superm1 | james_w said that this upstart script causes problems with shutdown: http://bazaar.launchpad.net/~ubuntu-mythtv/mythtv/mythtv-trunk-022/annotate/head%3A/debian/mythtv-backend.upstart | 16:36 |
---|---|---|
superm1 | because /bin/su opens a pam session. if not via /bin/su, what's the right way to run an upstart started system daemon as a diff user? | 16:37 |
Keybuk | why is su not the right way? | 16:58 |
Keybuk | is mythtv-backend supposed to run as a user | 16:59 |
Keybuk | or as a different uid | 16:59 |
Keybuk | (they're different things :p) | 16:59 |
superm1 | i'm not sure why james_w said that su wasn't the right way, let me have him pop in here to indicate why he was thinking | 17:00 |
superm1 | different user (i think), because want to have the right $HOME etc as that user | 17:01 |
james_w | hey | 17:05 |
superm1 | james_w, "<Keybuk> why is su not the right way?" | 17:06 |
Keybuk | there's a difference between | 17:06 |
james_w | bug https://bugs.launchpad.net/ubuntu/+source/mythtv/+bug/445953 | 17:07 |
Keybuk | "foo service needs to run as user bar" | 17:07 |
Keybuk | and | 17:07 |
Keybuk | "foo service needs to run as uid bar" | 17:07 |
Keybuk | which do you want? :) | 17:07 |
Keybuk | james_w: isn't that a bug in whatever's asking for the passphrase? it should ignore non-interactive logins, surely? | 17:08 |
james_w | I don't know | 17:08 |
james_w | well | 17:08 |
james_w | this is something that has been in flux | 17:08 |
superm1 | Keybuk, what characteristics would come with running as a different user versus different uid? | 17:08 |
james_w | previously there was no way for it to know whether a login was interactive | 17:08 |
Keybuk | yes there is | 17:09 |
Keybuk | there's been a way for 30-40 years | 17:09 |
james_w | then we got the /etc/pam.d/common-session{,-noninteractive} split | 17:09 |
Keybuk | it's called utmp | 17:09 |
Keybuk | superm1: well, for a start, having a PAM session ;-) | 17:09 |
james_w | ok, given its architecture it didn't know | 17:10 |
Keybuk | superm1: that implies having the environment of that user, e.g. $HOME set right and stuff | 17:10 |
james_w | this split makes it work in the common case | 17:10 |
Keybuk | james_w: that's still a consolekit bug though | 17:10 |
superm1 | Keybuk, okay then definitely we want it running as a user. it does make reference to stuff in $HOME | 17:10 |
james_w | but it is assumed that /bin/su is an interactive login | 17:10 |
Keybuk | (or a pam bug) | 17:10 |
Keybuk | james_w: why? su is only a *login* if run with -, -l or --login | 17:10 |
james_w | consolekit has a narrow interface to this | 17:11 |
james_w | pam-ck-connector creates a consolekit session from the pam stack when it is included in the pam config for that service | 17:11 |
Keybuk | so? :) | 17:12 |
Keybuk | it's still a bug at that end | 17:12 |
Keybuk | superm1's upstart job *does not* create a login shell | 17:12 |
james_w | I'm not arguing that this is the correct way to do things | 17:12 |
Keybuk | so no login shell or interactiveness should be assumed | 17:12 |
james_w | I'm telling you the status quo | 17:12 |
Keybuk | :) | 17:16 |
james_w | if you know how to fix pam-ck-connector so that we can not create sessions for non-interactive sessions that would be useful | 17:17 |
james_w | this is the first time we have hit this with upstart jobs. | 17:17 |
Keybuk | I don't know enough about PAM | 17:18 |
james_w | with init scripts the fix is easy as start-stop-daemon has --chuid | 17:18 |
Keybuk | or CK | 17:18 |
Keybuk | james_w: that's why I asked right at the top | 17:18 |
Keybuk | is mythtv-backend supposed to run as a user | 17:18 |
Keybuk | or as a different uid | 17:18 |
james_w | and I don't know enough about anything | 17:18 |
james_w | it sounds like it would be useful to have you, pitti and slangasek locked in a room for 30 minutes to work out the best solution | 17:20 |
=== notting_ is now known as notting |