Gentoo Forums
openrc 'service' binary removal: news post [SOLVED]
dufeu
l33t
Joined: 30 Aug 2002
Posts: 924
Location: US-FL-EST
PostPosted: Tue Oct 17, 2017 10:30 am    Post subject: openrc 'service' binary removal: news post [SOLVED]

I've read the news post.

As a user, how can I tell if I'm using the "service" binary?

My current install dates back to 2007. Since I'm not a programmer, I often don't know about behind the scene items like this.

I'd prefer not to find out I'm using the binary "service" in openrc through updating then rebooting and then having something break.

;)

Last edited by dufeu on Sun Nov 26, 2017 7:25 pm; edited 1 time in total

John R. Graham
Administrator
Joined: 08 Mar 2005
Posts: 10589
Location: Somewhere over Atlanta, Georgia
PostPosted: Tue Oct 17, 2017 10:56 am

If you're not a systemd user, and you don't know you're using it, then in all likelihood you're not using it. It was never the standard or documented way of controlling init scripts in Gentoo. Booting does not depend on it. If you were a systemd user, I don't think you would see this news item in the first place.

- John

Hu
Moderator
Joined: 06 Mar 2007
Posts: 21633
PostPosted: Wed Oct 18, 2017 1:42 am

Technically, a systemd user can get this message. The news item is gated by whether the system has <=sys-apps/openrc-0.33 installed. As I understand it, it's perfectly valid to install both openrc and systemd, then use only one and completely ignore the other. In such a case, someone who used systemd as their active init system might get this message because Portage reacted to the presence of openrc, rather than its usage.

Tony0945
Watchman
Joined: 25 Jul 2006
Posts: 5127
Location: Illinois, USA
PostPosted: Wed Oct 18, 2017 2:15 am

I really don't understand this. They removed "service" and substituted "rc-service". Why not just symlink them and not make a big deal of it?
This reminds me of the openrc-run/runscript fiasco. https://forums.gentoo.org/viewtopic-t-1045350-start-0.html

And was "service" just a way of invoking "/etc/init.d/<some service name> <action>"? Wouldn't an alias work as well? Why all these binaries?

To be perfectly clear I'm running OpenRC-0.17 and had to undo the PATH variable change.

steveL
Watchman
Joined: 13 Sep 2006
Posts: 5153
Location: The Peanut Gallery
PostPosted: Thu Oct 19, 2017 5:22 am

Tony0945 wrote:
I really don't understand this. They removed "service" and substituted "rc-service". Why not just symlink them and not make a big deal of it?
This reminds me of the openrc-run/runscript fiasco.

And was "service" just a way of invoking "/etc/init.d/<some service name> <action>"? Wouldn't an alias work as well? Why all these binaries?

Heh, I remember banging on at someone on IRC, when I first got online, about how Gentoo was so much cleaner than other systems, that the traditional "service" command was doable with a bashrc function (sh-compatible):
Code:
service() {
   local svc
   svc=$1; shift
   "/etc/init.d/$svc" "$@"
}
So not an alias, just a function (which is preferred by #bash regulars in any case.)
The other guy just said "I can just tab them directly from /etc/init.d" and that was the end of it. ;)
Quote:
To be perfectly clear I'm running OpenRC-0.17 and had to undo the PATH variable change.
Hmm I missed that one. Got a link to a topic or bug?

Naib
Watchman
Joined: 21 May 2004
Posts: 6051
Location: Removed by Neddy
PostPosted: Thu Oct 19, 2017 9:25 am    Post subject: Re: openrc 'service' binary removal: news post

dufeu wrote:
I've read the news post.

As a user, how can I tell if I'm using the "service" binary?

My current install dates back to 2007. Since I'm not a programmer, I often don't know about behind the scene items like this.

I'd prefer not to find out I'm using the binary "service" in openrc through updating then rebooting and then having something break.

;)
Well, how do you manually start/stop services? Do you go service foo start or /etc/init.d/foo start?

That's the most obvious sign. A more subtle sign is whether additional applications use service to start services and this is where there could be a problem.

Let's take an example of torbrowser, let's say when it starts it checks if tor is running. Let's say it does that via the service command (as it blindly assumes systemd is used). This would now fail. The problem for users is there would be no trivial way to determine which applications use such a command.

However... This is already solved. There is an init-system-helpers which is a shell script "service" that abstracts the lower level service control specifics, be it sysvinit, systemd or openrc. Ubuntu uses this and Gentoo has had this package since last week.

Zucca
Moderator
Joined: 14 Jun 2007
Posts: 3345
Location: Rasi, Finland
PostPosted: Thu Oct 19, 2017 9:44 am

It was/is a binary? O.o
Like posted above: a simple symlink to replace the service binary would probably "do the thing".

Genone
Retired Dev
Joined: 14 Mar 2003
Posts: 9530
Location: beyond the rim
PostPosted: Fri Oct 20, 2017 7:22 am

Quote:
However... This is already solved. There is an init-system-helpers which is a shell script "service" that abstracts the lower level service control specifics, be it sysvinit, systemd or openrc. Ubuntu uses this and Gentoo has had this package since last week.

Zucca wrote:
It was/is a binary? O.o
Like posted above: a simple symlink to replace the service binary would probably "do the thing".


Generally, if a binary is renamed it's to avoid name collisions with another package. So symlinking would completely counteract the measure.

Naib
Watchman
Joined: 21 May 2004
Posts: 6051
Location: Removed by Neddy
PostPosted: Fri Oct 20, 2017 8:37 am

I didn't advocate a symlink, I was posting that this is solved.
I agree renaming is done to stop collisions.

steveL
Watchman
Joined: 13 Sep 2006
Posts: 5153
Location: The Peanut Gallery
PostPosted: Fri Oct 20, 2017 11:08 am    Post subject: Exposing 'service' to the GUI considered harmful

Naib wrote:
well how do you manually start,stop services? Do you go service foo start or /etc/init.d/foo start
Sheesh, that's up to the sysadmin to deal with, which is why one usually has a bashrc function for it.
Quote:
That's the most obvious sign. A more subtle sign is whether additional applications use service to start services and this is where there could be a problem.
You're missing the real problem, though: which is that an application thinks it should start a daemon.
Quote:
Let's take an example of torbrowser, let's say when it starts it checks if tor is running. Let's say it does that via the service command (as it blindly assumes systemd is used). This would now fail. The problem for users is there would be no trivial way to determine which applications use such a command.
The application should not try to start a "service"; it just has to try and use it, and report an error if it's not already running. On-demand startup is hardly a new issue (cf: inetd, xinetd.)
Quote:
However... This is already solved. There is an init-system-helpers which is a shell script "service" that abstracts the lower level service control specifics, be it sysvinit, systemd or openrc. Ubuntu uses this and Gentoo has had this package since last week
It doesn't solve the problem, since the semantics are essentially undefined, in that different init-systems report different metrics.
Papering over that with a false sense of convenience, does not make it go away.

Seriously, apps should just try to access the service they need; that's what protocols are for.

It is definitely not their place to set off root-level system initialisation; and per-user is at the desktop level (for GUI apps as in this case), where object request brokers have been around for decades.

If the user needs something running, it's better they know about it: if they're not a power-user (so not in fact a first-line Gentoo user) then they can ask the admin/their geeky friend, or maybe even start their journey of discovery.

"Smart" systems disenfranchise users, in the long run.

AFAIC this is all just "complexity of one's own making." (cf Dijkstra)

It seems to stem from a newb desire to "do it all", resulting in an inability to do anything well, while ignorant of extant mechanisms.

Exposing "service" to desktop apps is an awful idea.

Tony0945
Watchman
Joined: 25 Jul 2006
Posts: 5127
Location: Illinois, USA
PostPosted: Fri Oct 20, 2017 2:52 pm    Post subject: Re: Exposing 'service' to the GUI considered harmful

steveL wrote:
Exposing "service" to desktop apps is an awful idea.

A great post and this particular part cannot be emphasized enough.

Tony0945
Watchman
Joined: 25 Jul 2006
Posts: 5127
Location: Illinois, USA
PostPosted: Sat Oct 21, 2017 3:06 pm

steveL wrote:

Heh, I remember banging on at someone on IRC, when I first got online, about how Gentoo was so much cleaner than other systems, that the traditional "service" command was doable with a bashrc function (sh-compatible):
Code:
service() {
   local svc
   svc=$1; shift
   "/etc/init.d/$svc" "$@"
}

I created /root/.bash_profile, put this function in it, logged out then back in and it works like a charm!
Saves all that typing of e.g. /etc/init.d/minidlna start and I don't have to mentally translate what I see in Ubuntu guides.

You are absolutely right, there is no need for any binary and if one doesn't like the name "service", just change the name to "rc-service" or "launchit" or whatever.
I've always been an assembly/C programmer, but why have an opaque binary when a script will do fine? Just to ape RedHat?

EDIT:
My server already had a .bash_profile and I just added the function and tested it. I didn't even have to log out. I assume that .bash_profile is sourced whenever I type a command? Or only inside an ssh shell?

EDIT2:
Oops! I already had a service binary (when did that come in?), but it's a symlink as I said:
Code:
X3 bin # ls -l /sbin/service
lrwxrwxrwx 1 root root 12 Oct 17 22:29 /sbin/service -> /sbin/openrc
I'll try renaming it and test the bash function again.

steveL
Watchman
Joined: 13 Sep 2006
Posts: 5153
Location: The Peanut Gallery
PostPosted: Sun Oct 22, 2017 10:59 am

Tony0945 wrote:
You are absolutely right, there is no need for any binary and if one doesn't like the name "service", just change the name to "rc-service" or "launchit" or whatever.
I've always been an assembly/C programmer, but why have an opaque binary when a script will do fine? Just to ape RedHat?
Yeah, asm and C ftw :-) And when you code those, you absolutely love coming up to shell, and awk is a particular favourite of mine, where everything is done for you :D

I think the service "binary" is part of RedHat establishing dominance in the desktop, which as we've discussed leads to an awful mess wrt layering violations.
Quote:
My server already had a .bash_profile and I just added the function and tested it. I didn't even have to log out. I assume that .bash_profile is sourced whenever I type a command? Or only inside an ssh shell?
That's odd; afaik you have to log in again for the profile to be read. See greycat's most excellent wiki for proper info.
Quote:
Oops! I already had a service binary (when did that come in?), but it's a symlink as I said.. I'll try renaming it and test the bash function again.
You don't need to worry about any existing binary, or renaming it, as the bashrc function will take precedence.
If you want to use the external from within a wrapper function, cf: man 1p command, and: help command for a quick reminder when scripting.
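
A fuller version of that wrapper, added here as an example and not code from steveL's post, Tony0945's profile or OpenRC itself. It keeps the "service name action" spelling, refuses names that could escape the init directory, and shows the "command" trick steveL refers to: inside a function called service, "command service" runs the external binary instead of recursing. INIT_DIR is an assumed override hook (default /etc/init.d) so the function can be tried against a scratch directory; rc-service and the /sbin/service symlink are only used as fallbacks if they are installed.

```shell
#!/bin/sh
# "service <name> <action>" as a shell function for OpenRC, extending the
# one posted above. Added example, not code from the original posts or
# from OpenRC. INIT_DIR is an assumed hook (default /etc/init.d) so the
# function can be tried against a scratch directory.
: "${INIT_DIR:=/etc/init.d}"

# Find an executable named $1 in PATH. "command -v" cannot be used here:
# inside service() it would report the function itself, not /sbin/service.
# Runs in a subshell so changing IFS does not leak into the caller.
external() (
    IFS=:
    for dir in $PATH; do
        [ -x "$dir/$1" ] && { printf '%s\n' "$dir/$1"; exit 0; }
    done
    exit 1
)

service() {
    local svc
    svc=$1
    if [ -z "$svc" ] || [ $# -lt 2 ]; then
        echo "usage: service <name> <action> [args...]" >&2
        return 2
    fi
    shift
    # The init script must be a plain file inside INIT_DIR: a name like
    # "../../bin/sh" or an absolute path would otherwise be executed with
    # the caller's privileges (root, for the admin this is written for).
    case $svc in
        */*|.|..) echo "service: invalid service name: $svc" >&2; return 2 ;;
    esac
    if [ -x "$INIT_DIR/$svc" ]; then
        "$INIT_DIR/$svc" "$@"
    elif external rc-service >/dev/null; then
        # OpenRC's own front end also knows scripts installed outside INIT_DIR
        command rc-service "$svc" "$@"
    elif external service >/dev/null; then
        # "command" bypasses this function, so this runs the external binary
        # (e.g. the /sbin/service -> /sbin/openrc symlink) instead of recursing
        command service "$svc" "$@"
    else
        echo "service: no init script $INIT_DIR/$svc" >&2
        return 127
    fi
}
```

Because a shell function shadows anything in PATH of the same name, nothing on the system needs renaming for this to take effect, which is the point steveL makes above.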
Tony0945
Watchman
Joined: 25 Jul 2006
Posts: 5127
Location: Illinois, USA
PostPosted: Sun Oct 22, 2017 6:16 pm

steveL wrote:
You don't need to worry about any existing binary, or renaming it, as the bashrc function will take precedence.
If you want to use the external from within a wrapper function, cf: man 1p command, and: help command for a quick reminder when scripting.
Thanks for the info. I did rename the binary to tmp_service and the service command still works, as expected. Next step, when I have time, is to modify the ebuild to not even include it. IMHO, that binary should have been optional from a "service" use flag. Someday, you and I will clean up openrc as freerc or whatever. Right now, hardly any time to breathe.

My sister fell on Sep 15, spent a week in a hospital, and is still in the SNF, scheduled to come out Nov 10. I'm handling her affairs including a move and paying her bills. One more enjoyable task will be updating her notebook. It runs Winblows 8 and Comcast and Norton have done a great job of cocking it up. In frustration, I found a sale on a 320GB 7200 RPM hard drive and ordered it today.

I'll just remove her drive, put the new one in and do a clean Gentoo install. I think she'll like Mate. All she ever runs is Firefox and Thunderbird anyway. It should boot much faster (OpenRC of course) and I'll be able to administer it remotely with ssh. I have to research how to set ssh to allow my IP address only and how to login with ssh to a computer behind a router.
If she doesn't like it I'll put the old hard drive back in.

Hu
Moderator
Joined: 06 Mar 2007
Posts: 21633
PostPosted: Sun Oct 22, 2017 8:33 pm

You could use a Match Address block in sshd_config to apply different rules when the connection comes from your IP. Beware getting locked out if your IP changes, though.

For logging in behind a NAT device, you need a port forwarding from the public IP to the administered machine's ssh port.

Tony0945
Watchman
Joined: 25 Jul 2006
Posts: 5127
Location: Illinois, USA
PostPosted: Sun Oct 22, 2017 10:05 pm

Hu wrote:
You could use a Match Address block in sshd_config to apply different rules when the connection comes from your IP. Beware getting locked out if your IP changes, though.

For logging in behind a NAT device, you need a port forwarding from the public IP to the administered machine's ssh port.

Thanks, Hu. It seems like I'll have to set up port forwarding on the router at her address. If the router is like mine, there is a handy menu item for this but it allows all traffic from that port. I will (can?) add an iptables rule on the destination machine (there is only one) to reject all incoming that is not from my IP address. Yes, if my IP address changes, someone has to edit the firewall and sshd_config and restart the services. My daughter lives nearby and is familiar with Raspbian and Ubuntu, although not Gentoo. She could follow my instructions whereas it would be Achaean Greek to my sister. Then, I think, just adding a host name at her WAN IP address would let me ssh in the normal way. I'll set up a sudoers config for her (but NOT for my sister, that would be like handing a baby a loaded gun). I wouldn't even bother updating but I've seen what happens if portage gets out of date and FF and T-bird need occasional updates. If the router is versatile enough, as the DLINK Dir-655 is, I can set up a scheduled short window for logins, say one day a month.

jonathan183
Guru
Joined: 13 Dec 2011
Posts: 318
PostPosted: Mon Oct 23, 2017 12:12 am

Tony0945 wrote:
If the router is versatile enough, as the DLINK Dir-655 is, I can set up a scheduled short window for logins, say one day a month.

My approach to this sort of issue is a little different but might be worth you considering/combining ... IP address made up for the purposes of this example:-

Setup remote router
1. DHCP to allocate IP addresses starting at 192.168.1.100
2. Setup firewall rule to forward a non-standard ssh port to 192.168.1.20 and leave this rule active all the time

Setup remote PC
1. Use DHCP or some static IP other than 192.168.1.20 for normal use
2. Setup firewall to drop incoming ports except the non-standard ssh port
3. Write a script to:-
a) use static IP 192.168.1.20
b) start sshd listening on non-standard port with key based authentication
c) optionally display IP address for router - if static IP/other method is not used
4. Write a script to:-
a) return to normal IP address
b) stop sshd
5. Setup sudo to allow the user to run the scripts with the required parameters in the script only.

Then get the normal user to run the script to allow you to establish ssh when needed, including a phone call from you if necessary.

This way the normal user can let you know if there have been any issues/system misbehaving at other times, is aware you are doing an update/system admin work and can expect some delays and can be warned if shutdown/loss of system is expected.

Write some simple instruction to follow and put them on the desktop.

Have at least one system which is local setup and updated in a similar way just before you update the remote system- so you can work through any update issues locally.

You could use cron to run the script to establish the ssh connection and another to disconnect after a suitable time period, but I prefer to involve the users.

This requires fairly basic stuff from the router.

Ed: I also save the router config and show the user how to reload the router config if problems occur or it is reset by the ISP.

Tony0945
Watchman
Joined: 25 Jul 2006
Posts: 5127
Location: Illinois, USA
PostPosted: Mon Oct 23, 2017 1:02 am

Interesting. I would be making a call anyway to tell her to turn the computer on.

I would do my home updates first, so I would know if there were any portage issues or blockers. I probably would update the kernel very infrequently because the hardware is old (2013, model came out in 2012) so there are probably not any driver updates. Besides, it's a one-lung AMD E2-1800 and big builds would be very slow. I might even block Xorg and Mate updates, at least until the current builds pass out of the tree. I would like to keep up with updates on ssh, ssl, FF, and T-bird.

krinn
Watchman
Joined: 02 May 2003
Posts: 7470
PostPosted: Mon Oct 23, 2017 10:22 pm

Why not make it easy and allow any IP to use ssh, but disallow password login and only allow keys? You have to set up the host once and everyone coming without the right key will be kicked out.
You should have tons of "passwordless ssh" wikis and documents, but it's as easy as: add your key to the client's /user/.ssh/authorized_keys file and fix its /etc/ssh/sshd_config to disallow password login.

Hu
Moderator
Joined: 06 Mar 2007
Posts: 21633
PostPosted: Tue Oct 24, 2017 1:13 am

Flipping the IP address seems like unnecessary complication and disruption. I concur with krinn that authentication should require a key, never a password. If you really want extra security, keep a Netfilter rule blocking ssh active except during maintenance and let the local operator enable/disable that rule, rather than flipping the IP address. If you go that route, the "open" condition can be by IP whitelist as discussed above, rather than open to all (although in most cases, aside from log spam, open-to-all is probably safe if you require key authentication).

Tony0945
Watchman
Joined: 25 Jul 2006
Posts: 5127
Location: Illinois, USA
PostPosted: Tue Oct 24, 2017 1:22 am

Hu wrote:
Flipping the IP address seems like unnecessary complication and disruption. I concur with krinn that authentication should require a key, never a password. If you really want extra security, keep a Netfilter rule blocking ssh active except during maintenance and let the local operator enable/disable that rule, rather than flipping the IP address. If you go that route, the "open" condition can be by IP whitelist as discussed above, rather than open to all (although in most cases, aside from log spam, open-to-all is probably safe if you require key authentication).


I like this one. I can easily write a desktop app with wxwidgets that has two buttons, "Enable Remote login" and "Disable Remote login". The app should not elevate privilege but can write a zero or one into file where a root cronjob can read it.

Key authentication makes it easier for me to not worry about the password. Is it really safer than password authentication?

EDIT: A better idea. I never liked "is it soup yet?" programs.

So, pressing the button sends a one or zero to a socket. A root program launched at boot hangs a blocking read on the socket. When it gets a one, it starts the sshd daemon. When it gets a zero, it stops the daemon. No timed wake, no wasted cycles. A good embedded solution. Even with the port forwarding permanently on, an intruder can't ssh in because the daemon is down and he doesn't know about the port to enable the daemon. The port forwarding IP address doesn't change unless I get a new modem or leave the modem off for a few days. My ISP does give me the address by DHCP, but it has a long time to live and doesn't change otherwise. I've had it for years.

krinn
Watchman
Joined: 02 May 2003
Posts: 7470
PostPosted: Tue Oct 24, 2017 11:03 am

Tony0945 wrote:
Key authentication makes it easier for me to not worry about the password. Is it really safer than password authentication?

If you take the keys like they are passwords it would mean: send me a big password; if I don't have that password in my authorized_keys file you'll be kicked (it's like "normal" password usage there), then I will use that password to encrypt what I will answer to you, and you will decrypt it with another, different password (your private key).

jonathan183
Guru
Joined: 13 Dec 2011
Posts: 318
PostPosted: Tue Oct 24, 2017 5:34 pm

Just to clarify ... the method I suggested means:-
A. The destination does not have to fight off attempts to connect in any way at any time other than when you are doing updates (using screen and disconnecting could reduce the exposure time further).
B. Any other devices connected to the router don't get exposed in error.
C. I had suggested key based authentication (see 3b in the post).
D. Access to allow updates etc is actually controlled by the owner of the system. Because the user is involved you get feedback on if the system has not been working/acting in an unusual way rather than just thinking you may have been doing an update.

Running a script to set things up for the update at the remote end should be easy to do irrespective of how many steps are taken.
Having DHCP and static networks and allowing the user to select normal_use or allow ssh_and_system_update means you don't even need to do the network switch with a script.
I had previously configured the router with a normal (all incoming ports closed) and ssh allowed and got the user to switch them but dropped that in favor of having 2 network configurations on the remote machine.

The approach does not scale well ... but this is a family and few friends only type approach. Exposing systems to potential attack for the minimum time, and at random times seemed like a reasonable thing to do ... ymmv

Hu
Moderator
Joined: 06 Mar 2007
Posts: 21633
PostPosted: Wed Oct 25, 2017 1:55 am

Rather than playing games with writing flag values to a socket[1], why not just give the user permission to sudo exactly two commands: allow-maintenance and disallow-maintenance? These would then do the work of the root program in your example, without the need for a running program and probably without the need for any custom programs at all. Further, since it would be routed through sudo, it would automatically be logged by the usual logging mechanism, giving you an audit trail of when access was turned on/off.

Key authentication is vastly superior to password-based authentication. Both require the connecting system to know secret information, but since the keys are persisted to the client's storage instead of held in someone's memory, they can be far larger than a human could remember (or tolerate typing). For added security, you can password-protect the at-rest private key on the client. This is better than not protecting it, but beware that an attacker who steals an encrypted private key can bruteforce it offline, whereas an attacker who wants to bruteforce a password must do so online. On the other hand, if the attacker is stealing data off the administrator's hard drive, you have other problems, regardless of whether that data is encrypted. :)

[1] If you want to use a socket, use a local (AF_UNIX) socket for this, so that it's completely impossible for remote peers to connect, even if they know everything about how the scheme works.

jonathan183: so you did. Sorry, I missed that in the larger scheme, and remarked on it primarily because the post immediately above mine mentioned it and I wanted to emphasize that I thought it was a good idea. I should have credited both of you.
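
The pieces of that scheme in one place, as an added example and not code from any post in this thread or from any Gentoo package: Hu's two sudo-able commands (allow-maintenance / disallow-maintenance) that only flip a Netfilter rule and get logged by sudo, the key-only sshd_config that krinn and Hu recommend, and the Match Address restriction from Hu's earlier reply. Everything concrete here is assumed rather than taken from the thread: iptables as the Netfilter front end, a dedicated MAINT chain, sshd on port 22, the administrator connecting from ADMIN_ADDR (a documentation-range placeholder), an "admin" login and a local "operator" account.

```shell
#!/bin/sh
# Maintenance-window toggle for sshd. Added example; not from any post in
# this thread or from any Gentoo package. Assumed: iptables as the Netfilter
# front end, sshd on SSH_PORT, the administrator connecting from ADMIN_ADDR,
# a local account "operator" and an "admin" login. Install as
# /usr/local/sbin/maint with allow-maintenance and disallow-maintenance
# symlinked to it; IPT=echo prints the iptables calls instead of running them.
IPT=${IPT:-iptables}
SSH_PORT=${SSH_PORT:-22}
ADMIN_ADDR=${ADMIN_ADDR:-203.0.113.10}   # placeholder from the documentation range

# Rules for a dedicated MAINT chain; $1 is "open" or "closed". Established
# sessions stay accepted in both states, so an operator who runs
# disallow-maintenance mid-update does not cut the admin off: only new
# connections are refused. Nothing else is ever added to this chain.
maint_rules() {
    printf '%s\n' "-A MAINT -m conntrack --ctstate ESTABLISHED -j ACCEPT"
    if [ "$1" = open ]; then
        printf '%s\n' "-A MAINT -s $ADMIN_ADDR -p tcp --dport $SSH_PORT -j ACCEPT"
    fi
    printf '%s\n' "-A MAINT -p tcp --dport $SSH_PORT -j DROP"
}

# Create the chain and hook it into INPUT once (-C checks for the jump
# first), then flush and reload it. Only traffic to SSH_PORT enters MAINT,
# so a mistake here cannot expose any other service.
apply_rules() {
    $IPT -N MAINT 2>/dev/null || true
    $IPT -C INPUT -p tcp --dport "$SSH_PORT" -j MAINT 2>/dev/null ||
        $IPT -I INPUT 1 -p tcp --dport "$SSH_PORT" -j MAINT
    $IPT -F MAINT
    maint_rules "$1" | while IFS= read -r rule; do
        $IPT $rule   # unquoted on purpose: $rule is a whole argument list
    done
}

# sshd_config: keys only; the global "AllowUsers nobody" lets no real
# account in, and the Match block overrides it for ADMIN_ADDR only.
# Hu's caveat applies: if ADMIN_ADDR changes you are locked out until
# someone edits the file locally, so drop the Match block and the global
# AllowUsers unless the address is stable.
sshd_fragment() {
    cat <<EOF
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
AllowUsers nobody
Match Address $ADMIN_ADDR
    AllowUsers admin
    AuthenticationMethods publickey
EOF
}

# /etc/sudoers.d/maintenance (edit with visudo -f) gives the operator
# exactly these two commands; every use is logged by sudo:
#   operator ALL=(root) NOPASSWD: /usr/local/sbin/allow-maintenance, /usr/local/sbin/disallow-maintenance
case ${0##*/} in
    allow-maintenance)    apply_rules open ;;
    disallow-maintenance) apply_rules closed ;;
    print-sshd-config)    sshd_fragment ;;
esac
```

A desktop button, as Tony0945 describes, then only needs to run "sudo allow-maintenance" or "sudo disallow-maintenance"; no long-running root program and no socket are involved, and the sudo log is the audit trail Hu mentions.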
Tony0945
Watchman
Joined: 25 Jul 2006
Posts: 5127
Location: Illinois, USA
PostPosted: Wed Oct 25, 2017 2:39 am

Hu wrote:
Rather than playing games with writing flag values to a socket[1],...
Because the user is totally non-technical and cannot even use the command line. That's why I am maintaining the system. The user can barely log on to Windows and is terrified by Windows Defender constantly saying "Are you sure you want to run this program? It might be malware or spyware." referring to Firefox and Thunderbird. Apparently only IE and Windows Live Mail are considered "safe". That's why I'm doing a basic Gentoo installation with Mate and the two FF and T-bird icons on the desktop. Plus my GUI. Believe me, it's hard enough to get an old lady to click the green X or the red X.