Mailing List Archive

mythbackendpre.log permissions
I have the mythfrontendpre.sh script setup fine and discovering my two
hdhomerun devices before starting the backend. However, I'm getting
permission denied on writing /var/log/mythtv/mythbackendpre.log file.

A lack of sleep has shot my Linux brain today. I figure I need to touch to
create an empty file. The other logs in the dir are syslog:adm but what's
the proper chmod?

[reaches for second coffee]

Re: mythbackendpre.log permissions
On Wed, 13 Mar 2024 17:47:00 -0400, you wrote:

The syslog:adm permissions on the log files work because the log
messages are being sent to syslog (rsyslogd) on port 514 and the
rsyslogd daemon receives the messages and sorts out where to write
them to, in accordance with its /etc/rsyslog.conf and /etc/rsyslog.d/*
config files. So the actual file writing is being done by a program
running under user syslog.

Unfortunately, unless you do something to send messages to rsyslogd in
your script instead of writing directly to a log file, the script
needs access to the /var/log directories and the log file it is
writing to under its own user or group. This is a complex permissions
problem, depending usually on group memberships. Your frontend user
will usually belong to the syslog and adm groups, which helps, but
your mythtv user will not.

So what user and group are being used to run mythfrontendpre.sh? Is
it run under user mythtv, or your frontend user?

In practical terms, doing commands like this:

sudo touch /var/log/mythtv/mylogfile.log
sudo chown syslog:adm /var/log/mythtv/mylogfile.log
sudo chmod a+w /var/log/mythtv/mylogfile.log

normally works, but it is less than ideal as it allows universal write
access to the log file. Or running your script as root will always
work. Or putting your log files in /tmp. Or writing a "sudoers"
helper script that has the right permissions, and calling that script
from your actual script. I have done all of the above at various
times for various reasons. And also written scripts in Python instead
of bash, so I can use Python's excellent logging capabilities, which
includes the ability to send things to syslog.

It is always possible to use ACLs (Access Control Lists) instead of
the ordinary permissions mechanisms, which allows fine-grained access.
See the setfacl and getfacl commands and also "man acl". Most Linux
distros have ACLs enabled in the kernel now, and the system does use
them in various places, but you normally do not notice as the usual
listing tools like ls do not show the ACLs. As an example, I run a
mosquitto server (running under user mosquitto), which needs to use my
Let's Encrypt certificates to allow encrypted connections. So in the
script I run when the certificates are automatically updated, I have
this:

setfacl -R -m u:mosquitto:rX /etc/letsencrypt/{live,archive}

which gives the mosquitto user read access to the directory where the
links to the current certificates are (live) and to the directory
where the actual certificate files are (archive). So to allow
programs running as the mythtv user to write to a log file, this might
work:

sudo touch /var/log/mythtv/mylogfile.log
sudo chown syslog:adm /var/log/mythtv/mylogfile.log
sudo setfacl -m u:mythtv:rwx /var/log/mythtv/mylogfile.log

I have not actually tried that setfacl command though - I might have
missed something.
_______________________________________________
mythtv-users mailing list
mythtv-users@mythtv.org
http://lists.mythtv.org/mailman/listinfo/mythtv-users
http://wiki.mythtv.org/Mailing_List_etiquette
MythTV Forums: https://forum.mythtv.org
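The setfacl suggestion above hands the decision to the kernel's ACL evaluation, where the mask entry can quietly cancel a named-user grant. As an added example (not code from the thread), this sh script applies the acl(5) evaluation order to pasted getfacl output; the ACL texts and the user and group names are constructed, and the mask shrink in the second sample is what a later "chmod g-w" would do.

```shell
#!/bin/sh
# Evaluate a POSIX ACL (pasted getfacl text) for one user, following acl(5).
# Constructed check for this thread, not code from the list.
set -eu

has_perm() { case "$1" in *"$2"*) return 0 ;; esac; return 1; }   # triple has bit?
entry() { printf '%s\n' "$1" | sed -n "s/^$2\(...\).*/\1/p" | head -n 1; }

# acl_can USER "GROUP LIST" PERM ACLTEXT -> prints yes or no
acl_can() {
    user=$1 groups=$2 perm=$3 acl=$4
    owner=$(printf '%s\n' "$acl" | sed -n 's/^# owner: //p')
    ogroup=$(printf '%s\n' "$acl" | sed -n 's/^# group: //p')
    mask=$(entry "$acl" 'mask::')       # empty on a minimal ACL: no masking
    # 1. the file owner is judged by user:: alone, never masked
    if [ "$user" = "$owner" ]; then
        has_perm "$(entry "$acl" 'user::')" "$perm" && echo yes || echo no; return
    fi
    # 2. a named user entry (what setfacl -m u:mythtv:... adds), cut by the mask
    p=$(entry "$acl" "user:$user:")
    if [ -n "$p" ]; then
        has_perm "$p" "$perm" && has_perm "${mask:-rwx}" "$perm" && echo yes || echo no; return
    fi
    # 3. owning group or named groups: any match may grant, and a match that
    #    lacks the bit denies instead of falling through to other::
    matched=0
    for g in $groups; do
        if [ "$g" = "$ogroup" ]; then p=$(entry "$acl" 'group::'); else p=$(entry "$acl" "group:$g:"); fi
        [ -n "$p" ] || continue
        matched=1
        if has_perm "$p" "$perm" && has_perm "${mask:-rwx}" "$perm"; then echo yes; return; fi
    done
    [ "$matched" -eq 0 ] || { echo no; return; }
    # 4. everyone else
    has_perm "$(entry "$acl" 'other::')" "$perm" && echo yes || echo no
}

# Constructed getfacl output after: chown syslog:adm, chmod 640,
# setfacl -m u:mythtv:rw-  (setfacl recalculates the mask to rw-)
ACL_OK='# owner: syslog
# group: adm
user::rw-
user:mythtv:rw-
group::r--
mask::rw-
other::---'
# Same file after a later "chmod g-w": on an extended ACL the group bits are
# the mask, so the named entry drops to what getfacl shows as #effective:r--
ACL_MASKED=$(printf '%s\n' "$ACL_OK" | sed 's/^mask::rw-/mask::r--/')
```

Run `acl_can mythtv "mythtv video" w "$(getfacl -p /var/log/mythtv/mythbackendpre.log)"` on the real file to see what the mythtv user will actually get.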

Re: mythbackendpre.log permissions
On Wed, Mar 13, 2024, 9:31 p.m. Stephen Worthington <stephen_agent@jsw.gen.nz> wrote:

Hi Stephen,

The script is from here:
https://www.mythtv.org/wiki/Silicondust_HDHomeRun_setup

It's used to ensure that the Homeruns are running before the backend is
started so it's part of the systemd stuff:

/etc/systemd/system/mythtv-backend.service.d/override.conf

[Unit]
After=network-online.target
Wants=network-online.target
[Service]
ExecStartPre=/usr/local/bin/mythbackendpre.sh

The script just does the checks for the HDHomerun(s) and logs it.
Unfortunately the wiki entry just contains the vague instruction: "That log
file will need write permissions set."

So I guess it needs to be the user that runs systemd?


Re: mythbackendpre.log permissions
On Thu, 14 Mar 2024 08:01:01 -0400, you wrote:


Unless you specify otherwise, systemd will run everything as root.
However, the standard mythtv-backend.service file includes this line:

User=mythtv

so mythbackendpre.sh will be run from user mythtv. Which means that
you will have to do something like the touch/chown/setfacl commands to
create the log file for it, and they need to be done as root, so could
not be done from the mythtv-backend.service file except by using a
sudo helper script. Which is complicated.

The other alternative, which I think would be easier, would be to run
mythfrontendpre.sh as a separate systemd unit, and then make
mythtv-backend wait for the mythfrontendpre.service to complete before
it is run. Then the mythfrontendpre.sh service can just be run as
root. So you would put something like this in your
mythtv-backend.service override files:

[Unit]
Wants=mythbackendpre.service
After=mythbackendpre.service

That is what I do with my local-network-pingable.service.

Another alternative is to use the systemd journal to log to. To do
that, you make the output from mythfrontendpre.sh go to stdout instead
of putting it in a log file. You can then see the output by doing
"journalctl -u mythtv-backend". I think stderr output also goes to
the journal.
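The second suggestion above (a separate unit that runs as root, with the backend ordered after it and output going to the journal) written out as complete unit files. This is an added example, not anything from the thread or the MythTV wiki; the unit name mythbackendpre.service and the script path /usr/local/bin/mythbackendpre.sh follow the thread, the Description text is an assumption.

```shell
#!/bin/sh
# Split the HDHomeRun pre-start check into its own root-run oneshot unit and
# make mythtv-backend wait for it.  Added example for this thread; unit text
# is constructed, not taken from the MythTV wiki.
set -eu

# install_units DIR -> writes both unit files under DIR (/etc/systemd/system)
install_units() {
    dest=$1
    mkdir -p "$dest/mythtv-backend.service.d"
    # No User= line, so this runs as root; stdout/stderr land in the journal,
    # so the script needs no log file at all.
    cat > "$dest/mythbackendpre.service" <<'EOF'
[Unit]
Description=Wait for HDHomeRun tuners before mythbackend starts
After=network-online.target
Wants=network-online.target

[Service]
Type=oneshot
ExecStart=/usr/local/bin/mythbackendpre.sh
StandardOutput=journal
StandardError=journal
EOF
    # The backend override only orders after the pre unit; the old
    # ExecStartPre= (which ran as User=mythtv) is gone.
    cat > "$dest/mythtv-backend.service.d/override.conf" <<'EOF'
[Unit]
Wants=mythbackendpre.service
After=mythbackendpre.service
EOF
}

# unit_user FILE -> the account a unit's [Service] runs as; root if no User=
unit_user() {
    u=$(sed -n 's/^User=//p' "$1")
    printf '%s\n' "${u:-root}"
}

if [ "${1:-}" = install ]; then
    install_units /etc/systemd/system
    systemctl daemon-reload
    echo 'Check with: journalctl -u mythbackendpre'
fi
```

Run the script with the single argument `install` as root to write the files and reload systemd; `unit_user /lib/systemd/system/mythtv-backend.service` shows why the packaged unit could never create the log file itself.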

Re: mythbackendpre.log permissions
On Thu, Mar 14, 2024, 8:34 a.m. Stephen Worthington <stephen_agent@jsw.gen.nz> wrote:

Thanks again for a great explanation. Realizing it's not something I need
to check on frequently, I went with the last option you suggested and used
the journal method.

Thanks again.
