tags 980079 unreproducible moreinfo
thanks
Nils König:
I must correct myself.
As I ofc only remembered after sending the bug report, I did already change
the initscript once before to start as root (so it can read the root-owned ssl
certs once on startup, before dropping privileges).
So in the default config, the --user switches shouldn't be a problem (but with
CAPABILITIES enabled they probably still are) and the pidfile-dir permission
should be the only problem.
~~ Nils
I'd like to have some more information in order to figure out how I can help
with this issue.
------------
Is the system with this issue running systemd?
Which method of creating an SSL cert is being used?
I've tested mumble-server on Debian 10.7 for this, with the default
configuration, both with and without CAPABILITIES enabled, and I'm able to shut
down mumble-server correctly on a system running systemd. The PID file is
/run/mumble-server/mumble-server.pid and it as well as the murmurd process
disappear when shutting it down with 'systemctl stop mumble-server'.
I understand the problem of needing to start as root in order to read ssl certs,
and I'm assuming this is in relation to creating an SSL cert with LetsEncrypt.
If so I think there's an alternative; I think the SSL cert can be copied with
different ownership + permissions to a location that mumble-server can access
using a "post-hook" or "deploy-hook" call to certbot or dehydrated (or copying
the file manually if making a self-signed SSL cert) to run a script that will
copy the cert(s) and alter file permissions in an automated way. I haven't
actually done this yet but that's the method I last intended to look into.
Mumble upstream also suggests a method of dealing with this by setting the
execute bit on directories in the folder path to get to the SSL certificate to
allow mumble-server to traverse the path and allow it to read the files. I think
this method is less restrictive and less secure though.
https://wiki.mumble.info/wiki/Obtaining_a_Let%27s_Encrypt_Murmur_Certificate
I'm fairly interested in trying to find a good solution to this, because this
permission problem is a common gripe that I hear from users on the Mumble IRC
channel, so if a better solution can be found maybe I could have upstream add it
to the wiki or the website so others could take advantage of it.
-- Chris
--
Chris Knadle
[email protected]
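The deploy-hook approach described above, as an added example that is not part of the bug report or of the Mumble project: a certbot `--deploy-hook` script that copies the renewed chain and key into a directory owned by the service user with a non-world-readable key, so murmurd never needs root or traversal rights on /etc/letsencrypt. The service user/group and destination directory are placeholder assumptions; RENEWED_LINEAGE is the variable certbot exports to deploy hooks.

```shell
#!/bin/sh
# Hypothetical certbot deploy hook for mumble-server (added example, not project code).
# certbot exports RENEWED_LINEAGE as the live/ directory of the certificate it just renewed.
set -eu

# Assumed service account and destination; adjust to the packaged defaults on your system.
MUMBLE_USER="${MUMBLE_USER:-mumble-server}"
MUMBLE_GROUP="${MUMBLE_GROUP:-mumble-server}"
DEST_DIR="${DEST_DIR:-/var/lib/mumble-server/tls}"

# Copy chain + key from $1 into $2 with ownership and modes chosen for the service user.
# install(1) dereferences certbot's live/ symlinks and applies -m regardless of umask.
deploy_certs() {
    src="$1"
    dst="$2"
    # Directory: owner rwx, group rx, nothing for others, so other local users cannot list it.
    install -d -o "$MUMBLE_USER" -g "$MUMBLE_GROUP" -m 0750 "$dst"
    # The chain is public; the private key must be readable by the service user only.
    install -o "$MUMBLE_USER" -g "$MUMBLE_GROUP" -m 0644 "$src/fullchain.pem" "$dst/fullchain.pem"
    install -o "$MUMBLE_USER" -g "$MUMBLE_GROUP" -m 0600 "$src/privkey.pem" "$dst/privkey.pem"
}

# Post-deploy check: succeed only if the copied key is exactly mode 0600.
check_key_mode() {
    [ -n "$(find "$1/privkey.pem" -perm 600)" ]
}

# Only act when invoked by certbot (RENEWED_LINEAGE set); sourcing the file does nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_certs "$RENEWED_LINEAGE" "$DEST_DIR"
    check_key_mode "$DEST_DIR"
    # Pick up the new files; murmurd reads the certificate at startup.
    systemctl restart mumble-server
fi
```

Register it with `certbot renew --deploy-hook /path/to/this-script` (or drop it in /etc/letsencrypt/renewal-hooks/deploy/) so it runs after every successful renewal, while mumble-server's sslCert/sslKey point at the copies in DEST_DIR.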