2

I've read other answers for similar issues (Failed at step EXEC spawning... Permission denied) and none seem to apply.

After I upgraded my bitcoin node to v0.20.0 it is no longer starting on boot nor manually with systemctl start bitcoind.service.

Journalctl output:-

```
$ journalctl -xe
...
Jul 12 15:58:22 $HOSTNAME systemd[572]: bitcoind.service: Failed to execute command: Permission denied
Jul 12 15:58:22 $HOSTNAME systemd[572]: bitcoind.service: Failed at step EXEC spawning /usr/bin/bitcoind: Permission denied
-- Subject: Process /usr/bin/bitcoind could not be executed
-- Defined-By: systemd
-- Support: https://www.debian.org/support
-- 
-- The process /usr/bin/bitcoind could not be executed and failed.
```

I'm using the default init script (https://github.com/bitcoin/bitcoin/blob/master/contrib/init/bitcoind.service) softlinked from my home directory to /etc/systemd/system/.

The executable is softlinked from my home directory into /usr/local/bin, so the previous answer I've linked above suggesting an SELinux issue could apply, but I don't believe it is enabled: (-bash: getenforce: command not found). I am running Debian 10.4 and believe it is disabled by default.

```
$ ls -al /usr/bin/bitcoind 
lrwxrwxrwx 1 root root 34 May  5  2019 /usr/bin/bitcoind -> /home/$MY_NAME/src/bitcoin/src/bitcoind
$ ls -al /home/$MY_NAME/src/bitcoin/src/bitcoind
-rwxr-xr-x 1 bitcoin bitcoin 175058584 Jul  7 20:40 /home/$MY_NAME/src/bitcoin/src/bitcoind
```

Everything is set to run under the 'bitcoin' nologin user:

```
$ id bitcoin
uid=999(bitcoin) gid=999(bitcoin) groups=999(bitcoin)
$ cat /etc/passwd
...
bitcoin:x:999:999::/home/bitcoin:/bin/false
...
```

Here are the permissions on the relevant directories:

```
$ ls -al /etc/bitcoin
total 12
drwx--x---  2 bitcoin bitcoin 4096 Jul 11 22:30 .
drwxr-xr-x 87 root    root    4096 Jul 12 15:58 ..
-rw-rw----  1 bitcoin bitcoin  601 Jul 11 22:30 bitcoin.conf
$ ls -al /var/lib/bitcoind
total 21896
drwx--x---  5 bitcoin bitcoin     4096 Jul  9 11:55 .
drwxr-xr-x 32 root    root        4096 Dec  5  2019 ..
...
$ ls -al /run
total 24
drwxr-xr-x 18 root        root         560 Jul 12 15:59 .
drwxr-xr-x 22 root        root        4096 Jun  2 17:46 ..
...
```

I'm stumped - any input greatly appreciated.

Edit - permissions on path to the binary:

```
$ ls -al /home/$MY_NAME
total 160
drwxr-xr-x 11 XXX  XXX   4096 Jul 12 15:58 .
drwxr-xr-x  3 root root  4096 May  4  2019 ..
...
drwxr-xr-x  6 XXX  XXX   4096 Oct 25  2019 src
...
$ ls -al /home/$MY_NAME/src
total 24
drwxr-xr-x  6 XXX XXX 4096 Oct 25  2019 .
drwxr-xr-x 11 XXX XXX 4096 Jul 12 15:58 ..
drwxr-xr-x 15 XXX XXX 4096 Jul  7 20:26 bitcoin
...
$ ls -al /home/$MY_NAME/src/bitcoin
total 1976
drwxr-xr-x 15 XXX XXX    4096 Jul  7 20:26 .
drwxr-xr-x  6 XXX XXX    4096 Oct 25  2019 ..
...
drwxr-xr-x 28 XXX XXX   12288 Jul  7 21:01 src
...
$ ls -al /home/$MY_NAME/src/bitcoin/src
total 936796
drwxr-xr-x 28 XXX     XXX         12288 Jul  7 21:01 .
drwxr-xr-x 15 XXX     XXX          4096 Jul  7 20:26 ..
...
-rwxr-xr-x  1 bitcoin bitcoin 175058584 Jul  7 20:40 bitcoind
...
```

Baron Mingus
  • Is that symbolic link really to "/hme/$MY_NAME/..." or is that a little fantasy of yours? Is user bitcoin allowed to read and search /home/$MY_NAME and below? – Gerard H. Pille Jul 12 '20 at 16:00
  • $MY_NAME above is just my actual name - would be /home/patrick if my name was Patrick, which it isn't. I'll edit the post with permissions for the whole path to the executable but unless I've fundamentally misunderstood Linux permissions, the bitcoin user should be able to run it. – Baron Mingus Jul 12 '20 at 16:08

1 Answer

3

Install the binary properly in /usr/bin, as it should have been installed, and try again.

The systemd unit does a lot of confining of the service, and one thing that is denied is access to user home directories. It's not expected that it will need to access a user home directory when running as a system service.

Michael Hampton
  • Thank you, that seems to have worked. Is there somewhere in the systemd documentation that will explain why this happened? All I can find is a lot of stuff about homectl which doesn't seem relevant. It previously was working under this same setup for many months before I did the upgrade - keen to understand the principle. – Baron Mingus Jul 12 '20 at 19:46
  • I couldn't say why it was "working" before, not without a time machine anyway. What I can say is that it should not have been working. See the [systemd docs](https://www.freedesktop.org/software/systemd/man/systemd.exec.html#Sandboxing) regarding the specific directives that are being used here. – Michael Hampton Jul 12 '20 at 19:58
  • Perfect, thank you very much. If anyone else is having this issue, it's because the setting `ProtectHome=true` was added to the bitcoin default service file: https://github.com/bitcoin/bitcoin/commit/870d4152dfc3d990e336723562948835c2dbd646#diff-0e0a2519396cbb2e01948503d9c040b9 – Baron Mingus Jul 12 '20 at 20:08
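
The failure mode diagnosed in this thread can be checked for before a unit is started. The script below is an added example, not part of the original thread or the bitcoin project: it reads `ProtectHome=` and `ExecStart=` from a unit file and reports whether the binary, after following symlinks, lands in a directory that setting hides. The function names and the sample unit are constructed for illustration; it assumes a single unit file (drop-ins are not merged) and follows symlinks on the final path component only.

```shell
#!/bin/sh
# Added example: detect an ExecStart binary hidden by ProtectHome=.
# Function names and the sample unit/paths are constructed, not from the thread.

# Print the last ProtectHome= value in a unit file, lowercased (empty if unset).
unit_protect_home() {
    sed -n 's/^[[:space:]]*ProtectHome[[:space:]]*=[[:space:]]*//p' "$1" |
        tail -n 1 | tr '[:upper:]' '[:lower:]'
}

# Print the executable of the first ExecStart= line, minus prefixes (@ - : + !).
unit_exec_path() {
    sed -n 's/^[[:space:]]*ExecStart[[:space:]]*=[[:space:]]*[-@:+!]*//p' "$1" |
        head -n 1 | awk '{print $1}'
}

# Follow symlinks on the final path component; the target need not exist.
resolve_link() {
    p=$1; n=0
    while [ -L "$p" ] && [ "$n" -lt 40 ]; do
        t=$(readlink "$p")
        case $t in /*) p=$t ;; *) p=$(dirname "$p")/$t ;; esac
        n=$((n + 1))
    done
    printf '%s\n' "$p"
}

# Return 0 and print "blocked: ..." when the unit would fail at step EXEC.
check_unit() {
    mode=$(unit_protect_home "$1")
    target=$(resolve_link "$(unit_exec_path "$1")")
    case $mode in
        true|yes|y|t|on|1|tmpfs) ;;   # directories are hidden from the service
        *) echo "ok: ProtectHome=${mode:-unset} does not hide $target"; return 1 ;;
    esac
    case $target in
        /home/*|/root/*|/run/user/*)
            echo "blocked: $target is hidden by ProtectHome=$mode"; return 0 ;;
    esac
    echo "ok: $target is outside /home, /root and /run/user"; return 1
}

# Demo on a constructed unit mirroring the question's symlink layout.
demo() {
    d=$(mktemp -d)
    ln -s /home/constructed-user/src/bitcoin/src/bitcoind "$d/bitcoind"
    printf '[Service]\nExecStart=%s -daemon\nProtectHome=true\n' "$d/bitcoind" > "$d/bitcoind.service"
    check_unit "$d/bitcoind.service"; rc=$?
    rm -rf "$d"; return "$rc"
}
demo
```

`ProtectHome=read-only` is reported as `ok` because it leaves the directories readable, so a binary there can still be executed.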