Add systemd service file #12
Adds systemd service file to start up foswiki automatically. Note that the user still has to replace the value for 'WorkingDirectory' as that setting does not support variable substitution. A workaround could be that we start a script that starts foswiki.fcgi in the right working directory.
Thanks. Your example file has been added to FastCGIEngineContrib.
The provided systemd service file runs the foswiki FastCGI process as root which is very bad from a security standpoint. A vulnerability in Foswiki could compromise the whole system. Can you add (parametrized) User= and Group= directives to the example service file? I can make a separate PR for this
Hi, good find, thanks. I tried adding the parameterized User & Group directives, but the parameters appear to be ignored. At least on Ubuntu 16.04, I could only change the user/group by hardcoding them into the service file. I'm also having a bit of trouble with the PIDFile. The service doesn't create one, whereas the traditional init script does. As the traditional foswiki init script appears to work fine on systemd systems, I'm wondering if it might be better to just drop this file.
Indeed, it looks like User= and Group= cannot take parameters, my bad. The PIDfile issue probably comes from the fact that you don't have write permissions to /var/run as a non-privileged user. The initscript works because it creates and chowns the file as root before dropping privileges.
Both of your solutions work fine. I'm not certain which solution to make the default. The PIDFile can be a parameter, so probably best to default to /var/run/foswiki/foswiki.pid and add some installation instructions. It's disappointing that none of User, Group and WorkingDirectory can use variables.

Digging a little more, the other way to override which does support overriding User, Group and WorkingDirectory is to put the overrides in a "drop-in" file - /etc/systemd/system/foswiki-fcgi.service.d/foswiki.conf

Now to figure out the best way to document all this. I'm not sure it's worth going to all the effort to create a drop-in and override such a small service file, rather than just having the user edit it.

Thanks again.
On 03/20/2017 05:07 AM, Maxime Besson wrote:

Indeed, it looks like User= and Group= cannot take parameters, my bad. The PIDfile issue probably comes from the fact that you don't have write permissions to /var/run as a non-privileged user. The initscript works because it creates and chowns the file as root before dropping privileges.

I can think of two solutions:
* use /var/run/foswiki/foswiki.pid instead, the user would need to create /var/run/foswiki/ and chown it to the user running the foswiki service. Most non-privileged services already do something like this
* use /var/www/foswiki/working/foswiki.pid, as this folder necessarily has write permission from the foswiki user
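A service file along the lines discussed in this thread: the root-running form the reviewer objected to, beside an unprivileged form that also solves the PID file problem, and a drop-in that overrides the settings systemd will not expand from variables. This is an added example written for this page, not the file shipped in FastCGIEngineContrib. The unit name `foswiki-fcgi.service`, the install path `/var/www/foswiki`, the `www-data` account and the `foswiki.fcgi` command-line flags are assumptions; check them against the contrib's documentation and your distribution before use.

```ini
# --- /etc/systemd/system/foswiki-fcgi.service (form 1: what the thread objects to) ---
# No User=/Group=, so systemd starts foswiki.fcgi as root. Any code-execution
# bug reachable through the wiki then runs with full system privileges.
#
# [Service]
# Type=forking
# WorkingDirectory=/var/www/foswiki/bin
# ExecStart=/var/www/foswiki/bin/foswiki.fcgi --daemon --pidfile /var/run/foswiki.pid
# PIDFile=/var/run/foswiki.pid

# --- /etc/systemd/system/foswiki-fcgi.service (form 2: unprivileged) ---
[Unit]
Description=Foswiki FastCGI server
After=network.target

[Service]
Type=forking
# User=, Group= and WorkingDirectory= take literal values only (no $VAR
# expansion), so either edit them here or override them in a drop-in.
# Account assumed for the example: use whatever owns /var/www/foswiki/working.
User=www-data
Group=www-data
WorkingDirectory=/var/www/foswiki/bin
# systemd creates /run/foswiki (on Ubuntu 16.04 /var/run is a symlink to /run)
# owned by User:Group before ExecStart runs and removes it on stop, so the
# unprivileged process can write its PID file there without any chown step.
# The thread's other option, a PID file under /var/www/foswiki/working/, needs
# no runtime directory at all.
RuntimeDirectory=foswiki
RuntimeDirectoryMode=0750
PIDFile=/run/foswiki/foswiki.pid
# Flags assumed for the example; verify against the FastCGIEngineContrib docs.
ExecStart=/var/www/foswiki/bin/foswiki.fcgi --daemon --pidfile /run/foswiki/foswiki.pid
# Cheap extra containment once the service is no longer root: block setuid
# escalation, give it a private /tmp, and mount /usr, /boot and /etc read-only.
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=full

[Install]
WantedBy=multi-user.target

# --- /etc/systemd/system/foswiki-fcgi.service.d/foswiki.conf (drop-in override) ---
# Site-specific values live here so the shipped unit can stay untouched.
# Single-valued settings such as these simply replace the unit's value.
[Service]
User=foswiki
Group=foswiki
WorkingDirectory=/srv/foswiki/bin
```

After installing the unit or the drop-in, run `systemctl daemon-reload` and then `systemctl show -p User,Group,WorkingDirectory,PIDFile foswiki-fcgi.service` to confirm the effective values; an empty `User=` in that output means the service is still root. Note that `ExecStart=` is a list setting, so a drop-in that changes the command must first clear it with a bare `ExecStart=` line before giving the new value, whereas `User=`, `Group=` and `WorkingDirectory=` are replaced outright.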
I've created https://foswiki.org/Tasks/Item14346 to address this issue.