Prof. Frink Apprentice
Joined: 07 Jan 2017 Posts: 176
|
Posted: Fri Jan 27, 2017 5:38 pm Post subject: Is it possible to start a service after user login (openrc?) |
|
|
Hey,
I'm looking for a possibility to start profile-sync-daemon (psd) after a user has logged in. It is necessary to wait for the user login, because the /home directory is encrypted and therefore profile paths are not reachable before the login and
service psd start
should be executed afterwards. Furthermore when logging out
service psd stop
should be executed.
Can this be done with openrc? Or are there other possibilities?
Thank you,
Frink |
|
markisthejob Tux's lil' helper
Joined: 04 Aug 2008 Posts: 143 Location: Cork, Republic of Ireland
|
Posted: Fri Jan 27, 2017 5:56 pm Post subject: |
|
|
If you use openrc:
Code: | /etc/init.d/psd start |
Code: | /etc/init.d/psd stop |
|
Prof. Frink Apprentice
Joined: 07 Jan 2017 Posts: 176
|
Posted: Fri Jan 27, 2017 6:17 pm Post subject: |
|
|
I want those commands to be executed automatically. Is this possible? |
|
markisthejob Tux's lil' helper
Joined: 04 Aug 2008 Posts: 143 Location: Cork, Republic of Ireland
|
Posted: Fri Jan 27, 2017 7:11 pm Post subject: |
|
|
Sorry, I misunderstood. Are you saying that
Code: | rc-update add psd default |
does not work for you?
You shouldn't need to worry about logging out as it should automatically stop.
There are many ways to start after login, so maybe someone else has a better way and can explain how to execute the command after login.
https://wiki.gentoo.org/wiki/Handbook:X86/Working/Initscripts
Last edited by markisthejob on Fri Jan 27, 2017 7:41 pm; edited 1 time in total |
|
Prof. Frink Apprentice
Joined: 07 Jan 2017 Posts: 176
|
Posted: Fri Jan 27, 2017 7:24 pm Post subject: |
|
|
No, that does not work, because as I mentioned before, the user has to log in before the job can be started, as the home directory is encrypted and paths won't be available before login. But openrc starts psd before login of the user if I add it to runlevel default. |
|
szatox Advocate
Joined: 27 Aug 2013 Posts: 3137
|
Posted: Fri Jan 27, 2017 7:29 pm Post subject: |
|
|
Add start script to .bashrc, .profile, or another file that will be loaded upon login.
Or even replace your user's shell with a script that will start that service and then exec the actual shell. |
|
toralf Developer
Joined: 01 Feb 2004 Posts: 3922 Location: Hamburg
|
Posted: Fri Jan 27, 2017 8:04 pm Post subject: |
|
|
szatox wrote: | Add start script to .bashrc, .profile, or another file that will be loaded upon login.
Or even replace your user's shell with a script that will start that service and then exec the actual shell. |
Probably sudo is needed too in such a scenario. |
|
Prof. Frink Apprentice
Joined: 07 Jan 2017 Posts: 176
|
Posted: Fri Jan 27, 2017 8:16 pm Post subject: |
|
|
szatox wrote: | Add start script to .bashrc, .profile, or another file that will be loaded upon login.
Or even replace your user's shell with a script that will start that service and then exec the actual shell. |
First the command needs root privileges and second what about the logout? The service has to be stopped before the user has logged out, because the profile directories have to be written back to the home directory before it gets encrypted again. |
|
desultory Bodhisattva
Joined: 04 Nov 2005 Posts: 9410
|
Posted: Sat Jan 28, 2017 4:56 am Post subject: |
|
|
Prof. Frink wrote: | szatox wrote: | Add start script to .bashrc, .profile, or another file that will be loaded upon login.
Or even replace your user's shell with a script that will start that service and then exec the actual shell. |
First the command needs root privileges and second what about the logout? The service has to be stopped before the user has logged out, because the profile directories have to be written back to the home directory before it gets encrypted again. |
In the former case, you could use .bash_logout, if you are using bash as your login shell, or for instance .zlogout if you are using zsh; regardless you would need to be reasonably careful regarding other potential login sessions being present when a login shell exits. In the latter case, the easiest solution would be to run the shell from within the script but to not actually use exec to do so, thereby maintaining control after the shell exits, then clean up once no other instances are running. You also, probably, need to factor .xinitrc into your considerations if you decide to use this type of approach. |
|
Roman_Gruber Advocate
Joined: 03 Oct 2006 Posts: 3846 Location: Austro Bavaria
|
Posted: Sat Jan 28, 2017 11:59 am Post subject: |
|
|
Prof. Frink wrote: | No, that does not work, because as I mentioned before, the user has to log in before the job can be started, as the home directory is encrypted and paths won't be available before login. But openrc starts psd before login of the user if I add it to runlevel default. |
Most guys encrypt the root partition without the boot partition. When you are paranoid you could hash /boot and verify it on every boot (which I leave out).
--
When you use
gentoo handbook layout
and only use lvm2 => luks => ext4 for root you will basically solve all those issues. You just need a new kernel + a new initramfs + move the data.
--
Alternatively you could check if your user has the permissions to open encryption, or give it the rights.
Or use some sort of automounter
--
When you need encryption, you should at least encrypt whole root. When you are lazy you could skip /boot.
There are some files in the system which are very sensitive and therefore encrypting root should be done, when you want encryption. |
|
Roman_Gruber Advocate
Joined: 03 Oct 2006 Posts: 3846 Location: Austro Bavaria
|
Posted: Sat Jan 28, 2017 12:02 pm Post subject: |
|
|
Prof. Frink wrote: | szatox wrote: | Add start script to .bashrc, .profile, or another file that will be loaded upon login.
Or even replace your user's shell with a script that will start that service and then exec the actual shell. |
First the command needs root privileges and second what about the logout? The service has to be stopped before the user has logged out, because the profile directories have to be written back to the home directory before it gets encrypted again. |
I disagree.
We are talking about file systems. And I assume you use luks or something else.
The files are usually written in some time period, determined by the file system and fstab.
When you use sync it is written. => Quote: | The service has to be stopped before the user has logged out, because the profile directories have to be written back to the home directory before it gets encrypted again. |
Just use the sync command and that's it before.
--
I just suggest as written before from myself, encrypt your whole root, and not only half of the sensitive data on your box! Do not forget about swap also. Do not use swap! |
|
Prof. Frink Apprentice
Joined: 07 Jan 2017 Posts: 176
|
Posted: Sat Jan 28, 2017 8:58 pm Post subject: |
|
|
desultory wrote: |
In the former case, you could use .bash_logout, if you are using bash as your login shell, or for instance .zlogout if you are using zsh; regardless you would need to be reasonably careful regarding other potential login sessions being present when a login shell exits. In the latter case, the easiest solution would be to run the shell from within the script but to not actually use exec to do so, thereby maintaining control after the shell exits, then clean up once no other instances are running. You also, probably, need to factor .xinitrc into your considerations if you decide to use this type of approach. |
Looks like this is the only solution.
Roman_Gruber wrote: |
When you use
gentoo handbook layout
and only use lvm2 => luks => ext4 for root you will basically solve all those issues. You just need a new kernel + a new initramfs + move the data.
--
Alternatively you could check if your user has the permissions to open encryption, or give it the rights.
Or use some sort of automounter
--
When you need encryption, you should at least encrypt whole root. When you are lazy you could skip /boot.
There are some files in the system which are very sensitive and therefore encrypting root should be done, when you want encryption. |
You are right, this would be the best setup and would solve the problem, but I'm too lazy to migrate.
Roman_Gruber wrote: |
I disagree.
We are talking about file systems. And I assume you use luks or something else.
The files are usually written in some time period, determined by the file system and fstab.
When you use sync it is written. =>
Quote:
The service has to be stopped before the user has logged out, because the profile directories have to be written back to the home directory before it gets encrypted again.
Just use the sync command and that's it before.
|
The problem is that I'm using an ecryptfs encrypted home directory. The home directory is decrypted when the user logs in and encrypted again when he logs out. The psd service may only read and write in between. |
|
Fitzcarraldo Advocate
Joined: 30 Aug 2008 Posts: 2034 Location: United Kingdom
|
Posted: Sat Jan 28, 2017 11:37 pm Post subject: |
|
|
I don't have an encrypted /home directory but my curiosity was piqued regarding starting a service automatically post login and stopping it automatically pre logout. Does your installation use X Windows? If you're using a Display Manager to start a Desktop Environment, you might be able to start and stop a service by using the Display Manager. For example, LightDM has the following two parameters in its configuration file:
Code: | # session-setup-script = Script to run when starting a user session (runs as root)
# session-cleanup-script = Script to run when quitting a user session (runs as root) |
I wonder if those would do what you want if you were to wrap the commands '/etc/init.d/psd start' and '/etc/init.d/psd stop' in a couple of Bash scripts and declare them in lightdm.conf:
Code: | session-setup-script = /etc/start-service.sh
session-cleanup-script = /etc/stop-service.sh |
_________________ Clevo W230SS: amd64, VIDEO_CARDS="intel modesetting nvidia".
Compal NBLB2: ~amd64, xf86-video-ati. Dual boot Win 7 Pro 64-bit.
OpenRC udev elogind & KDE on both.
Fitzcarraldo's blog |
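Combining the LightDM session hooks suggested in this post with the earlier caution about other login sessions still being open, as an added example that is not part of the thread: a root-run helper that counts sessions per user and calls `/etc/init.d/psd` only on the first login and the last logout. The script name `psd-session.sh`, `STATE_DIR`, `PSD_CMD` and the function names are assumptions, as are psd being configured for a single account and the hooks never running concurrently (no locking is done).

```shell
#!/bin/sh
# Added example: reference-counted login/logout hook for psd.
# STATE_DIR, PSD_CMD and the function names are assumptions, not from the thread.
STATE_DIR="${STATE_DIR:-/run/psd-sessions}"  # root-only; /run is cleared at boot
PSD_CMD="${PSD_CMD:-/etc/init.d/psd}"        # init script named in the thread

# Accept only plain account names so a crafted name cannot escape STATE_DIR.
valid_user() {
    case "$1" in
        ''|.*|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    return 0
}

# Print the number of open sessions recorded for user $1 (0 if none).
session_count() {
    if [ -f "$STATE_DIR/$1.count" ]; then cat "$STATE_DIR/$1.count"; else echo 0; fi
}

# Called at login: start psd only for the first session of this user.
session_open() {
    valid_user "$1" || return 2
    mkdir -p "$STATE_DIR" || return 1
    chmod 700 "$STATE_DIR" || return 1
    n=$(( $(session_count "$1") + 1 ))
    echo "$n" > "$STATE_DIR/$1.count" || return 1
    if [ "$n" -eq 1 ]; then "$PSD_CMD" start || return 1; fi
    return 0
}

# Called at logout: stop psd only when the last session of this user ends.
session_close() {
    valid_user "$1" || return 2
    n=$(session_count "$1")
    [ "$n" -gt 0 ] || return 0           # nothing recorded: never stop blindly
    n=$(( n - 1 ))
    if [ "$n" -eq 0 ]; then
        rm -f "$STATE_DIR/$1.count"
        "$PSD_CMD" stop || return 1
    else
        echo "$n" > "$STATE_DIR/$1.count" || return 1
    fi
    return 0
}

# Usage from a root-run hook: psd-session.sh open|close <user>
case "${1:-}" in
    open)  session_open "${2:-}" ;;
    close) session_close "${2:-}" ;;
esac
```

The two wrapper scripts declared in lightdm.conf would call this as `psd-session.sh open <user>` and `psd-session.sh close <user>`; because all three run as root, keep them root-owned and not writable by the logged-in user.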
|
Hu Moderator
Joined: 06 Mar 2007 Posts: 21635
|
Posted: Sat Jan 28, 2017 11:41 pm Post subject: |
|
|
Strictly speaking, if eCryptFS actually decrypted your home directory on each login, that would be a huge security hole. What would happen if the machine crashed while the user was logged in? As I understand it, what actually happens is that the home directory remains encrypted, but a mutable view of the decrypted home directory is made available when the eCryptFS is opened and is removed when it is closed. Under this model, if eCryptFS had a hook that it runs at close time, you could use that to stop the service. |
|