11-19 10:11:34 UTC
Created attachment 136356 [details]
build log

Here's the complete build log
Comment 20 Alan Hourihane 2007-11-19 20:14:28 UTC
O.k.

The problem is this line....

am__api_version="1.4"
 
in the configure script. Because my installed copy of aclocal is 1.10, which translates to aclocal-1.10, and the configure script in this package expects aclocal-1.4.

So it runs the missing script to re-configure itself.

The easy fix is to chmod +x missing in the ebuild.
Comment 21 Stefan Briesenick (RETIRED) gentoo-dev 2007-11-19 21:53:55 UTC
If this works, then I'll add the chmod in src_unpack().
Comment 22 Alan Hourihane 2007-11-20 11:03:41 UTC
Yes, it does work. Please add chmod +x missing to the src_unpack script.
Comment 23 Alan Hourihane 2007-12-02 23:32:48 UTC
Is there any chance that this extra chmod will get added ?
Comment 24 Stefan Briesenick (RETIRED) gentoo-dev 2007-12-03 09:04:39 UTC
There is, if I can't find a better solution. But the chmod hack is ugly. Please gimme 2 further days, ok?
Comment 25 Alan Hourihane 2007-12-03 09:24:18 UTC
Well, the missing file should be executable anyway, so I don't think it is a hack.

The fact is that configure will try to execute missing to sort things out.
Comment 26 Stefan Briesenick (RETIRED) gentoo-dev 2007-12-09 23:06:03 UTC
OK, fixed within -r4.
Comment 27 Alan Hourihane 2007-12-17 14:35:03 UTC
Thanks. This can be closed now.