
Bug#931366: krb5-admin-server nor krb5-kdc service cannot write their log files



Package: src:krb5
Severity: important
Version: 1.17-3
User: debian-edu@lists.debian.org
Usertags: debian-edu
X-Debbugs-Cc: debian-edu@lists.debian.org

Hi Sam et al,

When restarting krb5-kdc or krb5-admin-server on a fresh Debian Edu buster main server, I see the following log lines in syslog:

Jul 3 11:08:16 tjener krb5kdc[22684]: Couldn't open log file /var/log/kdc.log: Das Dateisystem ist nur lesbar
[...]
Jul 3 11:10:06 tjener kadmind[23272]: Couldn't open log file /var/log/krb5.log: Das Dateisystem ist nur lesbar

(Translation: Das Dateisystem ist nur lesbar: The file system is read-only)

As expected by the error message, no log output gets produced.

The following two systemd service file patches fix the issue (appending /var/log to ReadWriteDirectories= key):

```
root@tjener:~/fixes-buster# diff -u krb5-admin-server.service.orig krb5-admin-server.service
--- krb5-admin-server.service.orig	2019-07-03 11:26:51.607417138 +0200
+++ krb5-admin-server.service	2019-07-03 11:25:37.843418670 +0200
@@ -8,7 +8,7 @@
 EnvironmentFile=-/etc/default/krb5-admin-server
 InaccessibleDirectories=-/etc/ssh -/etc/ssl/private  /root
 ReadOnlyDirectories=/
-ReadWriteDirectories=-/var/tmp /tmp /var/lib/krb5kdc -/var/run /run
+ReadWriteDirectories=-/var/tmp /tmp /var/lib/krb5kdc -/var/run /run /var/log
 CapabilityBoundingSet=CAP_NET_BIND_SERVICE
 Restart=on-abnormal

```
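Review bot: The /var/log entry appended to ReadWriteDirectories= makes the whole log directory writable for kadmind, although the syslog message only concerns /var/log/krb5.log. With ReadOnlyDirectories=/ as this unit's baseline, a dedicated log subdirectory listed here (and the log path pointed at it wherever it is configured) would keep the daemon from being able to modify other services' logs.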

```
root@tjener:~/fixes-buster# diff -u krb5-kdc.service.orig krb5-kdc.service
--- krb5-kdc.service.orig	2019-07-03 11:26:57.275417080 +0200
+++ krb5-kdc.service	2019-07-03 11:25:45.183417900 +0200
@@ -10,7 +10,7 @@
 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5-kdc.pid $DAEMON_ARGS
 InaccessibleDirectories=-/etc/ssh -/etc/ssl/private  /root
 ReadOnlyDirectories=/
-ReadWriteDirectories=-/var/tmp /tmp /var/lib/krb5kdc -/var/run /run
+ReadWriteDirectories=-/var/tmp /tmp /var/lib/krb5kdc -/var/run /run /var/log
 CapabilityBoundingSet=CAP_NET_BIND_SERVICE
 Restart=on-abnormal


```
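Review bot: The new ReadWriteDirectories= line hard-codes the assumption that krb5kdc logs under /var/log, and nothing in the unit says so. Add a comment next to the directive naming the log file it exists for (/var/log/kdc.log in the syslog message), so that a site logging elsewhere knows this is the line to adjust rather than hitting the same read-only error again.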

Can you make sure that these fixes make it into Debian 10.1? Thanks,
Mike
--

DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 486 14 27

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
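
As an added example (not part of the original report or of the krb5 packaging): a small Python check that reads the path-sandboxing directives of a unit and reports whether a log path ends up read-only or writable, using the directive lines from the krb5-kdc.service diff as constructed input. It assumes a simplified model in which the longest listed path containing the target decides and symlinks are not resolved; the function names are hypothetical.

```python
import posixpath

# Legacy directive names (used in the units above) and their modern aliases.
MODES = {
    "ReadOnlyDirectories": "ro", "ReadOnlyPaths": "ro",
    "ReadWriteDirectories": "rw", "ReadWritePaths": "rw",
    "InaccessibleDirectories": "none", "InaccessiblePaths": "none",
}

def sandbox_rules(unit_text):
    """Return [(path, mode)] for every path-sandboxing directive in a unit."""
    rules = []
    for line in unit_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if not sep or key not in MODES:
            continue
        for entry in value.split():
            path = posixpath.normpath(entry.lstrip("-+"))  # drop "-"/"+" prefixes
            rules.append((path, MODES[key]))
    return rules

def access_for(unit_text, target):
    """Simplified model: the longest listed path containing target decides."""
    target = posixpath.normpath(target)
    best = ("", "rw")  # no directive matched: the path is not restricted
    for path, mode in sandbox_rules(unit_text):
        inside = path == "/" or target == path or target.startswith(path + "/")
        if inside and len(path) > len(best[0]):
            best = (path, mode)
    return best[1]

# Constructed sample: the directive lines shown in the krb5-kdc.service diff.
BEFORE = """\
InaccessibleDirectories=-/etc/ssh -/etc/ssl/private  /root
ReadOnlyDirectories=/
ReadWriteDirectories=-/var/tmp /tmp /var/lib/krb5kdc -/var/run /run
"""
AFTER = BEFORE.replace("/run\n", "/run /var/log\n")

if __name__ == "__main__":
    for name, unit in (("before", BEFORE), ("after", AFTER)):
        for log in ("/var/log/kdc.log", "/var/log/krb5.log"):
            print(name, log, access_for(unit, log))
```

Running the same check against every log path configured for the daemons shows, before a restart, whether a unit change leaves any of them read-only.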
