Hi Jonas (name brother :-) )

Quoting Jonas Wielicki (2017-02-05 14:50:02)
> systemctl start biboumi fails because the group "nobody" does not exist:
> 
> --- 8< ---
> root@biboumi:~# systemctl restart biboumi
> Job for biboumi.service failed. See 'systemctl status biboumi.service' and 'journalctl -xn' for details.
> 
> root@biboumi:~# systemctl status biboumi
> ● biboumi.service - Biboumi, XMPP to IRC gateway
>    Loaded: loaded (/lib/systemd/system/biboumi.service; disabled)
>    Active: failed (Result: start-limit) since Sun 2017-02-05 10:20:43 UTC; 547ms ago
>      Docs: man:biboumi(1)
>            https://biboumi.louiz.org
>   Process: 12981 ExecStart=/usr/bin/biboumi /etc/biboumi/biboumi.cfg (code=exited, status=216/GROUP)
>  Main PID: 12981 (code=exited, status=216/GROUP)
> 
> root@biboumi:~# systemctl cat biboumi
> # /lib/systemd/system/biboumi.service
> [Unit]
> Description=Biboumi, XMPP to IRC gateway
> Documentation=man:biboumi(1) https://biboumi.louiz.org
> After=network.target
> 
> [Service]
> Type=notify
> ExecStart=/usr/bin/biboumi /etc/biboumi/biboumi.cfg
> ExecReload=/bin/kill -s USR1 $MAINPID
> WatchdogSec=20
> Restart=always
> User=nobody
> Group=nobody
> 
> [Install]
> WantedBy=multi-user.target
> --- >8 ---
> 
> 
> A workaround is to place the following in
> /etc/systemd/system/biboumi.service.d/override.conf:
> 
> --- 8< ---
> [Service]
> Group=nogroup
> --- >8 ---
> 
> Even better would be to provide a separate user and group for biboumi. This
> allows hardening the configuration file, making it readable only for the
> biboumi user. This is relevant because the configuration file contains secrets.

Thanks for the bug report, and the proposed workaround.

It sounds like you are more familiar with systemd than me, so would you 
mind proposing a hardened systemd service file?

Also, you are quite welcome to join us in maintaining biboumi packaging 
for Debian, if you are interested. (you need not be a formal Debian 
developer).


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
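
An added example, not part of the original message or of the biboumi package: a shell check for the three conditions raised in this thread (a Group= that does not exist, a shared nobody/nogroup account, and a world-readable configuration file). The names audit_service, unit_value and GROUP_DB are hypothetical, and the group lookup assumes local groups listed in /etc/group.

```shell
#!/bin/sh
# Added example: audit a unit (plus drop-ins) and its secrets-bearing config.
# Assumption: groups are local, so GROUP_DB (default /etc/group) is authoritative.
GROUP_DB=${GROUP_DB:-/etc/group}

# unit_value KEY FILE...
# Last assignment of KEY across the files, read in order (main unit first,
# then drop-ins), because a later User=/Group= line overrides an earlier one.
unit_value() {
    key=$1; shift
    cat "$@" | sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" | tail -n 1
}

# audit_service CONFIG UNIT [DROPIN...]
# Prints one finding per line; returns 1 if anything was flagged, else 0.
audit_service() {
    cfg=$1; shift
    rc=0
    user=$(unit_value User "$@")
    group=$(unit_value Group "$@")

    if [ "$user" = nobody ]; then
        echo "User=nobody: shared account, not dedicated to this service"; rc=1
    fi
    if [ -n "$group" ] && ! grep -q "^$group:" "$GROUP_DB"; then
        echo "Group=$group: no such group, start fails with 216/GROUP"; rc=1
    elif [ "$group" = nobody ] || [ "$group" = nogroup ]; then
        echo "Group=$group: shared group, not dedicated to this service"; rc=1
    fi
    # The config file contains secrets, so "other" must not have read access.
    if [ -n "$(find "$cfg" -perm -0004)" ]; then
        echo "$cfg: world-readable"; rc=1
    fi
    return $rc
}
```

Example call: `audit_service /etc/biboumi/biboumi.cfg /lib/systemd/system/biboumi.service /etc/systemd/system/biboumi.service.d/override.conf`.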
