canoedf -
Joined: 25 Oct 2004 Posts: 13 Location: Colorado
|
Posted: Mon Aug 14, 2006 9:51 pm Post subject: X1 (v 2.3.2) on Debian 2.4.27-2-386 trouble with root user |
|
|
It is WORKING:
Getting permissions to actually "stick" for both the user AND group on the executable:
Code: | -rwsr-sr-x 1 abyss abyss 459808 Aug 15 16:04 abyssws |
and making sure the "/etc/passwd" file had the right stuff for the "abyss" user:
Code: | abyss:x:1001:1001::/home/abyss:/bin/bash |
has the application launching with the root user. I am not sure this is what I want.
I want the "abyss" user to run the server with "abyss" rights so I will mail support
another trace to be sure everything is working as designed.
I guess I should not rely on useradd on Debian to properly set the passwd file.
Persistence pays off.......
Update:
I installed Debian Sarge packages:
Code: | Package libg++2.8.1.3-glibc2.2
* stable (libs): The GNU C++ extension library - runtime version
1:2.95.4-22: alpha arm i386 m68k mips mipsel powerpc s390 sparc
Package libstdc++2.10-glibc2.2
* stable (libs): The GNU stdc++ library
1:2.95.4-22: alpha arm i386 m68k mips mipsel powerpc s390 spar
|
I set the "operating system user" in abyss.conf.
I am able to start the webserver as root; I select the language and set
the console user and password - the server hangs.
So no real change was observed. The server runs fine as the user "abyss".
Any ideas??
EDIT: I installed a previous version of X1 and it works for either user.
I tried installing X1 (v 2.3.2) as the "abyss" user and as root - setting
permissions and no change - I reviewed the forum and found the tools needed
to produce the reports below. My understanding is that the web server will allow
root to execute the application and then switch to the "operating system user"
to continue running.
EDIT2: here is a log fragment from today....
192.168.0.100 - - [14/Aug/2006:13:48:47 -0600] "GET / HTTP/1.1" 200
1367 "" "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8.0.6)
Gecko/20060728 Firefox/1.5.0.6"
192.168.0.100 - - [14/Aug/2006:13:48:47 -0600] "GET /pwrabyss.gif
HTTP/1.1" 200 1895 "http://192.168.0.4:8000/" "Mozilla/5.0 (Windows; U;
Windows NT 5.0; en-US; rv:1.8.0.6) Gecko/20060728 Firefox/1.5.0.6"
192.168.0.100 - - [14/Aug/2006:13:48:47 -0600] "GET /favicon.ico
HTTP/1.1" 404 403 "" "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US;
rv:1.8.0.6) Gecko/20060728 Firefox/1.5.0.6"
I am running Abyss Web Server X1 (v 2.3.2) under Debian.
This is a fresh install of "Sarge".
The server works when launched by user "abyss" but does not
work properly when launched as "root".
My NMAP, lsof, ls, ps, netstat, uname and abyss.conf are below.
I have been able to get both port 8000 and port 9999 to display but
the server hangs when "root" is running the webserver. The operating
system user has been set to "abyss".
My other server runs Abyss Web Server X1 (v 2.0.6) on CoLinux -
a Debian distribution - and is working just fine as user "abyss"
or "root".
Uname for colinux:
Linux colinux 2.6.10-co-0.6.2 #5 Sat Feb 5 10:19:16 IST 2005 i686 GNU/Linux
Do I need to upgrade Debian "Sarge"?
I would appreciate any help.
Thanks,
Dan
Code: |
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-08-14 13:26 MDT
Interesting ports on gw (192.168.0.4):
(The 1658 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
25/tcp open smtp
5901/tcp open vnc-1
6001/tcp open X11:1
8000/tcp open http-alt
9999/tcp open abyss
Nmap finished: 1 IP address (1 host up) scanned in 0.252 seconds
netstat -a -n|grep tcp >> data.txt
tcp 0 0 0.0.0.0:8000 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:5901 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:9999 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:6001 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
tcp 0 0 192.168.0.4:5901 192.168.0.100:4493 ESTABLISHED
lsof -nP|grep TCP >> data.txt
exim4 1337 Debian-exim 4u IPv4 1150 TCP *:25 (LISTEN)
Xrealvnc 1536 root 0u IPv4 1405 TCP *:6001 (LISTEN)
Xrealvnc 1536 root 3u IPv4 1408 TCP *:5901 (LISTEN)
Xrealvnc 1536 root 6u IPv4 97560 TCP
192.168.0.4:5901->192.168.0.100:4493 (ESTABLISHED)
abyssws 3626 abyss 9u IPv4 87729 TCP *:9999 (LISTEN)
abyssws 3626 abyss 10u IPv4 87730 TCP *:8000 (LISTEN)
abyssws 3627 abyss 9u IPv4 87729 TCP *:9999 (LISTEN)
abyssws 3627 abyss 10u IPv4 87730 TCP *:8000 (LISTEN)
abyssws 3628 abyss 9u IPv4 87729 TCP *:9999 (LISTEN)
abyssws 3628 abyss 10u IPv4 87730 TCP *:8000 (LISTEN)
abyssws 3629 abyss 9u IPv4 87729 TCP *:9999 (LISTEN)
abyssws 3629 abyss 10u IPv4 87730 TCP *:8000 (LISTEN)
uname -a >>data.txt
Linux gw 2.4.27-2-386 #1 Mon May 16 16:47:51 JST 2005 i686 GNU/Linux
ps -e|grep abyssws >> data.txt
3579 pts/1 00:00:00 abyssws
3626 pts/1 00:00:00 abyssws
3627 pts/1 00:00:00 abyssws
3628 pts/1 00:00:00 abyssws
3629 pts/1 00:00:00 abyssws
ls abyssws -lart >> data.txt
-rw-r--r-- 1 abyss abyss 8326 Aug 5 13:02 license.txt
drwxr-xr-x 2 abyss abyss 4096 Aug 5 13:02 lang
drwxr-xr-x 2 abyss abyss 4096 Aug 5 13:02 doc
drwxr-xr-x 2 abyss abyss 4096 Aug 5 13:02 console
-rwxr-xr-x 1 abyss abyss 459808 Aug 5 13:02 abyssws
-rw-r--r-- 1 abyss abyss 582 Aug 5 13:02 Installation Instructions.html
drwxr-xr-x 2 abyss abyss 4096 Aug 5 13:02 log
drwxr-xr-x 7 abyss abyss 4096 Aug 5 13:02 .
-rw------- 1 abyss daemon 11045 Aug 5 13:14 abyss.conf
-rw------- 1 abyss abyss 739 Aug 5 13:14 persist.data
drwxr-xr-x 2 abyss abyss 4096 Aug 5 15:09 htdocs
drwxr-xr-x 57 root root 4096 Aug 14 13:26 ..
gw: /etc/abyssws# su abyss
abyss@gw: /etc/abyssws$ ./abyssws
Abyss Web Server X1 (v 2.3.2)
Copyright (C) Aprelium Technologies - 2001-2006
-- Default host on port 8000 is up and running (Local URL http://127.0.0.1:8000)
Console local URL: http://127.0.0.1:9999
ABYSS.CONF
<?xml version="1.0" encoding="UTF-8"?>
<root>
<server>
<parameters>
<root>
/etc/abyssws/
</root>
<timeout>
30
</timeout>
<maxconn>
20
</maxconn>
<keepalive>
10
</keepalive>
<opsys>
<pidfile>
log/abyssws.pid
</pidfile>
<sysuser>
abyss
</sysuser>
</opsys>
</parameters>
<host>
<names/>
<path>
htdocs/
</path>
<running>
yes
</running>
<id>
1
</id>
<scripting>
<enabled>
yes
</enabled>
<cgi>
<timeout>
30
</timeout>
<useregistry>
no
</useregistry>
<useshebang>
yes
</useshebang>
<errorfile>
log/cgi.log
</errorfile>
</cgi>
<isapi>
<ext>
dll
</ext>
<errorfile>
log/isapi.log
</errorfile>
<debuglevel>
0
</debuglevel>
</isapi>
<fastcgi>
<errorfile>
log/fastcgi.log
</errorfile>
<timeout>
240
</timeout>
<debuglevel>
1
</debuglevel>
</fastcgi>
</scripting>
<ssi>
<extensions>
<ext>
shtml
</ext>
<ext>
shtm
</ext>
<ext>
stm
</ext>
</extensions>
<enabled>
yes
</enabled>
<errormessage/>
<timeformat/>
<abbreviatesize>
yes
</abbreviatesize>
<execcmd>
no
</execcmd>
</ssi>
<log>
<file>
log/access.log
</file>
<extendedformat>
yes
</extendedformat>
<denied/>
</log>
<indexes>
<index>
index.html
</index>
<index>
index.htm
</index>
</indexes>
<antileech>
<paths/>
<redirect/>
<strict>
no
</strict>
<allowed/>
</antileech>
<bindip>
*
</bindip>
<dirlist>
<type>
1
</type>
<scope>
<order>
ad
</order>
<allow>
<path>
/
</path>
</allow>
</scope>
<hidden>
<file>
.*
</file>
</hidden>
</dirlist>
<port>
8000
</port>
</host>
<throttle>
<maxspeed/>
<maxspeedperip/>
</throttle>
<antihack>
<enabled>
no
</enabled>
<threshold>
20
</threshold>
<monitorperiod>
20
</monitorperiod>
<banperiod>
60
</banperiod>
<logfile/>
<denied>
<ip>
127.0.0.1
</ip>
</denied>
</antihack>
</server>
<version>
2.3.2
</version>
<console>
<port>
9999
</port>
<bindip>
*
</bindip>
<ipcontrol>
<order>
ad
</order>
<allow>
192.168.0.1-192.168.255.254
</allow>
<allow>
172.16.0.1-172.31.255.254
</allow>
<allow>
10.0.0.1-10.255.255.254
</allow>
</ipcontrol>
<language>
en
</language>
<login>
abyss
</login>
<password>
a2634afd170438ae8276a18c311c5078
</password>
</console>
</root>
|
Last edited by canoedf on Fri Aug 18, 2006 5:49 pm; edited 6 times in total |
|
AbyssUnderground -
Joined: 31 Dec 2004 Posts: 3855
|
Posted: Mon Aug 14, 2006 10:00 pm Post subject: |
|
|
I believe it's normal for this to happen but I'm not totally sure. Search the forum for more info about launching as root and other users.
_________________
Andy (AbyssUnderground) (previously The Inquisitor)
www.abyssunderground.co.uk |
|
roganty -
Joined: 08 Jun 2004 Posts: 357 Location: Bristol, UK
|
Posted: Tue Aug 15, 2006 12:37 am Post subject: |
|
|
canoedf, I'm not sure if this will help, but you might need to set abyss up as "sticky"
what this means is that when abyss switches to using the non-root user then it will retain root privileges and will be able to use ports below 1024
I'm not sure if it is needed, but you might need to change the user of abyssws to root
Code: | chown root:root abyssws |
changing the permissions and the owner of abyssws will require you to be logged in as root
btw, the changes to permissions and the owner are made to the abyssws executable, not the folder
Edit:
I've just noticed, but you might need to change the user group for abyss.conf to abyss
Code: | chown :abyss abyss.conf |
you may also need to change the file permissions so that the abyss user can read and write to it
Code: | chmod ug+rw abyss.conf
chmod o+r abyss.conf |
^That will also add read permissions to all other users
_________________
Anthony R
Roganty | Links-Links.co.uk |
|
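Added example (not part of the post above and not Abyss Web Server code): `chmod ug+s` sets the setuid and setgid bits, which `ls -l` shows as `s` in the owner and group triplets. The sketch decodes the two `abyssws` listings quoted in this thread to show which user and group a process gets at exec; the root-owned listing and the caller name "dan" are constructed for illustration.

```python
def exec_identity(ls_line, caller_user, caller_group):
    """Return (effective_user, effective_group, notes) for an `ls -l` line.

    Models plain Linux exec semantics for a binary on a filesystem mounted
    without nosuid; the caller's real uid/gid are not changed by these bits.
    """
    fields = ls_line.split()
    mode, owner, group = fields[0], fields[2], fields[3]
    if len(mode) < 10 or mode[0] != "-":
        raise ValueError("expected the mode string of a regular file")
    euser, egroup, notes = caller_user, caller_group, []
    if mode[3] in "sS":          # setuid: effective uid becomes the file owner
        euser = owner
        notes.append("setuid")
    if mode[6] == "s":           # setgid is honoured only with group-execute set
        egroup = group
        notes.append("setgid")
    if mode[9] in "tT":          # the actual sticky bit; no effect on identity
        notes.append("sticky")
    if "setuid" in notes and owner == "root" and caller_user != "root":
        notes.append("unprivileged caller gets effective uid root")
    return euser, egroup, notes

# Two listings from the thread, plus one constructed for the
# `chown root:root abyssws` + `chmod ug+s abyssws` combination.
LISTINGS = {
    "as_installed": "-rwxr-xr-x 1 abyss abyss 459808 Aug  5 13:02 abyssws",
    "ug+s_owner_abyss": "-rwsr-sr-x 1 abyss abyss 459808 Aug 15 16:04 abyssws",
    "ug+s_owner_root (constructed)": "-rwsr-sr-x 1 root root 459808 Aug 15 16:04 abyssws",
}

def audit(caller_user, caller_group):
    """Decode every listing for one caller."""
    return {k: exec_identity(v, caller_user, caller_group) for k, v in LISTINGS.items()}

if __name__ == "__main__":
    for caller in (("root", "root"), ("dan", "dan")):  # "dan": hypothetical local user
        for name, result in audit(*caller).items():
            print(caller[0], name, result)
```

With the file owned by abyss and `ug+s` set, a launch from a root shell already starts with effective user abyss; with a root-owned setuid binary every local user who can execute it starts with effective uid root.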
canoedf -
Joined: 25 Oct 2004 Posts: 13 Location: Colorado
|
Posted: Tue Aug 15, 2006 3:22 am Post subject: |
|
|
I tried changing permissions for user:group with no effect.
The root account could not run the server.
I tried the "sticky bit" setting with no effect.
Since the server CAN run as the user "abyss" then it seems likely there is some other issue preventing the user being switched from root to "abyss".
Could this be a GLIBC run time library issue?
Thanks,
Dan
roganty wrote: |
canoedf, I'm not sure if this will help, but you might need to set abyss up as "sticky"
what this means is that when abyss switches to using the non-root user then it will retain root privileges and will be able to use ports below 1024
Code: | chmod ug+s abyssws |
I'm not sure if it is needed, but you might need to change the user of abyssws to root
Code: | chown root:root abyssws |
changing the permissions and the owner of abyssws will require you to be logged in as root
btw, the changes to permissions and the owner are made to the abyssws executable, not the folder
Edit:
I've just noticed, but you might need to change the user group for abyss.conf to abyss
Code: | chown :abyss abyss.conf |
you may also need to change the file permissions so that the abyss user can read and write to it
Code: | chmod ug+rw abyss.conf
chmod o+r abyss.conf |
^That will also add read permissions to all other users |
|
aprelium -
Joined: 22 Mar 2002 Posts: 6800
|
Posted: Tue Aug 15, 2006 2:36 pm Post subject: Re: X1 (v 2.3.2) on Debian 2.4.27-2-386 trouble with root |
|
|
canoedf,
When you run the server from your root account, it will initialize itself with root privileges (mainly to access ports < 1024) and then will switch to the less privileged user account configured in Operating System user for security reasons.
It would help if you can reproduce the hang conditions and run abyssws using strace as follows:
Code: | strace -otrace.txt ./abyssws --slave |
This will produce a very large file trace.txt which contains all the system calls issued by Abyss Web Server. --slave will prevent the server from running the anticrash protection which will help us follow a single process.
Please compress trace.txt (using the command bzip2 -9 trace.txt) and send it to support@aprelium.com with a reference to this forum thread.
_________________
Support Team
Aprelium - http://www.aprelium.com |
|
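Added example (not Aprelium's tooling and not part of the post above): a first pass over `trace.txt` that lists the setgroups/setgid/setuid calls, checks that group changes come before the uid change, collects permission errors seen after the switch, and names the call the process was left waiting in. The sample trace is constructed in `strace -o` format and is not captured from Abyss Web Server.

```python
import re

# Constructed sample in `strace -o` format; NOT a real Abyss Web Server trace.
# 1001 is the uid/gid of "abyss" in the /etc/passwd line quoted in the thread.
SAMPLE = """\
execve("./abyssws", ["./abyssws", "--slave"], [/* 18 vars */]) = 0
bind(9, {sa_family=AF_INET, sin_port=htons(9999), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
setgroups32(1, [1001]) = 0
setgid32(1001) = 0
setuid32(1001) = 0
open("log/access.log", O_WRONLY|O_APPEND|O_CREAT, 0644) = -1 EACCES (Permission denied)
read(4, <unfinished ...>
"""

DONE = re.compile(r"^(\w+)\((.*)\)\s+= (\S+)(?: (E[A-Z0-9]+))?")
STARTED = re.compile(r"^(\w+)\(")
GID_CALLS = {"setgroups", "setgid", "setregid", "setresgid"}
UID_CALLS = {"setuid", "setreuid", "setresuid"}

def base(name):
    # i386 traces name the 32-bit-id variants setuid32, setgid32, setgroups32
    return name[:-2] if name.endswith("32") else name

def analyze(trace):
    report = {"drops": [], "order_ok": True, "denied_after_drop": [], "blocked_in": None}
    uid_dropped = False
    for line in trace.splitlines():
        m = DONE.match(line)
        if not m:
            # a call with no result is where the process was waiting
            s = STARTED.match(line)
            report["blocked_in"] = s.group(1) if s else None
            continue
        report["blocked_in"] = None
        name, args, ret, err = base(m.group(1)), m.group(2), m.group(3), m.group(4)
        if name in GID_CALLS | UID_CALLS:
            report["drops"].append((name, args, ret, err))
            if name in GID_CALLS and uid_dropped:
                report["order_ok"] = False  # groups must be set before uid 0 is given up
            if name in UID_CALLS and ret == "0":
                uid_dropped = True
        elif uid_dropped and err in ("EACCES", "EPERM"):
            report["denied_after_drop"].append((name, args, err))
    return report

if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(key, value)
```

On a real trace, pass the contents of `trace.txt` to `analyze()`; an empty `drops` list means the process never attempted the switch before it stopped.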