Closed userdeveloper98 closed 6 years ago
@userdeveloper98 Thanks very much for your hint. Old topic, but not unimportant from my point of view, thus good that someone pushes it. Your help in this of course is highly appreciated.
The work should not be too much to directly apply this to more/all affected software titles. The higher effort will be to test those software titles, their internal e.g. update functions etc. Best is to check their official installation instructions and see if anyway an own user is recommended or there is some clear reason for using root.
applications group to allow another non-root user access, by adding it as well to this group? If we want to do that, I would vote for using e.g. gogs:gogs respectively, to really limit access to the application itself and root/sudo. If for sure cross-access between applications is needed (www-data access redis server to use for own-/Nextcloud transactional file locking), then just add the accessing application to the server's group directly: usermod -a -G redis www-data. Or do you have another reason for applications group?
dietpi user for all applications. But this only makes sense if it is removed from sudoers, which then might break other tasks of dietpi I guess, as the plan is to use this for more and more DietPi scripts, instead of root.
A bit off-topic, but as we already have this users topic:
sudoers without sudo password requirement.
sudo to have full root access anyway.
I would just skip all APT repo installed software, including Lighttpd.
Totally agree.
I guess you suggest applications group to allow another non-root user access, by adding it as well to this group?
Yes that was the idea. Locally I made it as gogs:gogs. For wider changes I was thinking to group more strategically, but this needs to be configured individually as you mentioned.
I guess for most of those application users we could just skip home directory completely?
Sure, but with gogs I didn't manage to get rid of this even after extensive playing with gogs configurations :( It wants a .gitconfig file in the home dir. A good approach will be to modify the working dir from systemd, by default it is the user home.
An alternative would be to use the dietpi user for all applications.
I would agree to leave everything being installed as root or dietpi user because installation time is limited, don't see any major security issues as long as you trust the script author :)
Using non-root users is a good practice: if an account is compromised or misused, the effect will be isolated.
Ideally application users (or 'system users') don't have login capabilities.
Ex: messagebus:x:105:109::/var/run/dbus:/bin/false
After doing su messagebus nothing will happen.
Or: sshd:x:107:65534::/var/run/sshd:/usr/sbin/nologin
Try su sshd and you will get: This account is currently not available.
One of the major concerns that I have related to applications running as root user is that if an application can be exploited via some security vulnerability, it can potentially get control of the user under which it is running.
Strong passwords will not secure you from buffer overflows in applications and remote code execution, because these bypass the authentication and may get direct access to the user under which the application is running.
Also taking into consideration that we are installing software that is sometimes maintained by a single person, it may be that they don't care or don't have time to fix security issues, or security flaws will be misused for a long time before public announcements.
There are a lot of other reasons, hope that's enough.
BTW. I am planning to add fail2ban rules (will share once I test it) for applications so it will be impossible to brute-force a Gogs account for instance. But as I can see in https://github.com/gogs/gogs/issues/2384 they have not yet implemented proper logs for that, let's see if we have some workarounds.
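Added example (not part of the thread or of DietPi's code): the no-login property described in the comment above can be audited from passwd(5) data. The script flags system accounts whose shell is not nologin or false; apart from the messagebus and sshd lines quoted above the sample records are constructed, and the UID threshold of 1000 (Debian's default UID_MIN) is an assumption.

```shell
#!/bin/sh
# Added example: audit passwd(5) data for service accounts that can still log in.

# Constructed sample input. The messagebus and sshd lines are the ones quoted
# in the thread; the other records are made up for the demonstration.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
messagebus:x:105:109::/var/run/dbus:/bin/false
sshd:x:107:65534::/var/run/sshd:/usr/sbin/nologin
gogs:x:999:997::/etc/gogs:/bin/bash
mpd:x:110:29::/var/lib/mpd:
dietpi:x:1000:1000::/home/dietpi:/bin/bash
EOF
}

# Reads passwd records on stdin and prints "name shell" for every system
# account (0 < UID < uid_min) whose login shell is not nologin or false.
# $1 = uid_min, the first UID treated as a human account (assumed 1000).
login_capable_service_accounts() {
    awk -F: -v uid_min="${1:-1000}" '
        $0 == "" || $0 ~ /^#/ { next }                 # blank lines and comments
        NF != 7 { next }                               # not a passwd record
        $3 + 0 == 0 || $3 + 0 >= uid_min + 0 { next }  # root and human accounts
        {
            shell = $7
            if (shell == "") shell = "/bin/sh"         # empty field defaults to /bin/sh
            if (shell ~ /\/(nologin|false)$/) next     # account cannot log in
            print $1, shell
        }'
}

# Demo run on the constructed sample.
sample_passwd | login_capable_service_accounts
```

On a real host the same function can be fed with `getent passwd`.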
@MichaIng
Agree
@userdeveloper98
Commit for gogs to change to its own user, also cleaned up the service: https://github.com/Fourdee/DietPi/commit/e915354689d2c4953a459761d4e496b39d127dce EDIT: Yes it needs a home dir, resolved with latest commit
root@DietPi:~# systemctl status gogs
● gogs.service - DietPi Gogs service
Loaded: loaded (/etc/systemd/system/gogs.service; disabled; vendor preset: enabled)
Active: active (running) since Wed 2018-06-27 14:45:45 BST; 8s ago
Main PID: 8224 (bash)
CGroup: /system.slice/gogs.service
├─8224 /bin/bash -c /etc/gogs/gogs web &> /var/log/gogs_daemon.log
└─8226 /etc/gogs/gogs web
Jun 27 14:45:45 DietPi systemd[1]: Started DietPi Gogs service.
root@DietPi:~# cat /var/log/gogs_daemon.log
2018/06/27 14:45:45 [ WARN] Custom config '/etc/gogs/custom/conf/app.ini' not found, ignore this if you're running first time
2018/06/27 14:45:45 [TRACE] Custom path: /etc/gogs/custom
2018/06/27 14:45:45 [TRACE] Log path: /etc/gogs/log
2018/06/27 14:45:45 [TRACE] Log Mode: Console (Trace)
2018/06/27 14:45:45 [ INFO] Gogs: Go Git Service 0.9.141.0211
2018/06/27 14:45:45 [ INFO] Cache Service Enabled
2018/06/27 14:45:45 [ INFO] Session Service Enabled
2018/06/27 14:45:45 [ INFO] SQLite3 Supported
2018/06/27 14:45:45 [ INFO] Run Mode: Development
2018/06/27 14:45:47 [ INFO] Listen: http://0.0.0.0:3000
&> /var/log/gogs_daemon.log
we could probably remove that, leave the info in the service for dietpi-services status use?
Gogs runs under root. Gogs gets exploited and gets the root account, which can do virtually anything on your system. Gogs runs under a limited gogs user. Gogs gets exploited but the impact will be minimal, it probably will get access to gogs files and repositories but it will not be able to do any major changes in the system. Ex: read passwd file or remove all backups etc.. Taking into consideration that the user doesn't even have access to a shell, the chances that it will break something will be dramatically low.
Some good points, although personally, I believe we shouldn't have to live in a world where we don't grant any trust in the program. Either way, no harm in limiting permissions.
@Fourdee Nice, that was quick.
@userdeveloper98 Just to clarify my argumentation:
dietpi user (then without sudo permissions) as shared application user would be an alternative, but would break some of the benefits of individual users, as an exploited application allows then at least to access/control all other installed software, which is bad enough, even without root permissions. If we do this, then really, from my point of view.
dietpi user as it is currently used (not for applications, but as an alternative for terminal/SSH login and owner of some of our script/settings/data locations) and against how most distributions by default have such a non-root user (RPi => "pi") for login, which then has sudo permissions without password need. Of course this still allows proper function of ext4 reserved blocks etc. but all this is more towards protecting the user from itself. If someone hacks this user, the password-free sudo access renders all security efforts about root user obsolete. For this reason, if there is no other good argument, I don't see, I would remove dietpi and stay with root as only initial unix user. Our end users are as always still free in creating their own user with permissions as they wish. But yeah, this is another topic, not related to application users.
root
:Legend
mpd
ympd
mopidy
minidlna
airsonic
root access to avoid password prompts and permissions issues during end user usage.
ubooquity
cuberite
qbittorrent
sickrage
tonido
koel
sonarr
radarr
plexpy
nzbget
roon
gmrender
deluge
I'll update this list.
@Fourdee
What do you think about making dietpi a system user only (new images only), to run software that needs shared data access? Otherwise as in fact it has root permissions via sudo without password, there is no security benefit in comparison to root. And users, that want to access terminal/SSH not as root, will create their own user anyway, as they do already now.
Alternative:
Let software with dietpi_userdata access need, still run as their own users, but usermod -a -G dietpi mpd to add user mpd to group dietpi to allow dietpi_userdata r/w access:
root@VM-Jessie:~# l /mnt/dietpi_userdata/
total 16
drwxrwxr-x 2 dietpi dietpi 4096 May 20 18:59 downloads
drwxrwxr-x 2 dietpi dietpi 4096 May 20 18:59 Music
drwxrwxr-x 2 dietpi dietpi 4096 May 20 18:59 Pictures
drwxrwxr-x 2 dietpi dietpi 4096 May 20 18:59 Video
@MichaIng
Let software with dietpi_userdata access need, still run as their own users, but usermod -a -G dietpi mpd to add user mpd to group dietpi to allow dietpi_userdata r/w access:
Yep, let's try it
@MichaIng @Fourdee Great work guys !!
I would prefer to be even more specific.
Ex: minidlna can have read-only access to media files, because it will stream files but will not change them.
QbitTorrent should have read/write access to files, because it will modify/read files.
etc..
@userdeveloper98 Jep, good point. If we already have separate software users, then limit their permissions to what is really needed.
Hmm but via groups currently not sure how to achieve.
If dietpi_userdata/Music is dietpi:dietpi 640 and software user is in dietpi group, then software can just read
660: software can always write as well
664: everyone can read and just software within dietpi group can write as well, the only solution with above result and since it is "just" Music, public read permissions is properly okay?
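Added example (not part of the thread or of DietPi's code): the three modes from the comment above, run through the class selection that classic Unix permission bits use, for a file owned by dietpi:dietpi. The group memberships are constructed for the demonstration (qbittorrent in group dietpi, minidlna not), and root's bypass of mode bits is not modelled.

```shell
#!/bin/sh
# Added example: which permission class applies to a service user.

# effective_access MODE OWNER GROUP USER "USER_GROUPS"
# MODE is three octal digits (e.g. 640). Prints the rwx triple that applies to
# USER: the owner class if USER owns the file, else the group class if USER is
# a member of GROUP, else the other class. Only the first matching class is
# used, there is no fall-through to a more permissive one.
effective_access() {
    ea_mode=$1 ea_owner=$2 ea_group=$3 ea_user=$4 ea_groups=$5
    if [ "$ea_user" = "$ea_owner" ]; then
        ea_digit=${ea_mode%??}                       # first digit: owner
    else
        case " $ea_groups " in
            *" $ea_group "*) ea_rest=${ea_mode#?}
                             ea_digit=${ea_rest%?} ;; # second digit: group
            *)               ea_digit=${ea_mode#??} ;; # third digit: other
        esac
    fi
    if [ $((ea_digit & 4)) -ne 0 ]; then ea_out=r; else ea_out=-; fi
    if [ $((ea_digit & 2)) -ne 0 ]; then ea_out=${ea_out}w; else ea_out=${ea_out}-; fi
    if [ $((ea_digit & 1)) -ne 0 ]; then ea_out=${ea_out}x; else ea_out=${ea_out}-; fi
    printf '%s\n' "$ea_out"
}

# The modes discussed above, for a reader that stays outside the dietpi group
# (minidlna) and a writer that is a member of it (qbittorrent).
demo_modes() {
    for m in 640 660 664; do
        printf '%s minidlna=%s qbittorrent=%s\n' "$m" \
            "$(effective_access "$m" dietpi dietpi minidlna "minidlna")" \
            "$(effective_access "$m" dietpi dietpi qbittorrent "qbittorrent dietpi")"
    done
}

demo_modes
```

Only 664 yields read-only for one service and read/write for the other, and it does so by making the file readable to every account, which is the trade-off raised above.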
qBitTorrent requires a local user account with login creds, as it uses:
Group required in service for file saves: User=qbittorrent Group=dietpi
Son/rad arr, require home user dir?
Jul 09 21:18:30 DietPi mono[30099]: [v2.0.0.5235] NzbDrone.Common.Exceptions.SonarrStartupException: Sonarr failed to start: Cannot create AppFolder, Access to the path /home/sonarr/.config/NzbDrone is denied
https://github.com/Sonarr/Sonarr/wiki/Command-Line-Options
Fixed by setting -data=/mnt/dietpi_userdata/PROGRAM
@Fourdee
Son/rad arr, require home user dir?
We can use the same trick as I did for gogs and Jackett https://github.com/Fourdee/DietPi/pull/1895
in Service file write:
WorkingDirectory=/opt/jackett
Environment=USER=jackett HOME=/opt/jackett
You will need to replace /opt/jackett with actual install path of the application
It will make them think that the home folder is the folder where the app is installed. Nice and compact.
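Added example (not part of the thread or of DietPi's code): a small audit of the [Service] settings used in the comment above, reporting which user a unit runs as and whether HOME is redirected to the install directory. Both units are constructed from the Gogs paths shown earlier in the thread; they are not DietPi's actual unit files.

```shell
#!/bin/sh
# Added example: report the identity a systemd service unit runs under.

# Constructed unit without User=, i.e. the service runs as root.
unit_before() {
    cat <<'EOF'
[Unit]
Description=DietPi Gogs service

[Service]
ExecStart=/etc/gogs/gogs web
EOF
}

# Constructed unit using the settings from the comment above.
unit_after() {
    cat <<'EOF'
[Unit]
Description=DietPi Gogs service

[Service]
User=gogs
Group=gogs
WorkingDirectory=/etc/gogs
Environment=USER=gogs HOME=/etc/gogs
ExecStart=/etc/gogs/gogs web
EOF
}

# Reads a unit file on stdin and prints one line:
#   user=<u> group=<g> home=<h> workdir=<w>
# A system service without User= runs as root; "-" means not set in the unit.
# Simplification: quoted Environment= values containing spaces are not handled.
unit_run_identity() {
    awk '
        /^\[/ { in_service = ($0 == "[Service]"); next }
        !in_service || /^[#;]/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "User") user = val
            else if (key == "Group") group = val
            else if (key == "WorkingDirectory") workdir = val
            else if (key == "Environment") {
                n = split(val, kv, /[ \t]+/)
                for (i = 1; i <= n; i++)
                    if (kv[i] ~ /^HOME=/) home = substr(kv[i], 6)
            }
        }
        END {
            printf "user=%s group=%s home=%s workdir=%s\n",
                (user == "" ? "root" : user), (group == "" ? "-" : group),
                (home == "" ? "-" : home), (workdir == "" ? "-" : workdir)
        }'
}

printf 'before: %s\n' "$(unit_before | unit_run_identity)"
printf 'after:  %s\n' "$(unit_after | unit_run_identity)"
```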
Sonarr/Radarr/Sickrage patch enable:
Mmm, where is the config saved, pre -data=/mnt/dietpi_userdata/PROGRAM?
root@DietPi:~# ls -lha /mnt/dietpi_userdata/sonarr/
total 1.4M
drwxrwxr-x 3 sonarr dietpi 4.0K Jul 10 16:25 .
drwxrwxr-x 9 dietpi dietpi 4.0K Jul 10 16:24 ..
-rw-r--r-- 1 sonarr dietpi 280 Jul 10 16:24 config.xml
drwxr-xr-x 2 sonarr dietpi 4.0K Jul 10 16:24 logs
/root/.config/NzbDrone/config.xml
/root/.config/Radarr/config.xml
pre -data=/mnt/dietpi_userdata/PROGRAM
root@DietPi:~# ls -lha /opt/NzbDrone/
total 9.1M
drwxr-xr-x 3 root root 4.0K Jul 10 15:54 .
drwxr-xr-x 5 root root 4.0K Jul 10 15:56 ..
-rw-r--r-- 1 root root 23K Jul 7 10:14 antlr.runtime.dll
-rw-r--r-- 1 root root 13K Jul 7 10:14 antlr.runtime.dll.mdb
-rw-r--r-- 1 root root 120K Jul 7 10:14 CookComputing.XmlRpcV2.dll
-rw-r--r-- 1 root root 50K Jul 7 10:14 CurlSharp.dll
-rw-r--r-- 1 root root 338 Jul 7 10:14 CurlSharp.dll.config
-rw-r--r-- 1 root root 20K Jul 7 10:14 CurlSharp.dll.mdb
-rw-r--r-- 1 root root 106K Jul 7 10:14 FluentMigrator.dll
-rw-r--r-- 1 root root 62K Jul 7 10:14 FluentMigrator.dll.mdb
-rw-r--r-- 1 root root 252K Jul 7 10:14 FluentMigrator.Runner.dll
-rw-r--r-- 1 root root 119K Jul 7 10:14 FluentMigrator.Runner.dll.mdb
-rw-r--r-- 1 root root 145K Jul 7 10:14 FluentValidation.dll
-rw-r--r-- 1 root root 59K Jul 7 10:14 FluentValidation.dll.mdb
-rw-r--r-- 1 root root 50K Jul 7 10:14 Growl.Connector.dll
-rw-r--r-- 1 root root 17K Jul 7 10:14 Growl.CoreLibrary.dll
-rw-r--r-- 1 root root 20K Jul 7 10:14 Ical.Net.Collections.dll
-rw-r--r-- 1 root root 6.6K Jul 7 10:14 Ical.Net.Collections.dll.mdb
-rw-r--r-- 1 root root 170K Jul 7 10:14 Ical.Net.dll
-rw-r--r-- 1 root root 87K Jul 7 10:14 Ical.Net.dll.mdb
-rw-r--r-- 1 root root 196K Jul 7 10:14 ICSharpCode.SharpZipLib.dll
-rw-r--r-- 1 root root 205K Jul 7 10:14 ImageResizer.dll
-rw-r--r-- 1 root root 15K Jul 7 10:14 LogentriesCore.dll
-rw-r--r-- 1 root root 3.6K Jul 7 10:14 LogentriesCore.dll.mdb
-rw-r--r-- 1 root root 31K Jul 7 10:14 LogentriesNLog.dll
-rw-r--r-- 1 root root 12K Jul 7 10:14 LogentriesNLog.dll.mdb
-rw-r--r-- 1 root root 106K Jul 7 10:14 Marr.Data.dll
-rw-r--r-- 1 root root 55K Jul 7 10:14 Marr.Data.dll.mdb
-rw-r--r-- 1 root root 250K Jul 7 10:14 Microsoft.AspNet.SignalR.Core.dll
-rw-r--r-- 1 root root 117K Jul 7 10:14 Microsoft.AspNet.SignalR.Core.dll.mdb
-rw-r--r-- 1 root root 42K Jul 7 10:14 Microsoft.AspNet.SignalR.Owin.dll
-rw-r--r-- 1 root root 15K Jul 7 10:14 Microsoft.AspNet.SignalR.Owin.dll.mdb
-rw-r--r-- 1 root root 79K Jul 7 10:14 Microsoft.Owin.dll
-rw-r--r-- 1 root root 93K Jul 7 10:14 Microsoft.Owin.Host.HttpListener.dll
-rw-r--r-- 1 root root 64K Jul 7 10:14 Microsoft.Owin.Hosting.dll
-rw-r--r-- 1 root root 48K Jul 7 10:14 MonoTorrent.dll
-rw-r--r-- 1 root root 27K Jul 7 10:14 MonoTorrent.dll.mdb
-rw-r--r-- 1 root root 8.5K Jul 7 10:14 Nancy.Authentication.Basic.dll
-rw-r--r-- 1 root root 14K Jul 7 10:14 Nancy.Authentication.Forms.dll
-rw-r--r-- 1 root root 879K Jul 7 10:14 Nancy.dll
-rw-r--r-- 1 root root 6.0K Jul 7 10:14 Nancy.Owin.dll
-rw-r--r-- 1 root root 437K Jul 7 10:14 Newtonsoft.Json.dll
-rw-r--r-- 1 root root 667K Jul 7 10:14 NLog.dll
-rw-r--r-- 1 root root 404K Jul 7 10:14 NodaTime.dll
-rw-r--r-- 1 root root 234K Jul 7 10:14 NzbDrone.Api.dll
-rw-r--r-- 1 root root 95K Jul 7 10:14 NzbDrone.Api.dll.mdb
-rw-r--r-- 1 root root 232K Jul 7 10:14 NzbDrone.Common.dll
-rw-r--r-- 1 root root 102K Jul 7 10:14 NzbDrone.Common.dll.mdb
-rw-r--r-- 1 root root 1.4M Jul 7 10:14 NzbDrone.Core.dll
-rw-r--r-- 1 root root 367 Jul 7 10:14 NzbDrone.Core.dll.config
-rw-r--r-- 1 root root 605K Jul 7 10:14 NzbDrone.Core.dll.mdb
-rw-r--r-- 1 root root 25K Jul 7 10:14 NzbDrone.exe
-rw-r--r-- 1 root root 1.7K Jul 7 10:14 NzbDrone.exe.config
-rw-r--r-- 1 root root 834 Jul 7 10:14 NzbDrone.exe.mdb
-rw-r--r-- 1 root root 34K Jul 7 10:14 NzbDrone.Host.dll
-rw-r--r-- 1 root root 11K Jul 7 10:14 NzbDrone.Host.dll.mdb
-rw-r--r-- 1 root root 21K Jul 7 10:14 NzbDrone.Mono.dll
-rw-r--r-- 1 root root 7.2K Jul 7 10:14 NzbDrone.Mono.dll.mdb
-rw-r--r-- 1 root root 9.0K Jul 7 10:14 NzbDrone.SignalR.dll
-rw-r--r-- 1 root root 2.8K Jul 7 10:14 NzbDrone.SignalR.dll.mdb
-rw-r--r-- 1 root root 24K Jul 7 10:14 OAuth.dll
-rw-r--r-- 1 root root 7.6K Jul 7 10:14 OAuth.dll.mdb
-rw-r--r-- 1 root root 29K Jul 7 10:14 Org.Mentalis.dll
-rw-r--r-- 1 root root 4.5K Jul 7 10:14 Owin.dll
-rw-r--r-- 1 root root 14K Jul 7 10:14 Prowlin.dll
-rw-r--r-- 1 root root 165K Jul 7 10:14 RestSharp.dll
-rw-r--r-- 1 root root 63K Jul 7 10:14 SharpRaven.dll
-rw-r--r-- 1 root root 18K Jul 7 10:14 SharpRaven.dll.mdb
-rw-r--r-- 1 root root 11K Jul 7 10:14 SocksWebProxy.dll
-rw-r--r-- 1 root root 268K Jul 7 10:14 System.Data.SQLite.dll
-rw-r--r-- 1 root root 676K Jul 7 10:14 System.Data.SQLite.xml
drwxr-xr-x 3 root root 4.0K Jul 10 15:54 UI
root@DietPi:~# ls -lha /opt/Radarr/
total 9.1M
drwxr-xr-x 4 root root 4.0K Jul 10 15:56 .
drwxr-xr-x 5 root root 4.0K Jul 10 15:56 ..
-rwx------ 1 root root 23K May 27 21:41 antlr.runtime.dll
-rwx------ 1 root root 13K May 27 21:41 antlr.runtime.dll.mdb
-rwx------ 1 root root 120K May 27 21:41 CookComputing.XmlRpcV2.dll
-rwx------ 1 root root 50K May 27 21:41 CurlSharp.dll
-rwx------ 1 root root 338 May 27 21:41 CurlSharp.dll.config
-rwx------ 1 root root 20K May 27 21:41 CurlSharp.dll.mdb
-rwx------ 1 root root 106K May 27 21:41 FluentMigrator.dll
-rwx------ 1 root root 62K May 27 21:41 FluentMigrator.dll.mdb
-rwx------ 1 root root 252K May 27 21:41 FluentMigrator.Runner.dll
-rwx------ 1 root root 119K May 27 21:41 FluentMigrator.Runner.dll.mdb
-rwx------ 1 root root 145K May 27 21:41 FluentValidation.dll
-rwx------ 1 root root 59K May 27 21:41 FluentValidation.dll.mdb
-rwx------ 1 root root 50K May 27 21:41 Growl.Connector.dll
-rwx------ 1 root root 17K May 27 21:41 Growl.CoreLibrary.dll
-rwx------ 1 root root 20K May 27 21:41 Ical.Net.Collections.dll
-rwx------ 1 root root 6.6K May 27 21:41 Ical.Net.Collections.dll.mdb
-rwx------ 1 root root 170K May 27 21:41 Ical.Net.dll
-rwx------ 1 root root 87K May 27 21:41 Ical.Net.dll.mdb
-rwx------ 1 root root 196K May 27 21:41 ICSharpCode.SharpZipLib.dll
-rwx------ 1 root root 205K May 27 21:41 ImageResizer.dll
-rwx------ 1 root root 22K May 27 21:41 Interop.NetFwTypeLib.dll
-rwx------ 1 root root 15K May 27 21:41 LogentriesCore.dll
-rwx------ 1 root root 3.6K May 27 21:41 LogentriesCore.dll.mdb
-rwx------ 1 root root 31K May 27 21:41 LogentriesNLog.dll
-rwx------ 1 root root 12K May 27 21:41 LogentriesNLog.dll.mdb
-rwx------ 1 root root 107K May 27 21:41 Marr.Data.dll
-rwx------ 1 root root 55K May 27 21:41 Marr.Data.dll.mdb
-rwx------ 1 root root 251K May 27 21:41 Microsoft.AspNet.SignalR.Core.dll
-rwx------ 1 root root 115K May 27 21:41 Microsoft.AspNet.SignalR.Core.dll.mdb
-rwx------ 1 root root 42K May 27 21:41 Microsoft.AspNet.SignalR.Owin.dll
-rwx------ 1 root root 14K May 27 21:41 Microsoft.AspNet.SignalR.Owin.dll.mdb
-rwx------ 1 root root 79K May 27 21:41 Microsoft.Owin.dll
-rwx------ 1 root root 93K May 27 21:41 Microsoft.Owin.Host.HttpListener.dll
-rwx------ 1 root root 64K May 27 21:41 Microsoft.Owin.Hosting.dll
-rwx------ 1 root root 48K May 27 21:41 MonoTorrent.dll
-rwx------ 1 root root 27K May 27 21:41 MonoTorrent.dll.mdb
-rwx------ 1 root root 8.5K May 27 21:41 Nancy.Authentication.Basic.dll
-rwx------ 1 root root 14K May 27 21:41 Nancy.Authentication.Forms.dll
-rwx------ 1 root root 879K May 27 21:41 Nancy.dll
-rwx------ 1 root root 6.0K May 27 21:41 Nancy.Owin.dll
-rwx------ 1 root root 424K May 27 21:41 Newtonsoft.Json.dll
-rwx------ 1 root root 655K May 27 21:41 NLog.dll
-rwx------ 1 root root 404K May 27 21:41 NodaTime.dll
-rwx------ 1 root root 239K May 27 21:41 NzbDrone.Api.dll
-rwx------ 1 root root 96K May 27 21:41 NzbDrone.Api.dll.mdb
-rwx------ 1 root root 252K May 27 21:41 NzbDrone.Common.dll
-rwx------ 1 root root 110K May 27 21:41 NzbDrone.Common.dll.mdb
-rwx------ 1 root root 1.4M May 27 21:41 NzbDrone.Core.dll
-rwx------ 1 root root 367 May 27 21:41 NzbDrone.Core.dll.config
-rwx------ 1 root root 590K May 27 21:41 NzbDrone.Core.dll.mdb
-rwx------ 1 root root 16K May 27 21:41 NzbDrone.Mono.dll
-rwx------ 1 root root 4.4K May 27 21:41 NzbDrone.Mono.dll.mdb
-rwx------ 1 root root 9.0K May 27 21:41 NzbDrone.SignalR.dll
-rwx------ 1 root root 2.7K May 27 21:41 NzbDrone.SignalR.dll.mdb
drwxr-xr-x 2 root root 4.0K Jul 10 15:56 NzbDrone.Update
-rwx------ 1 root root 24K May 27 21:41 OAuth.dll
-rwx------ 1 root root 7.6K May 27 21:41 OAuth.dll.mdb
-rwx------ 1 root root 29K May 27 21:41 Org.Mentalis.dll
-rwx------ 1 root root 4.5K May 27 21:41 Owin.dll
-rwx------ 1 root root 14K May 27 21:41 Prowlin.dll
-rwx------ 1 root root 89K May 27 21:41 Radarr.exe
-rwx------ 1 root root 1.7K May 27 21:41 Radarr.exe.config
-rwx------ 1 root root 695 May 27 21:41 Radarr.exe.mdb
-rwx------ 1 root root 115K May 27 21:41 Radarr.Host.dll
-rwx------ 1 root root 11K May 27 21:41 Radarr.Host.dll.mdb
-rwx------ 1 root root 165K May 27 21:41 RestSharp.dll
-rwx------ 1 root root 11K May 27 21:41 SocksWebProxy.dll
-rwx------ 1 root root 268K May 27 21:41 System.Data.SQLite.dll
-rwx------ 1 root root 676K May 27 21:41 System.Data.SQLite.xml
drwxr-xr-x 3 root root 4.0K Jul 10 15:56 UI
We need to purge mono from /tmp after it's installed.
/DietPi/dietpi/func/dietpi-globals: line 1179: echo: write error: No space left on device
[FAILED] DietPi-Software | Unable to continue, DietPi-Software will now terminate.
root@DietPi:~# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/root 15G 1.2G 13G 9% /
devtmpfs 943M 0 943M 0% /dev
tmpfs 1008M 0 1008M 0% /dev/shm
tmpfs 1008M 8.4M 999M 1% /run
tmpfs 5.0M 0 5.0M 0% /run/lock
tmpfs 1008M 0 1008M 0% /sys/fs/cgroup
tmpfs 1023M 1023M 0 100% /tmp
tmpfs 20M 104K 20M 1% /var/log
tmpfs 10M 1.4M 8.7M 14% /DietPi
/dev/mmcblk1p1 63M 8.6M 55M 14% /boot
root@DietPi:~# dietpi-backup -1; reboot^C
root@DietPi:~# ls -lha /tmp
total 1022M
drwxrwxrwt 13 root root 1.2K Jul 10 16:04 .
drwxr-xr-x 23 root root 4.0K Jun 28 16:27 ..
-rw-r--r-- 1 root root 98 Jul 9 19:20 dietpi-available_cpu_freqs
drwxrwxrwt 2 root root 40 Jul 8 17:43 .font-unix
drwxr-xr-x 2 999 997 40 Jul 9 19:24 hsperfdata_airsonic
drwxr-xr-x 2 root root 40 Jul 9 19:28 hsperfdata_root
drwxr-xr-x 2 999 997 40 Jul 9 19:50 hsperfdata_ubooquity
drwxrwxrwt 2 root root 40 Jul 8 17:43 .ICE-unix
drwxrwxrwx 2 999 997 40 Jul 9 19:50 JarClassLoader
-rw------- 1 root root 32M Jul 9 21:18 mono_aot_0DC35Q
Hmm:
[ OK ] DietPi-Update | Patch 6.12 completed
1 SUBVERSION_CURRENT=12
2 SUBVERSION_CURRENT=12
3 SUBVERSION_CURRENT=11
SUBVERSION_CURRENT=11
[ OK ] DietPi-Survey | Connection test: dietpi.com
[ OK ] DietPi-Survey | Successfully sent survey data
3=straight after Run_Update
Run_Update | tee -a $FP_LOG is causing this, removing tee resolves.
[ OK ] DietPi-Survey | Successfully sent survey data
SUBVERSION_CURRENT=12
SUBVERSION_CURRENT=12
SUBVERSION_CURRENT=12
[ INFO ] DietPi-Update | Current Version : 6.12
SUBVERSION_CURRENT=12
Works, but roughly twice the performance hit during script exec
Run_Update > >(tee -a $FP_LOG) 2>&1
rtorrent requires access to:
Jul 10 18:47:39 DietPi systemd[29208]: rtorrent.service: Failed at step CHROOT spawning /usr/bin/screen: No such file or directory
chmod 755 /usr/bin/screen /usr/bin/rtorrent
Jul 10 18:58:20 DietPi systemd[1]: Failed to start rTorrent.
Directory '/run/screen' must have mode 777.
@MichaIng
Great work keeping the DietPi ship running while I was away. Really appreciate it.
My new glasses are on, -10.25 and -9.75 lol. I'll try and get this wrapped today. Once done, all items need install testing again just in-case.
Ok done.
Reinstalls of all items + patch testing passed
I'm not going to touch Docker, do not have enough experience with it, or even use it.
@Fourdee Yey, you resolved the wrong version number issue. I also wanted to open an issue about that since I just faced it again. Leads also to wrong https://dietpi.com/survey statistics, I believe.
Creating a bug report/issue:
Hi there! I have noticed that most of the apps installed by dietpi scripts are running as root user, which is not recommended for sure. I am happy to support migration of all applications to run under a non-root user. I did it already for almost all my software pack but it will be nice if we have this out of the box because most of the users may not be aware of this. I will start with Gogs as it was the easiest application to migrate.
Required Information:
Additional Information (if applicable):
Steps to reproduce:
Expected behaviour:
Gogs should run under non root user. ex: gogs user.
Actual behaviour:
Security issue. Gogs runs under root user. Exploiting a Gogs vulnerability allows full root access to the server.
Extra details:
This is the simplest app to migrate I would like to be added as reviewer to PR. (this will facilitate learning the source code :) ) After this I believe I will be able to create my own PR-s and support migration of other apps. Including but not limited to:
Thanks !