PERMISSIONS./.JAVA


Post by thx4 »

Hey there,

I am working on a small server solution for our restaurants. We have a cash desk solution called Gastronovi (http://www.gastronovi.com). We used RaspPi3 till now and with the switch to the new RP4 I thought I would give DietPi a try.

I installed DPi headless. (SSH worked fine. Thanks!) Then installed java and the printserver application:

Code:

apt-get install default-jre

mkdir /opt/gn_server/
cd /opt/gn_server/
wget https://office.gastronovi.de/gn_server.jar

nano /etc/systemd/system/gn_server.service

[Unit]
Description=GN Server
[Service]

User=nobody
ExecStart=/usr/bin/java -jar /opt/gn_server/gn_server.jar
TimeoutStopSec=10
Restart=on-failure
RestartSec=5
[Install]
WantedBy=multi-user.target

systemctl start gn_server
systemctl enable gn_server
reboot

Now the server is accessible on the same network via the (example) IP address 10.10.10.99:6767.

There is an update button where I can request to check for an update. Unfortunately I always get the following result:

Update failed: Update has failed. Please try again!! (java.io.FileNotFoundException: /opt/gn_server/gn_server.jar_update (Permission denied))

I mean obviously it is something with permissions... But I have no idea how to solve this.

Any solution? Would appreciate help.

Thanks!

Post by thx4 »

No one? :cry:

Post by MichaIng »

@thx4
Your systemd unit contains: User=nobody
This is a user that is meant to have no write permissions to any file/dir that does not have global write permissions mode.

So you have two possibilities:
chmod -R 777 /opt/gn_server
But this means that every user has full R/W + execute permissions to your service dir, which is in most cases not what you want.

Better create a separate system user to run the program, e.g.:

Code:

useradd -rMU -d /opt/gn_server -s $(command -v nologin) gnserver
chown -R gnserver:gnserver /opt/gn_server
G_CONFIG_INJECT 'User=' 'User=gnserver' /etc/systemd/system/gn_server.service
systemctl daemon-reload
systemctl restart gn_server

The user gnserver has no password or login shell attached, hence it is a pure system user that you cannot "login" with.
It does not have many permissions, but has full R/W access to your service dir, which is also its home dir, hence updates should work now.
You could further reduce permissions of the user or the systemd unit/service itself: https://www.freedesktop.org/software/sy ... Sandboxing

I hope this helps.
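
The further reduction of the service's permissions mentioned in the reply above could look like the following unit file. It is an added example, not part of the original thread and not supplied by DietPi or Gastronovi. The choice of directives assumes the application needs only IP networking and write access to /opt/gn_server, which has to be confirmed by testing the service and its update button.

```ini
# /etc/systemd/system/gn_server.service
# Added example: the unit from the thread, run as gnserver, plus systemd sandboxing.
[Unit]
Description=GN Server

[Service]
User=gnserver
Group=gnserver
WorkingDirectory=/opt/gn_server
ExecStart=/usr/bin/java -jar /opt/gn_server/gn_server.jar
TimeoutStopSec=10
Restart=on-failure
RestartSec=5

# No privilege gain through setuid binaries or file capabilities
NoNewPrivileges=yes
# Port 6767 is unprivileged, so the service needs no capabilities at all
CapabilityBoundingSet=
# Whole file system is read-only for this service, except the paths listed below
ProtectSystem=strict
# The self-update writes gn_server.jar_update next to the jar
ReadWritePaths=/opt/gn_server
# Hide /home, /root and /run/user from the service
ProtectHome=yes
# Private /tmp (the JVM writes its hsperfdata files there)
PrivateTmp=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
# Assumption: only IP networking and local sockets are needed
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
LockPersonality=yes
# Not set: MemoryDenyWriteExecute= (the JVM's JIT needs writable and executable memory)
# Not set: PrivateDevices= (would hide a USB-attached printer, if one is used)

[Install]
WantedBy=multi-user.target
```

After saving the file, systemctl daemon-reload and systemctl restart gn_server apply it; systemd-analyze security gn_server (systemd 240 or later) lists which exposure remains.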