Issue with users home on NFS with rootsquash option

zeltron80

Hi,

System : Ubuntu Mate 18-04
Veyon version : 4.1.91 (same issue with 4.1.7)

Since 4.1 version, Veyon has full systemd support, and works totally differently from previous linux versions (see : https://veyon.io/blog/2018/04/09/systemd-support/).

And since this changes, I can't get veyon working, as my users homes are on an NFS server, with rootsquash export option activated, and so, local root account on PCs doesn't have any rights on users homes.

When a user's session starts, veyon needs to "do something" in user's home, as root user, and it fails.

My question is about this "do something" :
What does veyon need to have access to in user's home ? It seems it doesn't need to write (I didn't notice any new file in user's home when it works).
I think, maybe, it needs to read the .Xauthority file ?

Could you explain to me what veyon needs to do, so I can try to fix this issue in my configuration ? (no_root_squash for nfs is not an option, because of security risks).

Thanks
ET

zeltron80

Hi,

Exploring this issue further, I can know exactly say what keeps veyon from working in this case :
Veyon needs to read the .Xauthority file in user's home :
I just made :

chmod o+x /home/testuser/.Xauthority

and it works back.
But it's not a great idea for security, of course.

I don't have any idea of veyon's code, but maybe it wouldn't be too difficult to modify the veyon service launching scenario to avoid this issue (as veyon worker runs as user and can communicate with service/server, I suppose)...

Just a suggestion, of course, unless, maybe someone sees another solution...

Regards,
ET

zeltron80

Hi again,

Maybe another solution for me would be to launch veyon service through /etx/xdg/autostart
To test that, I'd need the command which I need to launch (via Dbus, I guess ?)

I looked in code, but couldn't find where it takes place...

zeltron80

Hi,

Anybody could give me a lead to follow up ?
I really need to make it work, and I think I'm not far from it, but I just need to understand a little more precisely how it works to find a fix.

If a (the?) dev is passing by...

Thanks
ET

Guenos

Hello,

I make a comment so that you do not feel alone, I come here regularly but I know nothing Linux so I can not help you and I start on this software.

Good luck !

zeltron80

@Guenos
Thanks for your support

In fact, I hope tobydox will find time soon to make a little visit on the forum.
It seems he is a little bit alone in veyon development, and the veyon community is not developed enough yet to help him for support.
I try to help sometimes, but like you, I'm not veyon-pro enough to help on most of the posts.

Regards
ET

tobydox

Hi @zeltron80
thanks for investigating this issue! Indeed there can be small problems if the home directory is not accessible by root, e.g. on network shares where access is managed through tokens or keyrings. So when veyon-services launches veyon-server as root the veyon-server process is not able to access the X session of the user as it needs to read the Xauthority file as you've figured out correctly So you can either adjust permissions such that root can read this file (you won't need world access for this) or launch veyon-server (no additional parameters required) manually through a desktop file in /etc/xdg/autostart. Hope that helps!
Best regards

zeltron80

@tobydox
Thanks for your answer...
I already tried to launch veyon-server with a desktop file in /etc/xdg/autostart, but it asks for the root password, and I'm not about to give root passwords to my users
Anyway, even if I type it, the server doesn't launch, and it doesn't work better.
I hoped there could be a way through dbus : As veyon-server and veyon-service are root processes, I thought the process at session's start were launched as user through dbus.
Using a dbus command, it would then be (maybe) possible to make it work.
I don't understand what is the start session's scheme : As I see a veyon-worker user process, I imagined, veyon-service and server were launch through it ?

Regards
ET

tobydox

@zeltron80 I really wonder why it asks for the root password. veyon-server is a simple userspace program which does not require any special privileges - it's only run as root by veyon-service in order to prevent users from killing it . Have you disabled the veyon-service? I'm not familar with dbus when it comes to launch services so I can't help you on this specific topic. Are you using keyfile or logon authentication?

zeltron80

@tobydox

Ok, I just tried again, and you're right : veyon-server starts well when launch through /etc/xdg/autostart.

I tried so many things, I forgot this

Maybe because I red this was not a good idea that users may kill veyon-server process.
But it's not really a problem in my case.

Thank you for your work

Regards
ET

tobydox

Still it's great that it works now! Next time we'll find a solution more quickly

zeltron80

@tobydox
No problem, you can't be on dev and forum at the same time
Your job is really helpful for a lot of people, thanks for that.

I'd like to be more useful here on the forum, but not "good" enough yet with veyon to help much people.

Regards
ET