Re: strange pw behaviour
On Friday 02 July 2004 20:25, Charles Swiger wrote:

> How many groups is the www user in? By default, the system only permits a user to belong to up to 16 groups...

That fits. User www is in 19 groups total and gets Permission denied on three. Thanks a lot for the hint Chuck!

I found the sysctl knob kern.ngroups, too bad it's read only. I don't think I'm going to reboot and change that, so I'll have to think about another permission model, which seems to be smarter anyway, now that I know about the max groups restriction.

Again, thanks a lot for the hint, at least I'm a bit smarter now :)

Cheers
Jonas

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
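The limit discussed in this message, as an added example that is not part of the thread: a sh/awk audit that lists which of a user's group-file memberships fall past the limit. It assumes the limit (16, from the thread) counts the primary group as one slot and that the remaining slots are filled in group-file order, which is consistent with the reordering effect reported in the thread; the function names and the sample data are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): show which of a user's group
# memberships fall past the per-user group limit (16 per the thread).
# Assumed model: the primary group takes one slot and the remaining slots
# are filled in group-file order; entries after that are ignored.

# over_limit_groups GROUPFILE USER [LIMIT]
# Prints "kept NAME GID" or "dropped NAME GID" for each membership.
over_limit_groups() {
    awk -F: -v user="$2" -v limit="${3:-16}" '
        /^#/ || NF < 4 { next }          # skip comments and short lines
        {
            n = split($4, members, ",")
            for (i = 1; i <= n; i++) {
                if (members[i] != user) continue
                seen++                   # seen-th supplementary membership
                status = (seen + 1 <= limit) ? "kept" : "dropped"
                print status, $1, $3
                break
            }
        }
    ' "$1"
}

# count_dropped GROUPFILE USER [LIMIT]: number of memberships past the limit.
count_dropped() {
    over_limit_groups "$@" | awk '$1 == "dropped" { c++ } END { print c + 0 }'
}

# Constructed sample: www in 18 supplementary groups (19 with its primary),
# using the u<N>/gid naming style seen in the thread.
make_sample() {
    i=1
    while [ "$i" -le 18 ]; do
        echo "u$((100 + i)):*:$((2100 + i)):www"
        i=$((i + 1))
    done
}

sample=$(mktemp)
make_sample > "$sample"
over_limit_groups "$sample" www | grep '^dropped'
echo "memberships past the limit: $(count_dropped "$sample" www)"
rm -f "$sample"
```

Run against the jail's own group file (for example `over_limit_groups /path/to/jail/etc/group www`) to see which directories' groups would be the ones ignored under this model.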
Re: strange pw behaviour
Hi list,

must ask again... I'm still stuck with this. It's pretty weird.

I have 10 directories each owned by a unique group. All 10 directories are set 750. The groups have been added using pw and user www has been made a member of every group by using pw. This has worked a hundred times. Information is correct in /etc/group.

When I open a session as user www by using su and try to list those 10 directories by using 'ls -l *' I get 6 times the directory contents and 4 times 'Permission denied'. ...All directories are 750 and user www is a member of all groups...

Looking at 'strings /usr/sbin/pw' I see four CVS tags, the newest three years old. So I don't suspect a bug there.

Now what could cause behaviour like this? Where should I keep looking for the problem? Please see the original post too. It seems I'm either missing something here or something is very broken with my jails.

On Friday 25 June 2004 15:00, Jonas Sonntag wrote:

> Any hints would be appreciated.

Any comments, too.. thanks
Re: strange pw behaviour
Jonas Sonntag [EMAIL PROTECTED] wrote:

> Hi list,
>
> must ask again... I'm still stuck with this. It's pretty weird.
>
> I have 10 directories each owned by a unique group. All 10 directories are set 750. The groups have been added using pw and user www has been made a member of every group by using pw. This has worked a hundred times. Information is correct in /etc/group.
>
> When I open a session as user www by using su and try to list those 10 directories by using 'ls -l *' I get 6 times the directory contents and 4 times 'Permission denied'. ...All directories are 750 and user www is a member of all groups...
>
> Looking at 'strings /usr/sbin/pw' I see four CVS tags, the newest three years old. So I don't suspect a bug there.
>
> Now what could cause behaviour like this? Where should I keep looking for the problem? Please see the original post too. It seems I'm either missing something here or something is very broken with my jails.

I saw your previous post, and I'm not sure what's going wrong, but I thought I'd chime in with some guesses, since you're not getting other input.

Did you add the users/groups to the jail, or to the host system? Make sure that the group file you added this to is the same group file that is being used by the program. For example, on one of my jail systems, I have /etc/group, which is pretty stock, and /jail/cgi-jail/etc/group, which has special groups for CGI clients, and /jail/frontpage/etc/group which has groups for clients who use frontpage ... etc.

Make sure that ownerships show up properly in the environment you're using. For example, if you have a user wmoran with uid 1501 in the host system, then a user wmoran in the jail with uid 1427, you're going to find that the permissions don't work out right, because file permissions are based on uid, and the user name is just displayed to make it human-readable. Group IDs are similar.

Administratively, it seems smarter to keep jailed filesystems completely separate from host filesystems, as it makes filesystem permissions easier to not mess up. Don't access jailed filesystems from the host unless you're confident in your ability not to get confused.

Have you looked at /etc/group (or whatever file is applicable) in a text editor to make sure everything is correct? The format is described in man group and is pretty easy to eye parse.

HTH.

--
Bill Moran
Potential Technologies
http://www.potentialtech.com
Re: strange pw behaviour
Hi Bill,

first of all, thanks for the input!

On Friday 02 July 2004 13:58, Bill Moran wrote:

> Did you add the users/groups to the jail, or to the host system? Make sure that the group file you added this to is the same group file that is being used by the program. For example, on one of my jail systems, I have /etc/group, which is pretty stock, and /jail/cgi-jail/etc/group, which has special groups for CGI clients, and /jail/frontpage/etc/group which has groups for clients who use frontpage ... etc.

I'm within the jail only. I'm using pw from the host system, as you can see from the -V switch to pw, but from thereon I'm logging on to the sshd running inside the jail. So I'm talking about user www inside the jail and /etc/group inside the jail.

> Make sure that ownerships show up properly in the environment you're using. For example, if you have a user wmoran with uid 1501 in the host system, then a user wmoran in the jail with uid 1427, you're going to find that the permissions don't work out right, because file permissions are based on uid, and the user name is just displayed to make it human-readable. Group IDs are similar.

I don't have any of the groups on the host system, all of them are inside the jail. Within the jail: All group names are displayed right, according to the entries in /etc/group. User www is a member of all 10 groups. User www can list 6 directories and gets Permission denied on 4 directories.

> Have you looked at /etc/group (or whatever file is applicable) in a text editor to make sure everything is correct? The format is described in man group and is pretty easy to eye parse.

The format is correct, since all modification is done by pw. The text editor part is the funny one: As soon as I move one of my problematic group entries to another position inside the file using vi, it might work and eventually it might break one of the other groups.

I just reordered the file so that the entries are sorted by group id which resulted in 7 directories showing and only 3 showing Permission denied. Sounds weird, right? Still I have no indication what's wrong with the other 3...

I would suspect it might be a host/jail issue, but since I have none of the groups on the host while some _do_ work this is not it. Also, I'm really only working inside the jail environment and everything looks like it should there.

As a sidenote: I have null-mounted the directory in which those 10 directories are located to another jail on the same host system where I have the same problem (showing 5, permission denied on 5 here).

Since I don't suspect a bug in pw, maybe someone could enlighten me which other programs might be involved here and I could recompile those before I reinstall the whole world to those jails (not that I think reinstalling something will help, but I'm lost here).

Thanks again for the input,

Best regards
Jonas
Re: strange pw behaviour
Jonas Sonntag [EMAIL PROTECTED] wrote:

> Hi Bill,
>
> first of all, thanks for the input!
>
> On Friday 02 July 2004 13:58, Bill Moran wrote:
>
> > Did you add the users/groups to the jail, or to the host system? Make sure that the group file you added this to is the same group file that is being used by the program. For example, on one of my jail systems, I have /etc/group, which is pretty stock, and /jail/cgi-jail/etc/group, which has special groups for CGI clients, and /jail/frontpage/etc/group which has groups for clients who use frontpage ... etc.
>
> I'm within the jail only. I'm using pw from the host system, as you can see from the -V switch to pw, but from thereon I'm logging on to the sshd running inside the jail. So I'm talking about user www inside the jail and /etc/group inside the jail.
>
> > Make sure that ownerships show up properly in the environment you're using. For example, if you have a user wmoran with uid 1501 in the host system, then a user wmoran in the jail with uid 1427, you're going to find that the permissions don't work out right, because file permissions are based on uid, and the user name is just displayed to make it human-readable. Group IDs are similar.
>
> I don't have any of the groups on the host system, all of them are inside the jail. Within the jail: All group names are displayed right, according to the entries in /etc/group. User www is a member of all 10 groups. User www can list 6 directories and gets Permission denied on 4 directories.
>
> > Have you looked at /etc/group (or whatever file is applicable) in a text editor to make sure everything is correct? The format is described in man group and is pretty easy to eye parse.
>
> The format is correct, since all modification is done by pw. The text editor part is the funny one: As soon as I move one of my problematic group entries to another position inside the file using vi, it might work and eventually it might break one of the other groups.
>
> I just reordered the file so that the entries are sorted by group id which resulted in 7 directories showing and only 3 showing Permission denied. Sounds weird, right? Still I have no indication what's wrong with the other 3...
>
> I would suspect it might be a host/jail issue, but since I have none of the groups on the host while some _do_ work this is not it. Also, I'm really only working inside the jail environment and everything looks like it should there.
>
> As a sidenote: I have null-mounted the directory in which those 10 directories are located to another jail on the same host system where I have the same problem (showing 5, permission denied on 5 here).
>
> Since I don't suspect a bug in pw, maybe someone could enlighten me which other programs might be involved here and I could recompile those before I reinstall the whole world to those jails (not that I think reinstalling something will help, but I'm lost here).

Well, I tried ...

The only other thought I have is that you might have some invalid user names? (I'm really reaching here ...) Can you attach the group file so we can verify the syntax.

Beyond that, I'm at a loss.

--
Bill Moran
Potential Technologies
http://www.potentialtech.com
Re: strange pw behaviour
On Friday 02 July 2004 15:09, Bill Moran wrote:

> The only other thought I have is that you might have some invalid user names? (I'm really reaching here ...) Can you attach the group file so we can verify the syntax.

I really don't think so... all entries come from pw and pw gets called the same way every time (from a script)

here is a part of the /etc/group file:

    u186:*:2119:www
    u188:*:2121:www
    u189:*:2122:www
    u197:*:2130:www
    u192:*:2125:www

'ls -l' as user www shows:

    drwxr-x--- 4 u186 u186 512 Apr 23 21:56 u186
    drwxr-x--- 9 u188 u188 1024 Jul 2 12:32 u188
    drwxr-x--- 5 u189 u189 512 Jun 25 14:28 u189
    drwxr-x--- 3 u192 u192 512 Jun 6 20:21 u192
    drwxr-x--- 11 u197 u197 1024 Jul 2 14:15 u197

'ls -l *' as user www shows something like:

    u186:
    total 4
    drwxr-xr-x 6 u186 u186 512 Jun 5 16:33 some_dir
    drwxr-xr-x 4 u186 u186 512 May 11 21:36 another_dir

    u188:
    total 16
    drwxr-xr-x 12 u188 u188 512 Jul 1 17:17 dir1
    drwxr-xr-x 17 u188 u188 1024 Jul 1 17:17 dir2
    -rw-r--r-- 1 u188 u188 280 Jun 30 21:59 file.txt

    u189:
    ls: u189: Permission denied

    u192:
    ls: u192: Permission denied

    u197:
    ls: u197: Permission denied

> Beyond that, I'm at a loss.

Me too... I have been using pw to manage user accounts within different jails for quite some time now but never had issues like these..

Thanks anyway.
Re: strange pw behaviour
On Jul 2, 2004, at 6:47 AM, Jonas Sonntag wrote:

> must ask again... I'm still stuck with this. It's pretty weird. I have 10 directories each owned by a unique group. All 10 directories are set 750. The groups have been added using pw and user www has been made a member of every group by using pw. This has worked a hundred times. Information is correct in /etc/group.

How many groups is the www user in? By default, the system only permits a user to belong to up to 16 groups...

--
-Chuck
strange pw behaviour
Hi questions-list,

I'm experiencing some strange behaviour when using pw on a 4.9-STABLE system to add and modify a group within a virtual server running inside a jail as described in the jail man-page.

I'm running these commands from a script:

    pw groupadd newgroup -g 1010 -V /path/to/jail/etc/
    pw groupmod newgroup -m www -V /path/to/jail/etc/
    chroot /path/to/jail/ apachectl graceful

Just like I'm expecting, I get a new entry in /etc/group within the jail looking like this:

    newgroup:*:1010:www

and httpd gracefully restarted from apachectl.

Now I would expect that apache should be able to access directories owned by group newgroup with chmod 750 set. This is not the case. Investigating further, I used vipw to give a shell to user www and used su to become www. When I try to enter the directory in question I get Permission denied.

Now for the funny part: Back as user root I'm using vi to edit /etc/group by hand and simply move the new entry to another line within the group file, have apache do another graceful restart and everything works fine! su'ing to user www and cd'ing to the directory in question also works as expected.

What am I getting wrong here? Why do I need to modify the /etc/group file by hand before this works?

Any hints would be appreciated.

Thanks and best regards,
Jonas