Issue with users home on NFS with rootsquash option
-
Hi,
System : Ubuntu Mate 18-04
Veyon version : 4.1.91 (same issue with 4.1.7)Since 4.1 version, Veyon has full systemd support, and works totally differently from previous linux versions (see : https://veyon.io/blog/2018/04/09/systemd-support/).
And since this changes, I can't get veyon working, as my users homes are on an NFS server, with rootsquash export option activated, and so, local root account on PCs doesn't have any rights on users homes.
When a user's session starts, veyon needs to "do something" in user's home, as root user, and it fails.
My question is about this "do something" :
What does veyon need to have access to in user's home ? It seems it doesn't need to write (I didn't notice any new file in user's home when it works).
I think, maybe, it needs to read the .Xauthority file ?Could you explain to me what veyon needs to do, so I can try to fix this issue in my configuration ? (no_root_squash for nfs is not an option, because of security risks).
Thanks
ET -
Hi,
Exploring this issue further, I can know exactly say what keeps veyon from working in this case :
Veyon needs to read the .Xauthority file in user's home :
I just made :chmod o+x /home/testuser/.Xauthorityand it works back.
But it's not a great idea for security, of course.I don't have any idea of veyon's code, but maybe it wouldn't be too difficult to modify the veyon service launching scenario to avoid this issue (as veyon worker runs as user and can communicate with service/server, I suppose)...
Just a suggestion, of course, unless, maybe someone sees another solution...
Regards,
ET -
Hello,
I make a comment so that you do not feel alone, I come here regularly but I know nothing Linux so I can not help you and I start on this software.
Good luck !
@Guenos
Thanks for your support
In fact, I hope tobydox will find time soon to make a little visit on the forum.
It seems he is a little bit alone in veyon development, and the veyon community is not developed enough yet to help him for support.
I try to help sometimes, but like you, I'm not veyon-pro enough to help on most of the posts.Regards
ET -
Hi @zeltron80
thanks for investigating this issue! Indeed there can be small problems if the home directory is not accessible byroot, e.g. on network shares where access is managed through tokens or keyrings. So whenveyon-serviceslaunchesveyon-serveras root theveyon-serverprocess is not able to access the X session of the user as it needs to read the Xauthority file as you've figured out correctly So you can either adjust permissions such that rootcan read this file (you won't need world access for this) or launchveyon-server(no additional parameters required) manually through a desktop file in/etc/xdg/autostart. Hope that helps!
Best regards -
Hi @zeltron80
thanks for investigating this issue! Indeed there can be small problems if the home directory is not accessible byroot, e.g. on network shares where access is managed through tokens or keyrings. So whenveyon-serviceslaunchesveyon-serveras root theveyon-serverprocess is not able to access the X session of the user as it needs to read the Xauthority file as you've figured out correctly So you can either adjust permissions such that rootcan read this file (you won't need world access for this) or launchveyon-server(no additional parameters required) manually through a desktop file in/etc/xdg/autostart. Hope that helps!
Best regards@tobydox
Thanks for your answer...
I already tried to launch veyon-server with a desktop file in /etc/xdg/autostart, but it asks for the root password, and I'm not about to give root passwords to my users
Anyway, even if I type it, the server doesn't launch, and it doesn't work better.
I hoped there could be a way through dbus : As veyon-server and veyon-service are root processes, I thought the process at session's start were launched as user through dbus.
Using a dbus command, it would then be (maybe) possible to make it work.
I don't understand what is the start session's scheme : As I see a veyon-worker user process, I imagined, veyon-service and server were launch through it ?Regards
ET -
@zeltron80 I really wonder why it asks for the root password.
veyon-serveris a simple userspace program which does not require any special privileges - it's only run as root by veyon-service in order to prevent users from killing it . Have you disabled theveyon-service? I'm not familar with dbus when it comes to launch services so I can't help you on this specific topic. Are you using keyfile or logon authentication? -
@zeltron80 I really wonder why it asks for the root password.
veyon-serveris a simple userspace program which does not require any special privileges - it's only run as root by veyon-service in order to prevent users from killing it . Have you disabled theveyon-service? I'm not familar with dbus when it comes to launch services so I can't help you on this specific topic. Are you using keyfile or logon authentication?Ok, I just tried again, and you're right : veyon-server starts well when launch through /etc/xdg/autostart.
I tried so many things, I forgot this
Maybe because I red this was not a good idea that users may kill veyon-server process.
But it's not really a problem in my case.Thank you for your work
Regards
ET -