Hobbit Permission Problem
list Adam Goryachev
Hi all,
I've got a bit of a problem across a number of machines which I'm having some trouble working out.
Basically, the problem is my hobbit user can't display my log files:
hobbit at host:/var/log$ cat messages
cat: messages: Permission denied
However, the user has these permissions/groups:
hobbit at host:/var/log$ id
uid=110(hobbit) gid=110(hobbit) groups=0(root),4(adm),110(hobbit)
The directories leading to the file have these permissions:
hobbit at host:/var/log$ ls -ld /
drwxr-xr-x 24 root root 4096 Nov 19 2009 /
hobbit at host:/var/log$ ls -ld /var
drwxr-xr-x 15 root root 4096 Nov 19 2009 /var
hobbit at host:/var/log$ ls -ld /var/log
drwxr-xr-x 14 root root 4096 Mar 29 08:46 /var/log
The file has read permissions for the adm group, of which we are a member (above):
hobbit at host:/var/log$ ls -ld /var/log/messages
-rw-r----- 1 root adm 21353 Mar 29 13:27 /var/log/messages
Finally, here is all the info I can see on the file:
hobbit at host:/var/log$ stat /var/log/messages
File: `/var/log/messages'
Size: 21353 Blocks: 48 IO Block: 1048576 regular file
Device: eh/14d Inode: 4202796 Links: 1
Access: (0640/-rw-r-----) Uid: ( 0/ root) Gid: ( 4/ adm)
Access: 2011-03-28 20:21:00.000000000 +1100
Modify: 2011-03-29 13:27:00.000000000 +1100
Change: 2011-03-29 13:27:00.000000000 +1100
I'm running a fairly standard Debian lenny.
The root user has no problem reading/writing the file/etc....
Any pointers would be appreciated....
Regards,
Adam
list Josh Luthman
Xymon probably isn't running as root and hence the user has no permission to read that file.
Use group permission for the file and add the Xymon user to that group.
Josh Luthman
Office: XXX-XXX-XXXX
Direct: XXX-XXX-XXXX
XXXX Wayne St
Suite XXXX
Troy, OH XXXXX
list David Baldwin
Adam,
A shortcut for just checking modes is namei:
# namei -m /var/log/messages
f: /var/log/messages
drwxr-xr-x /
drwxr-xr-x var
drwxr-xr-x log
-rwxr-x--- messages
My solution to this one is to modify /etc/logrotate.d/syslog and change
group permissions on the file in question. A better solution might be to
use ACLs, but I tried that once and ran into an issue where '-r' test
didn't respect ACLs when checking it could read the log file! That may
have been back in the days of BB even... Group permissions haven't
caused any issues anyway :)
If your distro uses something other than logrotate to manage file
rotation you'll need to work out an appropriate recipe...
# cat /etc/logrotate.d/syslog
/var/log/messages /var/log/secure /var/log/maillog /var/log/spooler
/var/log/boot.log /var/log/cron {
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
        /bin/kill -HUP `cat /var/run/rsyslogd.pid 2> /dev/null` 2> /dev/null || true
        chmod 750 /var/log/messages
        chgrp hobbit /var/log/messages
    endscript
}
David.
--
David Baldwin - IT Unit
Australian Sports Commission www.ausport.gov.au
Tel 02 62147830 Fax 02 62141830 PO Box 176 Belconnen ACT 2616
list Adam Goryachev
Thanks for your suggestion, but I have other processes that rely on the adm group having access to the log files, and I don't want to make them world readable.
The very short problem is:
1) I am a user with a supplemental group (adm)
2) I have a file with my supplemental group (adm) which is group readable
3) I can't read the file
I understand permissions, groups, etc. very well, I understand logrotate and its config files, but I am stumped as to why this isn't working....
Thanks,
Adam
list David Baldwin
Sorry, didn't read all your message closely enough.
Did you restart the hobbit client process after you changed the group membership of the hobbit user?
David.
list Ford Alan
Not sure what Linux you are running, but have you looked at SELinux? This could be causing your access issues. Check this link out on ways to turn it off to see if it is the culprit: http://www.crypt.gen.nz/selinux/disable_selinux.html
Alan
list Adam Goryachev
Yes, this problem has been around for a while, I've rebooted the system a number of times as well....
Regards,
Adam
list Josh Luthman
So (user) hobbit is in group adm
ll shows the file is owned by group adm
(user) hobbit can not read the file?
list Adam Goryachev
The machine has a /selinux directory, but no files inside; running echo 0 > /selinux/enforce has no effect (other than creating the file)... I don't have any selinux commands like setenforce or similar. As I said, I'm using Debian Lenny; AFAIK, this doesn't enable selinux by default, and I don't think it is running. Is there any other way to see what is happening or why? This was one of the things I initially thought it might be, but I'm not sure how to proceed since it doesn't appear to be running/active...
Regards,
Adam
list Adam Goryachev
Yep, that's the problem.... (or at least, it has me befuddled)....
Thanks,
Adam
list David Baldwin
What do you get when you do:
# su - hobbit
$ id -a
$ strace head -1 /var/log/messages
$ ltrace head -1 /var/log/messages
Thanks, David.
list Phil Crooker
So, to be clear, you su as the user hobbit and change to that directory and cannot read the file?
list Phil Crooker
Sorry, didn't read the original email..... Just ignore that question.
Is it just *this* user or *this* directory? Have you tried creating another user in the adm group, or creating another (unrelated) directory with the same rights? This is odd.
cheers, Phil.
list Adam Goryachev
On 29/03/2011 4:26 PM, David Baldwin wrote:
What do you get when you do:
Thanks for the ideas, please see below for the results:
# su - hobbit
$ id -a
host:~# su - hobbit
hobbit at host:~$ id -a
uid=1000(hobbit) gid=104(hobbit) groups=4(adm),104(hobbit),244(blahblah)
$ strace head -1 /var/log/messages
hobbit at host:~$ strace head -1 /var/log/messages
execve("/usr/bin/head", ["head", "-1", "/var/log/messages"], [/* 11 vars*/]) = 0
brk(0) = 0x8052000
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
mmap2(NULL, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7fcc000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=17335, ...}) = 0
mmap2(NULL, 17335, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7fc7000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/i686/nosegneg/libc.so.6", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\260e\1\0004\0\0\0\4"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1425828, ...}) = 0
mmap2(NULL, 1431152, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7e69000
mmap2(0xb7fc1000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x158) = 0xb7fc1000
mmap2(0xb7fc4000, 9840, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb7fc4000
close(3) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7e68000
set_thread_area({entry_number:-1 -> 6, base_addr:0xb7e686b0, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
mprotect(0xb7fc1000, 4096, PROT_READ) = 0
munmap(0xb7fc7000, 17335) = 0
open("/usr/lib/locale/locale-archive", O_RDONLY|O_LARGEFILE) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=347504, ...}) = 0
mmap2(NULL, 347504, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7e13000
close(3) = 0
brk(0) = 0x8052000
brk(0x8073000) = 0x8073000
open("/var/log/messages", O_RDONLY|O_LARGEFILE) = -1 EACCES (Permission denied)
open("/usr/share/locale/locale.alias", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=2586, ...}) = 0
mmap2(NULL, 1048576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7d13000
read(3, "# Locale name alias data base.\n# "..., 1048576) = 2586
read(3, ""..., 1048576) = 0
close(3) = 0
munmap(0xb7d13000, 1048576) = 0
open("/usr/share/locale/en_AU/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
write(2, "head: "..., 6head: ) = 6
write(2, "cannot open `/var/log/messages' f"..., 43cannot open `/var/log/messages' for reading) = 43
open("/usr/share/locale/en_AU/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
write(2, ": Permission denied"..., 19: Permission denied) = 19
write(2, "\n"..., 1
) = 1
close(1) = 0
close(2) = 0
exit_group(1) = ?
$ ltrace head -1 /var/log/messages
hobbit at host:~$ ltrace head -1 /var/log/messages
__libc_start_main(0x8049a70, 3, 0xbfffeb84, 0x804ef10, 0x804ef00 <unfinished ...>
setlocale(6, "") = "en_AU"
bindtextdomain("coreutils", "/usr/share/locale") = "/usr/share/locale"
textdomain("coreutils") = "coreutils"
__cxa_atexit(0x804b3a0, 0, 0, 0xb7f64ff4, 0xbfffeae8) = 0
__ctype_b_loc() = 0xb7e0a690
__errno_location() = 0xb7e0a68c
__strtoull_internal(0xbfffef08, 0xbfffc934, 10, 0, 0xbfffc934) = 1
getopt_long(2, 0xbfffeb88, "c:n:qv0123456789", 0x804f7a0, NULL) = -1
open64("/var/log/messages", 0, 01001170471) = -1
__errno_location() = 0xb7e0a68c
__errno_location() = 0xb7e0a68c
__ctype_get_mb_cur_max(0x804833c, 0xbfffc914, 0xb7f8d7c4, 0, 0xb7f709e0) = 1
dcgettext(0, 0x804fc09, 5, 0xb7e2e900, 0xb7e0a68c) = 0x804fc09
dcgettext(0, 0x804fc0b, 5, 0xb7e2e900, 0x804fc09) = 0x804fc0b
strlen("'") = 1
dcgettext(0, 0x804f15b, 5, 0x804f7a0, 0) = 0x804f15b
__errno_location() = 0xb7e0a68c
error(0, 13, 0x804f15b, 0x8051480, 0head: cannot open `/var/log/messages' for reading: Permission denied
) = 0
exit(1 <unfinished ...>
__fpending(0xb7f654e0, 0xb7f8cff4, 0x80485ac, 0xb7f64ff4, 1) = 0
fclose(0xb7f654e0) = 0
__fpending(0xb7f65580, 0xb7f8cff4, 0x80485ac, 0xb7f64ff4, 1) = 0
fclose(0xb7f65580) = 0
+++ exited (status 1) +++
list Adam Goryachev
host:~# mkdir /blah
host:~# cd /blah/
host:/blah# touch test
host:/blah# chgrp adm test
host:/blah# chmod 640 test
host:/blah# ls -l
total 0
-rw-r----- 1 root adm 0 2011-03-29 17:15 test
host:/blah# su - hobbit
hobbit at host:~$ cat /blah/test
cat: /blah/test: Permission denied
Looks like any file in any directory has the same problem....
Thanks,
Adam
list Ford Alan
Ok, try looking at this link in regards to Debian ACLs: http://wiki.debian.org/Permissions#Access_Control_Lists_in_Linux It's towards the bottom :-)
Alan
list Adam Goryachev
host:/# getfacl var/log/messages
# file: var/log/messages
# owner: root
# group: adm
user::rw-
group::r--
other::---
Still doesn't look like it; the acl package wasn't installed, but after installing it, it doesn't show that ACLs are in use...
Thanks,
Adam
list Henrik Størner
Permissions on /blah ?
Assuming the "hobbit" user is a member of group "adm", the /blah directory must have group "adm" and at least group-execute permissions. If group is not "adm", then execute permission for "all".
Regards,
Henrik
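Henrik's rule above (the class that applies needs x on every directory on the way, then r on the file) and David's earlier namei -m suggestion, written out as an added example that is not code from the thread: a POSIX sh re-implementation of the classic owner/group/other check, plus a walker that judges each path component for a given user. The function names dac_allows, explain_access and thread_case are my own; it assumes GNU or busybox stat -c and a POSIX id, and it models only classic mode bits (uid 0 with CAP_DAC_OVERRIDE semantics), not POSIX ACLs or an LSM.

```shell
#!/bin/sh
# Added example, not code from the thread: classic Unix DAC re-implemented so a
# path can be walked component by component (what `namei -m` shows) and each
# step judged for a given user. Assumes GNU/busybox `stat -c` and POSIX `id`.
# Only mode bits are modelled: "ok" here together with EACCES from the kernel
# means the denial comes from a layer this script does not see (ACL, LSM).

# dac_allows UID GROUPS MODE OWNER_UID OWNER_GID WANT TYPE
#   GROUPS  comma-separated gids of the process (primary and supplementary)
#   MODE    octal bits, e.g. 640 or 0755    WANT  r, w or x    TYPE  f or d
# Returns 0 when the classic rule grants WANT, 1 when it does not.
dac_allows() {
    uid=$1; gidlist=$2; mode=$3; ouid=$4; ogid=$5; want=$6; type=$7
    perm=${mode#"${mode%???}"}                  # keep the last three digits
    o=${perm%??}; g=${perm#?}; g=${g%?}; w=${perm#??}
    case $want in r) bit=4 ;; w) bit=2 ;; x) bit=1 ;; *) return 2 ;; esac
    # uid 0 (CAP_DAC_OVERRIDE): read/write and directory search always pass;
    # executing a regular file still needs at least one x bit somewhere.
    if [ "$uid" -eq 0 ]; then
        [ "$want" != x ] && return 0
        [ "$type" = d ] && return 0
        [ $(( ($o | $g | $w) & 1 )) -ne 0 ] && return 0
        return 1
    fi
    # Exactly one class applies: owner, else group, else other. A member of
    # the owning group never falls back to the "other" bits.
    if [ "$uid" -eq "$ouid" ]; then
        d=$o
    else
        case ",$gidlist," in *",$ogid,"*) d=$g ;; *) d=$w ;; esac
    fi
    [ $(( $d & $bit )) -ne 0 ]
}

# explain_access USER PATH
# USER is a login name, a numeric uid, or "-" for the calling process.
# Intermediate directories need search (x); the final object needs read (r).
# Prints one namei-style line per component. Returns 0 if every step passes,
# 1 at the first denial, 2 if USER or a component cannot be looked up.
explain_access() {
    user=$1; target=$2
    if [ "$user" = - ]; then
        uid=$(id -u); gids=$(id -G | tr ' ' ',')
    else
        uid=$(id -u "$user" 2>/dev/null) || return 2
        gids=$(id -G "$user" 2>/dev/null | tr ' ' ',')
    fi
    old_ifs=$IFS; IFS=/; set -f; set -- $target; set +f; IFS=$old_ifs
    n=$#; i=0; cur=""
    for comp in "$@"; do
        i=$((i + 1))
        if [ -z "$comp" ]; then                 # leading "/" or a doubled slash
            if [ -z "$cur" ]; then cur=/; else continue; fi
        elif [ -z "$cur" ] || [ "$cur" = / ]; then
            cur=$cur$comp
        else
            cur=$cur/$comp
        fi
        info=$(stat -L -c '%a %u %g %F' "$cur" 2>/dev/null) ||
            { echo "$cur: cannot stat"; return 2; }
        set -- $info
        mode=$1; ouid=$2; ogid=$3; shift 3; ftype=$*
        t=f; want=r
        if [ "$ftype" = directory ]; then
            t=d
            [ "$i" -lt "$n" ] && want=x         # directory on the way: search
        fi
        if dac_allows "$uid" "$gids" "$mode" "$ouid" "$ogid" "$want" "$t"; then
            printf '%5s %s:%-4s %s (%s ok)\n' "$mode" "$ouid" "$ogid" "$cur" "$want"
        else
            printf '%5s %s:%-4s %s (%s DENIED for uid %s, groups %s)\n' \
                "$mode" "$ouid" "$ogid" "$cur" "$want" "$uid" "$gids"
            return 1
        fi
    done
    return 0
}

# The figures from Adam's first post: uid 110 with groups 0,4,110; every
# directory 0755 root:root; /var/log/messages 0640 root:adm. Returns 0,
# i.e. classic DAC grants the read, so the EACCES must come from elsewhere.
thread_case() {
    dac_allows 110 0,4,110 755 0 0 x d && dac_allows 110 0,4,110 640 0 4 r f
}

# Usage: sh check_access.sh hobbit /var/log/messages   ("-" = yourself)
[ $# -eq 2 ] && explain_access "$1" "$2"
```

Run as `sh check_access.sh hobbit /var/log/messages` it prints one line per component like namei -m does, with the verdict for that user appended. On the numbers Adam posted every line comes out "ok" (that is what thread_case checks), which is precisely the thread's situation: the mode bits grant the read, so the denial has to be coming from something outside classic DAC.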
list Adam Goryachev
In the above case, the directory was owner root, group root, permissions 655, so it wasn't a directory permission issue. However, this still doesn't resolve or address the original issue of not being able to read /var/log/messages, where I showed the permissions of all the directories and files which *should* have allowed the user to read the file.
I'm sure there is something really bizarre going on for me, because this *should* work, and it can't be debian, because I'm sure there are plenty of other people out there running hobbit with debian who have this working properly....
Any other pointers? please? I really don't understand what else to look at...
Thanks,
Adam
--
Adam Goryachev
Website Managers
www.websitemanagers.com.au
list Jeremy Laidman
On Wed, Mar 30, 2011 at 11:43 PM, Adam Goryachev <user-eaec2ffb4cbc@xymon.invalid> wrote:
> Any other pointers? Please? I really don't understand what else to look at...
Does "dmesg" show any kernel-level blocking (ACL, SELinux, AppArmor)?
list Adam Goryachev
On 31/03/2011 10:42 AM, Jeremy Laidman wrote:
> Does "dmesg" show any kernel-level blocking (ACL, SELinux, AppArmor)?
No, it doesn't :( This really has me quite stumped... Usually Linux has all the tools to make this sort of debugging really simple, but strace and all simply show access denied, and I really don't understand why. Regards, Adam
list Phil Crooker
On 3/30/2011 at 11:13 PM, in message <user-b8c2bfa742ea@xymon.invalid>, Adam Goryachev <user-eaec2ffb4cbc@xymon.invalid> wrote:
> In the above case, the directory was owner root, group root, permissions 655, so it wasn't a directory permission issue. [...]
> Any other pointers? Please? I really don't understand what else to look at...
Your blah example doesn't work. You need to move /root/blah to / and retry. For me, if I'm troubleshooting this sort of baffling issue, it is important to get something simple that works and then gradually add relevant factors till it doesn't. So, the reason I asked for this test is to determine if that account can access a directory and file other than /var/log/messages with just group permissions. If you can, then there is something going on either with the log directory or the messages file specifically. So, if you su as that user and can then read a file in /blah with just the group permissions (be sure to remove the world rights), then try copying that file to /var/log and see if the user can see it there. If it can, then there is something basically wrong with messages...
list David Baldwin
On 31/03/11 10:46 AM, Adam Goryachev wrote:
> No, it doesn't :( This really has me quite stumped... Usually Linux has all the tools to make this sort of debugging really simple, but strace and all simply show access denied, and I really don't understand why.
Very mysterious. Have you checked the mount options, and tried doing 'fsck' on the file system? David.
list Adam Goryachev
On 31/03/2011 11:17 AM, Phil Crooker wrote:
> Your blah example doesn't work. You need to move /root/blah to / and retry.
I'm not sure what you mean, I was using /blah....

host:~# mkdir /blah
host:~# ls -ld /blah
drwxr-xr-x 2 root root 4096 Mar 31 11:23 /blah
host:~# echo test > /blah/test
host:~# chgrp adm /blah/test
host:~# chmod 640 /blah/test
host:~# ls -l /blah/test
-rw-r----- 1 root adm 5 Mar 31 11:23 /blah/test
host:~# cat /blah/test
test
host:~# su - hobbit
hobbit at host:~$ cd /blah
hobbit at host:/blah$ ls -la
total 12
drwxr-xr-x 2 root root 4096 Mar 31 11:23 .
drwxr-xr-x 25 root root 4096 Mar 31 11:23 ..
-rw-r----- 1 root adm 5 Mar 31 11:23 test
hobbit at host:/blah$ cat test
cat: test: Permission denied
hobbit at host:~$ id
uid=110(hobbit) gid=110(hobbit) groups=0(root),4(adm),110(hobbit)
hobbit at host:~$ logout
host:~# chgrp testgroup /blah/test
host:~# su - adamg
adamg at host:~$ cat /blah/test
cat: /blah/test: Permission denied
adamg at host:~$ ls -l /blah/test
-rw-r----- 1 root testgroup 5 Mar 31 11:23 /blah/test
adamg at host:~$ id
uid=500(adamg) gid=500(adamg) groups=500(adamg),1014(testgroup)
> For me, if I'm troubleshooting this sort of baffling issue, it is important to get something simple that works and then gradually add relevant factors till it doesn't. [...] So, if you su as that user and can then read a file in /blah with just the group permissions (be sure to remove the world rights), then try copying that file to /var/log and see if the user can see it there. If it can, then there is something basically wrong with messages...
I'm not sure where to start from; none of these basics seem to be working.... Thanks for all the suggestions. Adam
list Adam Goryachev
On 31/03/2011 11:32 AM, David Baldwin wrote:
> Have you checked the mount options, and tried doing 'fsck' on the file system?
Sorry to say, but you win. The problem was that this is an NFS root system, i.e., the entire filesystem is mounted via NFS, and the uid and gid of the hobbit user were different between the NFS client and the NFS server. However, during NFS file requests, only the UID/GID is transmitted or used to determine whether access is granted or denied... Thank you all for your help on this; I had forgotten about this little peculiarity (NFS) as I'm so used to working on the systems all the time as if they are normal stand-alone systems... Apologies for wasting everyone's time too... Regards, Adam
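Added example, not code from the thread: a small Python model of the check everyone in the thread was reasoning about. It walks the permissions Adam posted once with the client's idea of the hobbit user and once with what the server sees after the credential has been reduced to numeric ids; it also covers Henrik's directory-execute point. The server-side passwd/group contents are constructed, and the server rebuilding the group list from the uid alone is an assumption, not something the thread states.

```python
from stat import S_IRUSR, S_IRGRP, S_IROTH, S_IXUSR, S_IXGRP, S_IXOTH

# The path exactly as the original post listed it: (name, mode, owner uid, owner gid).
PATH = [("/", 0o755, 0, 0), ("/var", 0o755, 0, 0), ("/var/log", 0o755, 0, 0),
        ("/var/log/messages", 0o640, 0, 4)]

def allowed(mode, f_uid, f_gid, uid, gids, owner_bit, group_bit, other_bit):
    """POSIX DAC: exactly one class (owner, group or other) is consulted.
    uid 0 bypasses the check; gid 0 (group "root", which hobbit has) does not."""
    if uid == 0:
        return True
    if uid == f_uid:
        return bool(mode & owner_bit)
    if f_gid in gids:
        return bool(mode & group_bit)
    return bool(mode & other_bit)

def first_denial(path, uid, gids):
    """Walk like the kernel: search (x) on every directory, then read (r) on
    the final entry. Returns the component that denies, or None if readable."""
    *dirs, (leaf, mode, f_uid, f_gid) = path
    for name, d_mode, d_uid, d_gid in dirs:
        if not allowed(d_mode, d_uid, d_gid, uid, gids, S_IXUSR, S_IXGRP, S_IXOTH):
            return name
    if not allowed(mode, f_uid, f_gid, uid, gids, S_IRUSR, S_IRGRP, S_IROTH):
        return leaf
    return None

# Client side, exactly as `id` printed it in the thread.
CLIENT_UID, CLIENT_GIDS = 110, {0, 4, 110}

# Constructed server databases (not from the thread): uid 110 is some other
# account on the server, and that account is not in adm (gid 4).
SERVER_PASSWD = {110: "svcuser", 111: "hobbit"}            # uid -> name
SERVER_GROUPS = {"svcuser": {110}, "hobbit": {0, 4, 111}}  # name -> gids

def server_credential(uid):
    """Assumption: the server rebuilds the group list from the numeric uid
    alone, so the client's supplementary groups never reach the check."""
    return uid, SERVER_GROUPS[SERVER_PASSWD[uid]]

def stand_alone_result():
    """Same box as the files: readable, as everyone in the thread expected."""
    return first_denial(PATH, CLIENT_UID, CLIENT_GIDS)

def nfs_result():
    """Over NFS: the identical numbers now name an account outside adm."""
    return first_denial(PATH, *server_credential(CLIENT_UID))

if __name__ == "__main__":
    print("local:", stand_alone_result(), "| nfs:", nfs_result())
```

The practical check this models is comparing `getent passwd hobbit` and `getent group adm` on the client and on the NFS server; the names must resolve to the same numbers on both ends.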
list Ralph Mitchell
On Wed, Mar 30, 2011 at 9:16 PM, Adam Goryachev <user-eaec2ffb4cbc@xymon.invalid> wrote:
> The problem was that this is an NFS root system, i.e., the entire filesystem is mounted via NFS, and the uid and gid of the hobbit user were different between the NFS client and the NFS server. [...]
No worries - now we know something else to watch out for... :) Ralph Mitchell