avahi
Cannot start Avahi-daemon without everyone being allowed to access /run/dbus/system_bus_socket or avahi user being part of the messagebus group.
If you do not set the user "avahi" to be part of the messagebus group you need to allow complete access to the /run/dbus/system_bus_socket socket file, or use the no-drop-root option when starting the program. This is obviously horrible for security and should be patched somehow ASAP.
Avahi does nothing out of the ordinary, it simply uses libdbus (the reference dbus implementation) to connect to the system bus in the default, recommended way. If you have a problem with how this works, then you have a problem with dbus itself, not with avahi.
It's really unclear what you're even trying to describe, /run/dbus/system_bus_socket socket is normally world-writable (0666) since write-permission of sockets controls the ability to connect to the socket and the system bus is supposed to be accessible by everyone. Fine-grained access control to the system bus is available through dbus-daemon's configuration/policy files.
Every Linux system I've been able to check (Debian buster, Debian bullseye, Debian sid, CentOS 7.7) has the following permissions:
drwxr-xr-x 2 root root /run/dbus
srw-rw-rw- 1 root root /run/dbus/system_bus_socket
and avahi, when installed, is not member of the messagebus group nor any other group other than its own avahi group.
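The permission rule from the reply above (connecting to a Unix socket needs write permission on it, so a 0666 bus socket accepts any local user while a 0660 one needs the owner or the owning group), as an added example that is not part of the thread and not Avahi or D-Bus code. The function names, the demo socket and the "unrelated" uid are constructed for illustration; only the mode bits on the socket are evaluated, not directory permissions, ACLs or dbus-daemon policy files.

```python
import os, pwd, socket, stat, tempfile

def can_connect(path, uid, gids):
    """Return (mode, allowed): connect() on a Unix socket needs write permission."""
    st = os.stat(path)
    if not stat.S_ISSOCK(st.st_mode):
        raise ValueError(f"{path} is not a socket")
    mode = stat.S_IMODE(st.st_mode)
    if uid == 0:                      # root bypasses the mode bits
        return mode, True
    if uid == st.st_uid:              # exactly one class applies: owner, group or other
        bit = stat.S_IWUSR
    elif st.st_gid in gids:
        bit = stat.S_IWGRP
    else:
        bit = stat.S_IWOTH
    return mode, bool(mode & bit)

def ids_for(user):
    """uid and full group set of a named account (KeyError if it does not exist)."""
    pw = pwd.getpwnam(user)
    return pw.pw_uid, set(os.getgrouplist(user, pw.pw_gid))

def make_demo_socket(mode):
    """Constructed stand-in for the bus socket, so the check runs without dbus-daemon."""
    path = os.path.join(tempfile.mkdtemp(), "bus")
    s = socket.socket(socket.AF_UNIX)
    s.bind(path)                      # creates the socket file
    s.close()                         # the file stays until it is unlinked
    os.chmod(path, mode)
    return path

if __name__ == "__main__":
    real = "/run/dbus/system_bus_socket"
    if os.path.exists(real):
        try:
            uid, gids = ids_for("avahi")
            print(real, "%04o, avahi can connect: %s" % can_connect(real, uid, gids))
        except KeyError:
            print("no avahi account on this system")
    for demo_mode in (0o666, 0o660):
        p = make_demo_socket(demo_mode)
        other = os.getuid() + 1       # constructed uid that does not own the socket
        print("demo %04o, unrelated uid can connect: %s" % can_connect(p, other, set()))
```
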
I am trying to run avahi on Termux, which is a limited environment that runs under Android. As such, we do not have access to add users, and a getpwnam('avahi') will fail. The --no-drop-root option does a good job of preventing drop_root() from running, but it still runs the user management parts of make_runtime_dir() per https://github.com/lathiat/avahi/blob/master/avahi-daemon/main.c#L1408
If I'm running without dbus and with --no-drop-root set, can we assume I just want to run this as the current user, and not try to inspect the passwd database?
See also termux/termux-packages#8111
Uhh, why are you trying to run Avahi on android? Android already runs an mDNS stack, accessed via the "Network Service Discovery" API.
I do agree that with --no-drop-root it ought to just use the current user's runtime dir instead of using assumptions compiled into the executable, though Avahi is normally always run as system service and current behaviour isn't really a problem in that case. And if you really want to run Avahi as normal user then there's always the option of compiling Avahi with AVAHI_USER and AVAHI_GROUP configured to the user and group you want to run it as, and AVAHI_DAEMON_RUNTIME_DIR to that user's runtime directory.
I also don't see how any of this relates to whatever you attempted to originally describe in this issue. You seem to be describing something completely different now.
I am sure that Android has a Java API for exposing a hostname, but that's not something I can make use of from a Termux shell very easily. And the termux packaging can't predict what the user for Termux will be at runtime on Android.
I didn't open this issue, but merely wanted to illustrate some other assumptions being made in the code about the avahi user. I can open a new issue if that will help.
Ah, I wasn't paying attention, I thought it was a reply from the original poster. But yeah, your comment seems completely off-topic here, I'd suggest you create a new issue, or better yet a pull request ;-) BTW, that Java API connects via a unix socket to the actual mDNS daemon, which is a fairly old version of Apple's mDNSResponder. If that socket (/dev/socket/mdnsd group inet according to the rc file) is accessible and you only need .local name resolution, presumably installing its libnss-mdns would suffice?
The system bus is usually world-writable. That's how D-Bus works. Closing.