[Bacula-users] Webacula cannot execute bconsole
This way is one way to do it using /etc/sudoers file. Just make sure you read up on sudo beforehand. /etc/sudoers: # group %httpd ALL=NOPASSWD: /usr/bin/bconsole # user httpdALL=NOPASSWD: /usr/bin/bconsole Regardless of which way you go, any outside bconsole access is always dangerous and if the web interface is not proper sanitized it is dangerous no matter if you use sudo, fixing up selinux, etc... I've written php scripts to allow remote DB admins to initiate job scheduling using wget to a web URL and all it does it tell bconsole to schedule a job and who and what type. (To avoid setting up ACL's in bconsole for this purpose) +-- |This was sent by ccs...@hotmail.com via Backup Central. |Forward SPAM to ab...@backupcentral.com. +-- -- LogMeIn Rescue: Anywhere, Anytime Remote support for IT. Free Trial Remotely access PCs and mobile devices and provide instant support Improve your efficiency, and focus on delivering more value-add services Discover what IT Professionals Know. Rescue delivers http://p.sf.net/sfu/logmein_12329d2d ___ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users
Re: [Bacula-users] Webacula cannot execute bconsole
I was finally able to resolve this issue, so I wanted to post what worked for me. Because of the numerous changes made to try to fix this, I don't know the minimum changes required to fix it, but my best guess is: 1. verify permissions on Webacula webroot and all contents are: rwxr-xr-x. apache apache 2. reset SELinux contexts on Webacula webroot to defaults 3. change SELinux contexts on Webacula webroot and all contents to: system_u:object_r:httpd_sys_content_t:s0 I don't know if number 2 is required, but I completed 1 and 3 above prior to today, but still got the error. After completing both 2 and 3 today, it worked. Thanks for all the help. On 11/21/2012 7:28 AM, Clark, Patricia A. wrote: From: Ryan Jantz rja...@scifit.commailto:rja...@scifit.com Date: Tuesday, November 20, 2012 6:06 PM To: "bacula-users@lists.sourceforge.netmailto:bacula-users@lists.sourceforge.net" bacula-users@lists.sourceforge.netmailto:bacula-users@lists.sourceforge.net Subject: Re: [Bacula-users] Webacula cannot execute bconsole Hello again. So I've been reading and learning (a little) about SELinux today, but I haven't made much progress. Setting selinux to permissive resolves the error. Selinux context on my /var/www/webacula is: drwxr-xr-x. apache apache system_u:object_r:httpd_sys_content_t:s0 Entries in /var/log/messages are: bconsole: bsock.c:135 Unable to connect to Director daemon on localhost:9101. ERR=Permission denied My interpretation of that error is bconsole is not able to connect to bacula-dir, but I can manually start bconsole. It seems the problem is when apache or webacula tries to start bconsole Selinux context on /usr/sbin/bacula-dir: lrwxrwxrwx. root root unconfined_u:object_r:bin_t:s0 Selinux context on /usr/sbin/bconsole -rwxr-x---. root bacula system_u:object_r:bin_t:s0 I'm not sure what permissions need to be modified. Any ideas? Thanks On 11/20/2012 6:31 AM, Ryan Jantz wrote: Yes. I figured out SELinux is the problem. If I disable it, the errors stop. Now to figure out how to configure SELinux so it plays nice with Apache. Thanks On Nov 20, 2012, at 2:17 AM, Rados3aw Korzeniewski rados...@korzeniewski.netmailto:rados...@korzeniewski.net wrote: Hello, 2012/11/19 Ryan Jantz rja...@scifit.commailto:rja...@scifit.com I am able to run the above command in terminal as root and the apache user without any errors. The apache user is a member of the bacula group. (...) Any ideas? Did you restart an apache webserver? best regards -- Rados3aw Korzeniewski rados...@korzeniewski.netmailto:rados...@korzeniewski.net -- SELinux is not a simple modify permissions type of fix. You will need to create the policies within SELinux in order to provide the "permissions" in the extended attributes that allows Webacula to interact with the director. This is not a trivial exercise, but would be quite valuable to the community if successful. This is why many shops don't consistently use SELinux in enforcing mode. Patti Clark Linux System Administrator Research and Development Systems Support Oak Ridge National Laboratory -- Monitor your physical, virtual and cloud infrastructure from a single web console. Get in-depth insight into apps, servers, databases, vmware, SAP, cloud infrastructure, etc. Download 30-day Free Trial. Pricing starts from $795 for 25 servers or applications! http://p.sf.net/sfu/zoho_dev2dev_nov ___ Bacula-users mailing list Bacula-users@l
Re: [Bacula-users] Webacula cannot execute bconsole
From: Ryan Jantz rja...@scifit.commailto:rja...@scifit.com Date: Tuesday, November 20, 2012 6:06 PM To: bacula-users@lists.sourceforge.netmailto:bacula-users@lists.sourceforge.net bacula-users@lists.sourceforge.netmailto:bacula-users@lists.sourceforge.net Subject: Re: [Bacula-users] Webacula cannot execute bconsole Hello again. So I've been reading and learning (a little) about SELinux today, but I haven't made much progress. Setting selinux to permissive resolves the error. Selinux context on my /var/www/webacula is: drwxr-xr-x. apache apache system_u:object_r:httpd_sys_content_t:s0 Entries in /var/log/messages are: bconsole: bsock.c:135 Unable to connect to Director daemon on localhost:9101. ERR=Permission denied My interpretation of that error is bconsole is not able to connect to bacula-dir, but I can manually start bconsole. It seems the problem is when apache or webacula tries to start bconsole Selinux context on /usr/sbin/bacula-dir: lrwxrwxrwx. root root unconfined_u:object_r:bin_t:s0 Selinux context on /usr/sbin/bconsole -rwxr-x---. root bacula system_u:object_r:bin_t:s0 I'm not sure what permissions need to be modified. Any ideas? Thanks On 11/20/2012 6:31 AM, Ryan Jantz wrote: Yes. I figured out SELinux is the problem. If I disable it, the errors stop. Now to figure out how to configure SELinux so it plays nice with Apache. Thanks On Nov 20, 2012, at 2:17 AM, Radosław Korzeniewski rados...@korzeniewski.netmailto:rados...@korzeniewski.net wrote: Hello, 2012/11/19 Ryan Jantz rja...@scifit.commailto:rja...@scifit.com I am able to run the above command in terminal as root and the apache user without any errors. The apache user is a member of the bacula group. (...) Any ideas? Did you restart an apache webserver? best regards -- Radosław Korzeniewski rados...@korzeniewski.netmailto:rados...@korzeniewski.net -- SELinux is not a simple modify permissions type of fix. You will need to create the policies within SELinux in order to provide the permissions in the extended attributes that allows Webacula to interact with the director. This is not a trivial exercise, but would be quite valuable to the community if successful. This is why many shops don't consistently use SELinux in enforcing mode. Patti Clark Linux System Administrator Research and Development Systems Support Oak Ridge National Laboratory -- Monitor your physical, virtual and cloud infrastructure from a single web console. Get in-depth insight into apps, servers, databases, vmware, SAP, cloud infrastructure, etc. Download 30-day Free Trial. Pricing starts from $795 for 25 servers or applications! http://p.sf.net/sfu/zoho_dev2dev_nov ___ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users
Re: [Bacula-users] Webacula cannot execute bconsole
Can you do the following? I'm assuming you are on Fedora or RHEL 1) Install the policycoreutils-python 2) Erase the audit log 3) Launch webacula 4) Check for denials In detail # yum -y install policycoreutils-python # /var/log/audit/audit.log [start webacula or whatever] # audit2allow -a Please paste the output here. Probably it can be fixed by a SELinux boolean or a context change on the binary. Regards, --Simone On 21 November 2012 14:28, Clark, Patricia A. clar...@ornl.gov wrote: From: Ryan Jantz rja...@scifit.commailto:rja...@scifit.com Date: Tuesday, November 20, 2012 6:06 PM To: bacula-users@lists.sourceforge.netmailto:bacula-users@lists.sourceforge.net bacula-users@lists.sourceforge.netmailto:bacula-users@lists.sourceforge.net Subject: Re: [Bacula-users] Webacula cannot execute bconsole Hello again. So I've been reading and learning (a little) about SELinux today, but I haven't made much progress. Setting selinux to permissive resolves the error. Selinux context on my /var/www/webacula is: drwxr-xr-x. apache apache system_u:object_r:httpd_sys_content_t:s0 Entries in /var/log/messages are: bconsole: bsock.c:135 Unable to connect to Director daemon on localhost:9101. ERR=Permission denied My interpretation of that error is bconsole is not able to connect to bacula-dir, but I can manually start bconsole. It seems the problem is when apache or webacula tries to start bconsole Selinux context on /usr/sbin/bacula-dir: lrwxrwxrwx. root root unconfined_u:object_r:bin_t:s0 Selinux context on /usr/sbin/bconsole -rwxr-x---. root bacula system_u:object_r:bin_t:s0 I'm not sure what permissions need to be modified. Any ideas? Thanks On 11/20/2012 6:31 AM, Ryan Jantz wrote: Yes. I figured out SELinux is the problem. If I disable it, the errors stop. Now to figure out how to configure SELinux so it plays nice with Apache. Thanks On Nov 20, 2012, at 2:17 AM, Radosław Korzeniewski rados...@korzeniewski.netmailto:rados...@korzeniewski.net wrote: Hello, 2012/11/19 Ryan Jantz rja...@scifit.commailto:rja...@scifit.com I am able to run the above command in terminal as root and the apache user without any errors. The apache user is a member of the bacula group. (...) Any ideas? Did you restart an apache webserver? best regards -- Radosław Korzeniewski rados...@korzeniewski.netmailto:rados...@korzeniewski.net -- SELinux is not a simple modify permissions type of fix. You will need to create the policies within SELinux in order to provide the permissions in the extended attributes that allows Webacula to interact with the director. This is not a trivial exercise, but would be quite valuable to the community if successful. This is why many shops don't consistently use SELinux in enforcing mode. Patti Clark Linux System Administrator Research and Development Systems Support Oak Ridge National Laboratory -- Monitor your physical, virtual and cloud infrastructure from a single web console. Get in-depth insight into apps, servers, databases, vmware, SAP, cloud infrastructure, etc. Download 30-day Free Trial. Pricing starts from $795 for 25 servers or applications! http://p.sf.net/sfu/zoho_dev2dev_nov ___ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users -- You cannot discover new oceans unless you have the courage to lose sight of the shore (R. W. Emerson). -- Monitor your physical, virtual and cloud infrastructure from a single web console. Get in-depth insight into apps, servers, databases, vmware, SAP, cloud infrastructure, etc. Download 30-day Free Trial. Pricing starts from $795 for 25 servers or applications! http://p.sf.net/sfu/zoho_dev2dev_nov ___ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users
Re: [Bacula-users] Webacula cannot execute bconsole
Hello, 2012/11/19 Ryan Jantz rja...@scifit.com I am able to run the above command in terminal as root and the apache user without any errors. The apache user is a member of the bacula group. (...) Any ideas? Did you restart an apache webserver? best regards -- Radosław Korzeniewski rados...@korzeniewski.net -- Monitor your physical, virtual and cloud infrastructure from a single web console. Get in-depth insight into apps, servers, databases, vmware, SAP, cloud infrastructure, etc. Download 30-day Free Trial. Pricing starts from $795 for 25 servers or applications! http://p.sf.net/sfu/zoho_dev2dev_nov___ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users
Re: [Bacula-users] Webacula cannot execute bconsole
Yes. I figured out SELinux is the problem. If I disable it, the errors stop. Now to figure out how to configure SELinux so it plays nice with Apache. Thanks On Nov 20, 2012, at 2:17 AM, Radosław Korzeniewski rados...@korzeniewski.net wrote: Hello, 2012/11/19 Ryan Jantz rja...@scifit.com I am able to run the above command in terminal as root and the apache user without any errors. The apache user is a member of the bacula group. (...) Any ideas? Did you restart an apache webserver? best regards -- Radosław Korzeniewski rados...@korzeniewski.net -- Monitor your physical, virtual and cloud infrastructure from a single web console. Get in-depth insight into apps, servers, databases, vmware, SAP, cloud infrastructure, etc. Download 30-day Free Trial. Pricing starts from $795 for 25 servers or applications! http://p.sf.net/sfu/zoho_dev2dev_nov ___ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users -- Monitor your physical, virtual and cloud infrastructure from a single web console. Get in-depth insight into apps, servers, databases, vmware, SAP, cloud infrastructure, etc. Download 30-day Free Trial. Pricing starts from $795 for 25 servers or applications! http://p.sf.net/sfu/zoho_dev2dev_nov___ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users
Re: [Bacula-users] Webacula cannot execute bconsole
Hello again. So I've been reading and learning (a little) about SELinux today, but I haven't made much progress. Setting selinux to permissive resolves the error. Selinux context on my /var/www/webacula is: drwxr-xr-x. apache apache system_u:object_r:httpd_sys_content_t:s0 Entries in /var/log/messages are: bconsole: bsock.c:135 Unable to connect to Director daemon on localhost:9101. ERR=Permission denied My interpretation of that error is bconsole is not able to connect to bacula-dir, but I can manually start bconsole. It seems the problem is when apache or webacula tries to start bconsole Selinux context on /usr/sbin/bacula-dir: lrwxrwxrwx. root root unconfined_u:object_r:bin_t:s0 Selinux context on /usr/sbin/bconsole -rwxr-x---. root bacula system_u:object_r:bin_t:s0 I'm not sure what permissions need to be modified. Any ideas? Thanks On 11/20/2012 6:31 AM, Ryan Jantz wrote: Yes. I figured out SELinux is the problem. If I disable it, the errors stop. Now to figure out how to configure SELinux so it plays nice with Apache. Thanks On Nov 20, 2012, at 2:17 AM, Radosaw Korzeniewski rados...@korzeniewski.net wrote: Hello, 2012/11/19 Ryan Jantz rja...@scifit.com I am able to run the above command in terminal as root and the apache user without any errors. The apache user is a member of the bacula group. (...) Any ideas? Did you restart an apache webserver? best regards -- Radosaw Korzeniewski rados...@korzeniewski.net
[Bacula-users] Webacula cannot execute bconsole
Hello, I've been banging around on this for a couple days, searching the web with no solution yet. I'm hoping someone can help. I installed Bacula 5.0.0 on CentOS 6.3 and it works fine. I installed Webacula 5.5.1 and am getting the following error when logging in: ERROR: There was a problem executing bconsole. See below. ERROR Command: /usr/sbin/bconsole -n -c /etc/bacula/bconsole.conf output: Connecting to Director localhost:9101 I am able to run the above command in terminal as root and the apache user without any errors. The apache user is a member of the bacula group. The bacula groups permissions are: r-- on /etc/bacula/bconsle.conf r-x on /usr/sbin/bconsole I also set apache as the owner of /etc/bacula/bconsole.conf and /usr/sbin/bconsole, with no change in bahavior. Related lines in Webacula's config.ini: bacula.sudo = "" bacula.bconsole = "/usr/sbin/bconsole" bacula.bconsolecmd = " -n -c /etc/bacula/bconsole.conf" Any ideas? Thanks -- Monitor your physical, virtual and cloud infrastructure from a single web console. Get in-depth insight into apps, servers, databases, vmware, SAP, cloud infrastructure, etc. Download 30-day Free Trial. Pricing starts from $795 for 25 servers or applications! http://p.sf.net/sfu/zoho_dev2dev_nov___ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users
Re: [Bacula-users] Webacula cannot execute bconsole
On Mon, Nov 19, 2012 at 12:14 PM, Ryan Jantz rja...@scifit.com wrote: Hello, I've been banging around on this for a couple days, searching the web with no solution yet. I'm hoping someone can help. I installed Bacula 5.0.0 on CentOS 6.3 and it works fine. I installed Webacula 5.5.1 and am getting the following error when logging in: ERROR: There was a problem executing bconsole. See below. ERROR Command: /usr/sbin/bconsole -n -c /etc/bacula/bconsole.conf output: Connecting to Director localhost:9101 Is bacula listening on localhost ? It probably should not be since that could prevent bacula from being a network backup program.. John -- Monitor your physical, virtual and cloud infrastructure from a single web console. Get in-depth insight into apps, servers, databases, vmware, SAP, cloud infrastructure, etc. Download 30-day Free Trial. Pricing starts from $795 for 25 servers or applications! http://p.sf.net/sfu/zoho_dev2dev_nov ___ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users
Re: [Bacula-users] Webacula cannot execute bconsole
Yes, bconsole is looking for the director using "localhost". All Bacula components and Webacula are running on the same server. I replaced localhost with the servers hostname, same results. Bacula itself seems to be working fine. Prior to installing Webacula I confirmed I was able to backup and restore local volumes as well as data on remote clients. Thanks Ryan On 11/19/2012 11:30 AM, John Drescher wrote: On Mon, Nov 19, 2012 at 12:14 PM, Ryan Jantz rja...@scifit.com wrote: Hello, I've been banging around on this for a couple days, searching the web with no solution yet. I'm hoping someone can help. I installed Bacula 5.0.0 on CentOS 6.3 and it works fine. I installed Webacula 5.5.1 and am getting the following error when logging in: ERROR: There was a problem executing bconsole. See below. ERROR Command: /usr/sbin/bconsole -n -c /etc/bacula/bconsole.conf output: Connecting to Director localhost:9101 Is bacula listening on localhost ? It probably should not be since that could prevent bacula from being a network backup program.. John -- Monitor your physical, virtual and cloud infrastructure from a single web console. Get in-depth insight into apps, servers, databases, vmware, SAP, cloud infrastructure, etc. Download 30-day Free Trial. Pricing starts from $795 for 25 servers or applications! http://p.sf.net/sfu/zoho_dev2dev_nov___ Bacula-users mailing list Bacula-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bacula-users