Bug#854252: biboumi: systemd unit file references non-existent group

Jonas Smedegaard jonas at jones.dk
Sun Feb 5 15:25:33 UTC 2017


Hi Jonas (name brother :-) )

Quoting Jonas Wielicki (2017-02-05 14:50:02)
> systemctl start biboumi fails because the group "nobody" does not exist:
> 
> --- 8< ---
> root@biboumi:~# systemctl restart biboumi
> Job for biboumi.service failed. See 'systemctl status biboumi.service' and 'journalctl -xn' for details.
> 
> root@biboumi:~# systemctl status biboumi
> ● biboumi.service - Biboumi, XMPP to IRC gateway
>    Loaded: loaded (/lib/systemd/system/biboumi.service; disabled)
>    Active: failed (Result: start-limit) since Sun 2017-02-05 10:20:43 UTC; 547ms ago
>      Docs: man:biboumi(1)
>            https://biboumi.louiz.org
>   Process: 12981 ExecStart=/usr/bin/biboumi /etc/biboumi/biboumi.cfg (code=exited, status=216/GROUP)
>  Main PID: 12981 (code=exited, status=216/GROUP)
> 
> root@biboumi:~# systemctl cat biboumi
> # /lib/systemd/system/biboumi.service
> [Unit]
> Description=Biboumi, XMPP to IRC gateway
> Documentation=man:biboumi(1) https://biboumi.louiz.org
> After=network.target
> 
> [Service]
> Type=notify
> ExecStart=/usr/bin/biboumi /etc/biboumi/biboumi.cfg
> ExecReload=/bin/kill -s USR1 $MAINPID
> WatchdogSec=20
> Restart=always
> User=nobody
> Group=nobody
> 
> [Install]
> WantedBy=multi-user.target
> --- >8 ---
> 
> 
> A workaround is to place the following in
> /etc/systemd/system/biboumi.service.d/override.conf:
> 
> --- 8< ---
> [Service]
> Group=nogroup
> --- >8 ---
> 
> Even better would be to provide a separate user and group for biboumi. This
> allows hardening the configuration file, making it readable only by the biboumi
> user. This is relevant because the configuration file contains secrets.

Thanks for the bug report, and the proposed workaround.

It sounds like you are more familiar with systemd than me, so would you 
mind proposing a hardened systemd service file?

Also, you are quite welcome to join us in maintaining biboumi packaging 
for Debian, if you are interested. (you need not be a formal Debian 
developer).


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
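
The failure reported above (status=216/GROUP, because the unit's Group=nobody does not exist) can be caught before the service is ever started. The shell check below is an added example, not part of the original messages or of the biboumi packaging; the function names are hypothetical, and it assumes accounts live in local passwd/group files (other NSS sources are not consulted).

```shell
#!/bin/sh
# Added example: verify that User=/Group= in a systemd unit resolve to real
# accounts. Works on a unit file or on saved `systemctl cat UNIT` output,
# where drop-ins follow the main unit and later assignments win.

# Print the last value assigned to KEY inside any [Service] section of FILE.
unit_value() {  # unit_value KEY FILE
    awk -v key="$1" '
        /^\[/ { in_service = ($0 == "[Service]"); next }
        in_service && index($0, key "=") == 1 { val = substr($0, length(key) + 2) }
        END { print val }
    ' "$2"
}

# Succeed if NAME is the first field of a line in a passwd/group-format file.
has_entry() {  # has_entry NAME DBFILE
    awk -F: -v name="$1" '$1 == name { found = 1 } END { exit !found }' "$2"
}

# Report unresolved User=/Group= values; return status is the problem count.
check_unit() {  # check_unit UNIT [PASSWD_FILE] [GROUP_FILE]
    unit=$1 passwd=${2:-/etc/passwd} group=${3:-/etc/group} problems=0
    user=$(unit_value User "$unit")
    grp=$(unit_value Group "$unit")
    if [ -n "$user" ] && ! has_entry "$user" "$passwd"; then
        echo "User=$user not found in $passwd (systemd exit 217/USER)"
        problems=$((problems + 1))
    fi
    if [ -n "$grp" ] && ! has_entry "$grp" "$group"; then
        echo "Group=$grp not found in $group (systemd exit 216/GROUP)"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Stand-alone use: sh check-unit.sh /lib/systemd/system/biboumi.service
if [ "$#" -gt 0 ]; then
    check_unit "$@"
fi
```

Run against the unit quoted above on a system that has `nogroup` but no `nobody` group, it reports the Group= line; with the override drop-in appended it reports nothing.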