Help with removing root user

Postby ralyon » Fri Sep 02, 2011 4:34 am

I just saw the new release and the first thing I did was read the change log from 4.4 up. I got excited when I saw that it was no longer running as root and then disappointed when I saw it returned. I have been running as a subsonic user for about a year myself and I'm hoping I can help to resolve the problems people had with leaving the root user behind. I wanted to start a new thread since the issues I have found seem to be mixed with other topics and I think it would be easier to work on this problem separately.

One of the problems I saw was updating album covers. I run into this problem myself on occasion if I copy a new folder into my music folder. The permissions follow the folder which has my user and group listed on it. Check the User and Group owners of the folder and then pick one of the 4 ways to fix this, substitute words in all caps for your info:

1. Change the user to subsonic "sudo chown -R subsonic FOLDER" and make sure it has write permissions "sudo chmod -R u+rw FOLDER"
2. Add the subsonic user to the group that owns the files "sudo adduser subsonic GROUP", and make sure the group can write "sudo chmod -R g+rw FOLDER"
3. Change the group to one subsonic is already a member "sudo chgrp -R GROUP FOLDER", and make sure the group can write "sudo chmod -R g+rw FOLDER"
4. Give everyone write access "sudo chmod -R a+rw FOLDER"

In my case, since my music is already in my mythtv directory, I chose method 2, added subsonic to the mythtv group and made sure the group has write access. The "-R" stands for recursive, which sets the options for all the subfolders and files.

The second issue I saw was accessing USB drives and using https. I believe this could be fixed with the correct groups. Can anyone who had this problem list the groups that subsonic is a member of "groups subsonic"? I'm thinking adding subsonic to the plugdev group may fix this. If not, a good way to test would be to add subsonic to all the groups, then remove them one at a time until it no longer works. I'll try and create this situation and test when I get some time.

The last issue I saw was not being able to create https/ssl while running as subsonic. I'm not sure a group permission would resolve this, but it would probably be the www-data group if so. This might take modifying some code or script to initiate the https/ssl as root separately from running the subsonic thread.

Imho, https adds extra processing where it is not needed. I personally use 3 levels of passwords: complex for computer logins/email accounts, moderate for social sites/IMs and simple passwords for things I'm not worried too much about, like forums. I use an admin account for modifying users and settings in subsonic with a complex password that I rarely log in with and usually only on my LAN, then a simple password for my daily account which can play and download music only. If you crack my simple password the worst you could do is mess up my playlists, but good luck cracking my admin account. That's just my preference though.

Please bring any other issues you have had with the 4.4 beta2 on Linux as well and hopefully we can help to create a root-free subsonic!
ralyon
 
Posts: 4
Joined: Thu Sep 09, 2010 1:09 pm
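
To see which files are actually blocking the subsonic account before picking one of the four fixes in the post above, the following added example (not part of the original post) lists every path under a folder that a given UID and group list cannot write. The function names and demo files are hypothetical, and it assumes a Linux `stat -c` and judges by mode bits only.

```shell
#!/bin/sh
# Added example: list everything under a music folder that a service account
# cannot write, judged from owner/group/other mode bits only (ACLs ignored).

# not_writable_by DIR UID "GID GID ..." -> one path per line
not_writable_by() {
    find "$1" -exec stat -c '%u %g %a %n' {} + |
    awk -v uid="$2" -v gids=" $3 " '
        function wbit(d) { return int(d / 2) % 2 }   # write bit of one octal digit
        {
            m = substr("000" $3, length("000" $3) - 2)    # last three octal digits
            path = substr($0, length($1 $2 $3) + 4)
            # Unix picks exactly one class: owner, else group, else other.
            if ($1 == uid)                     ok = wbit(substr(m, 1, 1))
            else if (index(gids, " " $2 " "))  ok = wbit(substr(m, 2, 1))
            else                               ok = wbit(substr(m, 3, 1))
            if (!ok) print path
        }'
}

# Constructed demo tree: a folder copied in by a desktop user (hypothetical files).
make_demo_tree() {
    d=$(mktemp -d) && chmod 755 "$d"
    touch "$d/cover.jpg" "$d/track.mp3"
    chmod 664 "$d/cover.jpg"; chmod 644 "$d/track.mp3"
    echo "$d"
}

# Real use, with the account from the thread:
#   not_writable_by /var/music "$(id -u subsonic)" "$(id -G subsonic)"
```

An empty result means the group-based methods (2 or 3) are already sufficient and method 4's world-writable bits are not needed.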

Re: Help with removing root user

Postby jarome » Sat Oct 08, 2011 2:16 pm

It sounds as if you are on Ubuntu. I am quite concerned with running as root on OpenSUSE.
How do you change the startup script to run as some other user?

I tried changing the owner of my /var/subsonic folder (and its files), but it would not start. But there are also files in /usr/share/subsonic. I just did this again, following the above, and it seems to work-- subsonic starts.

How do I tell if the process is or is not running as root?
jarfx:/var # ps -lae | grep 12470
0 S 0 12470 1 1 80 0 - 134050 futex_ pts/8 00:00:32 java

This is a critical security issue, and the RPMs should do the necessary things to get rid of the root user.
jarome
 
Posts: 88
Joined: Sat Apr 16, 2011 2:53 am

Re: Help with removing root user

Postby ralyon » Mon Oct 10, 2011 4:10 am

Code:
ps -ef | grep subsonic

The first column is the owner of the process.

To change the process owner, first add this line to the end of your /etc/default/subsonic file:
Code:
RUNAS_USER=subsonic

Then in the /etc/init.d/subsonic change the startup command to this:
Code:
    touch $PIDFILE
    chown $RUNAS_USER $PIDFILE

    start-stop-daemon --start --chuid $RUNAS_USER --pidfile $PIDFILE --exec $DAEMON -- $DAEMON_ARGS || return 2


Also make sure before you start up subsonic again that you delete or chown the /tmp/subsonic folder and contents or it won't start as well. I believe all the folder locations should be the same.
ralyon
 
Posts: 4
Joined: Thu Sep 09, 2010 1:09 pm
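
A stricter version of the process-owner check discussed above, as an added example that is not part of the original posts: `ps` shows one user column, while `/proc/PID/status` on Linux lists the real, effective, saved and filesystem IDs, so a process that only changed its effective UID is still caught. The function names and the sample status files are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm a daemon has fully dropped root by reading the
# Uid:/Gid: lines of /proc/PID/status (Linux). Each line carries four IDs:
# real, effective, saved, filesystem. A 0 in any slot means root is still held
# or can be regained.

# ids_all_nonroot STATUS_FILE -> prints a verdict; returns 0 only if no ID is 0
ids_all_nonroot() {
    awk '
        BEGIN { split("real effective saved fs", slot, " ") }
        $1 == "Uid:" || $1 == "Gid:" {
            seen++
            for (i = 2; i <= 5; i++)
                if ($i == "0") bad = bad " " $1 slot[i - 1]
        }
        END {
            if (seen != 2) { print "unreadable"; exit 2 }
            if (bad != "") { print "root:" bad; exit 1 }
            print "dropped"
        }' "$1"
}

# check_pid PID -> same verdict for a live process
check_pid() {
    ids_all_nonroot "/proc/$1/status"
}

# Constructed samples (not captured from a real system): a daemon started as
# an unprivileged user, and one that only switched its effective UID.
SAMPLE_DIR=$(mktemp -d)
printf 'Name:\tjava\nUid:\t1001\t1001\t1001\t1001\nGid:\t1001\t1001\t1001\t1001\n' \
    > "$SAMPLE_DIR/dropped"
printf 'Name:\tjava\nUid:\t0\t1001\t0\t1001\nGid:\t1001\t1001\t1001\t1001\n' \
    > "$SAMPLE_DIR/partial"

ids_all_nonroot "$SAMPLE_DIR/dropped"
ids_all_nonroot "$SAMPLE_DIR/partial" || echo "-> process can still act as root"
```

For a running server, pass the PID from the PID file, for example `check_pid "$(cat "$PIDFILE")"`.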

Re: Help with removing root user

Postby jarome » Mon Oct 10, 2011 12:41 pm

That does not work in OpenSUSE. There is no start-stop-daemon, and there was no subsonic file in /etc/default. I put RUNAS_USER in the script header.

There is start_daemon and start_proc:

startproc [-fLves] [[-n ]+/-<prio>] [-(t|T) <sec>] [-u user] [-g group]
[-l log_file|-q|-d] [-p pid_file] [-i ignore_file] [-c root] [-(w|W <file list>)]
/path/to/executable [arguments for executable]

start_daemon [-fLve] [-n +/-<prio>] [-u user] [-g group] [-l log_file|-q|-d] [-p pid_file]
[-i ignore_file] [-c root] /path/to/executable [arguments for executable]

SYNOPSIS LSB 3.1
start_daemon [-f] [-n +/-<prio>] /path/to/executable [arguments for executable]
--------------------
I tried

Code:
do_start()
{
    # Check if daemon is already running.
    if [ -e $PIDFILE ]
    then
        ps -p $(cat $PIDFILE) > /dev/null
        [ "$?" = 0 ] && return 1
    fi

    echo $"Starting $NAME ..."
#    $DAEMON $DAEMON_ARGS
    start_daemon -u $RUNAS_USER -g subsonic -p $PIDFILE $DAEMON $DAEMON_ARGS || return 2

    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && touch $LOCKFILE
    return $RETVAL
}


but it is still running as root:

jarfx:/etc/init.d # ps -ef | grep subsonic
root 12470 1 0 Oct08 pts/8 00:25:24 java -Xmx100m -Dsubsonic.home=/var/subsonic -Dsubsonic.host=0.0.0.0 -Dsubsonic.port=4040 -Dsubsonic.httpsPort=0 -Dsubsonic.contextPath=/ -Dsubsonic.defaultMusicFolder=/var/music -Dsubsonic.defaultPodcastFolder=/var/music/Podcast -Dsubsonic.defaultPlaylistFolder=/var/playlists -Djava.awt.headless=true -verbose:gc -jar subsonic-booter-jar-with-dependencies.jar
root 16936 13353 0 08:50 pts/8 00:00:00 grep subsonic
jarome
 
Posts: 88
Joined: Sat Apr 16, 2011 2:53 am

Re: Help with removing root user

Postby jarome » Mon Oct 10, 2011 2:39 pm

Fixed it!
Code:
# For SELinux we need to use 'runuser' not 'su'
if [ -x "/sbin/runuser" ]; then
    SU="/sbin/runuser"
else
    SU="/bin/su"
fi

do_start()
{
    # Check if daemon is already running.
    if [ -e "$PIDFILE" ]
    then
        ps -p "$(cat "$PIDFILE")" > /dev/null
        [ "$?" = 0 ] && return 1
    fi
    # Create the PID file as root, then hand it to the unprivileged user.
    touch "$PIDFILE"
    chown "$RUNAS_USER" "$PIDFILE"

    echo $"Starting $NAME ..."
    # Start the daemon as $RUNAS_USER, using the runuser/su binary chosen above.
    "$SU" - "$RUNAS_USER" -c "$DAEMON $DAEMON_ARGS"

    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && touch "$LOCKFILE"
    return $RETVAL
}


And now
jarfx:/etc/init.d # ps -ef | grep subsonic
subsonic 20166 1 18 10:35 ? 00:00:05 /usr/lib64/jvm/java/bin/java -Xmx512m -Dsubsonic.home=/var/subsonic -Dsubsonic.host=0.0.0.0 -Dsubsonic.port=4040 -Dsubsonic.httpsPort=0 -Dsubsonic.contextPath=/ -Dsubsonic.defaultMusicFolder=/var/music -Dsubsonic.defaultPodcastFolder=/var/music/Podcast -Dsubsonic.defaultPlaylistFolder=/var/playlists -Djava.awt.headless=true -verbose:gc -jar subsonic-booter-jar-with-dependencies.jar

The script in the RPM should put this in for OpenSUSE systems.
jarome
 
Posts: 88
Joined: Sat Apr 16, 2011 2:53 am

Re: Help with removing root user

Postby jarome » Tue Nov 22, 2011 4:18 pm

This fails in 12.1 if AppArmor is installed.
Anyone know how to get it to allow switching user IDs?
jarome
 
Posts: 88
Joined: Sat Apr 16, 2011 2:53 am

Re: Help with removing root user

Postby ThyMaster » Sun Dec 04, 2011 12:08 pm

Hmm,

when I try to use a different user than root the server starts fine but I can't access the web interface.
The Jetty server throws a HTTP ERROR 503!

I guess it's something about missing rights on port access?

Any ideas?

TIA
- ThyMaster
ThyMaster
 
Posts: 10
Joined: Thu Oct 27, 2011 9:10 am

Re: Help with removing root user

Postby jarome » Sun Dec 04, 2011 1:34 pm

Did you add 4040 to your open firewall ports? 503 means service is unavailable, so it did not start.

You also need to examine the startup script in /etc/init.d/subsonic carefully for your system. I had to make a lot of changes in mine (see above post).
jarome
 
Posts: 88
Joined: Sat Apr 16, 2011 2:53 am

Re: Help with removing root user

Postby ThyMaster » Sun Dec 04, 2011 2:30 pm

Solved it!

Under my (old) SuSE 10.1 I had to edit the /etc/services and changed the following lines from
Code:
#yo-main         4040/tcp   # Yo.net main service
yo-main         4040/udp   # Yo.net main service
houston         4041/tcp   # Rocketeer-Houston
houston         4041/udp   # Rocketeer-Houston

to
Code:
subsonic         4040/tcp   # Subsonic music server
subsonic         4040/udp   # Subsonic music server
#                          Subsonic music server
subsonic         4041/tcp   # Subsonic music server via https
subsonic         4041/udp   # Subsonic music server via https

From now on ports 4040 and 4041 aren't blocked from non-root user usage!

A little hint for SuSE users:
You can add the following to /etc/sysconfig/subsonic file:
Code:
# To change the startup parameters of Subsonic, modify
# the SUBSONIC_ARGS variable below.
#
RUNAS_USER=NonRootUser

With this entry you can use the RUNAS_USER variable in the modified start script (see post above) for SuSE users without need to define it in the start script itself.

- ThyMaster

EDIT: Just for the record: I also changed the owner for the following dirs:
/var/subsonic
/tmp/subsonic
ThyMaster
 
Posts: 10
Joined: Thu Oct 27, 2011 9:10 am

Re: Help with removing root user

Postby jarome » Sun Dec 04, 2011 2:44 pm

You might also put
SUBSONIC_ARGS="--max-memory=500"
into /etc/sysconfig/subsonic. It needs more memory if you have a big collection.
jarome
 
Posts: 88
Joined: Sat Apr 16, 2011 2:53 am

