[Freedombox-pkg-team] Bug#910028: pagekite: Stopped logging to /var/log/pagekite/ when using systemd
Petter Reinholdtsen
pere at hungry.com
Mon Oct 1 17:27:24 BST 2018
Package: pagekite
Version: 0.5.9.3-2
Severity: wishlist
Tags: patch
When trying to figure out why some of my pagekite tunnels fail to work,
I had a look in /var/log/pagekite/ on my Freedombox, only to discover
nothing has been logged there since April. I tried to figure out where
the log went, and finally tracked it down to the content of
/lib/systemd/system/pagekite.service, which simply does not specify the
--logfile command line option to pagekite. Using it fails because of the
hardening enabled. The following patch gets the logging working again.
I have no idea why the CapabilityBoundingSet value blocks logging, but it
will as long as /var/log/pagekite/pagekite.log is owned by
daemon:daemon. If the file is owned by root:root, it works.
Anyway, I was able to find the log using "journalctl -f -u pagekite",
but believe it is setting up for a rather bad user experience to simply
stop logging to the old log files without any messages in the directory
that the logging is now done elsewhere. Note, the pagekite log also
seems to go into /var/log/syslog.
May I suggest the logging to /var/log/pagekite/ is reenabled?
diff --git a/debian/pagekite.service b/debian/pagekite.service
index cbb1c18..c7cd74d 100644
--- a/debian/pagekite.service
+++ b/debian/pagekite.service
@@ -10,7 +10,7 @@ ConditionPathExists=/etc/pagekite.d/10_account.rc
[Service]
Type=simple
-ExecStart=/usr/bin/pagekite --clean --runas=daemon:daemon --optdir=/etc/pagekite.d
+ExecStart=/usr/bin/pagekite --clean --runas=daemon:daemon --optdir=/etc/pagekite.d --logfile=/var/log/pagekite/pagekite.log
TimeoutStopSec=5
KillMode=mixed
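Review bot: The new --logfile=/var/log/pagekite/pagekite.log on the ExecStart line assumes the directory and file already exist with ownership that suits a process started with --runas=daemon:daemon, but nothing in this patch creates them or states the expected owner and mode. Please have the package create /var/log/pagekite with defined ownership (maintainer script or a tmpfiles.d entry) and say in the commit message which owner the log file is expected to have, since the report shows the result depends on it.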
@@ -21,13 +21,15 @@ LimitNOFILE=65536
WorkingDirectory=/tmp
# Hardening
-CapabilityBoundingSet=CAP_SETUID CAP_SETGID
+# Enabling CapabilityBoundingSet break logging
+#CapabilityBoundingSet=CAP_SETUID CAP_SETGID
SystemCallFilter=~@clock @debug @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
NoNewPrivileges=yes
PrivateDevices=yes
PrivateTmp=yes
ProtectHome=yes
ProtectSystem=strict
+ReadWritePaths=-/var/log/pagekite
ProtectKernelModules=yes
ProtectKernelTunables=yes
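Review bot: Commenting out CapabilityBoundingSet=CAP_SETUID CAP_SETGID drops the capability restriction for the whole service to fix one file open, and the replacement comment does not say why logging breaks. The reported behaviour (a root:root log file works, a daemon:daemon one does not) matches a process that still runs as root but has no CAP_DAC_OVERRIDE in its bounding set, so it cannot open a file owned by another user unless the mode bits allow it. It would be better to keep the bounding set and either fix the ownership or mode of the log file, or add only the one capability that is actually needed, and to record that reason in the comment. Separately, the "-" prefix in ReadWritePaths=-/var/log/pagekite makes systemd ignore a missing directory silently, in which case ProtectSystem=strict leaves the path read-only and logging fails again without a clear error; drop the "-" if the package guarantees the directory exists.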
--
Happy hacking
Petter Reinholdtsen