On Thu, 03 Oct 2019, Aaron M. Ucko wrote:
> sslh fails to start on my system, on which I merged the new stock
> "--user sslh" option into /etc/default/sslh:
>
> Oct 3 20:23:01 his-pc sslh-select[11576]: /var/run/sslh/sslh.pid:
> Permission denied
>
> As the message shows, I'm using sslh-select rather than regular sslh,
> as specified in the attached systemd override.conf (whose Requires
> setting should apparently become a .requires symlink, but that's
> another matter).
[...]

> -- Configuration Files:
> /etc/default/sslh changed:
> DAEMON=/usr/sbin/sslh
> DAEMON_OPTS="--user sslh --transparent --listen 192.168.1.2:443 --ssh
> 192.168.1.2:22 --ssl 192.168.1.2:443 --pidfile /var/run/sslh/sslh.pid"
>
> /etc/logcheck/ignore.d.server/sslh [Errno 13] Permission denied:
> '/etc/logcheck/ignore.d.server/sslh'
>
> -- debconf information:
> * sslh/inetd_or_standalone: standalone
>
> [Service]
>
> # Replace the start command and make it use sslh-select
> ExecStart=
> ExecStart=/usr/sbin/sslh-select --foreground $DAEMON_OPTS
>
> # Run sslh as a user and use capabilities to bind ports
> User=sslh
> AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_ADMIN

So I think this is the issue; you're running it as sslh, not root, so it
can't actually drop privileges or write to its pidfile.

The default is for it to run as root, open sockets, write its pidfile,
and then drop permissions:

    if (pid_file)
        write_pid_file(pid_file);

    /* Open syslog connection before we drop privs/chroot */
    setup_syslog(argv[0]);

    if (user_name || chroot_path)
        drop_privileges(user_name, chroot_path);

    if (verbose)
        printcaps();

    main_loop(listen_sockets, num_addr_listen);

-- 
Don Armstrong                      https://www.donarmstrong.com

That's the wonderful thing about crayons. They can take you to more
places than a starship.
 -- Guinan "Star Trek: The Next Generation: Rascals (#6.7)"
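The misconfiguration diagnosed in the reply, as an added example that is not part of the bug thread or of the sslh or Debian packaging: a small POSIX sh lint that reads the two files quoted above (the systemd drop-in and /etc/default/sslh) and flags the combination where the unit already runs as an unprivileged user (User=) while DAEMON_OPTS still asks sslh to switch user itself (--user) and to write a pidfile under a root-owned /run path. The sample files are constructed here to mirror the report (the wrapped DAEMON_OPTS line is joined back onto one line); the "fixed" variants, the use of RuntimeDirectory= to give the service user a writable pid directory, and the function names are this example's own choices, not anything the thread prescribes.

```shell
#!/bin/sh
# Added example (not from the bug report): lint an sslh systemd drop-in and
# /etc/default/sslh for the User= / --user conflict and an unwritable pidfile.

# Usage: check_sslh_config OVERRIDE_CONF DEFAULTS_FILE
# Prints one "FINDING: ..." line per problem; always returns 0.
check_sslh_config() {
    override=$1
    defaults=$2

    # systemd takes the last User= line, so keep the last match.
    unit_user=$(sed -n 's/^User=[[:space:]]*//p' "$override" | tail -n 1)
    runtime_dir=$(sed -n 's/^RuntimeDirectory=[[:space:]]*//p' "$override" | tail -n 1)
    # DAEMON_OPTS="..." is a shell assignment; strip the surrounding quotes.
    opts=$(sed -n 's/^DAEMON_OPTS="\(.*\)"[[:space:]]*$/\1/p' "$defaults" | tail -n 1)
    opt_user=$(printf '%s\n' "$opts" | sed -n 's/.*--user[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p')
    pidfile=$(printf '%s\n' "$opts" | sed -n 's/.*--pidfile[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p')

    # Finding 1: the process is already non-root when it reaches
    # drop_privileges(), so --user cannot take effect. Keep one of the two.
    if [ -n "$unit_user" ] && [ "$unit_user" != root ] && [ -n "$opt_user" ]; then
        echo "FINDING: unit runs as '$unit_user' (User=) but DAEMON_OPTS also passes --user $opt_user;" \
             "a non-root process cannot change user, so remove one of the two"
    fi

    # Finding 2: the pidfile is written before any privilege drop, so with
    # User= set its directory must be writable by that user. RuntimeDirectory=
    # makes systemd create /run/<name> owned by the service user.
    if [ -n "$unit_user" ] && [ "$unit_user" != root ] && [ -n "$pidfile" ]; then
        case $pidfile in
            /var/run/*|/run/*)
                if [ -z "$runtime_dir" ]; then
                    echo "FINDING: --pidfile $pidfile is written as '$unit_user' but the unit sets no RuntimeDirectory=;" \
                         "add RuntimeDirectory=sslh (and point --pidfile into /run/sslh) or drop --pidfile"
                fi
                ;;
        esac
    fi
    return 0
}

# count_findings OVERRIDE_CONF DEFAULTS_FILE -> prints the number of findings
count_findings() {
    check_sslh_config "$1" "$2" | grep -c '^FINDING:' || true
}

# Constructed sample files: the configuration from the report and a corrected
# variant that lets systemd own both the user switch and the pid directory.
write_samples() {
    dir=$1
    cat > "$dir/override.conf" <<'EOF'
[Service]
ExecStart=
ExecStart=/usr/sbin/sslh-select --foreground $DAEMON_OPTS
User=sslh
AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_ADMIN
EOF
    cat > "$dir/sslh" <<'EOF'
DAEMON=/usr/sbin/sslh
DAEMON_OPTS="--user sslh --transparent --listen 192.168.1.2:443 --ssh 192.168.1.2:22 --ssl 192.168.1.2:443 --pidfile /var/run/sslh/sslh.pid"
EOF
    cat > "$dir/override-fixed.conf" <<'EOF'
[Service]
ExecStart=
ExecStart=/usr/sbin/sslh-select --foreground $DAEMON_OPTS
User=sslh
RuntimeDirectory=sslh
AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_ADMIN
EOF
    cat > "$dir/sslh-fixed" <<'EOF'
DAEMON=/usr/sbin/sslh
DAEMON_OPTS="--transparent --listen 192.168.1.2:443 --ssh 192.168.1.2:22 --ssl 192.168.1.2:443 --pidfile /run/sslh/sslh.pid"
EOF
}

# Demo: lint the reported configuration, then the corrected one.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
echo "== as reported =="
check_sslh_config "$demo_dir/override.conf" "$demo_dir/sslh"
echo "== corrected (no findings expected) =="
check_sslh_config "$demo_dir/override-fixed.conf" "$demo_dir/sslh-fixed"
rm -rf "$demo_dir"
```

The two checks deliberately mirror the order in the sslh main() excerpt quoted in the reply: the pidfile is written first, then drop_privileges() runs, so under User= both steps already execute as the unprivileged account and either the directory must be writable by it or the option must go.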