Slacker  
#1 Posted : Thursday, October 29, 2015 6:50:27 PM(UTC)
Slacker


Rank: Member

Medals: Level 1: Random Act of Kindness! Received One Thanks!

Joined: 4/26/2014(UTC)
Posts: 30
Brazil
Location: RN

Thanks: 3 times
Was thanked: 1 time(s) in 1 post(s)
I've never really thought about it, until I looked into moving my SC install from a dedicated machine at my house to a VPS that also runs as a web host.
I just can't bring myself to run Screenconnect, with an open port to the world, as root on that server.

We should either have an option to choose/create a user during install, or a procedure in the wiki to run SC/mono as a standard user.

I did some playing around in the /etc/init.d/screenconnect file, trying to get it to run using su, but was not successful, though one of the attempts yielded mono running as the user, but screenconnect still ran as root.

Alexander  
#2 Posted : Monday, November 2, 2015 5:24:51 PM(UTC)
Alexander


Rank: Administration

Medals: Level 3: Shirt off your back! Received 25 Thanks!

Joined: 7/23/2013(UTC)
Posts: 715
Man
Location: Raleigh, NC

Was thanked: 66 time(s) in 63 post(s)
Originally Posted by: Slacker
one of the attempts yielded mono running as the user, but screenconnect still ran as root.


Hmm, are you talking about these guys?

Code:
UID        PID  PPID  C STIME TTY          TIME CMD
root     17311     1  0 Oct26 ?        00:00:00 /bin/sh /etc/init.d/screenconnect restart
root     17314 17311  0 Oct26 ?        00:02:44 mono /opt/screenconnect/Bin/ScreenConnect.Service.exe startservices 7 14765 10


The mono process is the main ScreenConnect process; the init script process just sticks around to keep it running, and isn't connected to any ports or anything. So just getting the mono process to not run as root would still be a significant improvement.

(I'm also curious what you tried, since I haven't looked into this much myself.)
ScreenConnect Team
Slacker  
#3 Posted : Saturday, November 14, 2015 3:33:36 PM(UTC)
I've been out of town and haven't been able to look into it. Now I've forgotten what I've done (must be old age).

Gonna do some digging, today, to see what I can get done. I'd like to move my SC install over to the VPS and not worry about some zero-day exploit taking it down.
Slacker  
#4 Posted : Saturday, November 14, 2015 5:47:03 PM(UTC)
Coming back fresh, and actually paying attention, yielded some results.
Gave the user group ownership to /opt/screenconnect/*
Modified the run line in runservice with su username -c "...logfilePath""

The service will start, though it will hang at "Waiting on signal that services have started..." and eventually time out. Stopping the service leaves orphan processes.

This is with a FRESH install and only at the initial screen.

On a populated install, I get the session/login screen with a blank box where "No Available Sessions" is supposed to be, and cannot login, so it must be some database connectivity issue.
Too hot to continue, today, so I may look further into it later.


Alexander  
#5 Posted : Monday, November 16, 2015 3:21:26 PM(UTC)
Hmm, I guess if the init script is running as root and the mono process is running as the user, the mono process wouldn't be able to signal the init-script process that it's started. So it might be running fine (or it might be running into a bunch of errors; if so, they should show up in /var/log/screenconnect).
ScreenConnect Team
Slacker  
#6 Posted : Friday, November 20, 2015 2:30:49 PM(UTC)
I wouldn't really care whether I have to force kill the thing if I need to or not, but it looks like it doesn't have access to whatever database keeps all the info. Log shows nothing, just the services starting normally.
Debug shows what you mentioned with what I thought.

[0x7fca447ac700:] EXCEPTION handling: System.TypeInitializationException: An exception was thrown by the type initializer for ScreenConnect.SQLite.libsqlite3

and

"WaitForChange" tid=0x0x7fca2bfff700 this=0x0x7fca469b4bd0 thread handle 0x30e1 state : not waiting owns ()
at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke (System.Runtime.Remoting.Proxies.RealProxy,System.Runtime.Remoting.Messaging.IMessage,System.Exception&,object[]&) <IL 0x001f0, 0x00e1b>
at (wrapper runtime-invoke) <Module>.runtime_invoke_object_object_object_Exception&_object[]& (object,intptr,intptr,intptr) <IL 0x00070, 0xffffffff>
at <unknown> <0xffffffff>
at (wrapper managed-to-native) object.__icall_wrapper_mono_remoting_wrapper (intptr,intptr) <0xffffffff>
at (wrapper remoting-invoke) ScreenConnect.ISessionManager.WaitForChange (long,System.Nullable`1<long>) <IL 0x00045, 0xffffffff>
at ScreenConnect.WaitForChangeManager.RunThread (object) [0x00016] in d:\ScreenConnect_5_4\Product\Server\SQLite\UnsafeNativeMethods.cs:1986
at System.Threading.Thread.StartInternal () <IL 0x0003c, 0x0009f>
at (wrapper runtime-invoke) object.runtime_invoke_void__this__ (object,intptr,intptr,intptr) <IL 0x0004e, 0xffffffff>
Alexander  
#7 Posted : Friday, November 20, 2015 4:40:24 PM(UTC)
Hmm, looks like it might be having problems loading the SQLite library in the first place… What's before that TypeInitializationException? There should be the actual exception that was thrown by the type initializer.
ScreenConnect Team
Slacker  
#8 Posted : Friday, January 15, 2016 2:44:42 PM(UTC)
I got busy, then I slacked, but I'll do some more digging, pretty soon.
Slacker  
#9 Posted : Tuesday, January 19, 2016 4:35:03 PM(UTC)
Ok, mono runs under user, so that's good enough for me. I'm not really good at bash scripting, so I put a "squish it with a hammer" kill statement at service stop to take care of the dangling process.
Was simpler than I thought, once you cleared up the other processes that run under root.

Screenconnect is installed under /opt/screenconnect, with the standard user owning the directory and all files. It needs to be started as root, or run as a service.

/etc/init.d/screenconnect diff/patch
Code:

--- /tmp/ScreenConnect_5.4.9849.5781_Install/Installer/screenconnect	2015-11-14 12:09:07.033020105 -0500
+++ /etc/init.d/screenconnect	2016-01-19 11:12:34.012066252 -0500
@@ -28,6 +28,9 @@
 # Make sure cwd exists
 cd "$screenconnectPath"
 
+#Brute-force determine user by directory owner.
+user="$(ls -ld $screenconnectPath | awk 'NR==1 {print $3}')"
+
 findControllerPIDs() {
 	# find processes whose command lines' second-to-last argument is this file
 	local pids="$(find /proc -maxdepth 2 -name cmdline -execdir sh -c 'test "$(penultimateArgument="$(cat "$1" | xargs --null | grep -v sudo | awk "{ print \$(NF - 1) }" 2>/dev/null)"; cd cwd 2>/dev/null; readlink -f -- "$penultimateArgument")" = '"$serviceScript" sh '{}' \; -print | grep -E -o '[[:digit:]]+' 2>/dev/null)"
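Review bot: The added `user=` line parses `ls -ld` output with `$screenconnectPath` unquoted, so a path containing whitespace is split into several arguments before `ls` sees it; `stat -c %U -- "$screenconnectPath"` returns the owner directly. The result is also never checked: if the directory is owned by root the service keeps running as root, and an empty value makes the later `su $user -c ...` default to root, so it is worth refusing to start when `$user` is empty or `root`.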
@@ -65,7 +68,7 @@
 	trap 'trap "echo Sending SIGKILL. >> \"$logFilePath\"; kill -9 \"$childPID\"; exit" TERM; kill -9 "$(ps --no-headers -o pid --ppid "$childPID")" 2>/dev/null; kill "$childPID"; isStopping=true' TERM
 
 	while [ -z "$isStopping" ]; do
-		mono "$screenconnectPath/Bin/ScreenConnect.Service.exe" startservices 7 "$signalPID" "$signalNumber" >> "$logFilePath" 2>&1 </dev/null &
+		su $user -c "mono "$screenconnectPath/Bin/ScreenConnect.Service.exe" startservices 7 "$signalPID" "$signalNumber" >> "$logFilePath"" 2>&1 </dev/null &
 		childPID="$!"
 		while kill -0 "$childPID"; do wait "$childPID"; done
 		childPID=''
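Review bot: In the added `su` line the inner double quotes terminate the outer `-c` string, so `$screenconnectPath`, `$signalPID`, `$signalNumber` and `$logFilePath` are expanded unquoted, as is `$user`; escape the inner quotes as `\"` and quote `"$user"`. Two side effects of the rewrite are also worth checking: `2>&1` now sits outside the `-c` string, so it applies to `su` and stderr no longer follows the `>> "$logFilePath"` redirection into the log, and `childPID="$!"` now records the PID of `su` rather than of `mono`, which is what the `kill -0`/`wait` loop and the TERM trap then act on.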
@@ -129,18 +132,16 @@
 
 		sleep 1
 	done
+#Herp derp durr kill orphan service
+kill $(ps aux | grep 'opt/screenconnect/Bin/ScreenConnect.Service.exe' | awk '{print $2}')
+
 }
 
 debugService() {
 	ulimit -n 12288 >/dev/null 2>&1
-	mono --debug --trace=E:all "$screenconnectPath/Bin/ScreenConnect.Service.exe" startservices 7 </dev/null
+	su $user -c "mono --debug --trace=E:all "$screenconnectPath/Bin/ScreenConnect.Service.exe" startservices 7" </dev/null
 }
 
-if [ "$(whoami)" != root ]; then
-	echo 'Must be root to start or stop service.'
-	exit 1
-fi
-
 case "$1" in
 	start)
 		startService
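Review bot: The added `kill $(ps aux | grep ... | awk ...)` matches a substring of every process's command line, which includes the `grep` itself and any unrelated process that mentions the path, and it calls `kill` with no arguments when nothing matches; `pkill -u "$user" -f 'opt/screenconnect/Bin/ScreenConnect\.Service\.exe'` limits it to that user's processes. The end of the hunk also drops the `whoami` root check although the new `su $user` calls still need root to switch users without a password prompt, so keeping the check gives a clear error instead of a prompt or a failed start.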


Alexander  
#10 Posted : Tuesday, January 19, 2016 5:29:51 PM(UTC)
Nice, glad to hear it worked!

One minor thing I'd suggest is to escape the quotes:

su $user -c "mono \"$screenconnectPath/Bin/ScreenConnect.Service.exe\" startservices 7 \"$signalPID\" \"$signalNumber\" >> \"$logFilePath\"" 2>&1 </dev/null &
su $user -c "mono --debug --trace=E:all \"$screenconnectPath/Bin/ScreenConnect.Service.exe\" startservices 7" </dev/null

It works without that because the shell concatenates adjacent strings, but it'll run into problems if the paths include whitespace.
ScreenConnect Team
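The quoting difference described in the reply above, as an added example that is not part of the original posts or of the ScreenConnect init script. Assumptions: `sh -c` stands in for `su $user -c` (both hand the `-c` string to a shell for a second round of parsing), `printf` stands in for `mono`, and all paths are constructed; `run_positional` goes beyond what the thread suggests.

```sh
#!/bin/sh
# Added example: `sh -c` stands in for `su $user -c`, printf stands in for
# mono and prints every argument it receives inside <...>.

exe='Bin/ScreenConnect.Service.exe'

# Quoting as in the posted patch: the inner double quotes close the outer
# string, so the path is expanded unquoted and is subject to word splitting.
run_unescaped() {
    sh -c "printf '<%s>' "$1/$exe" startservices 7"
}

# Quoting as suggested in the reply: the escaped quotes survive into the
# -c string, so the inner shell sees the path as one quoted word.
run_escaped() {
    sh -c "printf '<%s>' \"$1/$exe\" startservices 7"
}

# Generalization (not from the thread): hand the path over as a positional
# parameter, so the inner shell never re-parses it as shell source.
run_positional() {
    sh -c 'printf "<%s>" "$1/$2" startservices 7' sh "$1" "$exe"
}

# Constructed sample paths. The last one contains a literal "$name" to show
# that text inside escaped quotes is still expanded by the inner shell.
unset sc_demo_unset
plain='/opt/screenconnect'
spaced='/opt/screen connect'
odd='/opt/sc$sc_demo_unset'

for p in "$plain" "$spaced" "$odd"; do
    printf 'path: %s\n' "$p"
    printf '  unescaped:  %s\n' "$(run_unescaped "$p")"
    printf '  escaped:    %s\n' "$(run_escaped "$p")"
    printf '  positional: %s\n' "$(run_positional "$p")"
done
```

With the spaced path, the unescaped form runs the stand-in command with only `/opt/screen` as its argument; the rest of the line ends up as a separate argument to the outer `sh`/`su` and is never executed as part of the command.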
Slacker  
#11 Posted : Tuesday, January 19, 2016 5:39:05 PM(UTC)
I'm from the old 8.3 era, so you won't see spaces in my directory structure. lol