X1 (v 2.3.2) on Debian 2.4.27-2-386 trouble with root user

 
canoedf
Posted: Mon Aug 14, 2006 9:51 pm

It is WORKING:

Getting permissions to actually "stick" for both the user AND group on the executable:

Code:
-rwsr-sr-x 1 abyss abyss 459808 Aug 15 16:04 abyssws


and making sure the "/etc/passwd" file had the right stuff for the "abyss" user:

Code:
abyss:x:1001:1001::/home/abyss:/bin/bash


has the application launching with the root user. I am not sure this is what I want.
I want the "abyss" user to run the server with "abyss" rights so I will mail support
another trace to be sure everything is working as designed.

I guess I should not rely on useradd on Debian to properly set the passwd file.

Persistence pays off.......




Update:

I installed Debian Sarge packages:

Code:
Package libg++2.8.1.3-glibc2.2

    * stable (libs): The GNU C++ extension library - runtime version
      1:2.95.4-22: alpha arm i386 m68k mips mipsel powerpc s390 sparc

Package libstdc++2.10-glibc2.2

    * stable (libs): The GNU stdc++ library
      1:2.95.4-22: alpha arm i386 m68k mips mipsel powerpc s390 spar

I set the "operating system user" in abyss.conf.

I am able to start the webserver as root. I select the language and set
the console user and password - the server hangs.

So no real change was observed. The server runs fine as the user "abyss".

Any ideas??


EDIT: I installed a previous version of X1 and it works for either user.
I tried installing X1 (v 2.3.2) as the "abyss" user and as root - setting
permissions and no change - I reviewed the forum and found the tools needed
to produce the reports below. My understanding is that the web server will allow
root to execute the application and then switch to the "operating system user"
to continue running.


EDIT2: here is a log fragment from today....
192.168.0.100 - - [14/Aug/2006:13:48:47 -0600] "GET / HTTP/1.1" 200 1367 "" "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8.0.6) Gecko/20060728 Firefox/1.5.0.6"
192.168.0.100 - - [14/Aug/2006:13:48:47 -0600] "GET /pwrabyss.gif HTTP/1.1" 200 1895 "http://192.168.0.4:8000/" "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8.0.6) Gecko/20060728 Firefox/1.5.0.6"
192.168.0.100 - - [14/Aug/2006:13:48:47 -0600] "GET /favicon.ico HTTP/1.1" 404 403 "" "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8.0.6) Gecko/20060728 Firefox/1.5.0.6"


I am running Abyss Web Server X1 (v 2.3.2) under Debian.
This is a fresh install of "Sarge".

The server works when launched by user "abyss" but does not
work properly when launched as "root".

My NMAP, lsof, ls, ps, netstat, uname and abyss.conf are below.

I have been able to get both port 8000 and port 9999 to display but
the server hangs when "root" is running the webserver. The operating
system user has been set to "abyss".

My other server runs Abyss Web Server X1 (v 2.0.6) on CoLinux -
a Debian distribution - and is working just fine as user "abyss"
or "root".

Uname for colinux:
Linux colinux 2.6.10-co-0.6.2 #5 Sat Feb 5 10:19:16 IST 2005 i686 GNU/Linux

Do I need to upgrade Debian "Sarge"?

I would appreciate any help.
Thanks,
Dan


Code:

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-08-14 13:26 MDT
Interesting ports on gw (192.168.0.4):
(The 1658 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
25/tcp   open  smtp
5901/tcp open  vnc-1
6001/tcp open  X11:1
8000/tcp open  http-alt
9999/tcp open  abyss

Nmap finished: 1 IP address (1 host up) scanned in 0.252 seconds

netstat -a -n|grep tcp >> data.txt
tcp        0      0 0.0.0.0:8000            0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:5901            0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:9999            0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:6001            0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN     
tcp        0      0 192.168.0.4:5901        192.168.0.100:4493      ESTABLISHED

lsof -nP|grep TCP >> data.txt
exim4     1337 Debian-exim    4u     IPv4       1150               TCP *:25 (LISTEN)
Xrealvnc  1536        root    0u     IPv4       1405               TCP *:6001 (LISTEN)
Xrealvnc  1536        root    3u     IPv4       1408               TCP *:5901 (LISTEN)
Xrealvnc  1536        root    6u     IPv4      97560               TCP 192.168.0.4:5901->192.168.0.100:4493 (ESTABLISHED)
abyssws   3626       abyss    9u     IPv4      87729               TCP *:9999 (LISTEN)
abyssws   3626       abyss   10u     IPv4      87730               TCP *:8000 (LISTEN)
abyssws   3627       abyss    9u     IPv4      87729               TCP *:9999 (LISTEN)
abyssws   3627       abyss   10u     IPv4      87730               TCP *:8000 (LISTEN)
abyssws   3628       abyss    9u     IPv4      87729               TCP *:9999 (LISTEN)
abyssws   3628       abyss   10u     IPv4      87730               TCP *:8000 (LISTEN)
abyssws   3629       abyss    9u     IPv4      87729               TCP *:9999 (LISTEN)
abyssws   3629       abyss   10u     IPv4      87730               TCP *:8000 (LISTEN)

uname -a >>data.txt
Linux gw 2.4.27-2-386 #1 Mon May 16 16:47:51 JST 2005 i686 GNU/Linux

ps -e|grep abyssws >> data.txt
 3579 pts/1    00:00:00 abyssws
 3626 pts/1    00:00:00 abyssws
 3627 pts/1    00:00:00 abyssws
 3628 pts/1    00:00:00 abyssws
 3629 pts/1    00:00:00 abyssws

ls abyssws -lart >> data.txt
-rw-r--r--   1 abyss abyss    8326 Aug  5 13:02 license.txt
drwxr-xr-x   2 abyss abyss    4096 Aug  5 13:02 lang
drwxr-xr-x   2 abyss abyss    4096 Aug  5 13:02 doc
drwxr-xr-x   2 abyss abyss    4096 Aug  5 13:02 console
-rwxr-xr-x   1 abyss abyss  459808 Aug  5 13:02 abyssws
-rw-r--r--   1 abyss abyss     582 Aug  5 13:02 Installation Instructions.html
drwxr-xr-x   2 abyss abyss    4096 Aug  5 13:02 log
drwxr-xr-x   7 abyss abyss    4096 Aug  5 13:02 .
-rw-------   1 abyss daemon  11045 Aug  5 13:14 abyss.conf
-rw-------   1 abyss abyss     739 Aug  5 13:14 persist.data
drwxr-xr-x   2 abyss abyss    4096 Aug  5 15:09 htdocs
drwxr-xr-x  57 root  root     4096 Aug 14 13:26 ..

gw: /etc/abyssws# su abyss
abyss@gw: /etc/abyssws$ ./abyssws

Abyss Web Server X1 (v 2.3.2)
Copyright (C) Aprelium Technologies - 2001-2006


-- Default host on port 8000 is up and running (Local URL http://127.0.0.1:8000)

Console local URL: http://127.0.0.1:9999

ABYSS.CONF
<?xml version="1.0" encoding="UTF-8"?>
<root>
   <server>
      <parameters>
         <root>
            /etc/abyssws/
         </root>
         <timeout>
            30
         </timeout>
         <maxconn>
            20
         </maxconn>
         <keepalive>
            10
         </keepalive>
         <opsys>
            <pidfile>
               log/abyssws.pid
            </pidfile>
            <sysuser>
               abyss
            </sysuser>
         </opsys>
      </parameters>
      <host>
         <names/>
         <path>
            htdocs/
         </path>
         <running>
            yes
         </running>
         <id>
            1
         </id>
         <scripting>
            <enabled>
               yes
            </enabled>
            <cgi>
               <timeout>
                  30
               </timeout>
               <useregistry>
                  no
               </useregistry>
               <useshebang>
                  yes
               </useshebang>
               <errorfile>
                  log/cgi.log
               </errorfile>
            </cgi>
            <isapi>
               <ext>
                  dll
               </ext>
               <errorfile>
                  log/isapi.log
               </errorfile>
               <debuglevel>
                  0
               </debuglevel>
            </isapi>
            <fastcgi>
               <errorfile>
                  log/fastcgi.log
               </errorfile>
               <timeout>
                  240
               </timeout>
               <debuglevel>
                  1
               </debuglevel>
            </fastcgi>
         </scripting>
         <ssi>
            <extensions>
               <ext>
                  shtml
               </ext>
               <ext>
                  shtm
               </ext>
               <ext>
                  stm
               </ext>
            </extensions>
            <enabled>
               yes
            </enabled>
            <errormessage/>
            <timeformat/>
            <abbreviatesize>
               yes
            </abbreviatesize>
            <execcmd>
               no
            </execcmd>
         </ssi>
         <log>
            <file>
               log/access.log
            </file>
            <extendedformat>
               yes
            </extendedformat>
            <denied/>
         </log>
         <indexes>
            <index>
               index.html
            </index>
            <index>
               index.htm
            </index>
         </indexes>
         <antileech>
            <paths/>
            <redirect/>
            <strict>
               no
            </strict>
            <allowed/>
         </antileech>
         <bindip>
            *
         </bindip>
         <dirlist>
            <type>
               1
            </type>
            <scope>
               <order>
                  ad
               </order>
               <allow>
                  <path>
                     /
                  </path>
               </allow>
            </scope>
            <hidden>
               <file>
                  .*
               </file>
            </hidden>
         </dirlist>
         <port>
            8000
         </port>
      </host>
      <throttle>
         <maxspeed/>
         <maxspeedperip/>
      </throttle>
      <antihack>
         <enabled>
            no
         </enabled>
         <threshold>
            20
         </threshold>
         <monitorperiod>
            20
         </monitorperiod>
         <banperiod>
            60
         </banperiod>
         <logfile/>
         <denied>
            <ip>
               127.0.0.1
            </ip>
         </denied>
      </antihack>
   
   </server>
   <version>
      2.3.2
   </version>
   <console>
      <port>
         9999
      </port>
      <bindip>
         *
      </bindip>
      <ipcontrol>
         <order>
            ad
         </order>
         <allow>
            192.168.0.1-192.168.255.254
         </allow>
         <allow>
            172.16.0.1-172.31.255.254
         </allow>
         <allow>
            10.0.0.1-10.255.255.254
         </allow>
      </ipcontrol>
      <language>
         en
      </language>
      <login>
         abyss
      </login>
      <password>
         a2634afd170438ae8276a18c311c5078
      </password>
   </console>
</root>

Last edited by canoedf on Fri Aug 18, 2006 5:49 pm; edited 6 times in total
AbyssUnderground
Posted: Mon Aug 14, 2006 10:00 pm

I believe it's normal for this to happen but I'm not totally sure. Search the forum for more info about launching as root and other users.
_________________
Andy (AbyssUnderground) (previously The Inquisitor)
www.abyssunderground.co.uk
roganty
Posted: Tue Aug 15, 2006 12:37 am

canoedf, I'm not sure if this will help, but you might need to set abyss up as "sticky"
what this means is that when abyss switches to using the non-root user then it will retain root privileges and will be able to use ports below 1024

Code:
chmod ug+s abyssws


I'm not sure if it is needed, but you might need to change the user of abyssws to root

Code:
chown root:root abyssws


changing the permissions and the owner of abyssws will require you to be logged in as root
btw, the changes to permissions, and the owner is made to the abyssws executable, not the folder

Edit:
I've just noticed, but you might need to change the user group for abyss.conf to abyss

Code:
chown :abyss abyss.conf


you may also need to change the file permissions so that the abyss user can read and write to it

Code:
chmod ug+rw abyss.conf
chmod o+r abyss.conf

^That will also add read permissions to all other users
_________________
Anthony R

Roganty
| Links-Links.co.uk
canoedf
Posted: Tue Aug 15, 2006 3:22 am

I tried changing permissions for user:group with no effect.
The root account could not run the server.

I tried the "sticky bit" setting with no effect.

Since the server CAN run as the user "abyss" then it seems likely there is some other issue preventing the user being switched from root to "abyss".

Could this be a GLIBC run time library issue?

Thanks,
Dan

roganty wrote:
canoedf, I'm not sure if this will help, but you might need to set abyss up as "sticky"
what this means is that when abyss switches to using the non-root user then it will retain root privileges and will be able to use ports below 1024

Code:
chmod ug+s abyssws

I'm not sure if it is needed, but you might need to change the user of abyssws to root

Code:
chown root:root abyssws

changing the permissions and the owner of abyssws will require you to be logged in as root
btw, the changes to permissions, and the owner is made to the abyssws executable, not the folder

Edit:
I've just noticed, but you might need to change the user group for abyss.conf to abyss

Code:
chown :abyss abyss.conf

you may also need to change the file permissions so that the abyss user can read and write to it

Code:
chmod ug+rw abyss.conf
chmod o+r abyss.conf

^That will also add read permissions to all other users
aprelium
Posted: Tue Aug 15, 2006 2:36 pm

canoedf,

When you run the server from your root account, it will initialize itself with root privileges (mainly to access ports < 1024) and then will switch to the less privileged user account configured in Operating System user for security reasons.

It would help if you can reproduce the hang conditions and run abyssws using strace as follows:

Code:
strace -otrace.txt ./abyssws --slave


This will produce a very large file trace.txt which contains all the system calls issued by Abyss Web Server. --slave will prevent the server from running the anticrash protection which will help us follow a single process.

Please compress trace.txt (using the command bzip2 -9 trace.txt) and send it to support@aprelium.com with a reference to this forum thread.
_________________
Support Team
Aprelium - http://www.aprelium.com
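
One way to confirm that the switch from root to the configured Operating System user described above has really taken place, as an added example that is not part of the original thread or Aprelium's code: the function reads the Uid, Gid and Groups lines of a Linux /proc/<pid>/status file and passes only when no slot is still 0. The function name, the sample status text and the use of UID 1001 (taken from the /etc/passwd line in the first post) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: decide from /proc/<pid>/status text whether a daemon has
# irreversibly dropped root. The Uid: and Gid: lines each list four IDs:
# real, effective, saved, filesystem.

# check_dropped STATUS_FILE EXPECTED_UID   (hypothetical helper)
# Prints one verdict line; returns 0 only when every UID equals
# EXPECTED_UID and no GID or supplementary group is 0.
check_dropped() {
    awk -v want="$2" '
        $1 == "Uid:" { seen = 1
            for (i = 2; i <= 5; i++) {
                if ($i == 0)          root_uid = 1
                else if ($i != want)  other_uid = 1
            } }
        $1 == "Gid:"    { for (i = 2; i <= 5; i++)  if ($i == 0) root_gid = 1 }
        $1 == "Groups:" { for (i = 2; i <= NF; i++) if ($i == 0) root_gid = 1 }
        END {
            if (!seen)     { print "UNKNOWN: no Uid line"; exit 2 }
            if (root_uid)  { print "FAIL: a UID slot is still 0, root can be regained"; exit 1 }
            if (other_uid) { print "FAIL: UID differs from expected " want; exit 1 }
            if (root_gid)  { print "FAIL: GID or supplementary group 0 retained"; exit 1 }
            print "OK: all UIDs are " want " and no group 0 is held"
        }' "$1"
}

# Constructed samples, not captured from the poster's machine.
demo() {
    dir=$(mktemp -d)
    # Every slot switched to the unprivileged account.
    printf 'Uid:\t1001\t1001\t1001\t1001\nGid:\t1001\t1001\t1001\t1001\nGroups:\t1001\n' > "$dir/dropped"
    # What root executing a set-uid/set-gid binary owned by 1001:1001 looks
    # like: only the effective, saved and filesystem IDs change.
    printf 'Uid:\t0\t1001\t1001\t1001\nGid:\t0\t1001\t1001\t1001\nGroups:\t0\n' > "$dir/setuid_exec"
    for f in dropped setuid_exec; do
        printf '%s: ' "$f"
        check_dropped "$dir/$f" 1001 || true
    done
    rm -rf "$dir"
}
demo
```

Against a live server the call would be `check_dropped /proc/PID/status 1001`, with PID taken from the ps or lsof output.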