Arch Linux User Repository

Thanks for your quick reply!

You're right that there is a comment in those files (which is how I found out what was going on eventually) but I didn't bother to look in them initially because I wasn't aware of .tmpfiles and how it works at all. For me the most logical place to inform users would be in the official Sonarr/Radarr installation docs (https://sonarr.tv/#downloads-v3-linux-archlinux) as an optional step 4 maybe?

Also I'm not 100% sure that running the software as a different user is the best way to go but because I also use FUSE mounts as that user this way all the software can access the mountpoints without any permission and ownership issues at all, this has simply always worked for me.

I think it is mainly because the other big way of doing it is w/ an .install file which creates and sets ownership of that folder. It isn't part of the package itself, since its all runtime stuff.

What would have helped you figure it out quicker? There is a #comment at the top of the tmpfile. Maybe an additional comment at the top of the service file?

Are you sure running it as a different user is the right move for you? A typical setup would probably override the Group= and UMask= so that your whole setup runs each software as its own user, but a shared group.

You're the first I know of across all the automation packages to really have this concern, but I don't mind improving things. I probably won't move away from .sysusers and .tmpfiles, but am always open to suggestions.

@fryfrog I'm using a systemd override.conf (through systemctl edit radarr) to run Radarr (and Sonarr) as a different user. But because of the current tmpfiles with your package the file ownership is changed back to user radarr on system boot. To fix this for now I created a symbolic link called radarr.conf in /etc/tmpfiles.d/ linking to /dev/null as recommended in systemd man pages.

Is this how you would recommend users of your packages to fix this as well? And what's the use of setting permissions and ownership on /var/lib/radarr on every boot anyways? Once the package is installed I wouldn't expect something else to make changes to ownership/permissions. I never heard of tmpfiles and how to override them before so to me it was quite a puzzle solving this and I'm guessing more users might run into this.

@codeswhite, could you file a GitHub issue on Radarr? This is actually just a binary package. In the issue, it is worth mentioning that lidarr and readarr probably have the same issue.

Hi, i've noticed that the binary is compiled without the recommended exploit protection:

$ sudo checksec --proc=Radarr
...snip...
         COMMAND    PID RELRO           STACK CANARY            SECCOMP          NX/PaX        PIE                     FORTIFY
          Radarr    123 Partial RELRO   Canary found            No Seccomp       NX enabled    No PIE                  No

Those Partial RELRO and No PIE will result in a much easier arbitrary code execution exploit in the Radarr binary.

@jlanzobr: You can see radarr.service right up there in Sources and see that it is not using the mono binary. So instead, you need to stop using your custom service and use the one from the package. And you should switch to using a systemd override via systemctl edit when you want to modify parts of a .service file.

The systemd init file needs to be updated. The path (/usr/bin/mono --debug /usr/lib/radarr/bin/Radarr -nobrowser -data=/var/lib/radarr) is no longer correct.

@emphire: I'll probably never do a script because I find it annoying to control options in two places. But before tmpfiles, all my packages used the .install file. The systemd tmpfiles seemed like the suggested way, but I'll have another look. I don't care either way about that, would go w/ which ever is the "Arch" way there. You can do so much w/ tmpfiles, like links and folders and ownership and ... seems like its original intent doesn't match its capabilities. :)

Thanks for the response @fryfrog. Sorry it took me a while to get back. In the first line of the docs (https://www.freedesktop.org/software/systemd/man/tmpfiles.d.html), it says it's for volatile and temporary files. Using tmpfiles works but feels a bit hacky for this reason. I find the script file is handy to have for troubleshooting and running it manually instead of as a service. Thanks for maintaining the package.

Hey @emphire, check out the radarr-aphrodite package which has done a little of what you're talking about.

They added a package_info that lets me disable the built in updater and display a message, so I've put /usr/lib/radarr back to root:root which I think you'll appreciate. I'm waiting for that to come to the normal version, then I'll change it there too.

I moved all my packages from doing it in the .install file to using tmpfiles, I believe based on feedback from #archlinux-aur. Do you have some packaging guidelines that talk about doing this as part of the package vs via tmpfiles? I mean, the name obviously implies it... but I prefer it over doing it in the install precisely because it'll fix permissions more often if needed. And can be easily overridden by the user, unlike doing it from the package.

Finally, the script that runs mono that runs Radarr... that is one of the things that bugs me a little about the sonarr package I don't own, for some reason I just don't like it. Also, the next version of Radarr is dotnet core so doesn't even need Mono, you just run it directly. If you want to change some parameters, now you need to hunt down that file if they're mono options or edit the script if they're not... or don't edit the script because the package is going to blow it away, edit the .service.

Thanks for the feedback, if you can convince me of any of these specific changes, I'll be happy to make them and I'll then do it for all the packages I own. But at the very least, I think the most import part of it (the root:root ownership of /usr/lib/radarr) is coming eventually. :)