Bug#1040954: inspircd: PID and Logging have broken permissions

Victor Coss

Jul 12, 2023, 11:30:05 PM

Package: inspircd
Version: 3.15.0-1
Severity: normal

Dear Maintainer,

The systemd service file starts InspIRCd with the --nopid flag, however the module sslrehashsignal requires there to be a PID. Please remove this argument from the ExecStart line. I have edited the inspircd.service file temporarily using systemctl edit --full inspircd.service
However I believe due to the AppArmor profile that is shipped, the PID cannot write. You should allow the PID to be at /var/run/inspircd/inspircd.pid which is what I have configured as the location in my InspIRCd configuration file.
I however get the following error and InspIRCd fails to start:

Failed to write PID-file '/var/run/inspircd/inspircd.pid', exiting.

The permissions are as follows,

root@radium:~# ls -lah /var/run/inspircd/
total 0
drwxr-xr-x 2 irc irc 40 Jul 12 15:21 .
drwxr-xr-x 20 root root 600 Jul 12 15:49 ..

That appears to be correct? However I do a dmesg and see that inspircd is being blocked under audit, I suppose this is from AppArmor?
[611682.465180] audit: type=1400 audit(1689212777.973:26): apparmor="DENIED" operation="mknod" profile="/usr/sbin/inspircd" name="/core" pid=7703 comm="inspircd" requested_mask="c" denied_mask="c" fsuid=39 ouid=39
[612769.233201] audit: type=1400 audit(1689213864.742:27): apparmor="DENIED" operation="mknod" profile="/usr/sbin/inspircd" name="/run/inspircd/inspircd.pid" pid=7968 comm="inspircd" requested_mask="c" denied_mask="c" fsuid=39 ouid=39
[612769.478807] audit: type=1400 audit(1689213864.986:28): apparmor="DENIED" operation="mknod" profile="/usr/sbin/inspircd" name="/run/inspircd/inspircd.pid" pid=7969 comm="inspircd" requested_mask="c" denied_mask="c" fsuid=39 ouid=39
[612769.730910] audit: type=1400 audit(1689213865.238:29): apparmor="DENIED" operation="mknod" profile="/usr/sbin/inspircd" name="/run/inspircd/inspircd.pid" pid=7971 comm="inspircd" requested_mask="c" denied_mask="c" fsuid=39 ouid=39
[612769.990731] audit: type=1400 audit(1689213865.498:30): apparmor="DENIED" operation="mknod" profile="/usr/sbin/inspircd" name="/run/inspircd/inspircd.pid" pid=7973 comm="inspircd" requested_mask="c" denied_mask="c" fsuid=39 ouid=39
[612770.231224] audit: type=1400 audit(1689213865.738:31): apparmor="DENIED" operation="mknod" profile="/usr/sbin/inspircd" name="/run/inspircd/inspircd.pid" pid=7974 comm="inspircd" requested_mask="c" denied_mask="c" fsuid=39 ouid=39

Also logging is broken too. The default log file location of /var/log/inspircd.log doesn't write. The file exists however when I cat the file out, it remains empty. I have inspircd configured to log to that file as well.
In dmesg you can see the log file is being blocked.

[599993.814582] audit: type=1400 audit(1689201089.349:15): apparmor="DENIED" operation="open" profile="/usr/sbin/inspircd" name="/var/log/inspircd.log" pid=7525 comm="inspircd" requested_mask="ac" denied_mask="ac" fsuid=39 ouid=39
[601900.436898] inspircd[7525]: segfault at 7f865dc02060 ip 00007f865dc02060 sp 00007ffe3832d388 error 14 in m_filter.so[7f865de0c000+7000] likely on CPU 2 (core 0, socket 0)
[601900.436959] audit: type=1400 audit(1689202995.964:16): apparmor="DENIED" operation="mknod" profile="/usr/sbin/inspircd" name="/core" pid=7525 comm="inspircd" requested_mask="c" denied_mask="c" fsuid=39 ouid=39
[601949.800182] audit: type=1400 audit(1689203045.328:17): apparmor="DENIED" operation="open" profile="/usr/sbin/inspircd" name="/var/log/inspircd.log" pid=7586 comm="inspircd" requested_mask="ac" denied_mask="ac" fsuid=39 ouid=39
[605077.481347] inspircd[7586]: segfault at 7fb4b546d060 ip 00007fb4b546d060 sp 00007ffd3d7c7768 error 14 in m_filter.so[7fb4b5677000+7000] likely on CPU 1 (core 1, socket 0)
[605077.481416] audit: type=1400 audit(1689206173.006:18): apparmor="DENIED" operation="mknod" profile="/usr/sbin/inspircd" name="/core" pid=7586 comm="inspircd" requested_mask="c" denied_mask="c" fsuid=39 ouid=39
[605212.549953] audit: type=1400 audit(1689206308.073:19): apparmor="DENIED" operation="open" profile="/usr/sbin/inspircd" name="/var/log/inspircd.log" pid=7637 comm="inspircd" requested_mask="ac" denied_mask="ac" fsuid=39 ouid=39

The permissions for the log file are as follows:

root@radium:~# ls -lah /var/log/inspircd.log
-rw-r----- 1 irc adm 0 Jul 12 15:21 /var/log/inspircd.log
root@radium:~# cat /var/log/inspircd.log
root@radium:~#

As you can see the log file remains empty. However if I use journalctl -u inspircd.service I can see the log messages from inspircd.
In my inspircd config file I have a <log target="/var/log/inspircd.log"> so it should be writing there and appears to be attempting to according to dmesg.

Also there is a new upstream version of InspIRCd, 3.16.1, which has quite a few bug fixes. Can you please package it?

Kindest Regards,
Victor Coss


-- System Information:
Debian Release: 12.0
APT prefers stable-security
APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-9-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages inspircd depends on:
pn gnutls-bin <none>
ii init-system-helpers 1.65.2
ii libargon2-1 0~20171227-0.3+deb12u1
ii libc6 2.36-9
ii libgcc-s1 12.2.0-14
ii libgnutls30 3.7.9-2
pn libhttp-parser2.9 <none>
ii libio-socket-ssl-perl 2.081-2
ii libldap-2.5-0 2.5.13+dfsg-5
ii libmariadb3 1:10.11.3-1
ii libmaxminddb0 1.7.1-1
ii libpcre2-8-0 10.42-1
pn libpq5 <none>
pn libre2-9 <none>
ii libsqlite3-0 3.40.1-2
ii libstdc++6 12.2.0-14
pn libtre5 <none>
ii lsb-base 11.6
ii perl 5.36.0-7
ii sysvinit-utils [lsb-base] 3.06-4

inspircd recommends no packages.

Versions of packages inspircd suggests:
pn default-mysql-server <none>
pn ldap-server <none>
pn postgresql <none>
pn sqlite3 <none>
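
A way to triage the AppArmor denials quoted in the report above, as an added example that is not part of the original thread or of the inspircd package: a short Python parser that groups DENIED audit records by profile, operation, path and denied mask, so repeated restart attempts collapse into one entry per blocked path. The sample lines are copied from the report; the function names are hypothetical.

```python
import re
from collections import Counter

# Records copied from the dmesg output in the report above (a subset),
# including the segfault line to show that non-AppArmor lines are skipped.
SAMPLE = """\
[599993.814582] audit: type=1400 audit(1689201089.349:15): apparmor="DENIED" operation="open" profile="/usr/sbin/inspircd" name="/var/log/inspircd.log" pid=7525 comm="inspircd" requested_mask="ac" denied_mask="ac" fsuid=39 ouid=39
[601900.436898] inspircd[7525]: segfault at 7f865dc02060 ip 00007f865dc02060 sp 00007ffe3832d388 error 14 in m_filter.so[7f865de0c000+7000] likely on CPU 2 (core 0, socket 0)
[601900.436959] audit: type=1400 audit(1689202995.964:16): apparmor="DENIED" operation="mknod" profile="/usr/sbin/inspircd" name="/core" pid=7525 comm="inspircd" requested_mask="c" denied_mask="c" fsuid=39 ouid=39
[612769.233201] audit: type=1400 audit(1689213864.742:27): apparmor="DENIED" operation="mknod" profile="/usr/sbin/inspircd" name="/run/inspircd/inspircd.pid" pid=7968 comm="inspircd" requested_mask="c" denied_mask="c" fsuid=39 ouid=39
[612769.478807] audit: type=1400 audit(1689213864.986:28): apparmor="DENIED" operation="mknod" profile="/usr/sbin/inspircd" name="/run/inspircd/inspircd.pid" pid=7969 comm="inspircd" requested_mask="c" denied_mask="c" fsuid=39 ouid=39
"""

# key="quoted value" or key=bare_value pairs inside an audit record.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Meaning of the mask letters that occur in these records.
MASK = {"a": "append", "c": "create", "r": "read", "w": "write"}


def parse_denials(text):
    """Yield one dict of fields per AppArmor DENIED record in text."""
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue  # kernel segfault notices and other messages
        yield {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}


def summarise(text):
    """Count denials per (profile, operation, path, denied mask)."""
    counts = Counter()
    for f in parse_denials(text):
        counts[(f["profile"], f["operation"], f["name"], f["denied_mask"])] += 1
    return counts


def describe(mask):
    """Spell out a mask such as 'ac' as 'append+create'."""
    return "+".join(MASK.get(ch, ch) for ch in mask)


if __name__ == "__main__":
    for (profile, op, path, mask), n in summarise(SAMPLE).most_common():
        print(f"{n:3d}x {profile}: {op} {path} ({describe(mask)})")
```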

Victor Coss

Jul 13, 2023, 10:01:31 AM

Hello, I have an update. I have talked to the head developer of InspIRCd, Sadie and figured out a few things.

Firstly, the PID is not required for the sslrehashsignal module as you can send the required signal using systemd, systemctl kill --signal=SIGUSR1 inspircd.service. So you can keep the --nopid flag in the systemd service, that is not an issue.

However, the logging is broken because you do not pass --system at configure. Instead you define directories which logdir is not accounted for so it ends up as /usr/lib/inspircd/logs/ instead of /var/log/inspircd/ in the AppArmor profile, as this profile is automatically generated at compile time based on the directories that are defined.

In ./configure do not pass prefix, config-dir, module-dir, example-dir, data-dir, and binary-dir. Just pass --system and it will account for these system-wide directories. Please see https://docs.inspircd.org/packaging/ for more information on how to package inspircd.

Also FYI, the <power> and <channels> configuration options in the /etc/inspircd/inspircd.conf you ship are deprecated, you should probably remove those to prevent issues in the future when InspIRCd is updated.

Thank you,
Victor Coss

On 7/12/2023 11:21 PM, Debian Bug Tracking System wrote:
Thank you for filing a new Bug report with Debian.

You can follow progress on this Bug here: 1040954: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040954.

This is an automatically generated reply to let you know your message
has been received.

Your message is being forwarded to the package maintainers and other
interested parties for their attention; they will reply in due course.

Your message has been sent to the package maintainer(s):
 Filippo Giunchedi <fil...@debian.org>

If you wish to submit further information on this problem, please
send it to 104...@bugs.debian.org.

Please do not send mail to ow...@bugs.debian.org unless you wish
to report a problem with the Bug-tracking system.

Victor Coss

Jul 18, 2023, 9:00:05 PM

Hello, I have another update to provide. I was able to temporarily fix
file logging until you can fix the package. I had to create a logs
folder in /usr/lib/inspircd/ and change its permissions accordingly and
change ownership and group to irc:irc with read and write permissions so
InspIRCd can write various log files in that directory. As stated before
the correct location should be /var/log/inspircd/ for log files instead.
You may need to have the package create this directory on install and
give the proper permissions for the irc user to read and write to it.

Also as a side note so you are aware, any segfaults you see in dmesg,
are not actually segmentation faults; this is caused by InspIRCd not
using standard exit codes. This can be fixed in v3 of InspIRCd by adding
-DINSPIRCD_BINARY_EXIT to CXXFLAGS in the environment to disable the
custom exit codes that InspIRCd uses. In v4 (not released yet) this has
been resolved completely and InspIRCd will use standard exit codes.

As stated previously, please feel free to check out
https://docs.inspircd.org/packaging/ on how to best package InspIRCd and
avoid these kinds of issues. Also feel free to join us anytime on IRC at
irc.chatspike.net #inspircd. You will find me, along with the head
developer of InspIRCd, Sadie. We are willing to answer any questions you
may have.

I would greatly appreciate it if you can get this resolved and also
appreciate it if you can ship the new upstream version 3.16.1. There are
no breaking changes since 3.15.0. It would be nice to see this update
for the upcoming Bookworm point release (12.1) that will take place on
Saturday June 22.

Thank you,
Victor Coss

On 7/13/2023 9:51 AM, Debian Bug Tracking System wrote:
> Thank you for the additional information you have supplied regarding
> this Bug report.

Filippo Giunchedi

Jan 26, 2024, 6:20:05 AM

Hello Victor,
my apologies for the late reply and thank you for the extensive bug report and research!

On Tue, Jul 18, 2023 at 08:52:38PM -0400, Victor Coss wrote:
> Hello, I have another update to provide. I was able to temporarily fix file
> logging until you can fix the package. I had to create a logs folder in
> /usr/lib/inspircd/ and change its permissions accordingly and change
> ownership and group to irc:irc with read and write permissions so InspIRCd
> can write various log files in that directory. As stated before the correct
> location should be /var/log/inspircd/ for log files instead. You may need to
> have the package create this directory on install and give the proper
> permissions for the irc user to read and write to it.

I have uploaded 3.17.0-1 just now, and allowed apparmor access to
/var/log/inspircd.log as a short term fix for this issue. I'm happy to switch
to /var/log/inspircd for the default log location as a followup though.

> Also as a side note so you are aware, any segfaults you see in dmesg, are
> not actually segmentation faults; this is caused by InspIRCd not using
> standard exit codes. This can be fixed in v3 of InspIRCd by adding
> -DINSPIRCD_BINARY_EXIT to CXXFLAGS in the environment to disable the custom
> exit codes that InspIRCd uses. In v4 (not released yet) this has been
> resolved completely and InspIRCd will use standard exit codes.

Thank you for this report too, I was not aware!

best,
Filippo