unable to run logrotate postscripts command with substitute user - logrotate

logrotate(3.8.6) on RHEL7 is giving me PAM Auth rejections when running postscripts command with substitute user.
same configuration works fine when i force logrotate from shell as root, but failing with below error when logrotate is executed by cron
logrotate config
/var/log/rabbitmq/*.log {
su rabbitmq rabbitmq
daily
dateext
dateyesterday
missingok
rotate 7
compress
delaycompress
notifempty
sharedscripts
postrotate
su rabbitmq -s /bin/sh "echo"-c
endscript
}
content in /var/log/secure
May 3 22:57:01 ip-10-6-78-5 su: pam_unix(su:auth): auth could not identify password for [rabbitmq]
May 3 22:57:01 ip-10-6-78-5 su: pam_unix(su:auth): auth could not identify password for [rabbitmq]
May 3 22:57:01 ip-10-6-78-5 su: pam_succeed_if(su:auth): requirement "uid >= 1000" not met by user "rabbitmq"
May 3 22:57:01 ip-10-6-78-5 su: pam_succeed_if(su:auth): requirement "uid >= 1000" not met by user "rabbitmq"
May 3 22:57:01 ip-10-6-78-5 su: FAILED SU (to rabbitmq) root on none
May 3

Could you try to add sudo before su and use -c parameter for su command, so your commands should looks like:
sudo su rabbitmq -c '/bin/sh "echo"-c'

Related

postgresql cp archive command failed as rsync permission denied

I'm trying to set postgresql db setup (version - 10) via ansible and when i was trying to start postgresql db cluster after recovery.conf file i'm getting permission denied error
i'm trying this via anasible and below is the module information
- name: Starting the postgresql db cluster on standby host
command: 'su - postgres -c "pg_ctl -D {{ data_dir }} start"'
when: inventory_hostname == (groups['pgdb']|sort())[1]
Error message:
2021-06-19 13:46:56.129 UTC [90381] DETAIL: The failed archive command was: cp pg_wal/000000010000000000000001 /data/archives/testarchives/000000010000000000000001 && /bin/rsync -a pg_wal/000000010000000000000001 postgres#10.0.1.120:/data/archives/testarchives/000000010000000000000001
2021-06-19 13:46:56.130 UTC [77934] LOG: archiver process (PID 90381) exited with exit code 1
sh: /bin/rsync: Permission denied
2021-06-19 13:47:56.227 UTC [90385] FATAL: archive command failed with exit code 126
It is clearly stating it is not able to execute rsync command as postgres user.But don't know how to fix this
Tried below first but no luck
- name: Starting the postgresql db cluster on standby host
command: "pg_ctl -D {{ data_dir }} start"
when: inventory_hostname == (groups['pgdb']|sort())[1]
become_user: postgres
My recovery.conf file is as eblow
$ cat recovery.conf
standby_mode = 'on'
primary_conninfo = 'user=postgres host=10.0.1.120 port=5432'
restore_command = 'cp -i /data/archives/testarchives/%f %p'
trigger_file = '/tmp/testtrigger_file'
recovery_target_timeline = 'latest'
archive_cleanup_command = 'pg_archivecleanup -d /data/archives/kongarchives %r 2>>/data/archives/cleanup.log'
But if i manually execute the same command then it is working
[ec2-user#ip-10-0-2-98 ~]$ sudo su - postgres
Last login: Sat Jun 19 15:31:25 UTC 2021 on pts/0
[postgres#ip-10-0-2-98 ~]$ cd /data/dbdata/testdata/
[postgres#ip-10-0-2-98]$ cp pg_wal/000000010000000000000004 /data/archives/testarchives/000000010000000000000004 && /bin/rsync -a pg_wal/000000010000000000000004 postgres#10.0.1.120:/data/archives/testarchives/000000010000000000000004
[postgres#ip-10-0-2-98]$
You are probably a victim of SELinux or something like it, in which the same system OS account can have different permissions depending on whether it is running as a daemon or from a command line. Try running below command after this my issue was fixed,
sudo setenforce 0
refer:https://wiki.gentoo.org/wiki/SELinux/Tutorials/Permissive_versus_enforcing
Can you try below.
- name: Starting the postgresql db cluster on standby host
command: 'sudo -u postgres psql -c "pg_ctl -D {{ data_dir }} start"'
when: inventory_hostname == (groups['pgdb']|sort())[1]

Create a file as one user and edit it as another user

Im writing a shell to automate a process this shell will be run as root or as another user but not as the postgres user (meaning the user will just run the script)
What i did as a postgres user while testing was
touch /var/lib/postgresql/10/main/recovery.conf
sudo nano recovery.conf (wrote some content )
ctrl +O
However whenever I try to do this by using the following lines in my shell as as another user (including root)
sudo -H -u postgres bash -c "touch /var/lib/postgresql/10/main/recovery.conf"
The file is created as postgres user which is what i intended, and then i run
sudo -H -u postgres bash -c echo "content" > /var/lib/postgresql/10/main/recovery.conf
and get a
-bash: /var/lib/postgresql/10/main/recovery.conf: Permission denied
How come I can create the file but not put content on it?
I already tried giving 775 and 777 permisions using chmod
chmod 775 recovery.conf
as the psotgres user and i get
-rwxrwxr-x 1 postgres postgres 133 May 11 22:11 recovery.conf
to this file as a postgres user and still the error persists so im confused about whats going on
At the second line where you try to put the "echo" command, please use:
/var/lib/postgresql/10/main/recovery.conf
With a / at the beginning

kinit(v5): Key table entry not found while getting initial credentials

I followed following steps to setup KDC & kerberos. Now while kinit facing following issue.
OS - SUSE 11
1. zypper install krb5 krb5-server krb5-client
2. Updated krb5.conf with proper realm details.
3. kdb5_util create -s <kerberos database created. password provided on prompt>
4. echo "*/admin#EMEA.EBS.CORPINTRA.NET" >> /var/lib/kerberos/krb5kdc/kadm5.acl <provided permission to principals>
5. rckrb5kdc restart & then rckadmind restart
6. kadmin.local -q "addprinc admin/admin" <creating principal>
7. kadmin.local -q "list_principals" <verified principals>
8. kinit admin/admin#EMEA.EBS.CORPINTRA.NET <initalise>
9. klist
Create kerberos user:
10. kadmin.local
- addprinc himansu#EMEA.EBS.CORPINTRA.NET
(provide passwrd, when prompted)
11. ktutil
- addent -password -p himansu#EMEA.EBS.CORPINTRA.NET -k 1 -e RC4-HMAC
- wkt himansu.keytab
- q
12. ls -lrt himansu.keytab
13. kinit -kt himansu.keytab himansu#EMEA.EBS.CORPINTRA.NET
EXCEPTION:
kinit(v5): Key table entry not found while getting initial credentials

celery user permission denied to /bin/celery

I am trying to daemonize a celery configuration on an aws instance.
Following the celery docs, I have:
/etc/init.d/celeryd
/etc/default/celerybeat
I've created both a celery user and celery group and set permissions like so:
sudo chown -R celery:celery /var/log/celery/
sudo chown -R celery:celery /var/run/celery/
sudo chown celery:celery /home/sfree/meampy/bin/celery
When I check the file's permissions, it looks good:
(meampy)[]$ ls -l /home/sfree/meampy/bin/celery
-rwxrwxrwx 1 celery celery 237 Sep 13 15:15 /home/sfree/meampy/bin/celery
But when I run the script:
sudo sh -x /etc/init.d/celeryd start
...
Starting celeryd...
+ _chuid -f /var/log/celery/beat.log -l INFO --detach --pidfile=/var/run/celery/beat.pid
+ su celery -c '/home/sfree/meampy/bin/celery beat -f /var/log/celery/beat.log -l INFO --detach --pidfile=/var/run/celery/beat.pid'
bash: /home/sfree/meampy/bin/celery: Permission denied
+ exit 0
If I run the offending line solo, I get the same error.
meampy is the name of my virtualenv. Is the virtualenv the reason I am running into permission problems?
EDIT: the permissions on the virtualenv:
lrwxrwxrwx 1 sfree www-data 24 Sep 1 19:49 meampy -> /usr/local/python/meampy
I added the celery user to the www-data group, still same error
Because virtualenv meampy is belong to sfree, you should modify your celery config file (/etc/default/celeryd)
set
CELERYD_USER="sfree"
CELERYD_GROUP="sfree"
and do not forget
sudo chown -R sfree:sfree /var/log/celery/
sudo chown -R sfree:sfree /var/run/celery/

FATAL: could not access private key file “/etc/ssl/private/ssl-cert-snakeoil.key”: Permission denied

I believe I ended up mixing up permissions at /etc/ssl directories tree as the last modification was made on 18th November and a day after I could not get my PostgreSQL to work.
When I type in
sudo service postgresql start
I get
FATAL: could not access private key file “/etc/ssl/private/ssl-cert-snakeoil.key”: Permission denied
Checking permissions
~$ sudo -i
~$ ls -la /etc/ssl/private
drw-r----- 2 root ssl-cert 4096 Nov 18 21:10 .
-rwxrwxrwx 1 postgres postgres 1704 Set 4 11:26 ssl-cert-snakeoil.key
Checking group composition
~$ id postgres
uid=114(postgres) gid=127(postgres) groups=127(postgres),114(ssl-cert)
Also I noticed that my ssl-cert-snakeoil.pem file at /etc/ssl/certs/ doesn't have a symlink. I don't know if this makes any difference...
Please, help me sort this out.
Thanks.
Edit: Should it be posted on serverfault instead?
Try adding postgres user to the group ssl-cert
Run the below code to fix your issue:
# > It happened to me and it turned out that I removed erroneously the postgres user from "ssl-cert" group, set it back with
sudo gpasswd -a postgres ssl-cert
# Fixed ownership and mode
sudo chown root:ssl-cert /etc/ssl/private/ssl-cert-snakeoil.key
sudo chmod 740 /etc/ssl/private/ssl-cert-snakeoil.key
# now postgresql starts! (and install command doesn't fail anymore)
sudo /etc/init.d/postgresql start
courtsey to GabLeRoux
Check the output of
$ sudo -u postgres
$ cd /etc/ssl/private
$ ls
If the response is "Permission denied" do
$ chown postgres:ssl-cert /etc/ssl/private/
$ chown postgres:postgres /etc/ssl/private/ssl-cert-snakeoil.key
Only thing that will work if you have changed permissions for /etc/ssl/private
mkdir /etc/ssl/private-copy; mv /etc/ssl/private/* /etc/ssl/private-copy/; rm -r /etc/ssl/private; mv /etc/ssl/private-copy /etc/ssl/private; chmod -R 0700 /etc/ssl/private; chown -R postgres /etc/ssl/private
Copy this whole command (It's a one line code).
If this doesn't work for you, ckeck your postgres user groups by groups postgres and make sure your postgres user have ssl-cert root postgres (Order doesn't matter).
Now lets check your file permissions on ssl/private :
$ ls -la /etc/ssl/
> drwx------ 2 postgres root private
If this is not the output change your permissions with sudo chmod -R 700 /etc/ssl/private and for owners chown -R postgres:root /etc/ssl/private
//Now check permissions on ssl-cert-snakeoil.key,
//which will be inside your **private** directory.
$ ls -la /etc/ssl/private/ssl-cert-snakeoil.key
> -rwx------ 1 postgres root /etc/ssl/private/ssl-cert-snakeoil.key
I was suffering from this issue when attempting to start Postgresql on a remote docker instance. I eventually tracked down the crazy solution here. Basically you have to recreate the directories, chown on it's own doesn't work:
mkdir /etc/ssl/private-copy; mv /etc/ssl/private/* /etc/ssl/private-copy/; rm -r /etc/ssl/private; mv /etc/ssl/private-copy /etc/ssl/private; chmod -R 0700 /etc/ssl/private; chown -R postgres /etc/ssl/private
This error was preventing my PostgreSQL server from running locally.
The following worked for me:
sudo chown postgres:postgres /etc/ssl/private/ssl-cert-snakeoil.key
sudo chmod 600 /etc/ssl/private/ssl-cert-snakeoil.key
Also make sure that /etc/ssl/private has enough permissions.
Some programs can be incredibly pedantic and cost you valuable hours. By running journalctl after sudo systemctl start postgresql I'd see various errors like:
FATAL: could not load private key file "/etc/ssl/private/ssl-cert-snakeoil.key": Permission denied
FATAL: private key file "/etc/ssl/private/ssl-cert-snakeoil.key" must be owned by the database user or root
FATAL: private key file "/etc/ssl/private/ssl-cert-snakeoil.key" has group or world access
DETAIL: File must have permissions u=rw (0600) or less if owned by the database user, or permissions u=rw,g=r (0640) or less if owned by root.
I couldn't make it with work sudo chmod root:root, so I had to settle for sudo chmod postgres:postgres.
EDIT
I haven't tried it, but running deleting and regenerating the snakeoil certificate might work as well:
make-ssl-cert generate-default-snakeoil --force-overwrite
(You may have to run it with sudo, don't know.)
Try setting permissions on the .key file to 600. Postgres doesn't like key files with group or world permissions set. You may also need to change the owner to postgres, though I'm not sure about that.
I am running the postgres server in WSL, and I was facing the error with the ssl-cert file. I managed to make it work by changing the owner of the file to the postgres user I had created, adding the expected user and group IDs to the user as required of the application (111 and 116, respectively, as gleaned from helpful error messages), and voila, I have an active server from within WSL.
sudo useradd postgres
sudo usermod -u 111 -g 116 -a -G ssl-cert postgres
sudo chown postgres /etc/ssl/private/ssl-cert-snakeoil.key
After running the above, there were two more files the user running the server (postgres for me) needed permission to access, both residing in /var/postgresql. I used sudo chown -- twice more to give ownership to postgres. Running sudo service postgresql start will tell you which files you'll need to transfer ownership of through any error messages.
I had other certificates under /etc/ssl/private and hence, changing permissions recursively was out of question.
I tried adding postgres user to ssl-cert group that didn't help either.
I modified the permission of /etc/ssl/private to 716, basically saying that anyone else other than root (user) and ssl-cert (group) can read and execute the directory.
sudo chmod 716 /etc/ssl/private
Then, I modified the ownership of ssl-cert-snakeoil.key
sudo chown postgres:postgres /etc/ssl/private/ssl-cert-snakeoil.key
This worked for me, basically a combination of the answers by #devops and #Noushad