Xymon Mailing List Archive

Problem with file owner/group check

5 messages in this thread

list Ian Marsh · Fri, 14 Jan 2011 10:25:24 -0000 ·
  We recently encountered a problem with directory permissions on one of
our web servers and so decided to update our Xymon installation (v4.2.3)
to monitor it. Unfortunately I think I've found a bug in the code that
facilitates this. 

In the hobbit-client.cfg file we have a test like this:

	FILE /var/somefile mode=755 owner=root groupid=root yellow

The owner test works fine but the group test doesn't, instead it says
that the file should be owned by group 'd=root'. Further investigation
shows that the owner test also fails in the same way if we use the
'ownerid=root' variation of the owner test. It's almost as if the code
is assuming that the first 6 characters of the token is the name and
everything else is the value. This works fine with the 'owner=root'
variation but fails dismally with the 'ownerid=root' and 'groupid=root'
variations. It would be fine if we could use 'group=root' but as that's
a reserved word it's not allowed.

  Unfortunately my C coding is virtually non-existent, I can get by with
reading it but not writing it! Has anyone encountered this before and
written a patch for it? Or has it been fixed in the 4.3.0 beta?

Thank you,
Ian Marsh
 
IT Service Operations - Network Services
list Henrik Størner · Fri, 14 Jan 2011 12:06:03 +0000 (UTC) ·
In <user-336f30b07a30@xymon.invalid> "Marsh, Ian" <user-ba159ca7ed42@xymon.invalid> writes:

Hi Ian,
> In the hobbit-client.cfg file we have a test like this:
>
> 	FILE /var/somefile mode=755 owner=root groupid=root yellow
>
> The owner test works fine but the group test doesn't, instead it says
> that the file should be owned by group 'd=root'. Further investigation
> shows that the owner test also fails in the same way if we use the
> 'ownerid=root' variation of the owner test. It's almost as if the code
> is assuming that the first 6 characters of the token is the name and
> everything else is the value.

your analysis is spot-on. Classical cut-and-paste error, I'm afraid,
and it is also present in the current 4.3.0 code. So I'm glad you
spotted it!

A diff for 4.2.3 is below. For 4.3.0, I'll commit a change later today - 
there are some other fixes in the same area of code that I am working
on (relating to the Windows client SVC checks).

Regards,
Henrik

Index: hobbitd/client_config.c
===================================================================
--- hobbitd/client_config.c	(revision 6333)
+++ hobbitd/client_config.c	(working copy)
@@ -827,10 +827,11 @@
 					}
 					else if ((strncasecmp(tok, "owner=", 6) == 0) ||
 						 (strncasecmp(tok, "ownerid=", 8) == 0)) {
-						char *eptr;
+						char *p, *eptr;
 						int uid;
• -						uid = strtol(tok+6, &eptr, 10);
• +						p = strchr(tok, '=');
+						uid = strtol(p+1, &eptr, 10);
 						if (*eptr == '\0') {
 							/* All numeric */
 							currule->flags |= FCHK_OWNERID;
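Review bot: In the owner/ownerid branch, the test "if (*eptr == '\0')" is also true for an empty value, so a token that is just "owner=" or "ownerid=" hands strtol an empty string, gets 0 back and is accepted as the all-numeric uid 0. Suggest also requiring "eptr != p+1" before FCHK_OWNERID is set. The strchr result needs no NULL check at this point, since both prefixes matched by strncasecmp contain '='.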
@@ -843,10 +844,11 @@
 					}
 					else if (strncasecmp(tok, "groupid=", 8) == 0) {
 						/* Cannot use "group" because that is reserved */
-						char *eptr;
+						char *p, *eptr;
 						int uid;
• -						uid = strtol(tok+6, &eptr, 10);
• +						p = strchr(tok, '=');
+						uid = strtol(p+1, &eptr, 10);
 						if (*eptr == '\0') {
 							/* All numeric */
 							currule->flags |= FCHK_GROUPID;
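Review bot: In the groupid branch the number parsed from "p+1" is a group id but is still stored in "int uid"; renaming it to gid would make this copied block easier to tell apart from the owner one, which matters given that the original defect came from copying. strtol returns a long, so the assignment to int narrows it without any range or errno check; suggest validating the value before the id is stored.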
list Ian Marsh · Fri, 14 Jan 2011 13:45:06 -0000 ·
Henrik,
    Thanks for such a quick response! I can confirm that the patch works, but only if you test against the numeric uid's and gid's. If you try to test against the names then you get the same result I was seeing before; the MAN page for hobbit-clients.cfg says you can use either but that doesn't appear to be the case.... I'd prefer to use the user and group names if possible, just so that it makes more sense to the less experienced members of the support team!


Thank you,
Ian Marsh
 IT Service Operations - Network Services


list Henrik Størner · Fri, 14 Jan 2011 15:41:42 +0000 (UTC) ·
In <user-59f8ce4949f4@xymon.invalid> "Marsh, Ian" <user-ba159ca7ed42@xymon.invalid> writes:

> Thanks for such a quick response! I can confirm that the patch
> works, but only if you test against the numeric uid's and gid's. If you
> try to test against the names then you get the same result I was seeing
> before; the MAN page for hobbit-clients.cfg says you can use either but
> that doesn't appear to be the case.... I'd prefer to use the user and
> group names if possible, just so that it makes more sense to the less
> experienced members of the support team!

I should have looked a little further down in the code... if you search
the hobbitd/client_config.c file for "ownerid=" you'll see that is where
the patch went in. And just a few lines further down is a line with

   currule->flags |= FCHK_OWNERSTR;
   currule->rule.fcheck.ownerstr = strdup(tok+6);

Change that line to "p+1" instead of "tok+6":

   currule->rule.fcheck.ownerstr = strdup(p+1);

and usernames should work. An identical fix some 15 lines or so further
down fixes it for the groupnames.


Regards,
Henrik
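
The fixed-offset defect and the strchr-based fix from this thread, reduced to a stand-alone C program. This is an added example, not code from Xymon or from either poster: idval_t, value_fixed_offset, value_after_eq and parse_idval are hypothetical names, and rejecting an empty or out-of-range value goes beyond the posted patch.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical result type for this example; not Xymon's rule structure. */
typedef struct { int is_numeric; long id; const char *name; } idval_t;

/* Pre-patch behaviour: the value is assumed to start at tok+6 whatever the
 * keyword is. Only correct for "owner=" (6 characters); tok must be >= 6 long. */
static const char *value_fixed_offset(const char *tok) { return tok + 6; }

/* Patched behaviour: the value starts right after the first '='. */
static const char *value_after_eq(const char *tok) {
    const char *p = strchr(tok, '=');
    return p ? p + 1 : NULL;
}

/* Classify a value as numeric id or name. Returns 0 on success, -1 when the
 * value is missing, empty or out of int range (an addition to the patch). */
static int parse_idval(const char *val, idval_t *out) {
    char *eptr;
    long n;
    if (val == NULL || *val == '\0') return -1;  /* "owner=" must not become id 0 */
    errno = 0;
    n = strtol(val, &eptr, 10);
    if (*eptr == '\0') {                         /* all numeric */
        if (errno == ERANGE || n < 0 || n > INT_MAX) return -1;
        out->is_numeric = 1; out->id = n; out->name = NULL;
    } else {                                     /* treat as user/group name */
        out->is_numeric = 0; out->id = -1; out->name = val;
    }
    return 0;
}

int main(void) {
    /* Constructed sample tokens, modelled on the FILE rule in the thread. */
    const char *toks[] = { "owner=root", "ownerid=root", "groupid=root",
                           "groupid=0", "owner=" };
    for (size_t i = 0; i < sizeof(toks) / sizeof(toks[0]); i++) {
        idval_t v = { 0, -1, NULL };
        int rc = parse_idval(value_after_eq(toks[i]), &v);
        printf("%-13s tok+6='%s' after '=': %s\n", toks[i],
               value_fixed_offset(toks[i]),
               rc ? "(rejected)" : v.is_numeric ? "(numeric id)" : v.name);
    }
    return 0;
}
```
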
list Ian Marsh · Fri, 14 Jan 2011 15:49:28 -0000 ·
  Thanks for that, it all works now. :) 

Thank you,
Ian Marsh
 IT Service Operations - Network Services

