Bug#931366: krb5-admin-server nor krb5-kdc service cannot write their log files

Wed, 03 Jul 2019 02:39:46 -0700 

Package: src:krb5
Severity: important
Version: 1.17-3
User: debian-...@lists.debian.org
Usertags: debian-edu
X-Debbugs-Cc: debian-...@lists.debian.org

Hi Sam et al,
When restarting krb5-kdc or krb5-admin-server on a fresh Debian Edu buster main server, I see the following logs lines in syslog:
Jul 3 11:08:16 tjener krb5kdc[22684]: Couldn't open log file /var/log/kdc.log: Das Dateisystem ist nur lesbar 
[...]
Jul 3 11:10:06 tjener kadmind[23272]: Couldn't open log file /var/log/krb5.log: Das Dateisystem ist nur lesbar 

(Translation: Das Dateisystem ist nur lesbar: The file system is read-only)

As expected by the error message, not log output gets produced.
The following two systemd service file patches fix the issue (appending /var/log to ReadWriteDirectories= key): 

```
root@tjener:~/fixes-buster# diff -u krb5-admin-server.service.orig krb5-admin-server.service 
--- krb5-admin-server.service.orig      2019-07-03 11:26:51.607417138 +0200
+++ krb5-admin-server.service   2019-07-03 11:25:37.843418670 +0200
@@ -8,7 +8,7 @@
 EnvironmentFile=-/etc/default/krb5-admin-server
 InaccessibleDirectories=-/etc/ssh -/etc/ssl/private  /root
 ReadOnlyDirectories=/
-ReadWriteDirectories=-/var/tmp /tmp /var/lib/krb5kdc -/var/run /run
+ReadWriteDirectories=-/var/tmp /tmp /var/lib/krb5kdc -/var/run /run /var/log
 CapabilityBoundingSet=CAP_NET_BIND_SERVICE
 Restart=on-abnormal

```

```
root@tjener:~/fixes-buster# diff -u krb5-kdc.service.orig krb5-kdc.service
--- krb5-kdc.service.orig       2019-07-03 11:26:57.275417080 +0200
+++ krb5-kdc.service    2019-07-03 11:25:45.183417900 +0200
@@ -10,7 +10,7 @@
 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5-kdc.pid $DAEMON_ARGS
 InaccessibleDirectories=-/etc/ssh -/etc/ssl/private  /root
 ReadOnlyDirectories=/
-ReadWriteDirectories=-/var/tmp /tmp /var/lib/krb5kdc -/var/run /run
+ReadWriteDirectories=-/var/tmp /tmp /var/lib/krb5kdc -/var/run /run /var/log
 CapabilityBoundingSet=CAP_NET_BIND_SERVICE
 Restart=on-abnormal


```

Can you make sure that these fixes make it into Debian 10.1? Thanks,
Mike
--

DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 486 14 27

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de

Attachment: pgpdK7NPK7Rsk.pgp
Description: Digitale PGP-Signatur

Reply via email to