Hi,

This is a very specific and odd situation. I already discovered the workaround (odd too), but I would like to try to understand the real origin of the problem. If anybody has an explanation, I would appreciate it.

In short, the problem is with the SETUID effect (or no effect, in this case).
To me, it appears to be a bug in OpenSuse (kernel or glibc).

I installed OpenSuse 11.1 on my new notebook and updated the packages and patches:

| cmartins@note-cim:~> uname -a
| Linux note-cim 2.6.27.7-9-pae #1 SMP 2008-12-04 18:10:04 +0100 i686 i686 i386 GNU/Linux
| cmartins@note-cim:~> rpm -q glibc
| glibc-2.9-2.11.1

After that I installed IDS 11.5 UC3 Developer Edition and tried to initialize it with a very basic configuration.
When I execute "oninit -iv" as user "informix" I get this (pay attention to ">"):

| informix@note-cim:~> oninit -ivy
| Checking group membership to determine server run mode...succeeded
| Reading configuration file '/opt/IBM/ids1150uc3de/etc/onconfig.idsmoon'...succeeded
>| Creating /INFORMIXTMP/.infxdirs...FAILED
| Creating infos file "/opt/IBM/ids1150uc3de/etc/.infos.idsmoon"...succeeded
| Linking conf file "/opt/IBM/ids1150uc3de/etc/.conf.idsmoon"...succeeded
| Checking config parameters...succeeded
| Writing to infos file...succeeded
| Allocating and attaching to shared memory...succeeded
| Creating resident pool 10570 kbytes...succeeded
| Allocating 100016 kbytes for buffer pool of 2K page size...succeeded
| Initializing rhead structure...succeeded
| Initialization of Encryption...succeeded
| tail: cannot open `$INFORMIXDIR/log/online.log' for reading: No such file or directory
| touch: cannot touch `/INFORMIXTMP/.idsmoon.alarm': No such file or directory
>| awk: cmd. line:1: fatal: cannot open file `/INFORMIXTMP/.idsmoon.alarm' for reading (No such file or directory)
>| mv: cannot move `/tmp/.idsmoon.alarm_9782' to `/INFORMIXTMP/.idsmoon.alarm': No such file or directory
>| SENDER IS NULL NO MAIL WILL BE SENT
>| /opt/IBM/ids1150uc3de/etc/alarmprogram.sh[517]: /INFORMIXTMP/.idsmoon.alarm: cannot create [No such file or directory]
| WARNING: server initialization failed, or possibly timed out (if -w was used).
| Check the message log, online.log, for errors.

Here is the log:

| informix@note-cim:/opt/IBM/ids1150uc3de/log> cat online.log
| 17:33:43 IBM Informix Dynamic Server Started.
| 17:33:43 Warning: The IBM IDS Developer Edition license restriction limits
| 17:33:43 the total shared memory size for this server to 1048576 KB.
| 17:33:43 The size has been reset to the limit to bring up the database server.
>| 17:33:44 Could not disable priority aging: errno = 13
| Wed Apr 1 17:33:44 2009
>| 17:33:44 Error: Unable to reset open files limit, must run as super-user
| 17:33:44 Event alarms enabled. ALARMPROG = '/opt/IBM/ids1150uc3de/etc/alarmprogram.sh'
>| 17:33:44 Assert Failed: net_init.c, line 321, thread 1, errno=13, error in creating /INFORMIXTMP.
| 17:33:44 IBM Informix Dynamic Server Version 11.50.UC3DE
| 17:33:44 Who: Session(0, @, 0, (nil))
| Thread(1, main_thread, 0, 1)
| File: neterrb.c Line: 658
| 17:33:44 stack trace for pid 9819 written to /opt/IBM/ids1150uc3de/tmp/af.3e9cfa8
| 17:33:44 See Also: /opt/IBM/ids1150uc3de/tmp/af.3e9cfa8, shmem.3e9cfa8.0
| 17:33:47 neterrb.c, line 658, thread 1, proc id 9819, net_init.c, line 321, thread 1, errno=13, error in creating /INFORMIXTMP..
| 17:33:47 PANIC: Attempting to bring system down

Searching for errno 13 in /usr/include/asm-generic/errno-base.h:

| #define EACCES 13 /* Permission denied */

So, to me this appears to be a problem with SETUID on the binaries, but when I look at them, they are all OK!

| informix@note-cim:/opt/IBM/ids1150uc3de/log> ls -l $INFORMIXDIR/bin/on*
| -rwsr-sr-x 1 root informix 1064326 2009-03-30 16:05 /opt/IBM/ids1150uc3de/bin/onaudit
| -rwxr-xr-x 1 informix informix 3916 2008-10-28 03:21 /opt/IBM/ids1150uc3de/bin/onbar
| -rwsr-sr-x 1 root informix 2322330 2009-03-30 16:04 /opt/IBM/ids1150uc3de/bin/onbar_d
| -rwxr-sr-x 1 informix informix 1718092 2009-03-30 16:04 /opt/IBM/ids1150uc3de/bin/oncheck
| -rwxr-xr-x 1 informix informix 1633911 2009-03-30 16:05 /opt/IBM/ids1150uc3de/bin/oncmsm
| -rwsr-sr-x 1 root informix 2216014 2008-10-28 03:21 /opt/IBM/ids1150uc3de/bin/ondblog
| -rwsr-sr-x 1 root informix 1206868 2008-10-28 03:21 /opt/IBM/ids1150uc3de/bin/onedcu
| -rwxr-sr-x 1 informix informix 593771 2008-10-28 03:21 /opt/IBM/ids1150uc3de/bin/onedpu
| -rwsr-sr-- 1 root informix 15854167 2009-03-30 16:04 /opt/IBM/ids1150uc3de/bin/oninit
| -rwxr-sr-x 1 informix informix 1012653 2009-03-30 16:04 /opt/IBM/ids1150uc3de/bin/onload
| -rwxr-sr-x 1 informix informix 1551144 2009-03-30 16:05 /opt/IBM/ids1150uc3de/bin/onlog
| -rwsr-sr-x 1 root informix 1180325 2009-03-30 16:04 /opt/IBM/ids1150uc3de/bin/onmode
| -rwxr-sr-x 1 informix informix 2418013 2009-03-30 16:05 /opt/IBM/ids1150uc3de/bin/onmonitor
| -rwxr-sr-x 1 informix informix 1376237 2009-03-30 16:04 /opt/IBM/ids1150uc3de/bin/onparams
| -rwxr-xr-x 1 informix informix 619278 2008-10-21 08:59 /opt/IBM/ids1150uc3de/bin/onpassword
| -rwxr-xr-x 1 informix informix 1806361 2008-10-28 03:21 /opt/IBM/ids1150uc3de/bin/onperf
| -rwxr-xr-x 1 informix informix 1700699 2009-03-30 16:05 /opt/IBM/ids1150uc3de/bin/onpladm
| -rwxr-sr-x 1 informix informix 2461805 2009-03-30 16:04 /opt/IBM/ids1150uc3de/bin/onpload
| -rwsr-sr-x 1 root informix 596092 2009-03-30 16:05 /opt/IBM/ids1150uc3de/bin/onshowaudit
| -rwsr-sr-x 1 root informix 2382077 2009-03-30 16:04 /opt/IBM/ids1150uc3de/bin/onsmsync
| -rwsr-s--- 1 root informix 2129434 2009-03-30 16:05 /opt/IBM/ids1150uc3de/bin/onsnmp
| -rwxr-sr-x 1 informix informix 1373427 2009-03-30 16:04 /opt/IBM/ids1150uc3de/bin/onspaces
| -rwsr-s--- 1 root informix 585659 2008-10-28 03:21 /opt/IBM/ids1150uc3de/bin/onsrvapd
| -rwxr-sr-x 1 informix informix 3882028 2009-03-30 16:04 /opt/IBM/ids1150uc3de/bin/onstat
| -rwsr-sr-x 1 root informix 1955921 2009-03-30 16:04 /opt/IBM/ids1150uc3de/bin/ontape
| -rwxr-sr-x 1 informix informix 1012657 2009-03-30 16:04 /opt/IBM/ids1150uc3de/bin/onunload

If I try to initialize as "root", /INFORMIXTMP is created, but other problems appear:

| 17:39:29 IBM Informix Dynamic Server Version 11.50.UC3DE Software Serial Number AAA#B000000
| 17:39:29 The chunk '/ifmxdados/L_rootdbs.ch1' must have owner-ID "informix" and group-ID "root".

Insisting on using "root", after changing the group-id of the chunk, apparently everything appears to work fine and the instance is initialized. When I try to use onstat as the "informix" user, this occurs:

| informix@note-cim:~> onstat -
| onstat: Shared memory: permission denied.
|
| root@note-cim:~# ipcs -mc
| ------ Shared Memory Segment Creators/Owners --------
| shmid perms cuid cgid uid gid
>| 1343488 660 root root root root
>| 1376257 660 root root root root

So, to resolve the situation I wrote the C code below, and finally, this way, I can use IDS on my note:

| cmartins@note-cim:~/fontes/c> cat myexec.c
| #include <stdio.h>
| #include <unistd.h>
| #include <stdlib.h>
|
| int main(int argc, char *argv[] ) {
|   if ( argc != 4 ) {
|     printf("\nInvalid Parameters!\nsyntax: [uid] [gid] [command]\n\n");
|     exit(1) ;
|   }
|   int i;
|   printf("argc = %i\n", argc );
|   for (i = 0 ; i <= argc-1 ; i++) printf("\targ %i = %s\n", i, argv[i]);
|
|   // argv[1] (uid) is only printed; the setreuid() call stays commented out
|   printf( "\nSetting Effective UID = %s GID = %s\n", argv[1], argv[2]);
|   if (setregid(atoi(argv[2]),atoi(argv[2])) != 0) { // define real/effective groups
|     perror("setregid");
|     exit(1);
|   }
|   //setreuid(0,atoi(argv[2])); // define effective user
|   printf("Effective / Real UID/GID defined:\n");
|   printf("uid=%i \t gid=%i \t euid=%i \t egid=%i \n\n", getuid(), getgid(), geteuid(), getegid());
|
|   printf("Executing %s\n", argv[3] );
|   system(argv[3]);
|   return 0;
| }
|
| cmartins@note-cim:~/fontes/c> gcc myexec.c -o myexec
| cmartins@note-cim:~/fontes/c> exit
| logout
|
| root@note-cim:~# cp /home/cmartins/fontes/c/myexec /usr/local/bin
| `/home/cmartins/fontes/c/myexec' -> `/usr/local/bin/myexec'
| root@note-cim:~# chmod ug+s,o+rx /usr/local/bin/myexec
| root@note-cim:~# ls -l /usr/local/bin/myexec
| -rwsr-sr-x 1 root root 11099 2009-04-03 10:34 /usr/local/bin/myexec
|
| root@note-cim:~# . env.idsmoon
| root@note-cim:~# id informix
| uid=1001(informix) gid=1000(informix) groups=16(dialout),33(video),1000(informix)
| root@note-cim:~# myexec 1001 1000 "oninit -iyv"
| argc = 4
|   arg 0 = myexec
|   arg 1 = 1001
|   arg 2 = 1000
|   arg 3 = oninit -iyv
|
| Setting Effective UID = 1001 GID = 1000
| Effective / Real UID/GID defined:
| uid=0 gid=1000 euid=0 egid=1000
|
| Executing oninit -iyv
| ...
| informix@note-cim:~# ps -fC oninit
| UID PID PPID C STIME TTY TIME CMD
>| informix 5025 1 0 10:14 ? 00:00:12 oninit -iyv
| root 5026 5025 0 10:14 ? 00:00:00 oninit -iyv
| root 5027 5026 0 10:14 ? 00:00:00 oninit -iyv
| root 5028 5026 0 10:14 ? 00:00:00 oninit -iyv
| root 5029 5026 0 10:14 ? 00:00:00 oninit -iyv
| root 5031 5026 0 10:14 ? 00:00:00 oninit -iyv
| root 5032 5026 0 10:14 ? 00:00:00 oninit -iyv
| root 5033 5026 0 10:14 ? 00:00:00 oninit -iyv
| informix@note-cim:~# ipcs -mc
|
| ------ Shared Memory Segment Creators/Owners --------
| shmid perms cuid cgid uid gid
>| 1605632 660 root informix root informix
>| 1638401 660 root informix root informix
|
| informix@note-cim:~> onstat -
|
| IBM Informix Dynamic Server Version 11.50.UC3DE -- On-Line -- Up 00:33:36 -- 144144 Kbytes

And to shut down the instance I need to use "myexec"; otherwise, if I try to shut down as the "informix" user, the shared memory is not released.

So, does anyone have an explanation for this???

Cesar

Do you have /INFORMIXTMP/ directory (in root directory) with proper
rights?
In this specific example, /INFORMIXTMP doesn't exist because it is the first installation. And for each test executed where IDS has the capability to create it, I remove the directory for the next tests...

--- On Fri, 3/4/09, H5N1 <mwawrzy...@to.aster.pl> wrote:

I believe this could be related to SELINUX... it's a security feature that can
prevent processes from doing a lot of stuff... Even privileged processes (even
root).
There is a way to turn it off. Be very careful when playing with it. If you
make a mistake you can close your system... even from "you".
I don't recall how to manage it, but Google should know. There is a command to
work with it and some file in /etc I believe...
Regards.
--
Fernando Nunes
Portugal
http://informix-technology.blogspot.com
My email works... but I don't check it frequently...
Hi Fernando,

As far as I know, OpenSuse (Ubuntu and other distros) doesn't have SELINUX anymore; it was replaced by Novell AppArmor, and I do not have AppArmor installed.

--- On Fri, 3/4/09, Fernando Nunes <domus...@gmail.com> wrote:

Relatively unlikely to be a bug in OpenSuSE; that is an audacious
claim and would need more backing than what you've shown here (though
what you've shown is interesting).
> | cmartins@note-cim:~> uname -a
> | Linux note-cim 2.6.27.7-9-pae #1 SMP 2008-12-04 18:10:04 +0100 i686 i686
> i386 GNU/Linux
> | cmartins@note-cim:~> rpm -q glibc
> | glibc-2.9-2.11.1
>
> After that I install IDS 11.5 UC3 Developer Edition and try to initialize
> it with very basic configuration.
> When I execute the "oninit -iv" with user "informix" I got this (pay
> attention to ">" ):
>
> | informix@note-cim:~> oninit -ivy
> | Checking group membership to determine server run mode...succeeded
> | Reading configuration file
> '/opt/IBM/ids1150uc3de/etc/onconfig.idsmoon'...succeeded
>>| Creating /INFORMIXTMP/.infxdirs...FAILED
So, it appears that for some reason, oninit does not have sufficient
privileges to create /INFORMIXTMP.
I checked on my Solaris machine; if /INFORMIXTMP does not exist, it is
created. For some reason as yet unexplained, your system was unable
to create it.
> | Creating infos file
> "/opt/IBM/ids1150uc3de/etc/.infos.idsmoon"...succeeded
> | Linking conf file "/opt/IBM/ids1150uc3de/etc/.conf.idsmoon"...succeeded
> | Checking config parameters...succeeded
> | Writing to infos file...succeeded
> | Allocating and attaching to shared memory...succeeded
> | Creating resident pool 10570 kbytes...succeeded
> | Allocating 100016 kbytes for buffer pool of 2K page size...succeeded
> | Initializing rhead structure...succeeded
> | Initialization of Encryption...succeeded
> | tail: cannot open `$INFORMIXDIR/log/online.log' for reading: No such file
> or directory
You're supposed to have the online.log file already created before running IDS.
> | touch: cannot touch `/INFORMIXTMP/.idsmoon.alarm': No such file or
> directory
That's a consequential failure.
>>| awk: cmd. line:1: fatal: cannot open file `/INFORMIXTMP/.idsmoon.alarm'
>> for reading (No such file or directory)
>>| mv: cannot move `/tmp/.idsmoon.alarm_9782' to
>> `/INFORMIXTMP/.idsmoon.alarm': No such file or directory
>>| SENDER IS NULL NO MAIL WILL BE SENT
>>| /opt/IBM/ids1150uc3de/etc/alarmprogram.sh[517]:
>> /INFORMIXTMP/.idsmoon.alarm: cannot create [No such file or directory]
More consequential failures.
> | WARNING: server initialization failed, or possibly timed out (if -w was
> used).
> | Check the message log, online.log, for errors.
>
>
>
> Here is the log
>
> | informix@note-cim:/opt/IBM/ids1150uc3de/log> cat online.log
> | 17:33:43 IBM Informix Dynamic Server Started.
> | 17:33:43 Warning: The IBM IDS Developer Edition license restriction
> limits
> | 17:33:43 the total shared memory size for this server to 1048576 KB.
> | 17:33:43 The size has been reset to the limit to bring up the database
> server.
>>| 17:33:44 Could not disable priority aging: errno = 13
> | Wed Apr 1 17:33:44 2009
>>| 17:33:44 Error: Unable to reset open files limit, must run as super-user
> | 17:33:44 Event alarms enabled. ALARMPROG =
> '/opt/IBM/ids1150uc3de/etc/alarmprogram.sh'
>>| 17:33:44 Assert Failed: net_init.c, line 321, thread 1, errno=13, error
>> in creating /INFORMIXTMP.
errno 13 ENOPERM Permission denied.
> | 17:33:44 IBM Informix Dynamic Server Version 11.50.UC3DE
> | 17:33:44 Who: Session(0, @, 0, (nil))
> | Thread(1, main_thread, 0, 1)
> | File: neterrb.c Line: 658
> | 17:33:44 stack trace for pid 9819 written to
> /opt/IBM/ids1150uc3de/tmp/af.3e9cfa8
> | 17:33:44 See Also: /opt/IBM/ids1150uc3de/tmp/af.3e9cfa8,
> shmem.3e9cfa8.0
> | 17:33:47 neterrb.c, line 658, thread 1, proc id 9819, net_init.c, line
> 321, thread 1, errno=13, error in creating /INFORMIXTMP..
> | 17:33:47 PANIC: Attempting to bring system down
I'm not convinced that it should be giving an AF - that's a bug in
IDS. It can decide not to run; that's legitimate. But it should not
give an AF.
> Searching for errno 13 in the /usr/include/asm-generic/errno-base.h
> | #define EACCES 13 /* Permission denied */
>
> So, for me this appear be a problem with SETUID on binaries , but, when I
> look them , are all ok!
>
> | informix@note-cim:/opt/IBM/ids1150uc3de/log> ls -l $INFORMIXDIR/bin/on*
[...]
> | -rwsr-sr-- 1 root informix 15854167 2009-03-30 16:04
> /opt/IBM/ids1150uc3de/bin/oninit
[...]
Those are the correct permissions. Questions arising:
* Is the /opt file system mounted with SUID and SGID disabled?
> If I try initialize with "root" the /INFORMIXTMP is created , but others
> problems appears:
>
> | 17:39:29 IBM Informix Dynamic Server Version 11.50.UC3DE Software Serial
> Number AAA#B000000
> | 17:39:29 The chunk '/ifmxdados/L_rootdbs.ch1' must have owner-ID
> "informix" and group-ID "root".
That is an odd error message. Which group is listed for user informix
in the /etc/passwd file (or equivalent)? If the group is 0 rather
than informix, then you have 'officially' misconfigured your machine;
the primary group for user informix (the one listed in /etc/passwd)
must be group informix (because the server takes a short-cut and
assumes that the group listed in /etc/passwd for user informix is
group informix). It is a bug on my list of 'to be fixed one day - but
it does not hurt anyone'. However, the second half of the sentence
might be shown to be incorrect.
> Insisting to use with "root" , after change the group-id of the chunk ,
> apparently all appears works fine and the instance are initialized, when I
> try to use onstat with "informix" user, this occur:
> | informix@note-cim:~> onstat -
> | onstat: Shared memory: permission denied.
> |
> | root@note-cim:~# ipcs -mc
> | ------ Shared Memory Segment Creators/Owners --------
> | shmid perms cuid cgid uid gid
>>| 1343488 660 root root root root
>>| 1376257 660 root root root root
So the shared memory segments are created by root, not informix. And
SGID informix programs won't be able to attach to the shared memory.
The group problem could again be related to the password file entry.
That seems to deny the 'informix is listed in root group' theory.
It leaves us with:
* Is /opt a separate mounted file system with SUID and SGID disabled?
* Is there something weird about /INFORMIXTMP or the permissions (ACLs?) on /?
Since you were creating and removing /INFORMIXTMP, it probably isn't
that. (To reproduce the crash, though, we may have to create a file
or device called /INFORMIXTMP so that the creation of
/INFORMIXTMP/.infxdirs fails.) Are you using ACLs at all? Could your
system be doing so without you knowing? Would ACLs prevent a
root-owned process from working?
Also, Linux has another UID, the fsuid or file system uid (see
setfsuid()). I wonder if that is being affected somehow?
Finally (for now), there are, I believe, some authority-based
mechanisms called capabilities
(http://linuxreviews.org/man/capabilities/) for controlling users. I
wonder if any of those are being applied to root, somehow?
Nothing definitive - lots of questions.
However, I stand by my initial observation - the problem is more
likely to be setup than a bug in the o/s per se. It is extremely
unlikely to be such a fundamental bug in the o/s.
At this point, I'm inclined to think that /opt may be mounted with
SUID and SGID disabled. But that's speculation. Check by running
'mount' (no arguments).
--
Jonathan Leffler #include <disclaimer.h>
Email: jlef...@earthlink.net, jlef...@us.ibm.com
Guardian of DBD::Informix v2008.0513 -- http://dbi.perl.org/
"Blessed are we who can laugh at ourselves, for we shall never cease
to be amused."
NB: Please do not use this email for correspondence.
I don't necessarily read it every week, even.
Bob Hope - "You know you are getting old when the candles cost more
than the cake."
Hi Jonathan,

Thanks a lot for your answer and questions. My answers are below; if I missed some information, please tell me.

1) I'm not using ACLs. They are enabled by default at mount in /etc/fstab, and just to be sure this is not the reason, I removed all "acl" options and restarted my computer. The same effect occurs.

2) About the /opt mount: /opt is part of / (root):

| root@note-cim:/# ls -ld /opt
| drwxr-xr-x 6 root root 4096 2009-03-18 09:48 /opt
| root@note-cim:/# mount
| /dev/sda1 on / type ext2 (rw,noatime,relatime,acl,user_xattr)
| /proc on /proc type proc (rw)
| sysfs on /sys type sysfs (rw)
| debugfs on /sys/kernel/debug type debugfs (rw)
| udev on /dev type tmpfs (rw)
| devpts on /dev/pts type devpts (rw,mode=0620,gid=5)
| /dev/sda3 on /var type ext2 (rw,noatime,relatime,acl,user_xattr)
| /dev/sdb2 on /dados type ext2 (rw,nosuid,nodev,noatime,relatime,acl,user_xattr)
| /tmp on /tmp type tmpfs (rw,size=400M)
| /dev/sdc2 on /media/SD type vfat (rw,noexec,nosuid,nodev,noatime,relatime,gid=100,umask=0002,utf8=true)
| fusectl on /sys/fs/fuse/connections type fusectl (rw)
| gvfs-fuse-daemon on /home/cmartins/.gvfs type fuse.gvfs-fuse-daemon (rw,nosuid,nodev,user=cmartins)

3) Informix group:

| root@note-cim:/# grep informix /etc/group
| dialout:x:16:cmartins,informix
| video:x:33:cmartins,informix
| informix:!:1000:
|
| root@note-cim:/# grep informix /etc/passwd
| informix:x:1001:1000:DBSA Informix:/home/informix:/bin/bash

4) About /INFORMIXTMP creation. Looking at the / (root) mount:

| root@note-cim:~# ls -la / |head -n3
| total 104
| drwxr-xr-x 23 root root 4096 2009-04-05 11:40 .
| drwxr-xr-x 23 root root 4096 2009-04-05 11:40 ..

I don't create /INFORMIXTMP manually; I just remove it with "rm -rf /INFORMIXTMP". It is created only when I execute "oninit" as "root" or "root + myexec".
Here are the permissions of /INFORMIXTMP when executing "oninit" with "root" and "myexec":

| root@note-cim:/# id
| uid=0(root) gid=0(root) groups=0(root)
|
| root@note-cim:/# rm -rf /INFORMIXTMP
| removed `/INFORMIXTMP/.infxdirs'
| removed `/INFORMIXTMP/.idsmoon.alarm'
| removed directory: `/INFORMIXTMP'
|
| root@note-cim:/# echo $INFORMIXSERVER
| idsmoon
|
| root@note-cim:/# chown :root /ifmxdados/*
| root@note-cim:/# oninit -iy
| root@note-cim:/# onstat -
|
| IBM Informix Dynamic Server Version 11.50.UC3DE -- On-Line -- Up 00:00:42 -- 144144 Kbytes
|
| root@note-cim:/# ls -la /INFORMIXTMP
| total 12
| drwxrwxr-t 2 informix informix 4096 2009-04-05 12:30 .
| drwxr-xr-x 24 root root 4096 2009-04-05 12:30 ..
| -rw-rw-r-- 1 root root 22 2009-04-05 12:30 .infxdirs
| srwxrwx--- 1 root root 0 2009-04-05 12:30 VP.idsmoon.010100s
|
| root@note-cim:/# onmode -ky
|
| root@note-cim:/# chown :informix /ifmxdados/*
|
| root@note-cim:/# rm -rf /INFORMIXTMP
| removed `/INFORMIXTMP/.infxdirs'
| removed `/INFORMIXTMP/.idsmoon.alarm'
| removed directory: `/INFORMIXTMP'
|
| root@note-cim:/# myexec 1001 1000 "oninit -iy"
| argc = 4
|   arg 0 = myexec
|   arg 1 = 1001
|   arg 2 = 1000
|   arg 3 = oninit -iy
|
| Setting Effective UID = 1001 GID = 1000
| Effective / Real UID/GID defined:
| uid=0 gid=1000 euid=0 egid=1000
|
| Executing oninit -iy
|
| root@note-cim:/# ls -la /INFORMIXTMP/
| total 12
| drwxrwxr-t 2 informix informix 4096 2009-04-05 12:37 .
| drwxr-xr-x 24 root root 4096 2009-04-05 12:37 ..
| -rw-rw-r-- 1 root informix 22 2009-04-05 12:37 .infxdirs
| srwxrwx--- 1 root informix 0 2009-04-05 12:37 VP.idsmoon.010100s

5) Now, about setfsuid: I don't know if the test I executed is what you expected. I replaced setregid with setfsuid and setfsgid; this is part of the C code (myexec2.c):

| #include <stdio.h>
| #include <stdlib.h>
| #include <sys/fsuid.h>
|
| int main(int argc, char *argv[] ) {
|   if ( argc != 4 ) {
|     printf("\nInvalid Parameters!\nsyntax: [uid] [gid] [command]\n\n");
|     exit(1) ;
|   }
|   int i,old_uid, old_gid;
|   old_uid=0;
|   old_gid=0;
|   printf("argc = %i\n", argc );
|   for (i = 0 ; i <= argc-1 ; i++) printf("\targ %i = %s\n", i, argv[i]);
|
|   printf( "\nSetting FS UID = %s GID = %s\n", argv[1], argv[2]);
|   old_uid=setfsuid(atoi(argv[1])); // define FS user
|   old_gid=setfsgid(atoi(argv[2])); // define FS group
|   printf("Old FS UID/GID : ");
|   printf("uid=%i \t gid=%i\n\n", old_uid, old_gid);
|   // setfsuid/setfsgid return the previous value, so call again to read back what was set
|   old_uid=setfsuid(atoi(argv[1])); // define FS user
|   old_gid=setfsgid(atoi(argv[2])); // define FS group
|   printf("NEW FS UID/GID : ");
|   printf("uid=%i \t gid=%i\n\n", old_uid, old_gid);
|
|   printf("Executing %s\n", argv[3] );
|   system(argv[3]);
|   return 0;
| }

Here is the execution as the "root" user; I don't see any effect:

| root@note-cim:/# rm -rf /INFORMIXTMP/
| removed `/INFORMIXTMP/.infxdirs'
| removed `/INFORMIXTMP/.idsmoon.alarm'
| removed directory: `/INFORMIXTMP'
|
| root@note-cim:/# myexec2 1001 1000 "oninit -ivy"
| argc = 4
|   arg 0 = myexec2
|   arg 1 = 1001
|   arg 2 = 1000
|   arg 3 = oninit -ivy
|
| Setting FS UID = 1001 GID = 1000
| Old FS UID/GID : uid=0 gid=0
|
| NEW FS UID/GID : uid=1001 gid=1000
|
| Executing oninit -ivy
| Checking group membership to determine server run mode...succeeded
| Reading configuration file '/opt/IBM/ids1150uc3de/etc/onconfig.idsmoon'...succeeded
| Creating /INFORMIXTMP/.infxdirs...succeeded
| Creating infos file "/opt/IBM/ids1150uc3de/etc/.infos.idsmoon"...succeeded
| Linking conf file "/opt/IBM/ids1150uc3de/etc/.conf.idsmoon"...succeeded
| Checking config parameters...succeeded
| Writing to infos file...succeeded
| Allocating and attaching to shared memory...succeeded
| Creating resident pool 10570 kbytes...succeeded
| Allocating 100016 kbytes for buffer pool of 2K page size...succeeded
| Initializing rhead structure...succeeded
| Initialization of Encryption...succeeded
| Initializing ASF...succeeded
| Initializing Dictionary Cache and SPL Routine Cache...succeeded
| Bringing up ADM VP...succeeded
| Creating VP classes...succeeded
| Onlining 0 additional cpu vps...succeeded
| Onlining 2 IO vps...succeeded
| Forking main_loop thread...succeeded
| Initializing DR structures...succeeded
| Forking 1 'soctcp' listener threads...succeeded
| Starting tracing...succeeded
| Initializing 8 flushers...succeeded
| FAILED
|
| WARNING: server initialization failed, or possibly timed out (if -w was used).
| Check the message log, online.log, for errors.
|
| root@note-cim:/# onstat -m
| shared memory not initialized for INFORMIXSERVER 'idsmoon'
|
| Message Log File: /opt/IBM/ids1150uc3de/log/online.log
| 13:24:21 Warning: The IBM IDS Developer Edition license restriction limits
| 13:24:21 the total shared memory size for this server to 1048576 KB.
| 13:24:21 The size has been reset to the limit to bring up the database server.
|
| Sun Apr 5 13:24:22 2009
|
| 13:24:22 Event alarms enabled. ALARMPROG = '/opt/IBM/ids1150uc3de/etc/alarmprogram.sh'
| 13:24:22 Booting Language <c> from module <>
| 13:24:22 Loading Module <CNULL>
| 13:24:22 Booting Language <builtin> from module <>
| 13:24:22 Loading Module <BUILTINNULL>
| 13:24:27 DR: DRAUTO is 0 (Off)
| 13:24:27 DR: ENCRYPT_HDR is 0 (HDR encryption Disabled)
| 13:24:27 Event notification facility epoll enabled.
| 13:24:28 IBM Informix Dynamic Server Version 11.50.UC3DE Software Serial Number AAA#B000000
| 13:24:28 The chunk '/ifmxdados/L_rootdbs.ch1' must have owner-ID "informix" and group-ID "root".
|
| 13:24:28 IBM Informix Dynamic Server Stopped.
|
| 13:24:28 mt_shm_remove: WARNING: may not have removed all/correct segments
|
| root@note-cim:/# ls -la /INFORMIXTMP/
| total 16
| drwxrwxr-t 2 informix informix 4096 2009-04-05 13:24 .
| drwxr-xr-x 24 root root 4096 2009-04-05 13:24 ..
| -rw-rw---- 1 informix informix 69 2009-04-05 13:24 .idsmoon.alarm
| -rw-rw-r-- 1 root root 22 2009-04-05 13:24 .infxdirs

6) About the "capabilities" mechanism, I don't know...

7) Just one more thing. I'm not an expert C developer, but trying to understand the problem, I executed "strace -f -o /tmp/trace.informix oninit -iyv" as the "informix" user and don't see at any moment a call to change the effective/real uid/gid to root; as far as I know, this is necessary to use SETUID (to root).

| informix@note-cim:~> strace -f -o /tmp/trace.informix oninit -iyv
| Checking group membership to determine server run mode...succeeded
| Reading configuration file '/opt/IBM/ids1150uc3de/etc/onconfig.idsmoon'...succeeded
| Creating /INFORMIXTMP/.infxdirs...FAILED
| Creating infos file "/opt/IBM/ids1150uc3de/etc/.infos.idsmoon"...succeeded
| ...
|
| root@note-cim:/tmp# egrep -i "[gu]id|INFORMIXTMP" trace.informix | head -20
| 16937 getuid32() = 1001
| 16937 geteuid32() = 1001
| 16937 getgid32() = 1000
| 16937 getegid32() = 1000
| 16937 setuid32(1001) = 0
| 16939 getuid32() = 1001
| 16939 getuid32() = 1001
| 16939 geteuid32() = 1001
| 16939 write(4, "Creating /INFORMIXTMP/.infxdirs."..., 34) = 34
| 16937 <... read resumed> "Creating /INFORMIXTMP/.infxdirs."..., 4096) = 34
| 16939 stat64("/INFORMIXTMP", <unfinished ...>
| 16939 mkdir("/INFORMIXTMP", 01775) = -1 EACCES (Permission denied)
| 16937 write(1, "Creating /INFORMIXTMP/.infxdirs."..., 41 <unfinished ...>
| 16939 getuid32() = 1001
| 16939 geteuid32() = 1001

Cesar
Did you try another release? What happens if you install FC1?
Vagner
Yes, I tried IDS 11.50 UC1 Developer. Same behavior...

--- On Mon, 6/4/09, Vagner <vagner...@ig.com.br> wrote:

Date: Monday, April 6, 2009, 19:22