hitch-1.5.1 won't run workers as user hitch, even when explicitly set #322

Closed
ingvarha opened this issue Nov 26, 2019 · 6 comments
Comments

@ingvarha

Platform: Fedora 30/x86_64
Hitch won't start when called as root, even when worker user is explicitly configured

Example run:
root# hitch --version; hitch -u hitch -g hitch -L 2 default.example.com.pem
hitch 1.5.1
20191127T004027.155239 [24633] {core} hitch 1.5.1 starting
20191127T004027.155457 [24633] {core} Using OpenSSL version 1010104f.
20191127T004027.160547 [24633] {core} Listening on 0.0.0.0:8443
20191127T004027.160628 [24633] {core} Listening on [::]:8443
20191127T004027.160643 [24633] {core} Loading certificate pem files (1)
20191127T004027.161955 [24633] {core} Using DH parameters from default.example.com.pem
20191127T004027.161983 [24633] {core} DH initialized with 1024 bit key
20191127T004027.162084 [24633] {core} ECDH Initialized with NIST P-256
20191127T004027.162274 [24633] {core} ERROR: Refusing to run workers as root, unless user and group is explicitly set to root.

This used to work with hitch-1.5.0:
[root@nohup ~]# hitch --version; hitch -u hitch -g hitch -L 2 default.example.com.pem
hitch 1.5.0

20191127T004127.922584 [24850] {core} hitch 1.5.0 starting
20191127T004127.922619 [24850] {core} Using OpenSSL version 1010104f.
20191127T004127.924167 [24850] {core} Listening on 0.0.0.0:8443
20191127T004127.924192 [24850] {core} Listening on [::]:8443
20191127T004127.924196 [24850] {core} Loading certificate pem files (1)
20191127T004127.924672 [24850] {core} Using DH parameters from default.example.com.pem
20191127T004127.924681 [24850] {core} DH initialized with 1024 bit key
20191127T004127.924726 [24850] {core} ECDH Initialized with NIST P-256
20191127T004127.924936 [24850] {core} hitch 1.5.0 initialization complete
20191127T004127.924966 [24851] {core} Process 0 online
20191127T004127.925074 [24851] {core} Successfully attached to CPU #0
20191127T004127.925083 [24852] {ocsp} Note: No OCSP responder URI found for cert default.example.com.pem

root# pgrep hitch | xargs ps -o pid,user,command -p
PID USER COMMAND
24850 root hitch -u hitch -g hitch -L 2 default.example.com.pem
24851 hitch hitch -u hitch -g hitch -L 2 default.example.com.pem
24852 hitch hitch -u hitch -g hitch -L 2 default.example.com.pem

Note that when starting as a non-privileged user, hitch-1.5.1 will actually try to start, and may succeed if it does not need to bind to privileged ports:

root# hitch --version; su - hitch -s /bin/sh -c "hitch -L 2 default.example.com.pem"
hitch 1.5.1
20191127T005040.406259 [25940] {core} hitch 1.5.1 starting
20191127T005040.406295 [25940] {core} Using OpenSSL version 1010104f.
20191127T005040.407678 [25940] {core} Listening on 0.0.0.0:8443
20191127T005040.407701 [25940] {core} Listening on [::]:8443
20191127T005040.407704 [25940] {core} Loading certificate pem files (1)
20191127T005040.408090 [25940] {core} Using DH parameters from default.example.com.pem
20191127T005040.408097 [25940] {core} DH initialized with 1024 bit key
20191127T005040.408131 [25940] {core} ECDH Initialized with NIST P-256
20191127T005040.408324 [25940] {core} hitch 1.5.1 initialization complete
20191127T005040.408311 [25985] {core} Process 0 online
20191127T005040.408440 [25986] {ocsp} Note: No OCSP responder URI found for cert default.example.com.pem
20191127T005040.408475 [25985] {core} Successfully attached to CPU #0

@ingvarha
Author

Reverting 55b2f62 does, not surprisingly, circumvent the problem.

@ingvarha
Author

It is actually enough to revert just the change in main, so I may add this patch, and it will run as expected:

@ingvarha
Author

foo.patch.txt

@ingvarha
Author

This is hitch-1.5.1 running with the patch above:

root# hitch --version; hitch -L 1 default.example.com.pem
hitch 1.5.1
20191127T012833.656040 [11268] {core} hitch 1.5.1 starting
20191127T012833.658222 [11268] {core} Loading certificate pem files (1)
20191127T012833.658664 [11268] {core} ERROR: Refusing to run workers as root.

root# hitch --version; hitch -u hitch -L 1 default.example.com.pem
hitch 1.5.1
20191127T012856.056718 [11275] {core} hitch 1.5.1 starting
20191127T012856.058142 [11275] {core} Loading certificate pem files (1)
20191127T012856.058597 [11275] {core} hitch 1.5.1 initialization complete
20191127T012856.058617 [11276] {core} Process 0 online

root# hitch --version; hitch -u root -L 1 default.example.com.pem
hitch 1.5.1
20191127T012909.497039 [11285] {core} hitch 1.5.1 starting
20191127T012909.498672 [11285] {core} Loading certificate pem files (1)
20191127T012909.499553 [11285] {core} hitch 1.5.1 initialization complete
20191127T012909.499550 [11286] {core} Process 0 online
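
The worker-user policy that the three patched-1.5.1 runs above exhibit (no -u as root: refuse; -u hitch: run; -u root: run), written out as an added example in C. This is not hitch's code: the function names, the resolved uid 998 standing in for the hitch account, and the privilege-drop sequence are this example's own assumptions.

```c
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

enum verdict { WORKERS_OK = 0, REFUSE_IMPLICIT_ROOT = 1 };

/* user_opt: the -u value as typed, or NULL when -u was not given.
 * target_uid: the uid the workers would actually run as (resolved -u user,
 * name lookup assumed done by the caller; the master's euid when -u is absent). */
enum verdict check_worker_user(const char *user_opt, uid_t target_uid)
{
    int explicit_root = user_opt != NULL && strcmp(user_opt, "root") == 0;

    /* Decide on where the workers WILL run, not on who the master is now:
     * a root master started with -u hitch passes; root with no -u is refused. */
    if (target_uid == 0 && !explicit_root)
        return REFUSE_IMPLICIT_ROOT;
    return WORKERS_OK;
}

/* What a forked worker does when the master is root: supplementary groups,
 * then gid, then uid (setgid is no longer permitted after setuid), then a
 * check that the drop is irreversible. Returns 0 on success, -1 with errno. */
int drop_privs(uid_t uid, gid_t gid)
{
    if (geteuid() != 0)
        return 0;                  /* already unprivileged, nothing to do */
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (uid != 0 && setuid(0) == 0) {  /* regaining root must now fail */
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed inputs mirroring the three invocations above, all run by
     * root; uid 998 is an assumed value for the hitch account. */
    printf("no -u    : %s\n", check_worker_user(NULL, 0) ? "refuse" : "ok");
    printf("-u hitch : %s\n", check_worker_user("hitch", 998) ? "refuse" : "ok");
    printf("-u root  : %s\n", check_worker_user("root", 0) ? "refuse" : "ok");
    return 0;
}
```

The decision has to be made on the resolved target uid; a check made on the master's own euid refuses every root-started invocation, which is exactly the symptom the 1.5.1 log above shows.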

@rezan

rezan commented Nov 27, 2019

Are you testing from source or package?

We have already pulled the 1.5.1 packages due to this bug. And yes, the commit you have pointed out is what broke things. So removing it should resolve the issue. We should have this officially patched soon.

@daghf daghf closed this as completed in dedfa54 Nov 27, 2019
@daghf
Member

daghf commented Nov 27, 2019

Thanks a lot @ingvarha - I've applied your fix now. Looks like 1.5.1 will be a very short-lived release - I'll roll 1.5.2 immediately.

netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this issue May 17, 2020
hitch-1.5.2 (2019-11-27)
------------------------

* Fix a problem introduced in the previous release that prevented us
  from running as a non-privileged user (Issue: 322_).

.. _322: varnish/hitch#322


hitch-1.5.1 (2019-11-26)
------------------------

* Support for TCP Fast Open. It is disabled by default (Issue: 185_)
* Various code cleanups and minor bug fixes.

.. _185: varnish/hitch#185