From: Jonathan de Boyne Pollard
Subject: Re: runit: run process in a tty
To: supervision@list.skarnet.org
Date: Sat, 17 Oct 2020 11:43:32 +0100
Message-ID: <40aba353-c950-5fd7-ab1b-7665c56a7d22@NTLWorld.COM>
In-Reply-To: <20201017003545.6k2vys6psg4izccg@frisbee>

Kian Kasad:
> Unable to open file: /dev/tty2: Operation not permitted.

Operating systems do a whole bunch of stuff when connecting user programs to terminals, including changing the permissions of the terminal device file to allow the logged-in user access. If you check the terminal device file of a terminal where you have actually logged in, you will find that it is owned by you, and that the device files of terminals where you have not logged in are owned by the superuser. This is one of several things that the login process does.

Taking ly's supplied systemd service unit and converting it using the nosh toolset's convert-systemd-units command (http://jdebp.uk./Softwares/nosh/guide/commands/convert-systemd-units.xml), one obtains the following, which demonstrates that there are extra steps involved and provides at least a pointer to how a "run" script for a runit service should be constructed.

> % convert-systemd-units --no-systemd-quirks ./ly.service
> convert-systemd-units: WARNING: ./ly.service: Unused setting: [install] alias = display-manager.service
> %
> % system-control print-service-scripts ./ly
> start:#!/bin/nosh
> start:#Start file generated from ./ly.service
> start:true
> stop:#!/bin/nosh
> stop:#Stop file generated from ./ly.service
> stop:true
> run:#!/bin/nosh
> run:#Run file generated from ./ly.service
> run:#TUI display manager
> run:vc-get-tty /dev/tty2
> run:open-controlling-tty --revoke
> run:vc-reset-tty --hard-reset
> run:/usr/bin/ly
> restart:#!/bin/sh
> restart:#Restart file generated from ./ly.service
> restart:exec true # ignore script arguments
> %

Notice how the service invokes the open-controlling-tty program (http://jdebp.uk./Softwares/nosh/guide/commands/open-controlling-tty.xml) to open the terminal device file as standard I/O and to make it the service's controlling terminal. It knows what terminal device because that has been set up by the vc-get-tty program (http://jdebp.uk./Softwares/nosh/guide/commands/vc-get-tty.xml) which was passed the name "/dev/tty2".

Notice also how the service runs the "ly" program as the superuser. It does not drop privileges by switching to an unprivileged account.

Furthermore, notice that there are two separate places where one tells "ly" what terminal to use: in the service definition, as here, and in the program's own configuration file.
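
Added example, not part of the original message and not nosh's code: a Python sketch of the generic POSIX steps by which a process makes a terminal its controlling terminal and standard I/O, the job the message describes open-controlling-tty doing. It assumes a Linux-style TIOCSCTTY ioctl and runs against a constructed pseudo-terminal in place of /dev/tty2, so it needs no privileges; the function names are hypothetical and the --revoke step is not reproduced.

```python
import fcntl
import os
import termios


def acquire_controlling_tty(tty_path):
    """Make tty_path this process's controlling terminal and standard I/O."""
    # Only a session leader without a controlling terminal may acquire one.
    os.setsid()
    # O_NOCTTY: do not rely on open() adopting the terminal implicitly.
    fd = os.open(tty_path, os.O_RDWR | os.O_NOCTTY)
    fcntl.ioctl(fd, termios.TIOCSCTTY, 0)
    for std in (0, 1, 2):
        os.dup2(fd, std)
    if fd > 2:
        os.close(fd)


def demo_on_pty():
    """Run the steps in a child against a constructed pty; True on success."""
    master, slave = os.openpty()          # constructed stand-in for /dev/tty2
    slave_path = os.ttyname(slave)
    rd, wr = os.pipe()                    # child reports its result here
    pid = os.fork()
    if pid == 0:
        verdict = b"0"
        try:
            os.close(slave)
            acquire_controlling_tty(slave_path)
            # /dev/tty can be opened only by a process that has a
            # controlling terminal, so this open is the actual check.
            ctl = os.open("/dev/tty", os.O_RDWR)
            foreground = os.tcgetpgrp(ctl) == os.getpgrp()
            verdict = b"1" if os.isatty(0) and foreground else b"0"
        except OSError:
            pass
        os.write(wr, verdict)
        os._exit(0)
    os.close(wr)
    os.close(slave)
    result = os.read(rd, 1)
    os.waitpid(pid, 0)
    os.close(rd)
    os.close(master)
    return result == b"1"


if __name__ == "__main__":
    print("controlling terminal acquired:", demo_on_pty())
```

Against a real virtual terminal, the open() in acquire_controlling_tty is where device file ownership and mode are enforced.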