From: Johnny L. W. <jo...@ma...> - 2002-08-26 18:33:20
On Mon, 26 Aug 2002, Craig Barratt wrote:

> > change suggested in an earlier thread. Then, I get a page with a Status/PC
> > Summary/etc on the left side. There's a green bar across the top that says
> > "Error:Wrong user: my userid is 48, instead of 541 (backuppc)"
> >
> > Now then, my permissions on BackupPC_Admin are as follows:
> >
> > -r-sr-xr-x 1 backuppc bacuppc 83096 Aug 23 13:59 BackupPC_Admin
> >
> > And permissions on config.pl have also been changed so I could get it
> > readable enough to allow me to see the error messages generated by
> > BackupPC_Admin.
> >
> > NOW for the freaky part:
> >
> > [root@hylafax httpd]# ls -l /bin | grep perl
> > lrwxrwxrwx 1 root root 13 Aug 16 13:35 perl ->
> > /usr/bin/perl
> > -rws--x--x 1 root root 790752 Aug 23 14:10 sperl5.6.0
> > [root@hylafax httpd]#
> >
> > There's also a copy of sperl5.6.0 in /usr/bin. Still, I'm getting errors
> > about being the wrong user. What's the deal?
>
> Ok, there is some problem with setuid perl scripts on your machine. And
> you are not alone: several other users have had similar problems. But
> lots of other users have not.
>
> One solution is to switch to mod_perl: by running apache as user backuppc
> in the first place you avoid the need for setuid.

In my current environment, this would be all but impossible. The machine I'm setting this up on is mission-critical and I can't just change the webserver out willy-nilly. If there was a minor problem that took the regular apache down for 10 minutes, I'd hear about it from at least 3 managers. :)

> But I would like to get to the bottom of this.
>
> Please create a short test program, testsetuid, that looks like this:
>
> #!/bin/perl
>
> printf("My userid is $> (%s)\n", (getpwuid($>))[0]);
>
> then chown it to backuppc and chmod u+s:
>
> root# chown backuppc testsetuid
> root# chmod u+s testsetuid
> root# ls -l testsetuid
> -rwsr-xr-x 1 backuppc wheel 76 Aug 26 09:46 testsetuid*
>

Ok. Copied and pasted the script exactly from this email into a file, and did this:

[root@hylafax backuppc]# chown backuppc:backuppc testsetuid
[root@hylafax backuppc]# chmod u+s testsetuid
[root@hylafax backuppc]# chmod u+x testsetuid
[root@hylafax backuppc]# ls -l testsetuid
-rwsr--r-- 1 backuppc backuppc 68 Aug 26 13:09 testsetuid

> Now run this program as a normal user.
>
> - What uid does it print?

[root@hylafax backuppc]# ./testsetuid
My userid is 0 (root)
[root@hylafax backuppc]# su jeff
[jeff@hylafax backuppc]$ ./testsetuid
bash: ./testsetuid: Permission denied
[jeff@hylafax backuppc]$

Therefore, I'll assume you meant something a little more like:

[root@hylafax backuppc]# chmod a+s testsetuid
[root@hylafax backuppc]# chmod a+x testsetuid
[root@hylafax backuppc]# su jeff
[jeff@hylafax backuppc]$ ls -l testsetuid
-rwsr-sr-x 1 backuppc backuppc 68 Aug 26 13:09 testsetuid
[jeff@hylafax backuppc]$ ./testsetuid
My userid is 542 (jeff)
[jeff@hylafax backuppc]$

> - If it doesn't print backuppc, try changing the first line of the script
> to be:
>
> #!/usr/bin/sperl5.6.0

[Edit stuff]

[root@hylafax backuppc]# ls -l testsetuid
-rwsr-sr-x 1 backuppc backuppc 74 Aug 26 13:16 testsetuid
[root@hylafax backuppc]# ./testsetuid
My userid is 541 (backuppc)
[root@hylafax backuppc]# su jeff
[jeff@hylafax backuppc]$ ./testsetuid
My userid is 541 (backuppc)
[jeff@hylafax backuppc]$

> If this works, then change the first line of BackupPC_Admin to the
> same thing and see if it now works.

[Edit Stuff]

[root@hylafax cgi-bin]# ls -l BackupPC_Admin
-r-sr-sr-x 1 backuppc backuppc 83102 Aug 26 13:17 BackupPC_Admin

Ran it from the web, got an error about the backuppc daemon not running. Lemme go start that and try again....

* The server's PID is 29147 on host hylafax.internal.booksys.com, version 1.5.0, started at 8/26 13:31.
* This status was generated at 8/26 13:31.
* PCs will be next queued at 8/26 14:00.
* Other info:
    o 0 pending backup requests from last scheduled wakeup,
    o 0 pending user backup requests,
    o 0 pending command requests,
    o Pool is 0.00GB comprising 0 files and 1 directories (as of 8/20 22:30),
    o Pool hashing gives 0 repeated files with longest chain 0,
    o Nightly cleanup removed 0 files of size 0.00GB (around 8/20 22:30),
    o Pool file system was recently at 61% (8/20 22:30), today's max is 61% (8/20 22:30) and yesterday's max was 61%

> - If the original test does print backuppc, then it looks like it is
> something specific to setuid cgi scripts in apache.

I'm not exactly sure what we've discovered here, but it looks like the web interface is working now. :)

--Me
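
An added example, not part of the original message or of BackupPC: a small shell audit for set-id scripts that reads the two things the thread compares, the `ls -l` mode string and the `#!` line. The function names are hypothetical. The Linux kernel ignores set-id bits on `#!` scripts, so whether they take effect depends on the interpreter named on the first line, which is why the report shows the interpreter's own mode next to the script's.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not BackupPC's.

# Print findings for a 10-character `ls -l` mode string.
mode_findings() {
    mode=$1
    out=""
    case $(printf '%s' "$mode" | cut -c4) in
        s) out="setuid" ;;
        S) out="setuid-without-owner-exec" ;;
    esac
    case $(printf '%s' "$mode" | cut -c7) in
        s|S) out="$out setgid" ;;
    esac
    case $(printf '%s' "$mode" | cut -c10) in
        x|t) ;;
        *) out="$out not-executable-by-others" ;;
    esac
    case $(printf '%s' "$mode" | cut -c9) in
        w) out="$out world-writable" ;;
    esac
    printf '%s\n' "${out# }"
}

# Extract the interpreter path from a "#!" line (empty if there is none).
shebang_interp() {
    printf '%s\n' "$1" | sed -n '1s/^#![[:space:]]*\([^[:space:]]*\).*/\1/p'
}

# Report a script's own mode bits plus the mode of its "#!" interpreter.
audit_script() {
    f=$1
    mode=$(ls -ld -- "$f" | cut -c1-10)
    interp=$(shebang_interp "$(head -n 1 -- "$f")")
    imode="missing"
    if [ -n "$interp" ] && [ -e "$interp" ]; then
        imode=$(ls -ldL -- "$interp" | cut -c1-10)
    fi
    printf '%s: [%s] interpreter=%s (%s)\n' \
        "$f" "$(mode_findings "$mode")" "${interp:-none}" "$imode"
}

# Mode strings copied from the thread's ls -l output.
for m in '-rwsr--r--' '-rwsr-sr-x'; do
    printf '%s -> %s\n' "$m" "$(mode_findings "$m")"
done
# Audit any files named on the command line.
for f in "$@"; do audit_script "$f"; done
```

Passing a script path as an argument prints its findings alongside the interpreter's mode string, so a set-id script whose interpreter is not itself a set-id helper stands out.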