
[LDM #VWJ-362177]: ldm will not start - hupsyslog issue?



Hi Chris,

Steve Emmerson, Mike Schmidt (head Unidata system administrator), and I have
been looking at the LDM setup on blizzard, and we now know what is going on:

'setuid root' applications located in /home/ldm/bin will not run as
root even though their permissions look correct:

> ls -alt bin/hupsyslog bin/ldmd
-rwsr-xr-x. 1 root users 114359 Aug 14 16:15 bin/ldmd
-rwsr-xr-x. 1 root users 11199 Aug 14 16:15 /home/ldm/bin/hupsyslog

and the mount of /data/home on /home does not specify notsetuid:

> mount
 ...
/data/local on /usr/local type none (rw,bind,_netdev)

It must be the case that the system that is making /data/home available is
configured to not allow routines to run with setuid root.

We proved this assertion to be the case by copying 'hupsyslog' from the
/home/ldm/bin directory to /bin and verifying that the user 'ldm' can
run the copy successfully:

<as 'root'>
cp /home/ldm/bin/hupsyslog /bin
chmod u+s /bin/hupsyslog

<as 'ldm'>
> which hupsyslog
/home/ldm/bin/hupsyslog

> hupsyslog
hupsyslog: couldn't open /var/run/syslogd.pid

> /bin/hupsyslog
-- no errors, no warnings

<as 'root'>
# tail -2 /var/log/messages
Aug 15 15:44:01 blizzard kernel: type=1400 audit(1345059841.816:49054): avc:  denied  { open } for  pid=20011 comm="httpd" name="Image2.jpg" dev=dm-6 ino=125175197 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
Aug 15 15:47:13 blizzard rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="25194" x-info="http://www.rsyslog.com"] rsyslogd was HUPed

Recommended solution:

Since the LDM server 'ldmd' also needs to run with setuid root permission (at
startup to get port 388 only; it then reverts to running as 'ldm'), the LDM
will not run correctly when installed in /home.  We recommend, therefore, that
the HOME directory of 'ldm' be moved to a local file system.  Example of what
we would do:

<as 'root'>
mkdir /local
mkdir /local/ldm
chown ldm:users /local/ldm

Install the LDM in /local/ldm AND make sure that the LDM queue is also
located in /local/ldm (e.g., in /local/ldm/var/queues).

NB: when you make this move, you will have to change accounting information
for 'ldm':

<as 'root'>
vipw
-- change the HOME directory for 'ldm' from /home/ldm to /local/ldm

After the LDM is moved to a file system where running setuid programs
is allowed, the LDM will start and run correctly, and hupsyslog will
successfully send a HUP signal to the rsyslogd daemon, thus allowing
LDM log files to be rotated.

We are happy to make the various changes for you.  Please let us know
if you would like us to do the work (we would send a step-by-step list of
exactly what we did) or if you would rather do the work yourself.

Cheers,

Tom
--
****************************************************************************
Unidata User Support                                    UCAR Unidata Program
(303) 497-8642                                                 P.O. Box 3000
address@hidden                                   Boulder, CO 80307
----------------------------------------------------------------------------
Unidata HomePage                       http://www.unidata.ucar.edu
****************************************************************************


Ticket Details
===================
Ticket ID: VWJ-362177
Department: Support LDM
Priority: Normal
Status: Closed
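The diagnosis in the message above (a setuid-root binary under /home silently running unprivileged because the mount that holds it is nosuid) can be checked directly rather than by copying the binary to /bin. The following POSIX shell script is an added example, not part of the original message or of the LDM distribution: it locates the mount that contains a given path in a /proc/self/mounts-style table, reports whether that mount carries nosuid, and confirms the file actually has the setuid bit. The function names are hypothetical, and the mounts table used in the test is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original message or the LDM project).
# Given a path, find the mount that contains it in a /proc/self/mounts-style
# table and report whether that mount is nosuid, which is what silently turns
# a setuid-root binary such as hupsyslog into an ordinary unprivileged program.
# All function names here are hypothetical.

# Print "<mountpoint> <options>" for the longest mount point that contains $1.
# $2 is a file in /proc/self/mounts format:
#   device mountpoint fstype options dump pass
mount_options_for() {
  awk -v p="$1" '
    {
      mp = $2; opts = $4
      # "/" contains everything; otherwise the mount point must be the path
      # itself or a prefix that ends on a "/" boundary (so /home != /homer).
      if (mp == "/" || p == mp || index(p, mp "/") == 1) {
        if (length(mp) > best_len) {
          best_len = length(mp); best_mp = mp; best_opts = opts
        }
      }
    }
    END { if (best_mp != "") print best_mp " " best_opts }
  ' "$2"
}

# Return 0 if the comma-separated option string $1 contains nosuid.
has_nosuid() {
  case ",$1," in
    *,nosuid,*) return 0 ;;
  esac
  return 1
}

# Return 0 if $1 has the setuid bit set (the "s" in "rwsr-xr-x" from ls -l).
is_setuid_file() {
  [ -u "$1" ]
}

# Report whether a setuid binary at $1 can actually gain privilege, judged
# from the mounts table $2 (default: the live kernel table).
# Exit status 0 = mount honours setuid, 1 = mount is nosuid.
check_setuid_binary() {
  csb_table=${2:-/proc/self/mounts}
  csb_line=$(mount_options_for "$1" "$csb_table")
  csb_mp=${csb_line%% *}
  csb_opts=${csb_line#* }
  if has_nosuid "$csb_opts"; then
    echo "NOSUID: $1 is on $csb_mp ($csb_opts); the setuid bit is ignored here"
    return 1
  fi
  echo "OK: $1 is on $csb_mp ($csb_opts); setuid is honoured"
  return 0
}

# Stand-alone use: check each path given on the command line against the
# live mounts table, e.g.   sh check_setuid.sh /home/ldm/bin/hupsyslog
for csb_path in "$@"; do
  if is_setuid_file "$csb_path"; then
    check_setuid_binary "$csb_path"
  else
    echo "NOTE: $csb_path does not have the setuid bit set at all"
  fi
done
```

On a live system, `findmnt -T /home/ldm/bin/hupsyslog -o TARGET,SOURCE,OPTIONS` gives the same answer from the kernel's own view and is the quicker check for bind and network mounts like the one in the message; the script above is useful when you only have a captured mounts table from the affected host. Either way, a NOSUID result means the fix is the one recommended above: install the setuid binaries on a local file system that honours the bit, rather than changing their permissions.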