I am trying to learn SELinux. With a sandbox and using vsftpd to experiment with, I have a vsftpd server running in CentOS. I have anonymous users place files in /var/ftp/incoming. On a remote machine I can have the user successfully log in, but I could not place the file on the remote vsftpd server:
$ftp mysql_server
Connected to mysql_server (192.168.1.31).
220 Welcome to blah FTP service.
Name (mysql_server:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> put atd
local: atd remote: atd
227 Entering Passive Mode (192,168,1,31,19,161).
553 Could not create file.
ftp>
On the vsftpd server, aureport -a shows:
[root@mysql_server ftp]# aureport -a
AVC Report
========================================================
# date time comm subj syscall class permission obj event
========================================================
4. 04/08/2013 13:30:36 vsftpd unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 21 dir write system_u:object_r:public_content_t:s0 denied 28
5. 04/08/2013 13:34:57 vsftpd unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 2 dir write system_u:object_r:public_content_t:s0 denied 47
I checked the directory and the file contexts look good, so I don't understand why SELinux won't allow vsftpd to write to the incoming directory:
[root@mysql_server ftp]# ls -Z
drwx-wx---. root ftp system_u:object_r:public_content_t:s0 incoming
drwxr-xr-x. root root system_u:object_r:public_content_t:s0 pub
[root@mysql_server ftp]#
You need to run the following commands to allow uploading and editing files under SELinux:
setsebool -P allow_ftpd_full_access on
setsebool -P ftp_home_dir on
Your SELinux type is not correct. Use 'public_content_rw_t' instead of 'public_content_t'. Read more at http://beginlinux.com/blog/2008/11/vsftpd-and-selinux-on-centos/
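To see where the two answers come from, here is an added example (not code from the question or its answers) that parses rows in the layout of the `aureport -a` output above and flags exactly this symptom: a confined daemon denied a write on a directory labelled `public_content_t`, which is a read-only type by design. The report text is a constructed sample; the advice it prints is the two answers' fixes.

```python
"""Parse `aureport -a` rows and flag write denials on public_content_t.
Added example, not code from the question or its answers; the report text is a
constructed sample in the question's layout, and the fixes are the two answers'.
"""
from dataclasses import dataclass

# Constructed sample in the layout of the question's aureport -a output.
SAMPLE_REPORT = """\
AVC Report
========================================================
# date time comm subj syscall class permission obj event
========================================================
4. 04/08/2013 13:30:36 vsftpd unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 21 dir write system_u:object_r:public_content_t:s0 denied 28
5. 04/08/2013 13:34:57 vsftpd unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 2 dir write system_u:object_r:public_content_t:s0 denied 47
6. 04/08/2013 13:40:02 vsftpd unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 2 dir read system_u:object_r:public_content_t:s0 granted 51
"""

@dataclass
class Avc:
    comm: str
    source_type: str   # third field of the subject context, e.g. ftpd_t
    target_type: str   # third field of the object context, e.g. public_content_t
    tclass: str
    permission: str
    result: str        # "denied" or "granted"
    event_id: int

def parse_aureport(text):
    """Return one Avc per numbered data row; headers and rules are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 11 or not parts[0].rstrip('.').isdigit():
            continue
        _n, _date, _time, comm, subj, _sc, tclass, perm, obj, result, ev = parts
        rows.append(Avc(comm, subj.split(':')[2], obj.split(':')[2],
                        tclass, perm, result, int(ev)))
    return rows

# Permissions that modify a directory; denying these on public_content_t is expected.
WRITE_PERMS = {'write', 'add_name', 'create', 'remove_name', 'setattr'}

def diagnose(rows):
    """Return (event_id, advice) for each denied write on public_content_t."""
    findings = []
    for r in rows:
        if (r.result == 'denied' and r.permission in WRITE_PERMS
                and r.target_type == 'public_content_t'):
            findings.append((r.event_id,
                f"{r.comm} ({r.source_type}) denied {r.permission} on a {r.tclass} "
                "labelled public_content_t (read-only by design): relabel the upload "
                "directory public_content_rw_t via semanage fcontext + restorecon so "
                "it survives a relabel, and/or enable allow_ftpd_full_access"))
    return findings
```

Note that `chcon` alone is lost on the next filesystem relabel; `semanage fcontext -a -t public_content_rw_t` followed by `restorecon` makes the label persistent.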
We had some 12 agents (vsts-agent-linux-x64-2.188.4) running on one Az VM (Ubuntu 20.04.2 LTS) as processes (./config.sh && screen ./run.sh). All was well.
I had to run some command related to /tmp folder but it kept showing busy and we suspected that our Agents might be using /tmp. Unfortunately instead of any other clean way of stopping the agents, we killed all processes on this VM manually, including the agents'.
After the /tmp related command ran successfully, I tried running screen ./run.sh from one of the agent directories. And I got an error:
Failed to create CoreCLR, HRESULT: 0x80004005
I also tried:
.agent2/run.sh and I got the error:
ldd: ./bin/libcoreclr.so: No such file or directory
ldd: ./bin/System.Security.Cryptography.Native.OpenSsl.so: No such file or directory
ldd: ./bin/System.IO.Compression.Native.so: No such file or directory
ldd: ./bin/System.Net.Http.Native.so: No such file or directory
Failed to create CoreCLR, HRESULT: 0x80004005
I even downloaded a new .tar for the agent and ran a fresh ./config, but I get the same error on ./config as well.
Is there a solution to this? Please help
export COMPlus_EnableDiagnostics=0, and then running ./config from the agent directory, worked!
I had this issue when running as the non-privileged user specified in the systemd file but running as root user worked fine.
Finally used:
strace -f -o trace.log /<executable path>/<executable name>
Which led me to:
9183 mknod("/tmp/clr-debug-pipe-9183-8112345738-in", S_IFIFO|0700) = -1 EACCES (Permission denied)
This caused me to compare the /tmp directory between working and non-working boxes.
[<not-working-hostname>]$ ll /
drwxrwxr-x 7 root root 93 Jan 5 21:37 tmp
[<working-hostname>]$ ll /
drwxrwxrwt 7 root root 93 Jan 5 21:59 tmp
(Note the r-x vs rwt)
Fix:
[<hostname>]# chmod 1777 /tmp
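The comparison in this answer, turned into a check that can be run on any host. This is an added example, not code from the answer: it verifies that a scratch directory has the 1777 mode (world-writable plus sticky bit) that the working box had, and probes the same FIFO creation that failed with EACCES in the trace. The directories it builds for the demo are constructed.

```python
"""Check a scratch directory the way the strace answer above does: /tmp
must be mode 1777 (world-writable plus sticky bit) for an unprivileged
service to mknod its CoreCLR debug pipe there.  Added example, not code
from the answers; the directories it builds are constructed for the demo.
"""
import os
import stat
import tempfile

def check_tmp_mode(path):
    """Return a list of problems with PATH's mode; [] means it looks like 1777."""
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        return [f"{path} is not a directory"]
    mode = stat.S_IMODE(st.st_mode)
    problems = []
    # drwxrwxr-x in the answer: group-writable only, so a service user that is
    # neither root nor in the group gets EACCES on mknod.
    if not mode & stat.S_IWOTH:
        problems.append("not world-writable: other users cannot create files")
    # drwxrwxrwt has the 't': without it any user may delete others' pipes.
    if not mode & stat.S_ISVTX:
        problems.append("sticky bit missing: users can remove each other's files")
    return problems

def probe_fifo(path):
    """Mirror the agent's mknod(S_IFIFO|0700); False reproduces the EACCES in
    the trace.  Meaningful only when run as the service user, not as root."""
    fifo = os.path.join(path, f"clr-debug-pipe-probe-{os.getpid()}")
    try:
        os.mkfifo(fifo, 0o700)
    except PermissionError:
        return False
    os.unlink(fifo)
    return True

def demo():
    """Compare a broken 775 directory with a fixed 1777 one (both constructed)."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        for name, mode in (("broken", 0o775), ("fixed", 0o1777)):
            d = os.path.join(base, name)
            os.mkdir(d)
            os.chmod(d, mode)
            results[name] = check_tmp_mode(d)
            if name == "fixed":
                results["probe"] = probe_fifo(d)  # owner, so expected True
    return results
```

`chmod 1777 /tmp` is the fix from this answer; setting `COMPlus_EnableDiagnostics=0`, as the other answer does, avoids creating the pipe at all.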
For anyone else reading this: it seems the issue was caused by permissions, and suexec was part of the issue. Having disabled suexec, all is well again (subject to consequential issues I may find later).
I have two files in (say) dir1, in /cgi-bin/dashboard-login/, and they use CGI::Session to manage the session.
Both files set a new session like this:
my $session = new CGI::Session(undef, $cgi, {Directory=>"$sessions_dir_location"}) or die CGI::Session->errstr;
This means the second file is actually opening the session created by file1. All good so far.
File 3 is in the same sub-domain but in a different dir (/cgi-bin/dashboard/). It also runs that session string but I get the following error:
Software error:
new(): failed: load(): couldn't retrieve data: retrieve(): couldn't open '/var/www/vhosts/example.com/sessions_storage/cgisess_fc6c62eee135f6cd418defef4516a59c': Permission denied at index line 38.
For help, please send mail to the webmaster (root@localhost), giving this error message and the time and date of the error.
In FileZilla, I see that the file permission is set to "dfr (0640)" for the latest session file, but the previous one has the permissions "adfr (0640)". That adfr file can be opened in FileZilla and didn't have any issues when I ran my scripts. Now the session files are being created as "dfr (0640)". Is there a way to set the server (or CGI::Session) to apply "adfr (0640)" permissions?
And, in your experience, is that the likely cause of the problem?
Here you go Håkon Hægland
ls -l /var/www/vhosts/myDomain.com/sessions_storage
-rw-r-----. 1 MyUserName psacln 166 Jan 26 01:22 cgisess_0741489d1010b7ab36f86420e5c58e84
-rw-r-----. 1 apache apache 1769 Jan 26 12:35 cgisess_2d475576f960f6c5407d7a273c02ead1
ls -l /var/www/vhosts/domainName.com/subDomain.myDomain.com/cgi-bin/dashboard-login
-rwxr-xr-x. 1 MyUserName psacln 30628 Jan 26 01:46 login.pl
-rwxr-xr-x. 1 MyUserName psacln 48391 Jan 26 00:49 login-with-pin.pl
ls -l /var/www/vhosts/domainName.com/subDomain.myDomain.com/cgi-bin/dashboard
-rwxr-xr-x. 1 MyUserName psacln 40742 Jan 24 17:47 web_content_manager
For anyone else reading this, it was a permissions issue. It seems to relate to SuExec. Having disabled SuExec, temporarily, until I learn more about directory locations and permissions fully, all is well again.
So I followed the guide on how to set up a simple mail filter with Postfix, so that I can do a find-replace in the body of outgoing emails. I created a script at /tmp/mailfilter.sh and changed the /etc/postfix/master.cf file as instructed:
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ==========================================================================
smtp inet n - n - - smtpd
-o content_filter=filter:dummy
filter unix - n n - 10 pipe
flags=Rq user=filter null_sender=
argv=/tmp/mailfilter.sh -f ${sender} -- ${recipient}
I created a user called filter and made it the owner of the script. But when I tried sending an email, I get the following error:
Jun 7 03:01:53 localhost postfix/qmgr[31288]: 134D944A0673: from=<sender@gmail.com>, size=894, nrcpt=1 (queue active)
Jun 7 03:01:53 localhost pipe[31603]: fatal: pipe_command: execvp /tmp/mailfilter.sh: Permission denied
Jun 7 03:01:53 localhost postfix/pipe[31562]: 134D944A0673: to=<receiver@gmail.com>, relay=filter, delay=8974, delays=8974/0/0/0.01, dsn=4.3.0, status=deferred (temporary failure. Command output: pipe: fatal: pipe_command: execvp /tmp/mailfilter.sh: Permission denied )
Specifically what I'm assuming is relevant is
(temporary failure. Command output: pipe: fatal: pipe_command: execvp /tmp/mailfilter.sh: Permission denied )
/tmp/mailfilter.sh has chmod a+x and is owned by filter. I tried removing everything in it so it's just an empty file, and I still get the permission denied error.
I can't figure out what I'm missing. I've set every permission I can find, but Postfix is doing something arcane that I don't understand.
CentOS uses SELinux as a MAC framework, so maybe you need to set the type of your executable properly. You can check /var/log/audit/audit.log for any security violation. If SELinux is denying you, you can try this command as root:
chcon -t postfix_pipe_exec_t /tmp/mailfilter.sh
This manual page is a good reference: http://linux.die.net/man/8/postfix_selinux
I am running Perl 5.10 on a shared Red Hat Linux 6.2 server. I have asked the root user of the machine to install the Perl DateTime module for me, using the following commands:
perl -MCPAN -e shell
cpan> install DateTime
We were able to successfully install other Perl modules such as Text::CSV before.
But the following error occurred while installing DateTime. Here are the last bits of the error log:
Question: It looks like the error might be complaining about not being able to fetch the CHECKSUMS file from ftp://ftp.perl.org/pub/CPAN/authors/id/R/RJ/RJBS. However, I have no problem browsing to this exact file from my Internet Explorer. Can someone suggest ways to work around this? Thanks.
Trying with "/usr/bin/wget -O /root/.cpan/sources/authors/id/R/RJ/RJBS/CHECKSUMS.tmp12173" to get
"ftp://ftp.perl.org/pub/CPAN/authors/id/R/RJ/RJBS/CHECKSUMS.gz"
--2013-06-20 09:30:06-- ftp://ftp.perl.org/pub/CPAN/authors/id/R/RJ/RJBS/CHECKSUMS.gz
=> '/root/.cpan/sources/authors/id/R/RJ/RJBS/CHECKSUMS.tmp12173'
Resolving ftp.perl.org... 203.178.137.175, 163.143.1.21 Connecting to ftp.perl.org|203.178.137.175|:21... connected.
Logging in as anonymous ... Logged in!
==> SYST ... done. ==> PWD ... done.
==> TYPE I ... done. ==> CWD (1) /pub/CPAN/authors/id/R/RJ/RJBS ... done.
==> SIZE CHECKSUMS.gz ... done.
==> PASV ... done. ==> RETR CHECKSUMS.gz ...
No such file 'CHECKSUMS.gz'.
Warning: no success downloading '/root/.cpan/sources/authors/id/R/RJ/RJBS/CHECKSUMS.tmp12173'. Giving up on it. at /usr/share/perl5/CPAN/Distribution.pm line 1311
As a last resort we now switch to the external ftp command '/usr/kerberos/bin/ftp'
to get '/root/.cpan/sources/authors/id/R/RJ/RJBS/CHECKSUMS.tmp12173'.
Doing so often leads to problems that are hard to diagnose.
If you're the victim of such problems, please consider unsetting the ftp config variable with
o conf ftp ""
o conf commit
Issuing "/usr/kerberos/bin/ftp -n"
Trying with external ftp to get
ftp://ftp.perl.org/pub/CPAN/authors/id/R/RJ/RJBS/CHECKSUMS
Going to send the dialog
open ftp.perl.org
user anonymous Red Hat, Inc.@localhost.localdomain
lcd /root/.cpan/sources/authors/id/R/RJ/RJBS
cd /
cd pub
cd CPAN
cd authors
cd id
cd R
cd RJ
cd RJBS
bin
get CHECKSUMS CHECKSUMS.tmp12173
quit
Not connected.
Local directory now /root/.cpan/sources/authors/id/R/RJ/RJBS
Not connected.
Not connected.
Not connected.
Not connected.
Not connected.
Not connected.
Not connected.
Not connected.
Not connected.
Not connected.
Bad luck... Still failed!
Can't access URL ftp://ftp.perl.org/pub/CPAN/authors/id/R/RJ/RJBS/CHECKSUMS.
Your urllist is empty! The urllist can be edited. E.g. with 'o conf urllist push ftp://myurl/'
Could not fetch authors/id/R/RJ/RJBS/CHECKSUMS
UPDATE1:
We also tried the o conf ftp "" and o conf commit commands, but we still had an error.
Trying with "/usr/bin/wget -O /root/.cpan/sources/authors/id/R/RJ/RJBS/CHECKSUMS.tmp16529" to get
"http://www.perl.org/CPAN/authors/id/R/RJ/RJBS/CHECKSUMS.gz"
--2013-06-20 13:52:07-- http://www.perl.org/CPAN/authors/id/R/RJ/RJBS/CHECKSUMS.gz
Resolving www.perl.org... 207.171.7.41, 207.171.7.51 Connecting to www.perl.org|207.171.7.41|:80... failed: Connection refused.
Connecting to www.perl.org|207.171.7.51|:80... failed: Connection refused.
Warning: no success downloading '/root/.cpan/sources/authors/id/R/RJ/RJBS/CHECKSUMS.tmp16529'. Giving up on it. at /usr/share/perl5/CPAN/Distribution.pm line 1311
Fetching with LWP:
ftp://ftp.perl.org/pub/CPAN/authors/id/R/RJ/RJBS/CHECKSUMS
Checksum for /root/.cpan/sources/authors/id/R/RJ/RJBS/Test-Fatal-0.010.tar.gz ok
Test-Fatal-0.010
Test-Fatal-0.010/README
Test-Fatal-0.010/Changes
Test-Fatal-0.010/LICENSE
Test-Fatal-0.010/dist.ini
Test-Fatal-0.010/META.yml
Test-Fatal-0.010/MANIFEST
Test-Fatal-0.010/t
Test-Fatal-0.010/t/basic.t
Test-Fatal-0.010/META.json
Test-Fatal-0.010/Makefile.PL
Test-Fatal-0.010/lib/Test
Test-Fatal-0.010/lib/Test/Fatal.pm
Test-Fatal-0.010/t/like-exception.t
Test-Fatal-0.010/t/release-pod-syntax.t
CPAN.pm: Going to build R/RJ/RJBS/Test-Fatal-0.010.tar.gz
Checking if your kit is complete...
Looks good
Warning: prerequisite Try::Tiny 0.07 not found.
Writing Makefile for Test::Fatal
Could not read '/root/.cpan/build/Test-Fatal-0.010-GNYnPy/META.yml'. Falling back to other methods to determine prerequisites
---- Unsatisfied dependencies detected during ----
---- RJBS/Test-Fatal-0.010.tar.gz ----
Try::Tiny [requires]
Shall I follow them and prepend them to the queue of modules we are processing right now? [yes] Running make test
Delayed until after prerequisites
Running make install
Delayed until after prerequisites
Running install for module 'Try::Tiny'
'YAML' not installed, falling back to Data::Dumper and Storable to read prefs '/root/.cpan/prefs'
Running make for D/DO/DOY/Try-Tiny-0.12.tar.gz Fetching with LWP:
http://www.perl.org/CPAN/authors/id/D/DO/DOY/Try-Tiny-0.12.tar.gz
LWP failed with code[500] message[Can't connect to www.perl.org:80 (connect: Connection refused)] Fetching with LWP:
ftp://ftp.perl.org/pub/CPAN/authors/id/D/DO/DOY/Try-Tiny-0.12.tar.gz
LWP failed with code[500] message[]
Fetching with Net::FTP:
ftp://ftp.perl.org/pub/CPAN/authors/id/D/DO/DOY/Try-Tiny-0.12.tar.gz
Catching error: "Timeout at /usr/share/perl5/Net/FTP.pm line 491\cJ" at /usr/share/perl5/CPAN.pm line 391
CPAN::shell() called at -e line 1
Did you do what it suggested?
If you're the victim of such problems, please consider unsetting the ftp config variable with
o conf ftp ""
o conf commit
Alternatively, you can download the module as a .gz file from the CPAN site, uncompress it, cd into the directory and run
perl Build.PL
./Build install
or
perl Makefile.PL
make install
accordingly.
This is all that cpan will be doing, so you will see if you're missing any packages or modules.
Incidentally, you don't need to be root if you are happy to install your modules somewhere else. There are plenty of examples of how to achieve this.
When I cap deploy my Symfony2 project, then log into my server, I see that the dev version (app_dev.php) runs OK but the prod version (app.php) does not.
The error is
[Tue Jan 03 14:31:48 2012] [error] [client xxx.xxx.xxx.xxx] PHP Fatal error: Uncaught exception 'RuntimeException' with message 'Failed to write cache file "/var/www/example/prod/releases/20120103202539/app/cache/prod/classes.php".' in /var/www/example/prod/releases/20120103202539/app/bootstrap.php.cache:1079\nStack trace:\n#0 /var/www/example/prod/releases/20120103202539/app/bootstrap.php.cache(1017): Symfony\\Component\\ClassLoader\\ClassCollectionLoader::writeCacheFile('/var/www/example/p...', '<?php ????name...')\n#1 /var/www/example/prod/releases/20120103202539/app/bootstrap.php.cache(682): Symfony\\Component\\ClassLoader\\ClassCollectionLoader::load(Array, '/var/www/example/p...', 'classes', false, false, '.php')\n#2 /var/www/example/prod/releases/20120103202539/web/app.php(10): Symfony\\Component\\HttpKernel\\Kernel->loadClassCache()\n#3 {main}\n thrown in /var/www/example/prod/releases/20120103202539/app/bootstrap.php.cache on line 1079
Looking at the recently deployed cache directory I see:
drwxrwxrwx 4 root root 4096 Jan 3 14:28 .
drwxrwxr-x 5 root root 4096 Jan 3 14:28 ..
drwxr-xr-x 6 www-data www-data 4096 Jan 3 14:28 dev
drwxrwxr-x 7 root root 4096 Jan 3 14:28 prod
I can fix the issue with chown -R www-data.www-data prod/ but I wondered if I can stop this from happening in the first place? And why do the directories have different owners?
This happens because your web server runs as a user who is not able to write to the just-created cache/prod directory.
There are two solutions which I know and use. First, add extra commands to run after deployment to the Capfile. The Capfile will look like this:
load 'deploy' if respond_to?(:namespace) # cap2 differentiator
Dir['vendor/bundles/*/*/recipes/*.rb'].each { |bundle| load(bundle) }
load Gem.find_files('symfony2.rb').last.to_s
after "deploy:finalize_update" do
run "sudo chown -R www-data:www-data #{latest_release}/#{cache_path}"
run "sudo chown -R www-data:www-data #{latest_release}/#{log_path}"
run "sudo chmod -R 777 #{latest_release}/#{cache_path}"
end
load 'app/config/deploy'
The second solution is more elegant. You specify the correct user, who can write to the cache, in deploy.rb and make sure that you don't use sudo:
set :user, "anton"
set :use_sudo, false
In the latest version of capifony, they've added an option to set writable directories.
Here's the official article which explains what I've written below: http://capifony.org/cookbook/set-permissions.html
You have to deploy using sudo (not a good practice, but it gets the job done)
set :use_sudo, false
# To prompt the sudo password
default_run_options[:pty] = true
and tell capifony which directories (cache and logs) to make writable:
set :writable_dirs, ["app/cache", "app/logs"]
set :webserver_user, "www-data"
set :permission_method, :acl
(you have to install acl on your machine, or use :chown instead of :acl)
EDIT:
I've just realized that this is not enough: the "set_permissions" task is not called automatically, so you have to explicitly run
cap deploy:set_permissions
Or add this line in your deploy.rb :
before "deploy:restart", "deploy:set_permissions"
I solved this problem by adding the cache folder to the shared folders.
set :shared_children, [app_path + "/cache", app_path + "/logs", web_path + "/uploads", "vendor"]
This way the directory is not recreated each time during deployment, so there is no problem with permissions.
Yes, there is no need to recreate the cache every time after deploy; this solution is logical and pragmatic.
The second solution from Anton works if your cache folder permissions are right in the development environment.