computers / news.software.nntp / Re: innd: SERVER cant open /var/www/inn/inn_status.html: Permission denied

innd: SERVER cant open /var/www/inn/inn_status.html: Permission denied

<1fa7c51d-79c0-4411-bb01-1a01bc6ea891n@googlegroups.com>

 by: Jeffery Small - Tue, 4 Oct 2022 15:15 UTC

I recently upgraded from Xubuntu 20.04 to 22.04.1. The upgrade was very rocky, but no changes were made (by me!) to the inn2 installation. Inn is the standard repository package version 2.6.4-2build4. The news system is working generally. Ever since the upgrade, I'm getting a steady stream of the error message (see subject line) but I cannot determine why. The file exists where it always has. (Note that /var/www is a symlink and the actual path is /x/u/www/inn/inn_status.html)

% ls -l /var/www/inn/inn_status.html
-rw-rw-r-- 1 news news 1057 Sep 2 15:25 /var/www/inn/inn_status.html

All programs in /usr/lib/news/bin are owned by root. The /etc/cron.d/inn2 file remains unchanged.

% cat /etc/cron.d/inn2
###############################################################################
# minute hours dom month dow usercommand
# 0-59 0-23 0-31 1-12 0-6 (0:Sun)
###############################################################################
SHELL=/bin/sh
PATH=/usr/lib/news/bin:/sbin:/bin:/usr/sbin:/usr/bin

# Expire old news and overview entries nightly, generate reports.

15 6 * * * news test -x /usr/lib/news/bin/news.daily && news.daily expireover lowmark delayrm

# Refresh the cached IP addresses every day.

2 3 * * * news [ -x /usr/sbin/ctlinnd ] && ctlinnd -t 300 -s reload incoming.conf "flush cache"

# Every hour, run an rnews -U. This is not only for UUCP sites, but
# also to process queud up articles put there by nnrpd in case
# innd wasn't accepting any articles.

50 * * * * news [ -x /usr/bin/rnews ] && rnews -U

# Enable this entry to send posted news back to your upstream provider.
# Also edit /etc/news/nntpsend.ctl !
# Not if you use innfeed, of course.

10 * * * * news nntpsend

# Enable this if you want to send news by uucp to your provider.
# Also edit /etc/news/send-uucp.cf !

#22 * * * * news send-uucp.pl

# NINPATHS ###################################################################
# To enable ninpaths please add this line to /etc/news/newsfeeds:
# inpaths!:*:Tc,WP:/usr/lib/news/bin/ginpaths2
# #6 6 * * * news ctlinnd -s -t 60 flush inpaths!
#8 6 1 * * news sendinpaths
# NINPATHS ###################################################################

% pgrep -fa -- inn
784328 /usr/lib/news/bin/innd -f
784347 /bin/sh /usr/lib/news/bin/innwatch -i 60

Any suggestions greatly appreciated.

Re: innd: SERVER cant open /var/www/inn/inn_status.html: Permission denied

<874jwjsj66.fsf@hope.eyrie.org>

 by: Russ Allbery - Tue, 4 Oct 2022 15:27 UTC

Jeffery Small <jefferysmall@gmail.com> writes:

> I recently upgraded from Xubuntu 20.04 to 22.04.1. The upgrade was very
> rocky, but no changes were made (by me!) to the inn2 installation. Inn
> is the standard repository package version 2.6.4-2build4. The news
> system is working generally. Ever since the upgrade, I'm getting a
> steady stream of the error message (see subject line) but I cannot
> determine why. The file exists where it always has. (Note that
> /var/www is a symlink and the actual path is
> /x/u/www/inn/inn_status.html)

> % ls -l /var/www/inn/inn_status.html
> -rw-rw-r-- 1 news news 1057 Sep 2 15:25 /var/www/inn/inn_status.html

Check the permissions on the parent directories, maybe? I'm wondering if
something changed the permissions in /var/www (/x/u/www) such that the
news user can't traverse it.

--
Russ Allbery (eagle@eyrie.org) <https://www.eyrie.org/~eagle/>

Please post questions rather than mailing me directly.
<https://www.eyrie.org/~eagle/faqs/questions.html> explains why.

Re: innd: SERVER cant open /var/www/inn/inn_status.html: Permission denied

<b6710de6-919f-4331-a663-b18eaed4346an@googlegroups.com>

 by: Jeffery Small - Tue, 4 Oct 2022 16:39 UTC

On Tuesday, October 4, 2022 at 8:27:47 AM UTC-7, Russ Allbery wrote:
> Jeffery Small writes:
>
> > I recently upgraded from Xubuntu 20.04 to 22.04.1. The upgrade was very
> > rocky, but no changes were made (by me!) to the inn2 installation. Inn
> > is the standard repository package version 2.6.4-2build4. The news
> > system is working generally. Ever since the upgrade, I'm getting a
> > steady stream of the error message (see subject line) but I cannot
> > determine why. The file exists where it always has. (Note that
> > /var/www is a symlink and the actual path is
> > /x/u/www/inn/inn_status.html)
>
> > % ls -l /var/www/inn/inn_status.html
> > -rw-rw-r-- 1 news news 1057 Sep 2 15:25 /var/www/inn/inn_status.html
> Check the permissions on the parent directories, maybe? I'm wondering if
> something changed the permissions in /var/www (/x/u/www) such that the
> news user can't traverse it.

Yes that was my first thought. I checked all the paths and everything is
kosher. However I just su'ed into news and walked to the directory without
problem. But when I tried to manually edit the inn_status.html file I get the message:

"Authorization requires, but no authorization protocol specified"

Even if I su to root, I get the same message!

I have a ~/.Xauthority file and (forever) I have had /.Xauthority as a symlink to this
file. It looks like there have been some serious changes to the auth program that I'm
unaware of and this may be an underlying problem here, but I really don't understand
what is going on and how this affects daemon and cron programs, or why only this
particular directory is affected. When I try to edit it myself, I don't get this message,
but (of course) can only open it RO.

Re: innd: SERVER cant open /var/www/inn/inn_status.html: Permission denied

<f761589b-f58f-44c4-8ef4-43ae32e03ab2n@googlegroups.com>

 by: Jeffery Small - Tue, 4 Oct 2022 16:46 UTC

BTW, my home directory is /u/jeff and not located under /home. It's been this
way for 40 years. I did make a symlink from /home to /u. I only mention this
because snap packages totally break for "non-standard" $HOME and maybe the
same is now true for other things*. Nevertheless, I can't see how this has any
bearing on programs being run by root or news. I just mention it here in case it
sparks a thought.
--
* Every day UNIX gets destroyed a little more. :-(

Re: innd: SERVER cant open /var/www/inn/inn_status.html: Permission denied

<87r0znqzj9.fsf@hope.eyrie.org>

 by: Russ Allbery - Tue, 4 Oct 2022 17:17 UTC

Jeffery Small <jefferysmall@gmail.com> writes:

> Yes that was my first thought. I checked all the paths and everything
> is kosher. However I just su'ed into news and walked to the directory
> without problem. But when I tried to manually edit the inn_status.html
> file I get the message:

> "Authorization requires, but no authorization protocol specified"

This is probably unrelated. What editor are you using? It sounds like
it's trying to open an X connection. (If Emacs, use emacs -nw instead.)

Is this file system mounted over the network, possibly?

Another possibility is that you have a corrupt file system.

--
Russ Allbery (eagle@eyrie.org) <https://www.eyrie.org/~eagle/>

Please post questions rather than mailing me directly.
<https://www.eyrie.org/~eagle/faqs/questions.html> explains why.

Re: innd: SERVER cant open /var/www/inn/inn_status.html: Permission denied

<f129b02c-cd9c-409d-b88f-8053d62f14e2n@googlegroups.com>

 by: Jeffery Small - Tue, 4 Oct 2022 19:48 UTC

On Tuesday, October 4, 2022 at 10:17:15 AM UTC-7, Russ Allbery wrote:
> This is probably unrelated. What editor are you using? It sounds like
> it's trying to open an X connection. (If Emacs, use emacs -nw instead.)
>
> Is this file system mounted over the network, possibly?
>
> Another possibility is that you have a corrupt file system.

I was just using the vim (non-graphical) text editor inside a terminal window.
Root is on a mirrored SSD and the file itself is on a separate ext4 hard disk
(actually two mirrored disks) mounted at /x, so no funny business there and
the mirror reports no problems.

I tried other editors such as mousepad and gedit and get the same results
as with vim -- except that these others open a new window while vim
stays within the current terminal.

I believe you are correct that this is an unrelated issue, and I will look into
it further. That brings us back to the original problem....

Re: innd: SERVER cant open /var/www/inn/inn_status.html: Permission denied

<87edvnqqvz.fsf@hope.eyrie.org>

 by: Russ Allbery - Tue, 4 Oct 2022 20:24 UTC

Jeffery Small <jefferysmall@gmail.com> writes:

> I believe you are correct that this is an unrelated issue, and I will
> look into it further. That brings us back to the original problem....

Oh, what does /lib/systemd/system/inn2.service look like? I bet that innd
is now started with systemd following your upgrade and probably has
various security features enabled, and you're getting bitten by the fact
that /var/www is a symlink off to some other file system and that file
system probably isn't set up to be writable by the innd process.

If something like ProtectSystem=strict is set in that file, you may need
to create a directory named /etc/systemd/system/inn2.service.d and drop a
file in there named something like www.conf and containing:

[Service]
ReadWritePaths=/var/www/inn

to whitelist an additional writable path. I think it will automatically
resolve symlinks; if not, you may need:

[Service]
ReadWritePaths=/x/u/www

--
Russ Allbery (eagle@eyrie.org) <https://www.eyrie.org/~eagle/>

Please post questions rather than mailing me directly.
<https://www.eyrie.org/~eagle/faqs/questions.html> explains why.

Re: innd: SERVER cant open /var/www/inn/inn_status.html: Permission denied

<aecf2f19-92ee-4c4f-9334-763ad2375d0bn@googlegroups.com>

 by: Jeffery Small - Thu, 6 Oct 2022 03:09 UTC

On Tuesday, October 4, 2022 at 1:24:01 PM UTC-7, Russ Allbery wrote:
> > I believe you are correct that this is an unrelated issue, and I will
> > look into it further. That brings us back to the original problem....
> Oh, what does /lib/systemd/system/inn2.service look like? I bet that innd
> is now started with systemd following your upgrade and probably has
> various security features enabled, and you're getting bitten by the fact
> that /var/www is a symlink off to some other file system and that file
> system probably isn't set up to be writable by the innd process.
>
> If something like ProtectSystem=strict is set in that file, you may need
> to create a directory named /etc/systemd/system/inn2.service.d and drop a
> file in there named something like www.conf and containing:
>
> [Service]
> ReadWritePaths=/var/www/inn
>
> to whitelist an additional writable path. I think it will automatically
> resolve symlinks; if not, you may need:
>
> [Service]
> ReadWritePaths=/x/u/www

Russ:

Just a quick follow-up. I tried your suggestions but unfortunately, it didn't work. Below I'll list the primary systemd inn2.service file as well as my addition. I did add multiple directory paths and reloaded the daemon and restarted inn2. Still I get a stream of errors. ProtectSystem is set to full. I'm new to systemd and have been attacking it piecemeal. I'm going to read up on the whole thing so I have a better understanding of what's going on. In the meantime, any further suggestions are always welcome.

% cat /usr/lib/systemd/system/inn2.service
[Unit]
Description=InterNetNews
Documentation=man:innd(8)
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
Restart=on-abort
ExecStart=/usr/lib/news/bin/rc.news
ExecStop=/usr/lib/news/bin/rc.news stop
ExecReload=/usr/sbin/ctlinnd -t 20 reload all 'by systemd'
User=news
Group=news
ConfigurationDirectory=news
LogsDirectory=news
LogsDirectoryMode=775
RuntimeDirectory=news
StateDirectory=news
StateDirectoryMode=775
ReadWritePaths=/var/spool/news/
ProtectSystem=full
ProtectControlGroups=yes
ProtectHome=yes
# These directives are not compatible with innbind (or postdrop from Postfix)
# because they automatically enable NoNewPrivileges:
# PrivateDevices=yes
# ProtectClock=yes
# ProtectHostname=yes
# ProtectKernelLogs=yes
# ProtectKernelModules=yes
# ProtectKernelTunables=yes
# RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
# RestrictNamespaces=yes
# RestrictRealtime=yes
# RestrictSUIDSGID=yes
# LockPersonality=yes
# MemoryDenyWriteExecute=yes
# SystemCallArchitectures=native
# SystemCallErrorNumber=EPERM
# SystemCallFilter=@system-service
LimitNOFILE=infinity

[Install]
WantedBy=multi-user.target

$ cat /etc/systemd/system/inn2.service.d/www.conf
[Service]
ReadWritePaths=\
/var/www/ \
/var/www/inn/ \
/x/u/www/ \
/x/u/www/inn/

Re: innd: SERVER cant open /var/www/inn/inn_status.html: Permission denied

<87tu4hvd23.fsf@hope.eyrie.org>

 by: Russ Allbery - Thu, 6 Oct 2022 03:36 UTC

Jeffery Small <jefferysmall@gmail.com> writes:

> Just a quick follow-up. I tried your suggestions but unfortunately, it
> didn't work. Below I'll list the primary systemd inn2.service file as
> well as my addition. I did add multiple directory paths and reloaded
> the daemon and restarted inn2. Still I get a stream of errors.
> ProtectSystem is set to full.

Ah, that's not it, then. ProtectSystem=full doesn't do anything with /var
or other file systems. It just does /usr, /boot, /efi, and /etc.

I'm still pretty confused! Definitely worth trying to write to the file
after su to the news user, just to rule out all the normal UNIX permission
things.

--
Russ Allbery (eagle@eyrie.org) <https://www.eyrie.org/~eagle/>

Please post questions rather than mailing me directly.
<https://www.eyrie.org/~eagle/faqs/questions.html> explains why.
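
As an added illustration (not part of any post in this thread, and not systemd's or INN's own code), the following Python sketch models the directives discussed above, ProtectSystem=, ProtectHome= and ReadWritePaths=, against the [Service] settings and the www.conf drop-in quoted in the thread. The function names, the `strict` variant used for comparison and the simplified matching (string prefixes only, no symlink resolution, so both spellings of the path should be checked) are assumptions of this example.

```python
import posixpath

# Read-only prefixes implied by each ProtectSystem= level, per systemd.exec(5).
PROTECT_SYSTEM = {
    "yes": ["/usr", "/boot", "/efi"],
    "full": ["/usr", "/boot", "/efi", "/etc"],
    "strict": ["/"],                      # everything except the API file systems
}
STRICT_EXEMPT = ["/dev", "/proc", "/sys"]
PROTECT_HOME = ["/home", "/root", "/run/user"]
TRUE = ("yes", "true", "1", "on")

# [Service] directives from the inn2.service quoted in the thread (trimmed).
UNIT = r"""
[Service]
User=news
Group=news
ReadWritePaths=/var/spool/news/
ProtectSystem=full
ProtectControlGroups=yes
ProtectHome=yes
"""

# The www.conf drop-in quoted in the thread, with its line continuations.
DROPIN = r"""
[Service]
ReadWritePaths=\
/var/www/ \
/var/www/inn/ \
/x/u/www/ \
/x/u/www/inn/
"""


def parse_service(*texts):
    """Merge the [Service] sections of a unit file and its drop-ins, in order."""
    settings = {}
    for text in texts:
        section, pending = None, ""
        for raw in text.splitlines():
            stripped = raw.strip()
            if stripped.startswith(("#", ";")):
                continue
            line = pending + stripped
            pending = ""
            if line.endswith("\\"):       # continuation: join with the next line
                pending = line[:-1] + " "
                continue
            if line.startswith("["):
                section = line.strip("[]")
            elif section == "Service" and "=" in line:
                key, value = (part.strip() for part in line.split("=", 1))
                if key != "ReadWritePaths":
                    settings[key] = value
                elif value:               # list setting: later entries append
                    settings[key] = settings.get(key, []) + value.split()
                else:                     # empty assignment resets the list
                    settings[key] = []
    return settings


def under(path, prefix):
    """True if path is prefix itself or lies below it (string comparison only)."""
    prefix = posixpath.normpath(prefix)
    return prefix == "/" or path == prefix or path.startswith(prefix + "/")


def write_access(settings, path):
    """Classify a path under the modelled directives (simplified model)."""
    path = posixpath.normpath(path)
    home = settings.get("ProtectHome", "no")
    if home in TRUE and any(under(path, p) for p in PROTECT_HOME):
        return "inaccessible"             # ReadWritePaths= cannot reopen these
    level = settings.get("ProtectSystem", "no")
    level = "yes" if level in TRUE else level
    read_only = any(under(path, p) for p in PROTECT_SYSTEM.get(level, []))
    if level == "strict" and any(under(path, p) for p in STRICT_EXEMPT):
        read_only = False
    if home == "read-only" and any(under(path, p) for p in PROTECT_HOME):
        read_only = True
    if not read_only:
        return "unrestricted"             # these directives do not touch the path
    for rw in settings.get("ReadWritePaths", []):
        if under(path, rw.lstrip("-+")):  # "-" and "+" are optional path prefixes
            return "writable-exception"
    return "read-only"


if __name__ == "__main__":
    merged = parse_service(UNIT, DROPIN)
    for p in ("/var/www/inn/inn_status.html", "/x/u/www/inn/inn_status.html",
              "/etc/news/inn.conf", "/var/spool/news/incoming"):
        print(p, "->", write_access(merged, p))
```

On a live host, `systemctl show inn2 -p ProtectSystem -p ProtectHome -p ReadWritePaths` prints the merged values that systemd actually applied to the unit.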

Re: innd: SERVER cant open /var/www/inn/inn_status.html: Permission denied

<82780217-dd2d-4931-9d84-4d0b01cb7090n@googlegroups.com>

 by: Jeffery Small - Thu, 6 Oct 2022 04:02 UTC

On Wednesday, October 5, 2022 at 8:36:06 PM UTC-7, Russ Allbery wrote:
> Ah, that's not it, then. ProtectSystem=full doesn't do anything with /var
> or other file systems. It just does /usr, /boot, /efi, and /etc.
>
> I'm still pretty confused! Definitely worth trying to write to the file
> after su to the news user, just to rule out all the normal UNIX permission
> things.

Just happened to still be at my desk. I did su to news and I am able to create a new file in the /var/www/inn directory and append to the inn_status.html file, so there is no Linux permission problem. If I can do that, why can't the service programs?

I still have the xauth problem and, as news, cannot edit the file with vim. I fixed the problem for root by removing the existing .Xauthority file in my home directory and at /. I see root now has a new home directory! I also found an .Xauthority file in the news home directory (/var/spool/news) and eliminated that, but that didn't fix the problem. Still looking.....

Re: innd: SERVER cant open /var/www/inn/inn_status.html: Permission denied

<87o7upvb9c.fsf@hope.eyrie.org>

 by: Russ Allbery - Thu, 6 Oct 2022 04:14 UTC

Jeffery Small <jefferysmall@gmail.com> writes:

> Just happened to still be at my desk. I did su to news and I am able to
> create a new file in the /var/www/inn directory and append to the
> inn_status.html file, so there is no Linux permission problem. If I can
> do that, why can't the service programs?

Okay, then it's some sort of security control related to the service
startup. It's not immediately jumping out to me in the service unit,
though. Do you have SELinux or AppArmor or anything like that enabled?
(Ubuntu, so AppArmor is probably more likely. I don't know if INN has
AppArmor rules, though.)

For the record, the reason for all this is that Linux now supports
limiting what a service can access so that if there's a security
vulnerability in the service, it doesn't compromise your whole system.
It's in general a very good thing (particularly for fairly old C code like
INN) and it makes Linux systems way more secure, but like every security
measure there's a usability trade-off and some amount of faffing about
trying to figure out where the security rule blocking the thing that the
service needs to do is.

In this case, I'm pretty sure the symlink to a different file system is
the root of the problem, I'm just not sure how.

> I still have the xauth problem and, as news, cannot edit the file with
> vim. I fixed the problem for root by removing the existing .Xauthority
> file in my home directory and at /. I see root now has a new home
> directory! I also found an .Xauthority file in the news home directory
> (/var/spool/news) and eliminated that, but that didn't fix the problem.
> Still looking.....

For some reason all the editors you're using including vim are trying to
connect to your X display, I think. One thing to try would be to unset
the DISPLAY environment variable before trying to edit the file, which
should hopefully clue in editors that support either using X or not that
there's no X display they have access to.

It's possible that your vim actually ended up being vim-gtk3 or something
during the upgrade.

--
Russ Allbery (eagle@eyrie.org) <https://www.eyrie.org/~eagle/>

Please post questions rather than mailing me directly.
<https://www.eyrie.org/~eagle/faqs/questions.html> explains why.

Re: innd: SERVER cant open /var/www/inn/inn_status.html: Permission denied

<ce163f8a-c1ed-42b1-b096-82c4a761d615n@googlegroups.com>

https://www.novabbs.com/computers/article-flat.php?id=1262&group=news.software.nntp#1262

Newsgroups: news.software.nntp
Date: Thu, 6 Oct 2022 16:43:11 -0700 (PDT)
In-Reply-To: <87o7upvb9c.fsf@hope.eyrie.org>
Message-ID: <ce163f8a-c1ed-42b1-b096-82c4a761d615n@googlegroups.com>
Subject: Re: innd: SERVER cant open /var/www/inn/inn_status.html: Permission denied
From: jefferys...@gmail.com (Jeffery Small)
 by: Jeffery Small - Thu, 6 Oct 2022 23:43 UTC

On Wednesday, October 5, 2022 at 9:14:57 PM UTC-7, Russ Allbery wrote:
> Okay, then it's some sort of security control related to the service
> startup. It's not immediately jumping out to me in the service unit,
> though. Do you have SELinux or AppArmor or anything like that enabled?
> (Ubuntu, so AppArmor is probably more likely. I don't know if INN has
> AppArmor rules, though.)

AppArmor is installed and the service is running. I have never touched
this and there is no inn2 profile, so I don't think it is the problem.

> In this case, I'm pretty sure the symlink to a different file system is
> the root of the problem, I'm just not sure how.

I see that apache2 doesn't have any access problems. I looked in the
/etc/apache2/apache2.conf file and see the following lines that have
been there for many years:

<Directory /u/www/>
    AddHandler cgi-script .cgi
    Options Includes Indexes FollowSymLinks ExecCGI MultiViews
    AllowOverride All
    Require all granted
</Directory>

<Directory /var/www/>
    AddHandler cgi-script .cgi
    Options Includes Indexes FollowSymLinks ExecCGI MultiViews
    AllowOverride All
    Require all granted
</Directory>

So, at some point, I apparently added a duplicate entry for /u/www
which seems strange because the disk is actually mounted on /x
and /u is a symlink pointing to /x/u just as /var/www is a symlink
to /u/www -- which is actually a path with two symlinks.

So, regarding apache2, there doesn't seem to be a restriction regarding
symlinks.

In /etc/news/inn.conf file there is only one entry that points to a symlink
path:

pathhttp: /var/www/inn

I guess there are two things I could do. 1) change the path to eliminate
symlinks:

pathhttp: /x/u/www/inn

or 2) completely change the location of the directory to somewhere on the
root drive. For example:

pathhttp: /var/inn2

The only thing under the current /var/www/inn directory is the sole
inn_status.html file. However, I'm not sure what making a change like
this would do to the overall inn2 operations.

Suggestions?

> For some reason all the editors you're using including vim are trying to
> connect to your X display, I think. One thing to try would be to unset
> the DISPLAY environment variable before trying to edit the file, which
> should hopefully clue in editors that support either using X or not that
> there's no X display they have access to.
>
> It's possible that your vim actually ended up being vim-gtk3 or something
> during the upgrade.

You are correct. Unsetting the DISPLAY variable allowed the news user to
edit the file. I am going to have to look into what new things auth is doing
under the hood. One thought I had was that user news had a home directory
of /var/spool/news, but cannot login since the shell is set to "nologin". Other
users get a ~/.Xauthority file created when they first login. (Copying my file
to that location doesn't work.) Is there a way to force non-login users to get
an .Xauthority file? If not, maybe I need to add a shell, login to create the
auth file and then reset it to nologin.

Thoughts?

Re: innd: SERVER cant open /var/www/inn/inn_status.html: Permission denied

<87v8ow1ng1.fsf@hope.eyrie.org>

https://www.novabbs.com/computers/article-flat.php?id=1263&group=news.software.nntp#1263

From: eag...@eyrie.org (Russ Allbery)
Newsgroups: news.software.nntp
Subject: Re: innd: SERVER cant open /var/www/inn/inn_status.html: Permission denied
Date: Thu, 06 Oct 2022 17:34:22 -0700
Organization: The Eyrie
Message-ID: <87v8ow1ng1.fsf@hope.eyrie.org>
 by: Russ Allbery - Fri, 7 Oct 2022 00:34 UTC

Jeffery Small <jefferysmall@gmail.com> writes:
> On Wednesday, October 5, 2022 at 9:14:57 PM UTC-7, Russ Allbery wrote:

>> In this case, I'm pretty sure the symlink to a different file system is
>> the root of the problem, I'm just not sure how.

> I see that apache2 doesn't have any access problems.

There's definitely some sort of security configuration at play that's
specific to innd. (Either that or innd isn't actually running as the user
news, but presumably you've checked that with ps already.)

I am suspicious that it's something that mounts /x read-only for innd,
which is definitely a thing that one can do with systemd security
configuration, but I don't know why it's happening here because your
systemd configuration does not seem to be doing that.

> In /etc/news/inn.conf file there is only one entry that points to a symlink
> path:

> pathhttp: /var/www/inn

> I guess there are two things I could do. 1) change the path to eliminate
> symlinks:

> pathhttp: /x/u/www/inn

> or 2) completely change the location of the directory to somewhere on the
> root drive. For example:

> pathhttp: /var/inn2

> The only thing under the current /var/www/inn directory is the sole
> inn_status.html file. However, I'm not sure what making a change like
> this would do to the overall inn2 operations.

This is the only thing about innd behavior that setting controls. But I
didn't mean that the fact that path points to a symlink is inherently a
problem.

I'm trying to figure out what's different on your system than on other
Ubuntu systems where the inn2 package presumably works (or there would be
a lot of other bug reports). The one thing that we've found so far that
seems to be different on your system is that your /var/www is a symlink to
a different file system, and I know that some systemd security
configuration for daemons mounts different file systems read-only for
security protection. That's consistent with the symptoms that you're
seeing where innd cannot write to that file with a permission denied
error, but when you su to the news user (which doesn't involve any of the
systemd configuration) you can write to the file just fine.

> You are correct. Unsetting the DISPLAY variable allowed the news user
> to edit the file. I am going to have to look into what new things auth
> is doing under the hood. One thought I had was that user news had a
> home directory of /var/spool/news, but cannot login since the shell is
> set to "nologin". Other users get a ~/.Xauthority file created when
> they first login. (Copying my file to that location doesn't work.) Is
> there a way to force non-login users to get an .Xauthority file? If
> not, maybe I need to add a shell, login to create the auth file and then
> reset it to nologin.

In general, you no longer have X access to spawn new X clients after
running su or sudo or the like. I know there's something you can do to
restore access, but I never do this and therefore don't remember what it
is. (Also, I'm not sure if you're running Wayland rather than X; if
that's the case, it has a whole different permissions model and I have not
yet learned how it works.)

I don't think logging on as the user will do it since the web session is
still under your normal user, not under that different user.

--
Russ Allbery (eagle@eyrie.org) <https://www.eyrie.org/~eagle/>

Please post questions rather than mailing me directly.
<https://www.eyrie.org/~eagle/faqs/questions.html> explains why.

Re: innd: SERVER cant open /var/www/inn/inn_status.html: Permission denied

<4f444a6c-a00d-4b8d-ad9f-5839a90d4754n@googlegroups.com>

https://www.novabbs.com/computers/article-flat.php?id=1264&group=news.software.nntp#1264

Newsgroups: news.software.nntp
Date: Sat, 8 Oct 2022 07:04:54 -0700 (PDT)
In-Reply-To: <87v8ow1ng1.fsf@hope.eyrie.org>
Message-ID: <4f444a6c-a00d-4b8d-ad9f-5839a90d4754n@googlegroups.com>
Subject: Re: innd: SERVER cant open /var/www/inn/inn_status.html: Permission denied
From: jefferys...@gmail.com (Jeffery Small)
 by: Jeffery Small - Sat, 8 Oct 2022 14:04 UTC

Well, I still don't have a systemd solution or answer to the problem,
but I changed the /etc/news/inn.conf line to:

pathhttp: /x/u/www/inn

which is the original location on the mounted disk, but bypassing
the symlink. I restarted the inn2 service, but this also fails.

I then created a new directory, /var/inn, which is on the primary
drive and placed the inn_status.html file there. I changed the
/etc/news/inn.conf line to:

pathhttp: /var/inn

and restarted the inn2 service. No more error messages and the
file is now updating. So the problem is with the file being on the
mounted disk and doesn't seem to be related to the symlink.
Does this provide a clue? I'm not seeing any problems elsewhere.
The /u/www (/x/u/www) directory contains all the html files used
by apache2 and /u (/x/u) contains home directories, the location
of my KVM images and other misc. things. VM, apache2 and other
programs that access music (e.g., clementine) or picture (e.g., gimp)
files read/write without problem.

Re: innd: SERVER cant open /var/www/inn/inn_status.html: Permission denied

<878rlqi9xa.fsf@hope.eyrie.org>

https://www.novabbs.com/computers/article-flat.php?id=1265&group=news.software.nntp#1265

From: eag...@eyrie.org (Russ Allbery)
Newsgroups: news.software.nntp
Subject: Re: innd: SERVER cant open /var/www/inn/inn_status.html: Permission denied
Date: Sat, 08 Oct 2022 08:58:57 -0700
Organization: The Eyrie
Message-ID: <878rlqi9xa.fsf@hope.eyrie.org>
 by: Russ Allbery - Sat, 8 Oct 2022 15:58 UTC

Jeffery Small <jefferysmall@gmail.com> writes:

> Well, I still don't have a systemd solution or answer to the problem,
> but I changed the /etc/news/inn.conf line to:

> pathhttp: /x/u/www/inn

> which is the original location on the mounted disk, but bypassing
> the symlink. I restarted the inn2 service, but this also fails.

> I then created a new directory, /var/inn, which is on the primary
> drive and placed the inn_status.html file there. I changed the
> /etc/news/inn.conf line to:

> pathhttp: /var/inn

> and restarted the inn2 service. No more error messages and the
> file is now updating. So the problem is with the file being on the
> mounted disk and doesn't seem to be related to the symlink.

Yup, that's what I thought.

Something is making that file system read-only for innd. I'm not sure
what. I still suspect systemd security controls somewhere, something
about either ProtectHome=true or ProtectSystem=full that I'm not
understanding and that isn't overridden by ReadWritePaths for some reason.

One thing you could do to work around the problem, although unsatisfying
since it doesn't explain why, is symlink the other direction: have INN
write to /var/inn or whatever, and make a symlink from /x/u/www/inn to
that directory so that your web server can still serve it. The size of
files that INN will write is quite small, so it shouldn't be a problem
with available space.

--
Russ Allbery (eagle@eyrie.org) <https://www.eyrie.org/~eagle/>

Please post questions rather than mailing me directly.
<https://www.eyrie.org/~eagle/faqs/questions.html> explains why.
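
Added example, not part of the post above and not INN or systemd code: one way to check the hypothesis in these replies (that systemd settings such as ProtectHome, ProtectSystem and ReadWritePaths give innd a different view of the file system than a `su` shell gets) is to compare the mount covering the status file in the host's mount table and in the service's `/proc/<pid>/mountinfo`. The sample tables are constructed for illustration and are not from the poster's machine; `compare_views` and the other names are hypothetical.

```python
import os
import re
import sys
from collections import namedtuple

Mount = namedtuple("Mount", "mount_point fstype readonly")

# Constructed sample tables (not from the poster's system): /x is writable on
# the host but read-only in the service's private mount namespace.
HOST_SAMPLE = r"""25 1 8:2 / / rw,relatime shared:1 - ext4 /dev/sda2 rw
90 25 8:17 / /x rw,relatime shared:40 - ext4 /dev/sdb1 rw
91 25 8:33 / /mnt/my\040disk rw,nosuid shared:41 - ext4 /dev/sdc1 rw
"""
SERVICE_SAMPLE = r"""410 409 8:2 / / rw,relatime master:1 - ext4 /dev/sda2 rw
455 410 8:17 / /x ro,relatime master:40 - ext4 /dev/sdb1 rw
456 410 8:33 / /mnt/my\040disk rw,nosuid master:41 - ext4 /dev/sdc1 rw
"""


def unescape(field):
    # mountinfo encodes space, tab, newline and backslash as \040 \011 \012 \134.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mountinfo(text):
    """Parse /proc/<pid>/mountinfo text into Mount records, in file order."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        try:
            sep = fields.index("-", 6)  # optional fields end at the lone "-"
            fstype, super_opts = fields[sep + 1], fields[sep + 3].split(",")
        except (ValueError, IndexError):
            continue  # truncated or malformed line
        per_mount = fields[5].split(",")  # per-mount flags; bind mounts can be ro here
        mounts.append(Mount(unescape(fields[4]), fstype,
                            "ro" in per_mount or "ro" in super_opts))
    return mounts


def covering_mount(mounts, path):
    """Mount governing `path`: longest mount-point prefix, later lines win ties."""
    best = None
    for m in mounts:
        prefix = m.mount_point.rstrip("/") + "/"  # "/" stays "/", "/x" becomes "/x/"
        if path == m.mount_point or path.startswith(prefix):
            if best is None or len(m.mount_point) >= len(best.mount_point):
                best = m
    return best


def compare_views(host_text, service_text, path):
    """Return (host_mount, service_mount, differs) for an absolute, symlink-free path."""
    host = covering_mount(parse_mountinfo(host_text), path)
    svc = covering_mount(parse_mountinfo(service_text), path)
    return host, svc, host != svc  # differs on mount point, fs type or ro/rw


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py <service-main-pid> <path>
        # realpath resolves chains such as /var/www -> /u/www -> /x/u/www
        path = os.path.realpath(sys.argv[2])
        with open("/proc/self/mountinfo") as h, open(f"/proc/{sys.argv[1]}/mountinfo") as s:
            host_text, svc_text = h.read(), s.read()
    else:  # no arguments: run on the constructed sample
        path, host_text, svc_text = "/x/u/www/inn/inn_status.html", HOST_SAMPLE, SERVICE_SAMPLE
    host, svc, differs = compare_views(host_text, svc_text, path)
    print(f"{path}\n  host:    {host}\n  service: {svc}\n  differs: {differs}")
```

Reading another user's `/proc/<pid>/mountinfo` normally requires root. A difference for the path under /x but not for one under /var would point at the unit's sandboxing rather than at file ownership or mode bits.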

Re: innd: SERVER cant open /var/www/inn/inn_status.html: Permission denied

<06094e44-21cd-4881-bfec-7c827e0ecf6an@googlegroups.com>

https://www.novabbs.com/computers/article-flat.php?id=1266&group=news.software.nntp#1266

Newsgroups: news.software.nntp
Date: Sat, 8 Oct 2022 17:00:35 -0700 (PDT)
In-Reply-To: <878rlqi9xa.fsf@hope.eyrie.org>
Message-ID: <06094e44-21cd-4881-bfec-7c827e0ecf6an@googlegroups.com>
Subject: Re: innd: SERVER cant open /var/www/inn/inn_status.html: Permission denied
From: jefferys...@gmail.com (Jeffery Small)
 by: Jeffery Small - Sun, 9 Oct 2022 00:00 UTC

On Saturday, October 8, 2022 at 8:58:58 AM UTC-7, Russ Allbery wrote:
> One thing you could do to work around the problem, although unsatisfying
> since it doesn't explain why, is symlink the other direction

Done! Russ, thanks for the help and let me know if I can do anything to
further help nail down the real issue.
