set_system_proxy not working as expected when using SystemD #1851

Open
4 of 5 tasks
demarcush opened this issue Jun 10, 2024 · 8 comments · May be fixed by #1889
Labels
enhancement New feature or request

Comments

@demarcush

demarcush commented Jun 10, 2024

Operating system

Linux (Arch deriv.)

System version

latest

Installation type

Original sing-box Command Line (From AUR)

If you are using a graphical client, please provide the version of the client.

No response

Version

sing-box version 1.9.3

Environment: go1.22.4 linux/amd64
Tags: with_gvisor,with_quic,with_wireguard,with_utls,with_reality_server,with_clash_api,with_ech,with_acme,with_dhcp
Revision: 4619f2280afffb2e045f499511e69dc116476f23
CGO: enabled

Description

When declaring set_system_proxy in the config file, default system unit file fails, whether running as user root or sing-box.

Providing a user unit file is the first solution that came to my mind, cause I suspect this would also be the case under GNOME too.

Reproduction

  • Install sing-box with default systemd unit files in /release/config under KDE6
  • Declare set_system_proxy for mixed inbound.
  • sudo systemctl enable --now sing-box.service
  • As of version 1.9.0, no problems due to the fact that said option was bogus prior to 69dc87a
  • As of 1.9.1 and later, encountering error and panic.

Logs

    sing-box[24514]: FATAL[0000] start service: initialize inbound/mixed[0]: set system proxy: execute (/usr/bin/kwriteconfig6) kwriteconfig6 --file kioslaverc --group Proxy Settings --key ProxyType 1: exit status 2
    systemd[1]: sing-box.service: Main process exited, code=exited, status=1/FAILURE

Supporter

Integrity requirements

  • I confirm that I have read the documentation, understand the meaning of all the configuration items I wrote, and did not pile up seemingly useful options or default values.
  • I confirm that I have provided the server and client configuration files and process that can be reproduced locally, instead of a complicated client configuration file that has been stripped of sensitive data.
  • I confirm that I have provided the simplest configuration that can be used to reproduce the error I reported, instead of depending on remote servers, TUN, graphical interface clients, or other closed-source software.
  • I confirm that I have provided the complete configuration files and logs, rather than just providing parts I think are useful out of confidence in my own intelligence.
@demarcush
Author

I will tinker around to see if I can get it to work with a user unit. Will open a PR if successful.

@lgjint
Contributor

lgjint commented Jun 13, 2024

> I will tinker around to see if I can get it to work with a user unit. Will open a PR if successful.

This is not a bug. In your KDE6, there was no kwriteconfig5, so actually the KDE system proxy was not successfully set in the previous version, leading you to mistakenly believe that the KDE system proxy can be set by systemd unit.

And please specify your linux distro before asking because normally if you run sing-box by systemd unit it will tell you that set system proxy: unable to set as root.

    func (p *LinuxSystemProxy) runAsUser(name string, args ...string) error {
        if os.Getuid() != 0 {
            return shell.Exec(name, args...).Attach().Run()
        } else if p.sudoUser != "" {
            return shell.Exec("su", "-", p.sudoUser, "-c", F.ToString(name, " ", strings.Join(args, " "))).Attach().Run()
        } else {
            return E.New("set system proxy: unable to set as root")
        }
    }

kwriteconfig and dbus-send should be run as current user in order to set up the KDE system proxy correctly.

If you really want to use systemd, then just create a user unit by yourself.

@demarcush
Author

The installation is from the AUR and there's this line in the pkgbuild:

    sed -i "/^\[Service\]$/a StateDirectory=$pkgname"    release/config/$pkgname.service
    sed -i "/^\[Service\]$/a StateDirectory=$pkgname-%i" release/config/[email protected]
    sed -i "/^\[Service\]$/a User=$pkgname"              release/config/$pkgname*.service

Which makes the system service run as sing-box user instead of root (current .service files omit User=). So with no access to dbus under sing-box user, I simply encountered that error instead of the defined unable to set as root.
Still, I think my pull request (which includes DynamicUser=true) is something that should be considered.
And yes, I'm aware that sing-box drops privileges during start on its own.

@lgjint
Contributor

lgjint commented Jun 13, 2024

> The installation is from the AUR and there's this line in the pkgbuild:
>
>     sed -i "/^\[Service\]$/a StateDirectory=$pkgname"    release/config/$pkgname.service
>     sed -i "/^\[Service\]$/a StateDirectory=$pkgname-%i" release/config/[email protected]
>     sed -i "/^\[Service\]$/a User=$pkgname"              release/config/$pkgname*.service
>
> Which makes the system service run as sing-box user instead of root (current .service files omit User=). So with no access to dbus under sing-box user, I simply encountered that error instead of the defined unable to set as root. Still, I think my pull request (which includes DynamicUser=true) is something that should be considered. And yes, I'm aware that sing-box drops privileges during start on its own.

dbus-send requires the current user's DBUS_SESSION_BUS_ADDRESS, and kwriteconfig requires the current user's XDG_CONFIG_HOME; I think these environment variables can only be obtained through the user unit.

Your PR has too many commits, you need to remove the useless commits and merge them together.

And I don't know whether the systemd versions of other distributions are new enough to support these security options.
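The failure mode discussed in the comment above, as an added Go example that is not part of the thread or of sing-box's code: a preflight that keeps the uid/sudoUser branches of the quoted runAsUser and adds a session-environment check, so a system unit running as User=sing-box gets a clear error instead of kwriteconfig6's bare exit status 2. The names planSystemProxy, execPlan and the error values are hypothetical, and the XDG_RUNTIME_DIR fallback and the use of SUDO_USER are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"os"
)

// Added example; the names below are hypothetical, not sing-box identifiers.
type execPlan string

const (
	runDirect execPlan = "exec helper directly" // already the desktop user
	runViaSu  execPlan = "exec helper via su -" // root started through sudo
)

var (
	errRootNoUser = errors.New("set system proxy: unable to set as root")
	errNoSession  = errors.New("set system proxy: no desktop session environment")
)

// planSystemProxy keeps the uid/sudoUser branches of the quoted runAsUser and
// adds a session check before kwriteconfig/dbus-send would be executed.
func planSystemProxy(uid int, sudoUser string, getenv func(string) string) (execPlan, error) {
	if uid == 0 {
		if sudoUser != "" {
			return runViaSu, nil
		}
		return "", errRootNoUser
	}
	// A system unit with User=sing-box lands here: non-root, so the root
	// check never fires, yet there is no session bus or user config dir.
	// Assumption: XDG_RUNTIME_DIR is accepted because libdbus can fall back
	// to $XDG_RUNTIME_DIR/bus when DBUS_SESSION_BUS_ADDRESS is unset.
	if getenv("DBUS_SESSION_BUS_ADDRESS") == "" && getenv("XDG_RUNTIME_DIR") == "" {
		return "", fmt.Errorf("%w: no session bus address; use a systemd user unit", errNoSession)
	}
	// XDG_CONFIG_HOME defaults to $HOME/.config, so either variable is enough.
	if getenv("XDG_CONFIG_HOME") == "" && getenv("HOME") == "" {
		return "", fmt.Errorf("%w: neither XDG_CONFIG_HOME nor HOME is set", errNoSession)
	}
	return runDirect, nil
}

func main() {
	// Assumption: the invoking user is taken from SUDO_USER.
	plan, err := planSystemProxy(os.Getuid(), os.Getenv("SUDO_USER"), os.Getenv)
	fmt.Printf("plan=%q err=%v\n", plan, err)
}
```
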

@demarcush
Author

demarcush commented Jun 13, 2024

I'll turn the PR to draft until I merge them. Will test the new service files under Debian Stable. Does that count?

@demarcush
Author

@nekohasekai: What do you think?

@demarcush demarcush changed the title set_system_proxy systemd bug (KDE) set_system_proxy not working when using SystemD with User=sing-box Jun 13, 2024
@demarcush demarcush changed the title set_system_proxy not working when using SystemD with User=sing-box set_system_proxy not working as expected when using SystemD with User=sing-box Jun 13, 2024
@demarcush
Author

  • you need to remove the useless commits

@demarcush
Author

demarcush commented Jun 13, 2024

  • Both system and user units tested on Debian 12 with systemd version 252.22

@demarcush demarcush changed the title set_system_proxy not working as expected when using SystemD with User=sing-box set_system_proxy not working as expected when using SystemD Jun 13, 2024
@demarcush demarcush linked a pull request Jun 24, 2024 that will close this issue
@nekohasekai nekohasekai added the enhancement New feature or request label Jul 22, 2024