Linux service listening on privileged port

Matthew_Stevens · December 22, 2021, 11:01am

Bit of a long shot but I thought I would ask if anyone has come across this and knows the cause/workaround.

I have knocked together a xojo console application that connects to syslog udp port 514. All is working and the final step is to start the application as a service from systemd. I’ve created a unit file and systemd is perfectly happy starting the executable as root. The problem I have hit is attempting to start the executable as some other user.

Target distribution is CentOS 7.

Attempting to start the service produces the following output in /var/log/messages

# Dec 22 10:18:33 myhost myapp: /opt/myapp/myapp: error while loading shared libraries: XojoConsoleFramework64.so: cannot open shared object file: No such file or directory

The file that is being complained about definitely exists

# ls -hl /opt/myapp/myapp\ Libs/XojoConsoleFramework64.so
-rwxr-xr-x. 1 root root 39M Dec 21 13:24 /opt/myapp/myapp\ Libs/XojoConsoleFramework64.so

I’ve created a system user account.
# useradd -rMUl myapp

Given the executable permission to bind to privileged ports
# setcap cap_net_bind_service=+epi /opt/myapp/myapp

And permissions are set thus

# chown -R root:root /opt/myapp
# 755 /opt/myapp/
# 755 /opt/myapp/myapp
# 755 /opt/myapp/myapp\ Libs/*
# 644 /opt/myapp/myapp.service

DerkJ · December 22, 2021, 11:06am

You installed (uploaded) the files as root make the owner a user:

chown -R username:username /opt/myapp/*
This makes that user able to read the files/use it as well as root.

make sure the file is actually there:
/opt/myapp/myapp\ Libs/XojoConsoleFramework64.so

Your log output clealy states it can’t find or read the XojoConsoleFramework64.so which is a required library.

Matthew_Stevens · December 23, 2021, 8:27am

Thanks for the quick response but I’m sure it is nothing so obvious as file system ownership and permissions. The file exists and is world read and executable.

My gut feelings are

Some limitation of a system user account
Some oddity of systemd and dbus

On consideration, I may be overthinking this. The majority of Linux background services run in the root context so maybe it’s appropriate for my application.

I may revisit and investigate further for the sake of curiosity but for the moment I need to get on.

Greg_O_Lone · December 23, 2021, 11:33am

Make sure the libs folder itself is set to 755 as well.

Matthew_Stevens · December 23, 2021, 2:36pm

Thanks for the response but I’m sure it is nothing so obvious as file system ownership and permissions. Already checked the myapp\ Libs folder is 755.

Greg_O_Lone · December 23, 2021, 2:39pm

You might check and see if your system has SELinux running.

Also, I suggest looking at /var/log/messages to see if there are any other errors regarding your app.

Greg_O_Lone · December 23, 2021, 2:42pm

FWIW, we use non-root Xojo console apps extensively on CentOS running under SystemD ourselves and they do work, so I’m sure this is solvable. In fact, Xojo Cloud web apps fit this criteria precisely.

Matthew_Stevens · December 23, 2021, 3:27pm

SE Linux is disabled.

Knowing you can start a service as a user is very useful information, thanks. In fact it’s triggered a thought. Does the xojo loader locate the Libs folder using a relative path? If so, I may need to add a WorkingDirectory directive to the unit file.

Packing up for the holiday now but may give it ago over the break.

DerkJ · December 23, 2021, 4:07pm

Did you make sure to upload the files in Binary mode?