Hi,

I've discovered monit a few months ago and I am really delighted with it. However, last week I've found a weird problem which, honestly, I do not know how to solve.

I have some machines running Ubuntu 12.04, so the monit version is not the latest. Monit should make sure that a certain program runs owned by a certain unprivileged user. One of this program's plugins needs to access the serial port, but I am constantly getting permission errors. If I run the program directly with the same user, I do not get any errors. Let me explain how the user and group permissions are:

 * The serial port device is "/dev/ttyS0". Owner: root. Group: dialout.
   Permissions 660. This is the standard configuration for the serial
   ports in Ubuntu
 * The user main group is its own (for instance, user "sinho", group
   "sinho"), but it belongs to the group "dialout" nevertheless.

Please find attached a monit configuration file ("test_python_monit") and a python program ("test.py") that I've used to demonstrate the issue. I'm using "process" and not "program", because the monit version in 12.04 does not yet support a "program" check with arguments. In order to run this in your computer, you should change "test_python_monit" to include the actual path to the "test.py" file in your system, and your own user name.

All in all, the results I get with this test (which are the same as with the real program) are like this. Using the attached configuration file and running "monit validate":

   'python' process is not running
   'python' trying to restart
   'python' start: /usr/bin/python
   User: 1000
   Group: 1000
   Efective User: 1000
   Efective Group: 1000
   Serial port owner 0 can read, can write and cannot execute
   Serial port group 20 can read, can write and cannot execute
   Serial port others cannot read, cannot write and cannot execute
   Can we read? No
   Can we write? No
   Can we execute? No

Running the "test.py" script directly, I get:

   User: 1000
   Group: 1000
   Efective User: 1000
   Efective Group: 1000
   Serial port owner 0 can read, can write and cannot execute
   Serial port group 20 can read, can write and cannot execute
   Serial port others cannot read, cannot write and cannot execute
   Can we read? Yes
   Can we write? Yes
   Can we execute? No

So I guess the issue is that, with monit, the additional groups are not taken into account for some reason. But changing the group in the monit configuration is not an option, because the program I am using does some kind of user authorization using the group permissions.

Any idea of how this can be solved?

Thanks for your help
--
Rubén Pérez Vázquez

*Universität zu Köln*
/Regionales Rechenzentrum (RRZK)/
Weyertal 121, Raum 4.05
D-50931 Köln
✆: +49-221-470-89603
check process python matching "^python [a-zA-Z/]*test.py$" 
      start program = "/usr/bin/python 
/home/sinho/workspace/monit_permissions/test.py"
      as uid sinho and gid sinho with timeout 30 seconds
      stop program = "/bin/echo"
      as uid sinho and gid sinho with timeout 30 seconds


#! /usr/bin/env python
# -*- coding: utf-8 -*-

import os
import stat

port="/dev/ttyS0"

print "User: {}\nGroup: {}\nEfective User: {}\nEfective Group: {}".format(os.getuid(), os.getgid(), os.geteuid(), os.getegid())
perm = os.stat(port)
print "Serial port owner {} can{} read, can{} write and can{} execute".format(perm.st_uid, *[ "" if perm.st_mode & mask else "not" for mask in [stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR]])
print "Serial port group {} can{} read, can{} write and can{} execute".format(perm.st_gid, *[ "" if perm.st_mode & mask else "not" for mask in [stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP]])
print "Serial port others can{} read, can{} write and can{} execute".format(*[ "" if perm.st_mode & mask else "not" for mask in [stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH]])
print "Can we read? {}".format("Yes" if os.access(port, os.R_OK) else "No")
print "Can we write? {}".format("Yes" if os.access(port, os.W_OK) else "No")
print "Can we execute? {}".format("Yes" if os.access(port, os.X_OK) else "No")
--
To unsubscribe:
https://lists.nongnu.org/mailman/listinfo/monit-general

Reply via email to