please help with 'operation not permitted' error


Don

Apr 23, 2009, 1:33:29 PM
to Hardhats
I would greatly appreciate any help I can get to troubleshoot an error
I am getting in setting up Vista on Ubuntu and connecting using CPRS
on Windows. I think I am only slightly off and the smart folks on
this group must have seen such an issue before.

Using Nancy Anthracite's directions, I set up GTM and VISTA on Ubuntu
and get a netstat showing a listener on port 9230.

I set up CPRS (latest available) on my Microsoft Windows box (My OS is
MSVista not XP). I also created a log file for xinetd at
/home/vista/xinetd.log.

When I try to connect from Windows, I get the dreaded WSACONNRESET
error.
Even though on the Ubuntu I do see that a connection attempt
(apparently successful) was made. The file /home/vista/xinetd.log
shows entries like this corresponding to each connection request:

09/4/22@04:30:04: START: WVEHR-gui pid=794 from=xxx.xx.xx.xx

The above listing seems to match the log_on_success setting in my
xinetd.conf. However my daemon.log and syslog in /var/log show an
error like this for each connection request:

Apr 22 04:30:04 ubuntu-vm xinetd[389]: setuid failed: Operation not permitted (errno = 1)

The main reason I created a xinetd.conf is to troubleshoot the error
that I noticed in my syslog.

After google search for debugging clues, I started gtm and did a D
^XTER, it said no error was logged. If I do a D VIEW^XWBDLOG it also
shows nothing.

How do I interpret the error message or go about troubleshooting?
Would appreciate any help.

David Whitten

Apr 23, 2009, 1:52:56 PM
to Hard...@googlegroups.com
On Thu, Apr 23, 2009 at 12:33 PM, Don <svk...@gmail.com> wrote:
>
> I would greatly appreciate any help I can get to troubleshoot an error
> I am getting in setting up Vista on Ubuntu and connecting using CPRS
> on Windows.  I think I am only slightly off and the smart folks on
> this group must have seen such an issue before.
>
> Using Nancy Anthracite's directions, I setup GTM and VISTA on Ubuntu
> and get a netstat showing a listener on port 9230.
>
> I setup CPRS (latest available) on my Microsoft Windows box (My OS is
> MSVista not XP).  I also created a log file for xinetd at /home/vista/
> xinetd.log.
>
> When I try to connect from Windows, I get the dreaded WSACONNRESET
> error.
> Even though on the Ubuntu I do see that a connection attempt
> (apparently successful) was made.  The file /home/vista/xinetd.log
> shows entries like this corresponding to each connection request:
>
>  09/4/22@04:30:04: START: WVEHR-gui pid=794 from=xxx.xx.xx.xx
>
> The above listing seems to match the log_on_success setting in my
> xinetd.conf. However my daemon.log and syslog in /var/log show an
> error like this for each connection request:
>
>  Apr 22 04:30:04 ubuntu-vm xinetd[389]:  setuid failed: Operation not
> permitted (errno = 1)
>
This message says that after the xinetd (xinet daemon) got woken up,
it tried to change the process to be a particular user identification
(setuid = "set u id"), but it failed because the operation was not permitted.
This is something that is totally out of the VistA realm and in the area
of Linux gurus. Probably a good start is to list out your WVEHR-gui
script, which is probably in the xinetd

one script that has that name, that I could find is:

#!/bin/sh
#WVEHR-gui: This is a file to run RPCBroker as a Linux service
#
#make sure of our directory
cd /home/vista/EHR
date >> /home/vista/EHR/WVEHR-gui.log
#Get the GTM profile
. /home/vista/EHR/env2
#Run routine
$gtm_dist/mumps -run GTMLNX^XWBTCPM 2>>/home/vista/EHR/WVEHR-gui.log
#

The file for this has these permissions:

$ ls -l WVEHR-gui
-rw-r--r-- 1 vista vista 288 2008-07-11 22:33 WVEHR-gui

as you can see, this script doesn't have any information about setting the
user id. All of that information is in the configuration file setup for xinetd.
I found one in /etc/xinetd.d (which is where I expected to find it, but it might
be in a different place on your system)

$ ls -l /etc/xinetd.d/WVEHR-gui
-rw-r--r-- 1 root root 267 2008-04-23 19:07 /etc/xinetd.d/WVEHR-gui

$ cat /etc/xinetd.d/WVEHR-gui
service WVEHR-gui
{
    port = 9230
    socket_type = stream
    protocol = tcp
    user = vista
    server = /bin/sh
    server_args = /home/vista/EHR/WVEHR-gui
    type = UNLISTED
    wait = no
    disable = no
}

you see how it says user = vista ?
that tells the xinet daemon to change the user identification to "vista"
when it recognizes activity on port = 9230 and run the program
/home/vista/EHR/WVEHR-gui using the shell program /bin/sh

when I look up the user vista in /etc/passwd I find:
$ grep vista /etc/passwd
vista:x:501:501::/home/vista:/bin/bash

and, looking at the group, I find:

$ grep vista /etc/group
vista:x:501:

Does your system look like this?

David

> The main reason I created a xinetd.conf is to troubleshoot the error
> that I noticed in my syslog.
>
> After google search for debugging clues, I started gtm and did a D
> ^XTER, it said no error was logged.  If I do a D VIEW^XWBDLOG it also
> shows nothing.
>
> How do I interpret the error message or go about troubleshooting?

since this is an xinetd error, you might want to look at the xinetd logs...

grep xinetd /var/log/messages | more

but it looks like you already know about /var/log and found it in
daemon.log and syslog

> Would appreciate any help.

Don

Apr 23, 2009, 3:13:40 PM
to Hardhats
David,

Thanks a ton for your detailed response.

My /etc/xinetd.d/WVEHR-gui file is identical to yours in its
permissions and file-content.

My /home/vista/EHR/WVEHR-gui file is identical to yours in its
file-content. Its permissions are slightly more relaxed than yours; it has
execute permissions for everyone:

$ ls -l /home/vista/EHR/WVEHR-gui
-rwxr-xr-x 1 vista vista 288 2008-02-06 01:24 WVEHR-gui

My /home/vista/EHR/WVEHR-gui.log file has read and write permissions
for everyone. Nothing got written to it in all my connection
attempts.

What is somewhat different is my user vista's settings in the
/etc/passwd and /etc/group files. I gave a name (VISTA Installer) to the
vista user and I see that the user-id is 1001 instead of 501 for you.
(I would have guessed your user-id would be greater than 999 as
indicated here: www.penguin-soft.com/penguin/man/8/adduser.html).

$ grep vista /etc/passwd
vista:x:1001:1001:VISTA Installer,,,:/home/vista:/bin/bash

$ grep vista /etc/group
adm:x:4:vmplanet,vista
lpadmin:x:108:vmplanet,vista
admin:x:123:vmplanet,vista
vista:x:1001:

The /etc/group settings show as above because I added the user 'vista'
to additional groups - adm, admin, lpadmin - hoping to get past my
troubles. (I saw a comment in the /etc/sudoers file that "Members of
the admin group may gain root privileges".)

Does your vista user have any special permissions like ability to do
sudo?
Any other ideas?

Thanks
Don


Don

Apr 23, 2009, 5:41:32 PM
to Hardhats
OK, I finally solved my connectivity problem - after nearly 2 days!

I guess the issue was that the user that started xinetd was not vista
and somehow (I don't know how) he couldn't perform a successful setuid
on the process that xinetd launched for the WVEHR-gui. Once I was
able to start the xinetd daemon as vista, there was no need to setuid
to the user vista (I suppose so this issue was resolved).

Now the CPRS gui is able to connect and I see the CPRS screen (though
I ran into a different issue: patient selection list flag not set).

Hope this helps save time for others who might encounter this
scenario.

Don
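
An added example, not part of the thread: a small POSIX shell check that reads a service file like the one David quotes, resolves its `user =` line against a passwd file, and reports whether a daemon with a given effective UID could make that switch. The sample files are constructed from values quoted in the thread, the function names are hypothetical, and privilege is modelled simply as euid 0.

```shell
#!/bin/sh
# Added example (not from the thread): model why xinetd logs
# "setuid failed: Operation not permitted" for a service with "user = ...".
# Assumption: privilege is modelled as euid 0 only; Linux capabilities
# such as CAP_SETUID are ignored.

# xinetd_field FILE KEY -> value of "KEY = value" in a service file
xinetd_field() {
    awk -v key="$2" '
        { eq = index($0, "="); if (!eq) next
          k = substr($0, 1, eq - 1); gsub(/[ \t]/, "", k)
          if (k == key) { v = substr($0, eq + 1)
                          gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit } }
    ' "$1"
}

# passwd_uid PASSWD_FILE USER -> numeric uid (empty if no such account)
passwd_uid() { awk -F: -v u="$2" '$1 == u { print $3; exit }' "$1"; }

# check_setuid SERVICE_FILE PASSWD_FILE DAEMON_EUID
# Prints a verdict; returns 0 when the switch to the configured user can succeed.
check_setuid() {
    user=$(xinetd_field "$1" user)
    [ -n "$user" ] || { echo "no user directive: server keeps xinetd's uid"; return 0; }
    uid=$(passwd_uid "$2" "$user")
    [ -n "$uid" ] || { echo "unknown user $user"; return 1; }
    if [ "$3" -eq 0 ]; then echo "ok: root may setuid to $user ($uid)"
    elif [ "$3" -eq "$uid" ]; then echo "ok: already running as $user ($uid)"
    else echo "EPERM: euid $3 may not setuid to $user ($uid)"; return 1
    fi
}

# write_samples DIR: constructed copies of the files quoted in the thread
write_samples() {
    printf 'service WVEHR-gui\n{\n  port = 9230\n  user = vista\n  server = /bin/sh\n  server_args = /home/vista/EHR/WVEHR-gui\n}\n' > "$1/WVEHR-gui"
    printf 'root:x:0:0:root:/root:/bin/bash\nvista:x:1001:1001:VISTA Installer,,,:/home/vista:/bin/bash\n' > "$1/passwd"
}

demo() {
    d=$(mktemp -d) && write_samples "$d"
    for euid in 0 1000 1001; do
        check_setuid "$d/WVEHR-gui" "$d/passwd" "$euid" || true
    done
    rm -rf "$d"
}
demo
# On a live host the third argument would come from: ps -o euid= -C xinetd
```

The first verdict is the usual deployment: xinetd starts as root and drops to the service account before running the server, so the listener itself never runs the RPC broker script with root privileges.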

K.S. Bhaskar

Apr 23, 2009, 5:58:00 PM
to Hard...@googlegroups.com
On 04/23/2009 05:41 PM, Don wrote:
>
> OK, I finally solved my connectivity problem - after nearly 2 days!
>
> I guess the issue was that the user that started xinetd was not vista
> and somehow (I don't know how) he couldn't perform a successful setuid
> on the process that xinetd launched for the WVEHR-gui. Once I was
> able to start the xinetd daemon as vista, there was no need to setuid
> to the user vista (I suppose so this issue was resolved).
>
> Now the CPRS gui is able to connect and I see the CPRS screen (though
> I ran into a different issue: patient selection list flag not set).
>
> Hope this helps save time for others who might encounter this
> scenario.

[KSB] My hope was that people will look at how a Toaster is put together
(and ask questions on hardhats when they can't figure something out) and
learn from it so that they don't have to struggle for two days. I guess
I was not too successful in your case, Don! Anyway, glad you figured it
out.

Regards
-- Bhaskar


David Whitten

Apr 23, 2009, 6:20:45 PM
to Hard...@googlegroups.com
The PATIENT SELECTION LIST field is a pretty common problem.
Many times when people set up a new user they don't go through
all the pages of the process, and so they never set the fields up
that they need to. This field is on page 4, so unless you
know that you need to go there, many people don't do it.
You can leave PATIENT SELECTION LIST
blank, as I recall, but you need to put a NO in the field
RESTRICT PATIENT SELECTION for things to work okay.

Here are the fields using Raw FileMan:

Select OPTION: ENTER OR EDIT FILE ENTRIES
INPUT TO WHAT FILE: NEW PERSON//
EDIT WHICH FIELD: ALL//
Select NEW PERSON NAME: DUMMY, PERSON
NAME: DUMMY, PERSON// ^101.01 RESTRICT PATIENT SELECTION
RESTRICT PATIENT SELECTION: NO// ?
Choose from:
0 NO
1 YES
RESTRICT PATIENT SELECTION: NO// ??
Answer 'YES' to restrict this user to selecting only those patients
associated with the list pointed to by the PATIENT SELECTION LIST field
(#101.02).

Choose from:
0 NO
1 YES
RESTRICT PATIENT SELECTION: NO//
PATIENT SELECTION LIST: ?
You cannot select a personal-type list.
Answer with OE/RR LIST NAME, or UPPER CASE, or USER
Do you want the entire OE/RR LIST List? N (No)
PATIENT SELECTION LIST:

Normally, you wouldn't use raw FileMan, but rather you would use the
screen options:

D ^XUP

Setting up programmer environment
This is a TEST account.

Terminal Type set to: C-VT100

You have 163 new messages.
Select OPTION NAME:XUSEREDIT
1 XUSEREDIT Edit an Existing User
2 XUSEREDITSELF Edit User Characteristics
CHOOSE 1-2: 1 XUSEREDIT Edit an Existing User
Edit an Existing User
Select NEW PERSON NAME: DUMMY, PERSON

Edit an Existing User
NAME: DUMMY, PERSON
Page 1 of 5
_______________________________________________________________________________
NAME... DUMMY, PERSON INITIAL: DP
TITLE: SAMPLE JOB NICK NAME:
SSN: 000009000 DOB:
DEGREE: MAIL CODE: 001
DISUSER: TERMINATION DATE:
Termination Reason:

PRIMARY MENU OPTION: XMUSER
Select SECONDARY MENU OPTIONS: OR CPRS GUI CHART
Want to edit ACCESS CODE (Y/N): FILE MANAGER ACCESS CODE:
Want to edit VERIFY CODE (Y/N):

Select DIVISION: SAMPLE SITE
SERVICE/SECTION: MEDICINE
_______________________________________________________________________________
Exit Save Next Page Refresh

Enter a command or '^' followed by a caption to jump to a specific field.


COMMAND: N Press <PF1>H for help Insert

Edit an Existing User
NAME: DUMMY, PERSON Page 2 of 5
_______________________________________________________________________________

TIMED READ (# OF SECONDS): 900

MULTIPLE SIGN-ON: ALLOWED MULTIPLE SIGN-ON LIMIT:
ASK DEVICE TYPE AT SIGN-ON: DON'T ASK AUTO MENU: YES, MENUS GENERATED
PROHIBITED TIMES FOR SIGN-ON: TYPE-AHEAD: ALLOWED
AUTO SIGN-ON:
Preferred Editor: SCREEN EDITOR - VA FILEMAN

ALLOWED TO USE SPOOLER: PAC:
CAN MAKE INTO A MAIL MESSAGE:

FILE RANGE:
ALWAYS SHOW SECONDARIES:
_______________________________________________________________________________
Exit Save Next Page Refresh

Enter a command or '^' followed by a caption to jump to a specific field.


COMMAND: N Press <PF1>H for help Insert


Edit an Existing User
NAME: DUMMY, PERSON Page 3 of 5
_______________________________________________________________________________
PROHIBITED TIMES FOR SIGN-ON:

PHONE: OFFICE PHONE:
COMMERCIAL PHONE: FAX NUMBER:
VOICE PAGER: DIGITAL PAGER:
LANGUAGE:

Person Class Effective Expired






_______________________________________________________________________________
Exit Save Next Page Refresh

Enter a command or '^' followed by a caption to jump to a specific field.


COMMAND: N Press <PF1>H for help Insert

Edit an Existing User
NAME: DUMMY, PERSON Page 4 of 5
_______________________________________________________________________________
RESTRICT PATIENT SELECTION: NO OE/RR LIST:

CPRS TAB ACCESS:
Name Description Effective Date Expiration Date
COR CPRS GUI "core" tabs. OCT 22,2006









_______________________________________________________________________________
Exit Save Next Page Refresh

Enter a command or '^' followed by a caption to jump to a specific field.


COMMAND: N Press <PF1>H for help Insert
Edit an Existing User
NAME: DUMMY, PERSON Page 5 of 5
_______________________________________________________________________________
PERMANENT ADDRESS:
Street 1:
Street 2:
Street 3:
City:
State:
Zip Code:
E-Mail Address:
Is this person an active Trainee?:
VHA Training Fac.:
Start Date of Training: Last Training Month & Year:
Trainee Inactive (Date):
Program of Study:
Target Degree Lvl:
_______________________________________________________________________________

Don

Apr 24, 2009, 12:41:13 PM
to Hardhats
Thanks for the information.

Don

Apr 24, 2009, 12:49:02 PM
to Hardhats
David,

That fixed my 'patient selection list' issue and I can use it just
fine now. I was going by Nancy Anthracite's writeup and didn't see
that in it, though it did include adding a new person as the system
manager. I will write her to suggest the addition.

Thanks again for your kind help.

Don

Nancy Anthracite

Apr 24, 2009, 2:59:12 PM
to Hard...@googlegroups.com
I just added it.
--
Nancy Anthracite