Yeah... I'm just realizing this after seeing the -discuss post.<div><br></div><div>:/ -- my bad.</div><div><br></div><div>So... I'm a bit perplexed as to why this doesn't work.</div><div><br></div><div>I've modified upstart to start the baron process as baron/barons, as confirmed with strace:</div>
<div><br></div><div><div>`--> sudo strace -ff -q -e trace=fork,execve,setgid,setuid -p 1</div><div>[pid 18236] setgid(124) = 0</div><div>[pid 18236] setuid(31516) = 0</div><div>[pid 18236] execve("/usr/local/share/baron/noisebridge-baron/baron.py", ["/usr/local/share/baron/noisebrid"..., "--codefile", "/usr/local/share/baron/codes.txt", "--port", "/dev/ttyS5", "--logfile", "/usr/local/share/baron/baron.log"], [/* 4 vars */]) = 0</div>
<div>--- SIGCHLD (Child exited) @ 0 (0) ---</div><div><br></div><div>But this is then logging that:</div><div><br></div><div>ERROR Serial port setup failed: /dev/ttyS5: <class 'serial.serialutil.SerialException'>: could not open port /dev/ttyS5: [Errno 13] Permission denied: '/dev/ttyS5'</div>
<div><br></div><div>I think that user "baron" should have access to this by being in the "dialout" group.</div><div><br></div><div><div>`--> id baron</div><div>uid=31516(baron) gid=100(users) groups=100(users),20(dialout),124(barons)</div>
</div><div><br></div><div><div>`--> ls -l /dev/ttyS5 </div><div>crw-rw---- 1 root dialout 4, 69 Jan 22 11:37 /dev/ttyS5</div></div><div><br></div><div><br></div><div>I was going to say that maybe init / upstart needs to be re-started, but minotaur rebooted while I wrote this mail! :p</div>
<div><br></div><div><div>`--> uptime</div><div> 11:39:51 up 2 min, 3 users, load average: 0.21, 0.17, 0.07</div></div><br><div class="gmail_quote">On Tue, Jan 22, 2013 at 11:19 AM, Danny O'Brien <span dir="ltr"><<a href="mailto:danny@spesh.com" target="_blank">danny@spesh.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Aha!<br><br>Jof, could you fix your thing? It is borken -- the script doesn't have enough permissions to write to its own log (fixed) and ttySwhatever (which still needs to be fixed)<br>
<br>d.<br><br><br><div class="gmail_quote"><div><div class="h5">
On Tue, Jan 22, 2013 at 1:57 AM, Jonathan Lassoff <span dir="ltr"><<a href="mailto:jof@thejof.com" target="_blank">jof@thejof.com</a>></span> wrote:<br></div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div><div class="h5">
I was looking at baron on minotaur tonight and thought that some of the permissions were a bit too open for the codes and log file.<div><br></div><div>Maybe we should rotate or truncate the log after a while? Seems like we're collecting info on users' comings and goings, and there's no real reason to keep that forever.</div>
<div><br></div><div><br></div><div>I think we should use the existing "barons" group for allowing access to modify the daemons state.</div><div><br></div><div>So, I did:</div><div><br></div><div>sudo chmod 0660 /usr/local/share/baron/codes.txt (owned by root / barons)</div>
<div>sudo chmod 0640 /usr/local/share/baron/baron.log (owned by root / root)</div><div><br></div><div>The daemon is already running as root (lulz)</div><div><br></div><div><div>`--> ps aux ...</div><div>USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND</div>
<div>root 1 0.0 0.1 24596 2556 ? Ss Jan09 0:08 /sbin/init</div><div>[...snip...]</div><div>root 1637 0.0 0.5 56724 10656 ? Ss Jan09 0:27 /usr/bin/python /usr/local/share/baron/noisebridge-baron/baron.py --codefile /usr/local/share/baron/codes.txt --port /dev/ttyS5 --logfile /usr/local/share/baron/baron.log</div>
</div><div><br></div><div>I added a baron user:</div><div><br></div><div>sudo useradd -G barons --shell /bin/sh --home-dir /nonexistant --no-create-home --no-user-group baron</div><div><br></div><div>and then added a "setuid baron" and "setgid barons" line to /etc/init/baron.conf</div>
<div><br></div><div><br></div><div><br></div><div>I pushed this change and a readme to github as well:</div><div><br></div><div><a href="https://github.com/noisebridge/noisebridge-baron/commit/29f4dc6003bdc876dd7b50c8c6ee2df75e1478a1" target="_blank">https://github.com/noisebridge/noisebridge-baron/commit/29f4dc6003bdc876dd7b50c8c6ee2df75e1478a1</a></div>
<div><br></div><div><br></div><div>Now, I just need to figure out how to handle getting the daemon to reopen logfiles in response to a signal, so logrotate can truncate cleanly.</div><span><font color="#888888"><div>
<br></div><div>--j</div>
</font></span><br></div></div>_______________________________________________<br>
Rack mailing list<br>
<a href="mailto:Rack@lists.noisebridge.net" target="_blank">Rack@lists.noisebridge.net</a><br>
<a href="https://www.noisebridge.net/mailman/listinfo/rack" target="_blank">https://www.noisebridge.net/mailman/listinfo/rack</a><br>
<br></blockquote></div><br>
</blockquote></div><br></div>