[Pkg-mpd-maintainers] Bug#887834: Bug#887834: Bug#887834: mpd installation fails, cannot open /var/lib/mpd/tag_cache, /run/mpd/pid

Max Kellermann max at blarg.de
Fri Nov 5 05:10:43 GMT 2021 

On 2021/11/05 05:55, Florian Schlichting <fsfs at debian.org> wrote:
> However, Max: behind this hides another problem, which is why I asked
> Ryan to delete the pid_file configuration: as part of 0.23.3 you added
> the "RuntimeDirectory=mpd" directive to both mpd.service units. In the
> absence of User and Group directives, this causes /run/mpd to change
> ownership from mpd:audio (as created by our
> /usr/lib/tmpfiles.d/mpd.conf) to root:root, which means that mpd would
> have to be run as root in order to be able to create a socket or a
> pidfile (yes, legacy) there. I think that's broken from an upstream
> perspective as well, and only works when running mpd as user.

True, and the real fix would be to finally cease launching MPD as
root, which is an anachronism.

> I suppose the best way forward is to specify User=mpd and Group=audio
> in the system unit, however this immediately hits a snag when mpd tries
> to open its log file /var/log/mpd/mpd.log, which up to now is created as
> root. This we could probably work around in Debian, and defaulting to
> log to syslog/journal also feels sensible, but I'm not sure if there may
> be other things that mpd might want to be root for when starting up as a
> system service?

The right way to have a writable /var/log/mpd is "LogsDirectory=mpd",
but I don't want to do that.  Per-daemon log files are an anachronism,
too.  Just like starting daemons as root, PID files, per-daemon
daemonization code and so on ... all the good stuff that systemd can
do for us, stuff which in ancient times every daemon had unnecessary
duplicate code for.

Another thing that MPD could fail if we don't launch MPD as root is
binding to "privileged ports" (another anachronism).  For example, a
httpd streaming output could be bound to a low port.  People who do
that could add a drop-in with
"AmbientCapabilities=CAP_NET_BIND_SERVICE" to give MPD permission for
that.

More information about the Pkg-mpd-maintainers mailing list