jotta / jotta-cli-issues


Permission errors with NFS #101

Closed rkarlsba closed 4 years ago

rkarlsba commented 4 years ago

Make sure you are running the latest version of jotta-cli before reporting an issue.

jotta-cli release (jotta-cli version):


jottad executable :
jottad appdata    : /var/lib/jottad
jottad version    : 0.6.21799
jotta-cli version : 0.6.21799

OK

Description of problem:

If jottad is started with systemd, as it should, it fails to read data across NFS. If started manually as the same user (jottad), it works. NFS works apart from this, using SysV "security" with the same UID/GID on both client (where jottad runs) and server.

Expected:

Works

jotta-cli status (jotta-cli status):

root@jotta:/var/lib/jottad# jotta-cli status
------------------------------------------------------------------------------
 Account   : roy@karlsbakk.net on Jottacloud
 Usage     : 31.47TiB / ( Unlimited )
 Device    : jotta-vm
 Backups   :
------------------------------------------------------------------------------
   Path      : /smilla/empetre
   Files     : 0 files / 0bytes
   Status    : Up to date!
   ---- The following paths could not be backed up ----
   /smilla/empetre => open /smilla/empetre: permission denied

Relevant logs for the issue (cat ~/.jottad/jottabackup.log)

pid:1188 2019/12/29 22:24:46 ok stat with 0 got filesystem info id[0] type[nfs] for path /smilla/empetre
pid:1188 2019/12/29 22:24:46 Running scan of [0/0] /smilla/empetre
pid:1188 2019/12/29 22:24:46 Sanity error for scan of path [/smilla/empetre] => [open /smilla/empetre: permission denied]
pid:1188 2019/12/29 22:24:46 Scan completed of [/smilla/empetre] completed in 75.55799ms [0 files 0bytes]

Traceback

Additional info:

roflmao commented 4 years ago

@rkarlsba Can you give us more info about what permissions the directory has?

rkarlsba commented 4 years ago

Just standard 755. Works well otherwise, also when started manually as the user, as I wrote.

Best regards

roy -- Roy Sigurd Karlsbakk (+47) 98013356 http://blogg.karlsbakk.net/ GPG Public key: http://karlsbakk.net/roysigurdkarlsbakk.pubkey.txt -- Carve the good in stone, write the bad in snow.


roflmao commented 4 years ago

@rkarlsba If the directory has execute, read on both group/world and execute on the parent /smilla then all users should be able to do readdir which is the call that is failing. Could you do ls -la on /smilla/empetre from jottad user?

rkarlsba commented 4 years ago

Sorry. The dir has 750 and the user jotta is a member (primary member) of the group owning the dir. As I wrote, everything works when I run this manually, but not through systemd. If there were permission issues, the problem would have persisted in both cases.


roflmao commented 4 years ago

Can't see why it should behave differently with systemd. Can you do a strace -p while doing a scan?

rkarlsba commented 4 years ago

http://karlsbakk.net/tmp/strace-fp-1188.xz


existemi commented 4 years ago

User-group inheritance does not work like a regular shell with systemd. When setting jottad to run as a specific user or group, the directories it can access have to be directly owned by either that user or group. Adding the user to another group does not grant the service access to that group.

If this is a required use-case, systemd has a SupplementaryGroups option for running the service as multiple groups, and enabling access to directories group-owned by all specified users.

$ systemctl edit jottad

add the following:

[Service]
# systemd takes a space-separated list of group names or IDs here
SupplementaryGroups=space separated list of groups

$ systemctl daemon-reload
$ systemctl restart jottad

Then rem and add the directory to make sure it works.

Documentation: https://www.freedesktop.org/software/systemd/man/systemd.exec.html#SupplementaryGroups=

rkarlsba commented 4 years ago

User-group inheritance doesn't work like shell with NFS either, so I've set the jottad user's primary group (as in /etc/passwd) to the group owning the files. No change after this systemctl edit either.


existemi commented 4 years ago

To make sure, is jottad running (in systemd) as this user you talk of, or have you just adjusted the jottad user primary group?

Can you paste us the output of systemctl show jottad | egrep '(UID|GID|SupplementaryGroups)'?

rkarlsba commented 4 years ago

I guess you can close this. I didn't realize that the group to use was hardcoded in the service definition. I thought it just used whatever primary group the user had as defined. After changing the group in /etc/systemd/system/jottad.service, this now works.


existemi commented 4 years ago

OK, great you got it working. Just remember to make an override.conf instead of editing the service-file directly, so as to not lose any changes via an upgrade.
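The mismatch resolved in this thread, as an added example that is not part of the thread or of jotta-cli: the group identity a service runs with can be read from /proc/<pid>/status and compared with the directory's owner, group and mode, which shows why a login shell and a unit with a hardcoded Group= get different answers. All numeric IDs and the two status snippets are constructed; the check covers classic mode bits only (no ACLs, root override or NFS server-side mapping).

```shell
#!/bin/sh
# can_list_dir STATUS_TEXT DIR_UID DIR_GID DIR_MODE
# STATUS_TEXT is the content of /proc/<pid>/status; DIR_MODE is octal (e.g. 750).
# Prints "allow (<class>)" or "deny (<class>)" for listing the directory.
can_list_dir() {
    st=$1; d_uid=$2; d_gid=$3
    mode=$((0$4))                       # leading 0 makes the constant octal
    # Column 5 of Uid:/Gid: is the filesystem id the kernel uses for file access.
    fsuid=$(printf '%s\n' "$st" | awk '$1 == "Uid:" { print $5 }')
    fsgid=$(printf '%s\n' "$st" | awk '$1 == "Gid:" { print $5 }')
    # Groups: lists the supplementary gids (what SupplementaryGroups= adds to).
    supp=$(printf '%s\n' "$st" | awk '$1 == "Groups:" { $1 = ""; print }')

    if [ "$fsuid" = "$d_uid" ]; then
        class=owner; bits=$(( (mode >> 6) & 7 ))
    else
        class=other; bits=$(( mode & 7 ))
        for g in $fsgid $supp; do
            if [ "$g" = "$d_gid" ]; then
                class=group; bits=$(( (mode >> 3) & 7 ))
                break
            fi
        done
    fi
    # Listing a directory needs read (4) and search (1) permission.
    if [ $(( bits & 5 )) -eq 5 ]; then echo "allow ($class)"; else echo "deny ($class)"; fi
}

# Constructed sample: jottad started by a unit whose Group= is still gid 997.
UNIT_STATUS='Name:   jottad
Uid:    998 998 998 998
Gid:    997 997 997 997
Groups: 997'

# Constructed sample: same user started from a login shell, where the
# primary group comes from /etc/passwd (gid 1001, the directory's group).
SHELL_STATUS='Name:   jottad
Uid:    998 998 998 998
Gid:    1001 1001 1001 1001
Groups: 1001'

# Directory modelled on the thread: mode 750, owner uid 1000, group gid 1001.
echo "systemd unit: $(can_list_dir "$UNIT_STATUS" 1000 1001 750)"
echo "login shell:  $(can_list_dir "$SHELL_STATUS" 1000 1001 750)"
# On a live host (GNU stat assumed):
#   can_list_dir "$(cat /proc/$(pidof jottad)/status)" $(stat -c '%u %g %a' /smilla/empetre)
```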