tags 980079 unreproducible moreinfo
thanks

Nils König:
I must correct myself.

As I ofc only remembered after sending the bug report, I did already change
the initscript once before to start as root (so it can read the root-owned ssl
certs once on startup, before dropping privileges)

So in the default config, the --user switches shouldn't be a problem (but with
CAPABILITIES enabled they probably still are) and the pidfile-dir permission
should be the only problem.

~~ Nils

I'd like to have some more information in order to figure out how I can help with this issue.
------------
Is the system with this issue running systemd?
Which method of creating an SSL cert is being used?

I've tested mumble-server on Debian 10.7 for this, with the default configuration, both with and without CAPABILITIES enabled, and I'm able to shut down mumble-server correctly on a system running systemd. The PID file is /run/mumble-server/mumble-server.pid and it as well as the murmurd process disappear when shutting it down with 'systemctl stop mumble-server'.

I understand the problem of needing to start as root in order to read ssl certs, and I'm assuming this is in relation to creating an SSL cert with LetsEncrypt. If so I think there's an alternative; I think the SSL cert can be copied with different ownership + permissions to a location that mumble-server can access using a "post-hook" or "deploy-hook" call to certbot or dehydrated (or copying the file manually if making a self-signed SSL cert) to run a script that will copy the cert(s) and alter file permissions in an automated way. I haven't actually done this yet but that's the method I last intended to look into.

Mumble upstream also suggests a method of dealing with this by setting the execute bit on directories in the folder path to get to the SSL certificate to allow mumble-server to traverse the path and allow it to read the files. I think this method is less restrictive and less secure though.

https://wiki.mumble.info/wiki/Obtaining_a_Let%27s_Encrypt_Murmur_Certificate


I'm fairly interested in trying to find a good solution to this, because this permission problem is a common gripe that I hear from users on the Mumble IRC channel, so if a better solution can be found maybe I could have upstream add it to the wiki or the website so others could take advantage of it.

   -- Chris

--
Chris Knadle
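The deploy-hook approach Chris sketches above, written out as an added example (this script is not part of the bug report, of certbot, or of the Mumble project). It copies the renewed chain and private key out of the root-only Let's Encrypt tree into a directory the service account can read, so murmurd never needs to start as root and the Let's Encrypt directories keep their default permissions. Assumptions not stated in the thread: the service account is named "mumble-server", the copies live in /etc/mumble-server/ssl, and mumble-server.ini's sslCert= and sslKey= point at the copied files. certbot does export RENEWED_LINEAGE to deploy hooks; dehydrated instead passes the key and fullchain paths as arguments to its deploy_cert hook, so it would call deploy_certs with a directory built from those.

```shell
#!/bin/sh
# Added example: certbot deploy hook that hands a renewed certificate to
# mumble-server with minimal permissions. Not code from the bug report,
# certbot, or Mumble upstream. Assumed (not from the thread): service
# account "mumble-server", destination /etc/mumble-server/ssl.
set -eu

# deploy_certs LINEAGE_DIR DEST_DIR OWNER GROUP
#   Copies fullchain.pem (world-readable, it is public) and privkey.pem
#   (owner rw, group r, others nothing) into DEST_DIR, then hands the
#   directory to OWNER:GROUP. Fails if either input file is missing.
deploy_certs() {
    src="$1"     # e.g. $RENEWED_LINEAGE, /etc/letsencrypt/live/<domain>
    dest="$2"    # directory the service account may read
    owner="$3"   # file owner; root keeps write access
    group="$4"   # service account's group gets read-only access

    [ -r "$src/fullchain.pem" ] && [ -r "$src/privkey.pem" ] || {
        echo "deploy_certs: missing fullchain.pem or privkey.pem in $src" >&2
        return 1
    }

    # Directory: owner rwx, group rx, others nothing. No execute bit for
    # "others" anywhere, so the key is not reachable by path traversal.
    mkdir -p "$dest"
    chmod 0750 "$dest"

    # Write to temporary names, then rename, so a restart racing the hook
    # never reads a half-written key.
    install -m 0644 "$src/fullchain.pem" "$dest/fullchain.pem.tmp"
    install -m 0640 "$src/privkey.pem"   "$dest/privkey.pem.tmp"
    mv -f "$dest/fullchain.pem.tmp" "$dest/fullchain.pem"
    mv -f "$dest/privkey.pem.tmp"   "$dest/privkey.pem"

    # Ownership can only be changed as root; certbot runs deploy hooks as
    # root, so in normal use this branch is taken.
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "$owner:$group" "$dest"
    fi
}

# When invoked by certbot as a --deploy-hook, RENEWED_LINEAGE is set.
# murmurd reads its certificate at startup, hence the restart.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_certs "$RENEWED_LINEAGE" /etc/mumble-server/ssl root mumble-server
    systemctl restart mumble-server
fi
```

Installed as /etc/letsencrypt/renewal-hooks/deploy/mumble-server.sh (executable), certbot runs it after every successful renewal; the same function can be called by hand once for a self-signed certificate. The resulting layout is root:mumble-server 0750 on the directory and 0640 on the key, which is what the default initscript drop to the service user needs without any change to the Let's Encrypt tree.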
