schipmolder

asked on

OS X Quagga start at boot

Hi all,

I've got a Mac OS X 10.5.5 server that needs to use Quagga (zebra/bgpd) for its routing.
Quagga itself is running fine when started by root and it's set to run as the quagga user.

The problem is that I can't get the daemons to start using LaunchDaemons and I get the following error:

bind: Permission denied

I assume this is because the daemon (in this case zebra) needs to bind to a socket, but no matter what I do it seems to have this problem.

I've tried several plist setups, but all to no avail.

Has anyone managed to get this to work?

Cheers
DJDecay

Have you tried setuid root on the binary?
schipmolder

ASKER

I hadn't, but just tried it and same error.

The plist I'm using now is:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Label</key>
        <string>zebra</string>
        <key>OnDemand</key>
        <false/>
        <key>Program</key>
        <string>/usr/local/sbin/zebra</string>
        <key>ProgramArguments</key>
        <array>
                <string>/usr/local/sbin/zebra</string>
                <string>-d</string>
        </array>
</dict>
</plist>

/sbin/launchd is prob not running as root
otherwise you could specify

UserName <string>
     This optional key specifies the user to run the job as. This key is only applicable when launchd is
     running as root.

GroupName <string>
     This optional key specifies the group to run the job as. This key is only applicable when launchd is
     running as root. If UserName is set and GroupName is not, the group will be set to the default
     group of the user.

zebra is supposed to drop root priv on its own and become the zebra uid after it binds the privileged port. So root should be a good choice for both.

do a 'ps' for launchd and see if it's running as root or some whacked out _securityagent user
check this out for reference.

http://developer.apple.com/technotes/tn2005/tn2083.html


Yeah, well launchd is running as root and when I start zebra manually (as root) it does drop to the 'quagga' user nicely, but the plist below only causes the same permissions error as before plus the "Throttling respawn: Will start in 10 seconds" message.

I've already looked at the tech note, but as far as I can see it should all work. Apparently I'm missing something though.


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
      <key>Label</key>
      <string>zebra</string>
      <key>OnDemand</key>
      <false/>
      <key>Program</key>
      <string>/usr/local/sbin/zebra</string>
      <key>ProgramArguments</key>
      <array>
            <string>/usr/local/sbin/zebra</string>
            <string>-d</string>
      </array>
      <key>UserName</key>
      <string>root</string>
</dict>
</plist>

Group
You need UID and GID
Hi DJDecay,

Sorry for the delay, I had some other things to sort out before I could get back to this one.

Ok, I now have the following plist, but not sure what groupname to use.
With this plist I get the exact same permissions error by the way.
   

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Label</key>
        <string>zebra</string>
        <key>OnDemand</key>
        <false/>
        <key>Program</key>
        <string>/usr/local/sbin/zebra</string>
        <key>ProgramArguments</key>
        <array>
                <string>/usr/local/sbin/zebra</string>
                <string>-d</string>
        </array>
        <key>UserName</key>
        <string>root</string>
        <key>GroupName</key>
        <string>wheel</string>
</dict>
</plist>
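
An added example, not part of the thread and not the hidden solution: a Python check that parses the job definitions posted above and reports the identity each one starts with, using the UserName/GroupName rule quoted from the launchd.plist man page. The sample plists are constructed from the thread, the cut-short DOCTYPE variant is constructed to show a parse failure, and two things are assumptions: that the job is loaded by the root launchd, and the `-d` finding, which comes from launchd.plist(5) rather than from this page.

```python
import plistlib
from xml.parsers.expat import ExpatError

# Constructed test input modelled on the plists posted in this thread.
HEADER = ('<?xml version="1.0" encoding="UTF-8"?>\n'
          '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" '
          '"http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n')
# Constructed malformed variant: the DOCTYPE line is cut short.
HEADER_CUT = HEADER.replace('/PropertyList-1.0.dtd">', '')
BODY = """<plist version="1.0"><dict>
<key>Label</key><string>zebra</string>
<key>OnDemand</key><false/>
<key>Program</key><string>/usr/local/sbin/zebra</string>
<key>ProgramArguments</key>
<array><string>/usr/local/sbin/zebra</string><string>-d</string></array>
%s</dict></plist>"""
USER = "<key>UserName</key><string>root</string>"
GROUP = "<key>GroupName</key><string>wheel</string>"

def audit_job(xml_text):
    """Return (user, group, findings) for one launchd job definition."""
    try:
        job = plistlib.loads(xml_text.encode("utf-8"))
    except (ExpatError, plistlib.InvalidFileException, ValueError) as exc:
        return None, None, ["unparseable plist: %s" % exc]
    findings = []
    # Assumption: the job is loaded by the root launchd, so a job without
    # UserName/GroupName keeps launchd's own identity.
    user = job.get("UserName", "root")
    if "GroupName" in job:
        group = job["GroupName"]
    elif "UserName" in job:
        group = "default group of " + user   # rule quoted from launchd.plist
    else:
        group = "inherited from launchd"
    if user == "root":
        findings.append("starts as root; relies on zebra dropping privileges itself")
    args = job.get("ProgramArguments", [])
    if "Program" in job and args and args[0] != job["Program"]:
        findings.append("Program and ProgramArguments[0] differ")
    if "-d" in args[1:]:
        findings.append("-d daemonizes; launchd.plist(5) expects foreground jobs")
    return user, group, findings

if __name__ == "__main__":
    for extra in ("", USER, USER + GROUP):
        print(audit_job(HEADER + BODY % extra))
    print(audit_job(HEADER_CUT + BODY % ""))
```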

ASKER CERTIFIED SOLUTION
schipmolder

This solution is only available to members.