Trying to bindmount a directory writeable


Elliot Cooper

Apr 15, 2019, 1:23:40 PM
to mini...@chromium.org
Hi Everyone,

I have been trying to use minijail to sandbox a lighttpd server but I have been hitting the problem that lighttpd needs to write a pid file to:

/var/run/lighttpd.pid

The minijail command I am currently using is:

minijail0 -u lighttpd -g users --profile=minimalistic-mountns  -b /var/run/,/var/run/,writeable -c 'cap_net_bind_service,cap_setgid,cap_setuid+eip'  -- /usr/sbin/lighttpd -D -f /etc/lighttpd/lighttpd.conf

Which fails with the following error:

2019-04-15 18:19:08: (server.c.925) opening pid-file failed: /var/run/lighttpd.pid Read-only file system

I am at a loss as to how to mount /var/run as writeable.

Any assistance would be greatly appreciated!

Thanks for your excellent work.
Elliot

Jorge Lucangeli Obes

Apr 15, 2019, 3:20:11 PM
to Elliot Cooper, mini...@chromium.org
Ostensibly, that should work. Are you double-triple sure that /var/run is writable on that system?

--
You received this message because you are subscribed to the Google Groups "minijail" group.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/minijail/CAJ%3D%2B9HQ5dYNvu7YZoBPA4k-ALE02B%3DpQw%2Bw7V_-Y5k-1P6qLGw%40mail.gmail.com.

David Coles

Jun 13, 2019, 2:46:51 PM
to minijail, m...@elliotcooper.com


On Monday, April 15, 2019 at 10:23:40 AM UTC-7, Elliot Cooper wrote:
> The minijail command I am currently using is:
>
> minijail0 -u lighttpd -g users --profile=minimalistic-mountns  -b /var/run/,/var/run/,writeable -c 'cap_net_bind_service,cap_setgid,cap_setuid+eip'  -- /usr/sbin/lighttpd -D -f /etc/lighttpd/lighttpd.conf

You need to supply `1` rather than `writable` to make a bind-mount writable. For example `-b /var/run,,1`.

A good way of checking mounts is by running `/bin/cat /proc/mounts`.

David Coles

Jun 13, 2019, 2:58:22 PM
to minijail, m...@elliotcooper.com
Also watch out if /var/run is just a symlink to /run. The bind mount will fail silently.

Easy workaround is to bind mount /run instead.

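The two points from David's replies above (the third field of `-b` must be the literal `1`, and a symlinked `/var/run` has to be bound via its target), plus his `/proc/mounts` check, as an added example. This is not code from the thread or from minijail; it assumes a Linux userland with `readlink -f` and `awk`, and the `/proc/mounts` sample it checks against is constructed for illustration, not captured from a real jail.

```sh
#!/bin/sh
# Added example for this thread, not part of minijail.
#  - bind_arg:    builds a -b argument whose third field is the literal 1
#                 (the only spelling that makes the bind mount writable;
#                 a word such as "writeable" is silently ignored and the
#                 mount stays read-only) and resolves symlinks first, since
#                 binding /var/run when it is a symlink to /run fails
#                 silently.
#  - mount_is_rw: the check suggested in the thread, reading /proc/mounts
#                 (or a saved copy) and reporting whether a mount point
#                 came through rw or ro.

# bind_arg SRC -> prints: -b <resolved>,<resolved>,1
bind_arg() {
    src=$1
    # readlink -f follows every symlink and drops the trailing slash from
    # paths such as /var/run/. If the path cannot be resolved (e.g. when
    # building the command on another machine) keep it as given.
    resolved=$(readlink -f "$src" 2>/dev/null) || resolved=$src
    printf '%s %s,%s,1\n' -b "$resolved" "$resolved"
}

# mount_is_rw MOUNTPOINT [MOUNTS_FILE]
# Returns 0 if MOUNTPOINT is mounted rw, 1 if it is ro or absent.
# MOUNTS_FILE defaults to /proc/mounts, so the function can be run as the
# jailed command, e.g.: minijail0 <flags> -- /bin/sh /path/to/this.sh check /run
mount_is_rw() {
    mp=$1
    mounts=${2:-/proc/mounts}
    # Fields: device mountpoint fstype options dump pass. The first option
    # is rw or ro. A later line for the same mount point shadows an earlier
    # one, so the last match decides.
    awk -v mp="$mp" '
        $2 == mp { split($4, o, ","); rw = (o[1] == "rw") }
        END { exit rw ? 0 : 1 }
    ' "$mounts"
}

# Constructed /proc/mounts as a jailed `cat /proc/mounts` might show it when
# the bind flag was not 1: /run came through ro, /tmp rw. Illustrative
# sample data only, not output from a real minijail run.
write_sample_mounts() {
    cat > "$1" <<'EOF'
/dev/root / ext4 ro,relatime 0 0
tmpfs /run tmpfs ro,nosuid,nodev,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
EOF
}

# Print the corrected version of the command from the original post; only
# the -b argument differs from what was posted.
print_jail_cmd() {
    printf "minijail0 -u lighttpd -g users --profile=minimalistic-mountns %s -c 'cap_net_bind_service,cap_setgid,cap_setuid+eip' -- /usr/sbin/lighttpd -D -f /etc/lighttpd/lighttpd.conf\n" \
        "$(bind_arg "${1:-/var/run}")"
}

case "${1:-}" in
    cmd)   print_jail_cmd "$2" ;;
    check) if mount_is_rw "$2"; then echo "$2 is rw"; else echo "$2 is ro or not mounted"; exit 1; fi ;;
esac
```

Run `sh this.sh cmd` on the target host to print the corrected invocation with `/var/run` already resolved to `/run` where it is a symlink, and put `sh this.sh check /run` in place of the lighttpd command to confirm from inside the jail that the directory really is rw before trusting the pid-file write.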
David Coles

Jun 13, 2019, 5:52:37 PM
to Elliot Cooper, mini...@chromium.org
Glad to help!

Yeah, I only worked that out after digging through the source code
when I ran into a similar issue. I agree better error logging would
have helped.

(I'm not an actual Chromium developer, just another prospective
minijail user, but I'll see if I can prepare some patches)

On Thu, Jun 13, 2019 at 2:27 PM Elliot Cooper <m...@elliotcooper.com> wrote:
>
> Hi David,
>
> Thanks for getting back to me! That really helped to get everything to work.
>
> BTW, I was guessing what the <writable> flag implied on the man page because it doesn't appear to be mentioned anywhere in any documentation. Nor indeed does using "-b /var/run/,/var/run/,writeable" cause an error or prompt an informative error message. It would be really helpful to include that information on the man page.
>
> Thanks for your help.
> Elliot
>
>
>
> On Thu, 13 Jun 2019 at 13:58, David Coles <dco...@gaikai.com> wrote:
>>
>> Also watch out if /var/run is just a symlink to /run. The bind mount will fail silently.
>>
>> Easy workaround is to bind mount /run instead.



--
David Coles
デイビッド·コールズ
CGEI - Sony Interactive Entertainment

Jorge Lucangeli Obes

Jun 14, 2019, 9:29:51 AM
to David Coles, Elliot Cooper, mini...@chromium.org
On Thu, Jun 13, 2019 at 5:52 PM David Coles <dco...@gaikai.com> wrote:
> Glad to help!
>
> Yeah, I only worked that out after digging through the source code
> when I ran into a similar issue. I agree better error logging would
> have helped.
>
> (I'm not an actual Chromium developer, just another prospective
> minijail user, but I'll see if I can prepare some patches)
>
> On Thu, Jun 13, 2019 at 2:27 PM Elliot Cooper <m...@elliotcooper.com> wrote:
> >
> > Hi David,
> >
> > Thanks for getting back to me! That really helped to get everything to work.
> >
> > BTW, I was guessing what the <writable> flag implied on the man page because it doesn't appear to be mentioned anywhere in any documentation. Nor indeed does using "-b /var/run/,/var/run/,writeable" cause an error or prompt an informative error message. It would be really helpful to include that information on the man page.
> >
These are all great suggestions, thanks! I've filed https://crbug.com/974204 for tracking.
 
