radiorabe / centos-rpm-liquidsoap

RaBe Liquidsoap Distribution for CentOS 8 & Fedora (RaBe-LSD)
https://build.opensuse.org/project/show/home:radiorabe:liquidsoap
GNU General Public License v3.0

Unable to run liquidsoap as root #4

Closed amavarick closed 8 years ago

amavarick commented 8 years ago

The package appears to install liquidsoap as root:

[root@stream 1.2.1]# ls -ltr
total 92
-rw-r--r-- 1 root root  2844 Aug  9 03:53 video.liq
-rw-r--r-- 1 root root 26017 Aug  9 03:53 utils.liq
-rw-r--r-- 1 root root  2376 Aug  9 03:53 shoutcast.liq
-rw-r--r-- 1 root root   180 Aug  9 03:53 pervasives.liq
-rw-r--r-- 1 root root  6945 Aug  9 03:53 lastfm.liq
-rw-r--r-- 1 root root 13437 Aug  9 03:53 http_codes.liq
-rw-r--r-- 1 root root  1031 Aug  9 03:53 http.liq
-rw-r--r-- 1 root root  2039 Aug  9 03:53 gstreamer.liq
-rw-r--r-- 1 root root  3356 Aug  9 03:53 flows.liq
-rwxr-xr-x 1 root root  1543 Aug  9 03:53 extract-replaygain
-rw-r--r-- 1 root root 11065 Aug  9 03:53 externals.liq

Yet when I try to run the liquidsoap script I get an error that it won't run under root:

[root@stream liquidsoap]# ./radio.liq
init: security exit, root euid (user).

The liq file has correct permissions to run

[root@stream liquidsoap]# ls -ltr
total 8
-rw-r--r-- 1 root root 1153 Aug  9 03:53 radio.liq.example
-rwxr--r-- 1 root root  637 Aug  9 16:57 radio.liq

Based on other blogs, it appears as though liquidsoap must run under a different user than root. For me to get this to work, do I need to create a user/group and then chown all of the liquidsoap files? Would it be easier if you configure your package to create a user/group and then install under the new user?

Thank you so much for your time.

hairmare commented 8 years ago

All the tests I did had liquidsoap being called by another user (www-data as used by airtime) and I didn't run into any issues there.

I'll have to look into this and do plan on adding a default user at some time. I haven't done anything yet since we are still figuring out how we would like to manage service users at @radiorabe.

hairmare commented 8 years ago

I added dynamic user allocation for the liquidsoap user so you can now assume that the user exists, as suggested on the mailing list. You might still need to mkdir /var/log/liquidsoap && chown liquidsoap /var/log/liquidsoap/ for it to work though.

hairmare commented 8 years ago

Also, you won't need to chown the scripts or the binary. At runtime the user liquidsoap only needs to be able to access and/or execute the files and this is already given by the permissions from the package.

amavarick commented 8 years ago

I wiped my VPS and restarted to clean the slate. I used your library to install and I now see the liquidsoap user. However, the liquidsoap files and folders still show as owned by root. I su liquidsoap and tried to run and received a permissions issue.

I know the script is good because I: chmod u+x /etc/liquidsoap/radio.liq

So I chown all liquidsoap directories that I am aware of...

chown -R liquidsoap:liquidsoap /etc/liquidsoap /usr/lib/liquidsoap /usr/bin/liquidsoap /var/lib/liquidsoap /etc/logrotate.d/liquidsoap /tmp/liquidsoap.log

Then I ran the script ./radio.liq and it actually started. I was able to see the stream in icecast and connect.

Problems:

Looking at the log files, the following stuck out...

2016/08/10 10:19:26 [dynamic.loader:3] Could not find dynamic module for fdkaac encoder.
2016/08/10 10:19:26 [dynamic.loader:3] Could not find dynamic module for aacplus encoder.
2016/08/10 10:19:26 [dynamic.loader:2] Could not load plugins in directory /usr/lib/liquidsoap/1.2.1/plugins.

Upon further analysis, there are no plugins folders under /usr/lib/liquidsoap/

Nor could I find any other plugins folders relating to Liquidsoap on the server

[root@stream 1.2.1]# find / -name plugins
/usr/lib/python2.7/site-packages/tuned/plugins
/usr/lib64/krb5/plugins

I don't know about the dynamic module encoders, I'm using mp3 so I probably don't need them but others may. If this is a separate issue from the root, please feel free to fork the issues.

Regarding root... would you consider altering the necessary folders/files to be owned by liquidsoap:liquidsoap from the install and providing basic instruction for how to start liquidsoap as liquidsoap user in a manner that doesn't require the terminal to remain open?

hairmare commented 8 years ago

I didn't compile aac stuff into the package yet, so I would not expect that to work. That would also explain why the plugins are missing.

I plan on providing a systemd service for starting liquidsoap.

Are you sure that you really need all the files to belong to the liquidsoap user? I don't think they should since the runtime user should not be able to make changes on the installed binary.

amavarick commented 8 years ago

No I am not sure... I welcome your recommendation as to exactly what files/folders to chown.... or to have your installer automatically chown the proper files/folders. I think I made an atomic option, at least I didn't 777 like some boards advised!!! ;-)

hairmare commented 8 years ago

Revision 39 contains a systemd service file. The service can be started with systemctl enable liquidsoap && systemctl start liquidsoap. You should then be able to tail its log with journalctl -fn -u liquidsoap.service.

I haven't been able to test it yet since my local CentOS is on docker and doesn't do systemd.

amavarick commented 8 years ago

So if I wanted to run two liquidsoap streams to icecast, would the command you provided work for that? Does liquidsoap automatically look at /etc/liquidsoap for *.liq files or do I need to define them somehow?

hairmare commented 8 years ago

I think my service file was unusable. You can edit the service using systemctl edit liquidsoap.service. You probably need to replace the ExecStart line with ExecStart=/usr/bin/liquidsoap -v /etc/liquidsoap/radio.liq.

For the service to support multiple instances you will have to copy the file to /etc/systemd/system. You should be able to just cp /usr/lib/systemd/system/liquidsoap.service /etc/systemd/system/liquidsoap-stream0.service and then enable/start those.

amavarick commented 8 years ago

After your changes, I was able to perform the install on a new server instance to test your new liquidsoap user changes to the package.

I created the liq file as radio.liq and included the following on the first line of the file. This entry allows me to run the liq script directly by ./liqscriptname.liq

#!/usr/bin/liquidsoap

Then I set permissions and ownership of the liq file:

chmod u+x /etc/liquidsoap/radio.liq
chown liquidsoap:liquidsoap /etc/liquidsoap/radio.liq

I am able to execute two scripts at the same time using the following command. I replaced radio.liq with the name of the other script:

liquidsoap /etc/liquidsoap/radio.liq &
liquidsoap /etc/liquidsoap/test.liq &

Thank you so much for your time and very prompt responses with the issues.

hairmare commented 8 years ago

I just added an instantiatable systemd service so starting multiple instances should be easy now. It won't automatically check the /etc/liquidsoap/ folder though.

To run your examples through systemd you would execute the following commands:

# enable services on boot (creates proper symlinks)
systemctl enable liquidsoap@radio
systemctl enable liquidsoap@test

# start them in the running system
systemctl start liquidsoap@radio
systemctl start liquidsoap@test

If you use the service you won't need to add a shebang to the scripts and I'm also pretty sure that the chown is not needed as well. Just make sure to chmod o+r the files (this should be the default but it depends on your umask).

I'm closing this since I feel that the root and systemd issues should be solved by now. Feel free to reopen this or create more issues if anything is still unclear.
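The ownership point made in this thread (the runtime user only needs to read and execute the packaged files, and should not be able to change them) can be checked with a small audit script. This is an added example, not part of the original thread or the package; `audit_runtime_perms` is a hypothetical helper name, and the paths come from the `chown -R` command quoted above.

```shell
#!/bin/sh
# Added example: audit that a service account can use, but not modify,
# the files it runs. audit_runtime_perms is a hypothetical helper name.

# usage: audit_runtime_perms USER PATH...
# Prints one finding per line; returns 1 if there is any finding.
audit_runtime_perms() {
    svc_user=$1
    shift
    findings=$(
        for p in "$@"; do
            [ -e "$p" ] || continue
            # Owned by the runtime user: it could rewrite or chmod these.
            find "$p" ! -type l -user "$svc_user" \
                -exec printf 'OWNED %s\n' {} \;
            # World-writable: any account, runtime user included, can modify.
            find "$p" ! -type l -perm -0002 \
                -exec printf 'WORLD-WRITABLE %s\n' {} \;
            # Scripts lacking o+r (strict umask); group access is not evaluated.
            find "$p" -type f -name '*.liq' ! -user "$svc_user" ! -perm -0004 \
                -exec printf 'UNREADABLE %s\n' {} \;
        done
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Paths taken from the chown -R command quoted in the thread.
if [ "${1:-}" = "--run" ]; then
    audit_runtime_perms liquidsoap /etc/liquidsoap /usr/lib/liquidsoap \
        /usr/bin/liquidsoap /var/lib/liquidsoap
fi
```

Run it as root with `--run` after installing; an empty result means the liquidsoap user can read its scripts but cannot alter them or the installed binary.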