Issue with users home on NFS with rootsquash option
-
Hi,
System : Ubuntu Mate 18-04
Veyon version : 4.1.91 (same issue with 4.1.7)Since 4.1 version, Veyon has full systemd support, and works totally differently from previous linux versions (see : https://veyon.io/blog/2018/04/09/systemd-support/).
And since this changes, I can't get veyon working, as my users homes are on an NFS server, with rootsquash export option activated, and so, local root account on PCs doesn't have any rights on users homes.
When a user's session starts, veyon needs to "do something" in user's home, as root user, and it fails.
My question is about this "do something" :
What does veyon need to have access to in user's home ? It seems it doesn't need to write (I didn't notice any new file in user's home when it works).
I think, maybe, it needs to read the .Xauthority file ?Could you explain to me what veyon needs to do, so I can try to fix this issue in my configuration ? (no_root_squash for nfs is not an option, because of security risks).
Thanks
ET -
Hi,
Exploring this issue further, I can know exactly say what keeps veyon from working in this case :
Veyon needs to read the .Xauthority file in user's home :
I just made :chmod o+x /home/testuser/.Xauthority
and it works back.
But it's not a great idea for security, of course.I don't have any idea of veyon's code, but maybe it wouldn't be too difficult to modify the veyon service launching scenario to avoid this issue (as veyon worker runs as user and can communicate with service/server, I suppose)...
Just a suggestion, of course, unless, maybe someone sees another solution...
Regards,
ET -
@Guenos
Thanks for your supportIn fact, I hope tobydox will find time soon to make a little visit on the forum.
It seems he is a little bit alone in veyon development, and the veyon community is not developed enough yet to help him for support.
I try to help sometimes, but like you, I'm not veyon-pro enough to help on most of the posts.Regards
ET -
Hi @zeltron80
thanks for investigating this issue! Indeed there can be small problems if the home directory is not accessible byroot
, e.g. on network shares where access is managed through tokens or keyrings. So whenveyon-services
launchesveyon-server
as root theveyon-server
process is not able to access the X session of the user as it needs to read the Xauthority file as you've figured out correctly So you can either adjust permissions such thatroot
can read this file (you won't need world access for this) or launchveyon-server
(no additional parameters required) manually through a desktop file in/etc/xdg/autostart
. Hope that helps!
Best regards -
@tobydox
Thanks for your answer...
I already tried to launch veyon-server with a desktop file in /etc/xdg/autostart, but it asks for the root password, and I'm not about to give root passwords to my users
Anyway, even if I type it, the server doesn't launch, and it doesn't work better.
I hoped there could be a way through dbus : As veyon-server and veyon-service are root processes, I thought the process at session's start were launched as user through dbus.
Using a dbus command, it would then be (maybe) possible to make it work.
I don't understand what is the start session's scheme : As I see a veyon-worker user process, I imagined, veyon-service and server were launch through it ?Regards
ET -
@zeltron80 I really wonder why it asks for the root password.
veyon-server
is a simple userspace program which does not require any special privileges - it's only run as root by veyon-service in order to prevent users from killing it . Have you disabled theveyon-service
? I'm not familar with dbus when it comes to launch services so I can't help you on this specific topic. Are you using keyfile or logon authentication? -
Ok, I just tried again, and you're right : veyon-server starts well when launch through /etc/xdg/autostart.
I tried so many things, I forgot this
Maybe because I red this was not a good idea that users may kill veyon-server process.
But it's not really a problem in my case.Thank you for your work
Regards
ET -
@tobydox
No problem, you can't be on dev and forum at the same time
Your job is really helpful for a lot of people, thanks for that.I'd like to be more useful here on the forum, but not "good" enough yet with veyon to help much people.
Regards
ET