Re: [rt-users] webmux.pl - Insecure dependency in chdir while running with -T switch
On Tue, 2011-01-18 at 01:27 -0400, Kim Pedersen wrote: [error] Insecure dependency in chdir while running with -T switch at /usr/lib/perl5/5.10.1/File/Path.pm line 250.\nCompilation failed in require at (eval 2) line 1.\n We don't support running RT under taint mode. Remove the PerlTaintCheck line from your mod_perl configuration. - Alex
Re: [rt-users] webmux.pl - Insecure dependency in chdir while running with -T switch
My typo. It should have been perl module. Is the path to/usr/lib/perl5/5.10.1/File/Path.pm readable by the apache user? Each of the directories should be 755 with the perl module being 644. I sometimes get DAG modules installing with a 750 and 640 respectively. Everything passes as root but fails as a user. Keith From: rt-users-boun...@lists.bestpractical.com [rt-users-boun...@lists.bestpractical.com] On Behalf Of Kim Pedersen [li...@kimp.org] Sent: Tuesday, January 18, 2011 12:48 AM Cc: rt-users@lists.bestpractical.com Subject: Re: [rt-users] webmux.pl - Insecure dependency in chdir while running with -T switch Hi Keith, I am not sure I understand 100% what permissions to the perl mode means. But the line calling File::Path in /usr/sbin/webmux.pl refers to $RT::MasonDataDir, which points to /var/cache/rt/mason_data/. The content and permissions of that folder is the following: drwxrwx--- 5 apache apache 38 2011-01-18 01:06 ./ drwxr-xr-x 4 root root 42 2011-01-18 01:06 ../ drwxrwx--- 2 apache apache 6 2011-01-18 01:06 cache/ drwxrwx--- 2 apache apache 6 2011-01-18 01:06 etc/ drwxrwx--- 3 apache apache 50 2011-01-18 01:06 obj/ The obj dir has session related files in it (That are recreated by apache if I empty the folders) all created by apache, and apache also has the permissions to delete the files It looks like webmux.pl is trying to clean out the /var/cache/rt/mason_data/obj folder and failing for some reason, with Insecure dependency in mkdir while running with -T switch at /usr/lib/perl5/5.10.1/File/Path.pm line 108, line 2. if ( $ENV{'MOD_PERL'} !RT-Config-Get('DevelMode')) { # Under static_source, we need to purge the component cache # each time we restart, so newer components may be reloaded. # # We can't do this in FastCGI or we'll blow away the component # root _every_ time a new server starts which happens every few # hits. require File::Path; require File::Glob; my @files = File::Glob::bsd_glob($RT::MasonDataDir/obj/*); File::Path::rmtree([ @files ], 0, 1) if @files; } 1; Kim P On 2011-01-18 02:32, Schincke, Keith D. (JSC-IT)[DB Consulting Group, Inc.] wrote: What are the directory permissions to the perl mode? One of the directories or the Path.pm file may not allow the web process to access the file. Keith Sent from my Verizon Wireless Phone - Reply message - From: Kim Pedersen li...@kimp.orgmailto:li...@kimp.org Date: Mon, Jan 17, 2011 11:28 pm Subject: [rt-users] webmux.pl - Insecure dependency in chdir while running with -T switch To: rt-users@lists.bestpractical.commailto:rt-users@lists.bestpractical.com rt-users@lists.bestpractical.commailto:rt-users@lists.bestpractical.com Hi everyone,. I am installing a cloned copy of our live 3.8.8 RT installation (To test a restoration/reinstallation and later to play with the 3.9.4 release). The new server is running Apache 2.2.15 with mod_perl 2.0.4 on Mandriva 2010.1 x64, with Postgresql 9.0 - which is the same as the live server. And the RT version is installed from RPM (built from a modified Mandriva .spec file, updated to work with 3.8.8) After installing RT I can't start Apache any longer and I am stuck with the following problem in my apache log: [error] Insecure dependency in chdir while running with -T switch at /usr/lib/perl5/5.10.1/File/Path.pm line 250.\nCompilation failed in require at (eval 2) line 1.\n [error] Can't load Perl file: /usr/sbin/webmux.pl for server www.testserver.com:0http://www.testserver.com:0, exiting... If I run webmux.pl manually as root, there are no Perl errors. A make testdeps from the RT sources show all dependencies being okay as well. The RT config files are the same as on the live server - File::Path is called at the end of webmux.pl, but I am just lost for what to look for / how to troubleshoot this. Any hints / pointers? Regards Kim P
Re: [rt-users] webmux.pl - Insecure dependency in chdir while running with -T switch
LOL - that figures :-) Yes, the path and permissions is alright - I can switch to the Apache user and all the perl modules in /usr/lib/perl5/5.10.1/File are 444, with the path directories being 755 It's Line 250 in /usr/lib/perl5/5.10.1/File/Path.pm that throws off webmux.pl. Could it be some sort of RT/Webmux compatibility issue /bug with Mandriva Perl 5.10.1? - Again the live installation is running with the same version of Perl, and I've compared the Path.pm webmux.pl files between systems and they are identical --- /usr/lib/perl5/5.10.1/File/Path.pm --- if ( -d _ ) { $root = VMS::Filespec::pathify($root) if $Is_VMS; Line 250if (!chdir($root)) { # see if we can escalate privileges to get in # (e.g. funny protection mask such as -w- instead of rwx) $perm = 0; my $nperm = $perm | 0700; if (!($arg-{safe} or $nperm == $perm or chmod($nperm, $root))) { _error($arg, cannot make child directory read-write-exec, $canon); next ROOT_DIR; } elsif (!chdir($root)) { _error($arg, cannot chdir to child, $canon); next ROOT_DIR; } } --- Kim P On 2011-01-18 08:25, Schincke, Keith D. (JSC-IT)[DB Consulting Group, Inc.] wrote: My typo. It should have been perl module. Is the path to/usr/lib/perl5/5.10.1/File/Path.pm readable by the apache user? Each of the directories should be 755 with the perl module being 644. I sometimes get DAG modules installing with a 750 and 640 respectively. Everything passes as root but fails as a user. Keith From: rt-users-boun...@lists.bestpractical.com [rt-users-boun...@lists.bestpractical.com] On Behalf Of Kim Pedersen [li...@kimp.org] Sent: Tuesday, January 18, 2011 12:48 AM Cc: rt-users@lists.bestpractical.com Subject: Re: [rt-users] webmux.pl - Insecure dependency in chdir while running with -T switch Hi Keith, I am not sure I understand 100% what permissions to the perl mode means. But the line calling File::Path in /usr/sbin/webmux.pl refers to $RT::MasonDataDir, which points to /var/cache/rt/mason_data/. The content and permissions of that folder is the following: drwxrwx--- 5 apache apache 38 2011-01-18 01:06 ./ drwxr-xr-x 4 root root 42 2011-01-18 01:06 ../ drwxrwx--- 2 apache apache 6 2011-01-18 01:06 cache/ drwxrwx--- 2 apache apache 6 2011-01-18 01:06 etc/ drwxrwx--- 3 apache apache 50 2011-01-18 01:06 obj/ The obj dir has session related files in it (That are recreated by apache if I empty the folders) all created by apache, and apache also has the permissions to delete the files It looks like webmux.pl is trying to clean out the /var/cache/rt/mason_data/obj folder and failing for some reason, with Insecure dependency in mkdir while running with -T switch at /usr/lib/perl5/5.10.1/File/Path.pm line 108, line 2. if ( $ENV{'MOD_PERL'} !RT-Config-Get('DevelMode')) { # Under static_source, we need to purge the component cache # each time we restart, so newer components may be reloaded. # # We can't do this in FastCGI or we'll blow away the component # root _every_ time a new server starts which happens every few # hits. require File::Path; require File::Glob; my @files = File::Glob::bsd_glob($RT::MasonDataDir/obj/*); File::Path::rmtree([ @files ], 0, 1) if @files; } 1; Kim P On 2011-01-18 02:32, Schincke, Keith D. (JSC-IT)[DB Consulting Group, Inc.] wrote: What are the directory permissions to the perl mode? One of the directories or the Path.pm file may not allow the web process to access the file. Keith Sent from my Verizon Wireless Phone - Reply message - From: Kim Pedersenli...@kimp.orgmailto:li...@kimp.org Date: Mon, Jan 17, 2011 11:28 pm Subject: [rt-users] webmux.pl - Insecure dependency in chdir while running with -T switch To: rt-users@lists.bestpractical.commailto:rt-users@lists.bestpractical.com rt-users@lists.bestpractical.commailto:rt-users@lists.bestpractical.com Hi everyone,. I am installing a cloned copy of our live 3.8.8 RT installation (To test a restoration/reinstallation and later to play with the 3.9.4 release). The new server is running Apache 2.2.15 with mod_perl 2.0.4 on Mandriva 2010.1 x64, with Postgresql 9.0 - which is the same as the live server. And the RT version is installed from RPM (built from a modified Mandriva .spec file, updated to work with 3.8.8) After installing RT I can't start Apache any longer and I am stuck with the following problem in my apache log: [error] Insecure dependency in chdir while running with -T switch at /usr/lib/perl5/5.10.1/File/Path.pm line 250.\nCompilation failed in require at (eval 2) line 1.\n [error] Can't load Perl file: /usr/sbin/webmux.pl for server
Re: [rt-users] webmux.pl - Insecure dependency in chdir while running with -T switch
From what I understand of Taint (-T) mode, this has nothing to do with directory permissions, and everything to do with trying to chdir to a variable (representing a directory) that has been marked as being unsafe, i.e. from user input. See perldoc perldiag to find the error message, which then leads you to perldoc perlsec for more about taint mode. That said, I don't know, inside RT, the appropriate way to deal with this. Josh Narins Director of Application Development SeniorBridge 845 Third Ave 7th Floor New York, NY 10022 Tel: (212) 994-6194 Mobile: (917) 488-6248 Fax: (212) 994-4260 jnar...@seniorbridge.com SeniorBridge Managing Complex Chronic Care http://www.seniorbridge.com SeniorBridge Statement of Confidentiality: The contents of this email message are intended for the exclusive use of the addressee(s) and may contain confidential or privileged information. Any dissemination, distribution or copying of this email by an unintended or mistaken recipient is strictly prohibited. In said event, kindly reply to the sender and destroy all entries of this message and any attachments from your system. Thank you.-Original Message- From: rt-users-boun...@lists.bestpractical.com [mailto:rt-users- boun...@lists.bestpractical.com] On Behalf Of Kim Pedersen Sent: Tuesday, January 18, 2011 8:39 AM Cc: rt-users@lists.bestpractical.com Subject: Re: [rt-users] webmux.pl - Insecure dependency in chdir while running with -T switch LOL - that figures :-) Yes, the path and permissions is alright - I can switch to the Apache user and all the perl modules in /usr/lib/perl5/5.10.1/File are 444, with the path directories being 755 It's Line 250 in /usr/lib/perl5/5.10.1/File/Path.pm that throws off webmux.pl. Could it be some sort of RT/Webmux compatibility issue /bug with Mandriva Perl 5.10.1? - Again the live installation is running with the same version of Perl, and I've compared the Path.pm webmux.pl files between systems and they are identical --- /usr/lib/perl5/5.10.1/File/Path.pm --- if ( -d _ ) { $root = VMS::Filespec::pathify($root) if $Is_VMS; Line 250if (!chdir($root)) { # see if we can escalate privileges to get in # (e.g. funny protection mask such as -w- instead of rwx) $perm = 0; my $nperm = $perm | 0700; if (!($arg-{safe} or $nperm == $perm or chmod($nperm, $root))) { _error($arg, cannot make child directory read-write-exec, $canon); next ROOT_DIR; } elsif (!chdir($root)) { _error($arg, cannot chdir to child, $canon); next ROOT_DIR; } } --- Kim P On 2011-01-18 08:25, Schincke, Keith D. (JSC-IT)[DB Consulting Group, Inc.] wrote: My typo. It should have been perl module. Is the path to/usr/lib/perl5/5.10.1/File/Path.pm readable by the apache user? Each of the directories should be 755 with the perl module being 644. I sometimes get DAG modules installing with a 750 and 640 respectively. Everything passes as root but fails as a user. Keith From: rt-users-boun...@lists.bestpractical.com [rt-users- boun...@lists.bestpractical.com] On Behalf Of Kim Pedersen [li...@kimp.org] Sent: Tuesday, January 18, 2011 12:48 AM Cc: rt-users@lists.bestpractical.com Subject: Re: [rt-users] webmux.pl - Insecure dependency in chdir while running with -T switch Hi Keith, I am not sure I understand 100% what permissions to the perl mode means. But the line calling File::Path in /usr/sbin/webmux.pl refers to $RT::MasonDataDir, which points to /var/cache/rt/mason_data/. The content and permissions of that folder is the following: drwxrwx--- 5 apache apache 38 2011-01-18 01:06 ./ drwxr-xr-x 4 root root 42 2011-01-18 01:06 ../ drwxrwx--- 2 apache apache 6 2011-01-18 01:06 cache/ drwxrwx--- 2 apache apache 6 2011-01-18 01:06 etc/ drwxrwx--- 3 apache apache 50 2011-01-18 01:06 obj/ The obj dir has session related files in it (That are recreated by apache if I empty the folders) all created by apache, and apache also has the permissions to delete the files It looks like webmux.pl is trying to clean out the /var/cache/rt/mason_data/obj folder and failing for some reason, with Insecure dependency in mkdir while running with -T switch at /usr/lib/perl5/5.10.1/File/Path.pm line 108, line 2. if ( $ENV{'MOD_PERL'} !RT-Config-Get('DevelMode')) { # Under static_source, we need to purge the component cache # each time we restart, so newer components may be reloaded. # # We can't do this in FastCGI or we'll blow away the component # root _every_ time a new server starts which happens every few # hits.
Re: [rt-users] webmux.pl - Insecure dependency in chdir while running with -T switch
Hi Josh, Thanks for your input - I've just about come to the same point as well, but don't know how to fix either :-/ Kim When the taint mode (-T) is in effect, the . directory is removed from @INC, and the environment variables PERL5LIB and PERLLIB are ignored by Perl. You can still adjust @INC from outside the program by using the -I command line option as explained in perlrun. The two environment variables are ignored because they are obscured, and a user running a program could be unaware that they are set, whereas the -I option is clearly visible and therefore permitted. Another way to modify @INC without modifying the program, is to use the lib pragma, e.g.: perl -Mlib=/foo program The benefit of using -Mlib=/foo over -I/foo, is that the former will automagically remove any duplicated directories, while the later will not. Note that if a tainted string is added to @INC, the following problem will be reported: Insecure dependency in require while running with -T switch ESC[1mCleaning Up Your PathESC[0m For Insecure $ENV{PATH} messages, you need to set $ENV{'PATH'} to a known value, and each directory in the path must be absolute and non- writable by others than its owner and group. You may be surprised to get this message even if the pathname to your executable is fully qualified. This is ESC[4mnotESC[24m generated because you didn't supply a full path to the program; instead, it's generated because you never set your PATH environment variable, or you didn't set it to something that was safe. Because Perl can't guarantee that the executable in question isn't itself going to turn around and execute some other program that is dependent on your PATH, it makes sure you set the PATH. On 2011-01-18 09:47, Josh Narins wrote: From what I understand of Taint (-T) mode, this has nothing to do with directory permissions, and everything to do with trying to chdir to a variable (representing a directory) that has been marked as being unsafe, i.e. from user input. See perldoc perldiag to find the error message, which then leads you to perldoc perlsec for more about taint mode. That said, I don't know, inside RT, the appropriate way to deal with this. Josh Narins Director of Application Development SeniorBridge 845 Third Ave 7th Floor New York, NY 10022 Tel: (212) 994-6194 Mobile: (917) 488-6248 Fax: (212) 994-4260 jnar...@seniorbridge.com SeniorBridge Managing Complex Chronic Care http://www.seniorbridge.com SeniorBridge Statement of Confidentiality: The contents of this email message are intended for the exclusive use of the addressee(s) and may contain confidential or privileged information. Any dissemination, distribution or copying of this email by an unintended or mistaken recipient is strictly prohibited. In said event, kindly reply to the sender and destroy all entries of this message and any attachments from your system. Thank you.-Original Message- Fr
Re: [rt-users] Endless auto-reply loop
On Tue, Jan 18, 2011 at 10:05:08AM -0500, Sean Quinlan wrote: Where Jesse replies: And you can always set up individual addresses to not get mail. Configuration - Users, search for the user, leave the username as the email address and then blank out the email address of the user record. -kevin pgpJef1PDOzks.pgp Description: PGP signature
Re: [rt-users] Endless auto-reply loop
They aren't a user in RT. The only users within RT are the staff and volunteers for the membership office. The 'clients' are the the thousands of people who join the organization (Interscholastic Equestrian Association), mostly riders and coaches. Because the membership 'office' is actually a group of people who are widely distributed geographically, working out of their homes, keeping track of support requests was becoming a nightmare. Our hope is that RT can centralize the point of communication and tracking open issues. Given that, we configured it so anyone could email in and create a new ticket. Most members of the IEA do have an email address, so I suppose we could add them all 'by hand', but how would we keep the membership in sync, which changes a little all the time and has significant churn every enrollment period (late summer). Thanks, Sean On Tue, Jan 18, 2011 at 11:52 AM, Kevin Falcone falc...@bestpractical.comwrote: On Tue, Jan 18, 2011 at 10:05:08AM -0500, Sean Quinlan wrote: Where Jesse replies: And you can always set up individual addresses to not get mail. Configuration - Users, search for the user, leave the username as the email address and then blank out the email address of the user record. -kevin
Re: [rt-users] Endless auto-reply loop
On Tue, Jan 18, 2011 at 12:05:06PM -0500, Sean Quinlan wrote: They aren't a user in RT. The only users within RT are the staff and volunteers for the membership office. The 'clients' are the the thousands of people who join the organization (Interscholastic Equestrian Association), mostly riders and coaches. Because the membership 'office' is actually a group of people who are widely distributed geographically, working out of their homes, keeping track of support requests was becoming a nightmare. Our hope is that RT can centralize the point of communication and tracking open issues. Given that, we configured it so anyone could email in and create a new ticket. Most members of the IEA do have an email address, so I suppose we could add them all 'by hand', but how would we keep the membership in sync, which changes a little all the time and has significant churn every enrollment period (late summer). You said you don't want RT emailing a mailing list. To stop it from sending mail to the mailing list: Configuration - Users, search for the user, leave the username as the email address and then blank out the email address of the user record. -kevin If RT has received or sent mail to an email address, there is a User, believe me. -kevin pgpJhacnREL3z.pgp Description: PGP signature
[rt-users] best order to apply when upgrading
Hi All,What is the best order to upgrade when RTIR and RTFM are installed?RT first then RTFM and RTIR? or RTIR and RTFM first?Best Regards,--Daniel A. MeloGrupo de Resposta a Ataques da IntranetSERPRO - Serviço Federal de Processamento de Dadosdaniel.m...@serpro.gov.br55 81 2126 4220
Re: [rt-users] [Rt-devel] rt-4.0.0rc2 eating so much CPU
On Tue, Jan 18, 2011 at 08:22:03PM +0300, Odhiambo Washington wrote: DevelMode is commented out in my config. Do I have to explicitly turn it off? I have turned it off and here is the MasonX::Profiler result now: http://goo.gl/q6gc3 Can you go to Configuration - Tools - System Information and send that to the list?
Re: [rt-users] Endless auto-reply loop
Ah, my apologies! I went to the Users page and didn't see them, and did not register your instruction to search for them. Thanks for being patient and reposting your instructions. I have done as you suggested, and hopefully that takes care of it. Thanks again, Sean On Tue, Jan 18, 2011 at 12:18 PM, Kevin Falcone falc...@bestpractical.comwrote: On Tue, Jan 18, 2011 at 12:05:06PM -0500, Sean Quinlan wrote: They aren't a user in RT. The only users within RT are the staff and volunteers for the membership office. The 'clients' are the the thousands of people who join the organization (Interscholastic Equestrian Association), mostly riders and coaches. Because the membership 'office' is actually a group of people who are widely distributed geographically, working out of their homes, keeping track of support requests was becoming a nightmare. Our hope is that RT can centralize the point of communication and tracking open issues. Given that, we configured it so anyone could email in and create a new ticket. Most members of the IEA do have an email address, so I suppose we could add them all 'by hand', but how would we keep the membership in sync, which changes a little all the time and has significant churn every enrollment period (late summer). You said you don't want RT emailing a mailing list. To stop it from sending mail to the mailing list: Configuration - Users, search for the user, leave the username as the email address and then blank out the email address of the user record. -kevin If RT has received or sent mail to an email address, there is a User, believe me. -kevin
[rt-users] Certain RT operations painfully slow.
RT Users, A few years ago we started adding a group as AdminCc to many tickets. It made sense for our process and seemed like a good idea at the time. Fast forward to today. This group is AdminCc on many, many tickets. Now when we add a new member to the group it can take 15 minutes for the add to complete, usually with the web interface timing out. To alleviate this situation I wrote a script to remove this group from many old tickets, but this too is taking a long time to complete. Here's the key line from the script: my ($status, $msg) = $t-DeleteWatcher(PrincipalId = $pid, Type = AdminCc, Silent = 1); Which causes this long running mysql query: Command: Query Time: 86 State: Sending data Info: SELECT main.* FROM CachedGroupMembers main WHERE ((main.Via = '28522070')) AND ((main.id != '28522070')) Ouch. Can anyone recommend an approach to fixing this problem? Thanks.
Re: [rt-users] Certain RT operations painfully slow.
On Tue, Jan 18, 2011 at 12:43:47PM -0500, Todd Chapman wrote: RT Users, A few years ago we started adding a group as AdminCc to many tickets. It made sense for our process and seemed like a good idea at the time. Fast forward to today. This group is AdminCc on many, many tickets. Now when we add a new member to the group it can take 15 minutes for the add to complete, usually with the web interface timing out. To alleviate this situation I wrote a script to remove this group from many old tickets, but this too is taking a long time to complete. Here's the key line from the script: my ($status, $msg) = $t-DeleteWatcher(PrincipalId = $pid, Type = AdminCc, Silent = 1); Which causes this long running mysql query: Command: Query Time: 86 State: Sending data Info: SELECT main.* FROM CachedGroupMembers main WHERE ((main.Via = '28522070')) AND ((main.id != '28522070')) Ouch. Can anyone recommend an approach to fixing this problem? Todd, What does an EXPLAIN on that select tell you? Thanks. --
Re: [rt-users] Certain RT operations painfully slow.
On Tue, Jan 18, 2011 at 12:48 PM, Jesse Vincent je...@bestpractical.com wrote: On Tue, Jan 18, 2011 at 12:43:47PM -0500, Todd Chapman wrote: RT Users, A few years ago we started adding a group as AdminCc to many tickets. It made sense for our process and seemed like a good idea at the time. Fast forward to today. This group is AdminCc on many, many tickets. Now when we add a new member to the group it can take 15 minutes for the add to complete, usually with the web interface timing out. To alleviate this situation I wrote a script to remove this group from many old tickets, but this too is taking a long time to complete. Here's the key line from the script: my ($status, $msg) = $t-DeleteWatcher(PrincipalId = $pid, Type = AdminCc, Silent = 1); Which causes this long running mysql query: Command: Query Time: 86 State: Sending data Info: SELECT main.* FROM CachedGroupMembers main WHERE ((main.Via = '28522070')) AND ((main.id != '28522070')) Ouch. Can anyone recommend an approach to fixing this problem? Todd, What does an EXPLAIN on that select tell you? mysql explain SELECT main.* FROM CachedGroupMembers main WHERE ((main.Via = '28522070')) AND ((main.id != '28522070'))\G *** 1. row *** id: 1 select_type: SIMPLE table: main type: range possible_keys: PRIMARY key: PRIMARY key_len: 4 ref: NULL rows: 20568305 Extra: Using where 1 row in set (0.02 sec) Thanks. --
Re: [rt-users] Certain RT operations painfully slow.
Sorry, forgot the list. Kenn On Tue, Jan 18, 2011 at 9:55 AM, Kenneth Crocker kfcroc...@lbl.gov wrote: Todd, I'm thinking this AdminCc group has a whole bunch of Global rights. That would do it. We did something similar but made it a bit more granular; we create a Global Group for AdminCc but only gave them these rights; *AdminUsers, AssignCustomFields, SeeCustomFields, SeeGroup, ShowConfigTab, ShowScrips, ShowTemplates, WatchAsAdminCc*). Then we created an AdminCc group for each set of Queues that belong to a specific Support Group (like Financial). These AdminCc Sub-groups would be given rights *more specific to the Queues they support*. This saves a lot of time when RT is searching for user privileges per ticket. Global rights that involve Ticket privileges can be real time burners. Hope this helps. Kenn LBNL On Tue, Jan 18, 2011 at 9:43 AM, Todd Chapman t...@chaka.net wrote: RT Users, A few years ago we started adding a group as AdminCc to many tickets. It made sense for our process and seemed like a good idea at the time. Fast forward to today. This group is AdminCc on many, many tickets. Now when we add a new member to the group it can take 15 minutes for the add to complete, usually with the web interface timing out. To alleviate this situation I wrote a script to remove this group from many old tickets, but this too is taking a long time to complete. Here's the key line from the script: my ($status, $msg) = $t-DeleteWatcher(PrincipalId = $pid, Type = AdminCc, Silent = 1); Which causes this long running mysql query: Command: Query Time: 86 State: Sending data Info: SELECT main.* FROM CachedGroupMembers main WHERE ((main.Via = '28522070')) AND ((main.id != '28522070')) Ouch. Can anyone recommend an approach to fixing this problem? Thanks.
Re: [rt-users] Modifying History-information?
Johan, Why ShowTicket to everybody? Why not just grant that right to the Requestors and the Support Group (User-defined group) and AdminCc role and Owner role that supports a specific Queue within that Queue GroupRights page? Otherwise, Searches will start taking a LONG TIME, unless you have a small User's list. Kenn LBNL On Mon, Jan 17, 2011 at 2:51 AM, Johan Elmerfjord jelme...@adobe.comwrote: We are about to open up RT for everyone in the company, and are doing this by setting the Privileges: SeeQueue and ShowTicket to the group Everybody. Then we run with External Ldap authentication - so all company users can use the /SelfService/ - interface. We have a little problem though. We have a number of tickets that contains sensitive information. Like Usernames and passwords. Sometimes such info is added by the ticket-requester that doesn't see the harm in doing so. Is there a way for the ticket-owner - or a super-user to go in and delete such info from the history? Either through RT directly - or if there are any other tools available? I'm not found of doing updates in database directly - and before I write a tool to do it - I'll better ask here. Regards, Johan -- *Johan Elmerfjord* | Sr. Systems Administration/Mgr, EMEA | Adobe Systems (OBU) | p. +45 36 98 89 50 x6008 | cell. +46 735 101 444 | joh...@adobe.com
Re: [rt-users] Certain RT operations painfully slow.
Todd, Which causes this long running mysql query: Time: 86 Info: SELECT main.* FROM CachedGroupMembers main WHERE ((main.Via = '28522070')) AND ((main.id != '28522070')) Can anyone recommend an approach to fixing this problem? What does an EXPLAIN on that select tell you? mysql explain SELECT main.* FROM CachedGroupMembers main WHERE ((main.Via = '28522070')) AND ((main.id != '28522070'))\G select_type: SIMPLE table: main type: range possible_keys: PRIMARY key: PRIMARY key_len: 4 ref: NULL rows: 20568305 Extra: Using where 1 row in set (0.02 sec) What happens if you add an index on Via? Jesse --
Re: [rt-users] Endless auto-reply loop
On Tue, Jan 18, 2011 at 12:18 PM, Kevin Falcone falc...@bestpractical.comwrote: Configuration - Users, search for the user, leave the username as the email address and then blank out the email address of the user record. -kevin That appears to have worked perfectly, and if I run into this specific issue again I now know how to quickly resolve it. Thanks, Sean
Re: [rt-users] Certain RT operations painfully slow.
On Tue, Jan 18, 2011 at 1:13 PM, Jesse Vincent je...@bestpractical.com wrote: Todd, Which causes this long running mysql query: Time: 86 Info: SELECT main.* FROM CachedGroupMembers main WHERE ((main.Via = '28522070')) AND ((main.id != '28522070')) Can anyone recommend an approach to fixing this problem? What does an EXPLAIN on that select tell you? mysql explain SELECT main.* FROM CachedGroupMembers main WHERE ((main.Via = '28522070')) AND ((main.id != '28522070'))\G select_type: SIMPLE table: main type: range possible_keys: PRIMARY key: PRIMARY key_len: 4 ref: NULL rows: 20568305 Extra: Using where 1 row in set (0.02 sec) What happens if you add an index on Via? I'm considering that, but with 20 million+ rows it will take a non-trivial amount of time. Jesse --
Re: [rt-users] Certain RT operations painfully slow.
And here is the slow query for adding a new member to a group that is AdminCc on a large number of tickets: db: rt3 Command: Query Time: 59 State: Sending data Info: SELECT main.* FROM CachedGroupMembers main WHERE ((main.MemberId = 541915)) mysql explain SELECT main.* FROM CachedGroupMembers main WHERE ((main.MemberId = 541915))\G *** 1. row *** id: 1 select_type: SIMPLE table: main type: ref possible_keys: CachedGroupMembers3 key: CachedGroupMembers3 key_len: 5 ref: const rows: 417216 Extra: Using where 1 row in set (0.00 sec) Even when the query completes RT takes a long time to complete. Perhaps the query is timing out and RT goes off into the weeds? RT version 3.6.3. On Tue, Jan 18, 2011 at 12:43 PM, Todd Chapman t...@chaka.net wrote: RT Users, A few years ago we started adding a group as AdminCc to many tickets. It made sense for our process and seemed like a good idea at the time. Fast forward to today. This group is AdminCc on many, many tickets. Now when we add a new member to the group it can take 15 minutes for the add to complete, usually with the web interface timing out. To alleviate this situation I wrote a script to remove this group from many old tickets, but this too is taking a long time to complete. Here's the key line from the script: my ($status, $msg) = $t-DeleteWatcher(PrincipalId = $pid, Type = AdminCc, Silent = 1); Which causes this long running mysql query: Command: Query Time: 86 State: Sending data Info: SELECT main.* FROM CachedGroupMembers main WHERE ((main.Via = '28522070')) AND ((main.id != '28522070')) Ouch. Can anyone recommend an approach to fixing this problem? Thanks.
Re: [rt-users] Certain RT operations painfully slow.
RT version 3.6.3. You really need to come up to (at least) 3.8 for anyone here at BPS to be able to even hope to help you on this one. We've made many, many improvements to the codepaths you're touching. (To say nothing of how much we've cut down the size of the CachedGroupMembers table.) Best, Jesse
Re: [rt-users] Certain RT operations painfully slow.
Understood. Thanks. On Tue, Jan 18, 2011 at 1:45 PM, Jesse Vincent je...@bestpractical.com wrote: RT version 3.6.3. You really need to come up to (at least) 3.8 for anyone here at BPS to be able to even hope to help you on this one. We've made many, many improvements to the codepaths you're touching. (To say nothing of how much we've cut down the size of the CachedGroupMembers table.) Best, Jesse
Re: [rt-users] Certain RT operations painfully slow.
Todd, Another approach is to dissect DeleteWatcher into its row sql and re-write your script to talk sql directly instead of going through the api ... (Its highly not recommended) but with 20 million rows its an option. The advantages you gain is not having to do as many selects. You may still get queries lasting 86s , but I would bet those will be 50% less than the api. Good luck Roy -Original Message- From: rt-users-boun...@lists.bestpractical.com [mailto:rt-users- boun...@lists.bestpractical.com] On Behalf Of Todd Chapman Sent: 18 January 2011 18:19 To: Jesse Vincent Cc: rt-users Subject: Re: [rt-users] Certain RT operations painfully slow. On Tue, Jan 18, 2011 at 1:13 PM, Jesse Vincent je...@bestpractical.com wrote: Todd, Which causes this long running mysql query: Time: 86 Info: SELECT main.* FROM CachedGroupMembers main WHERE ((main.Via = '28522070')) AND ((main.id != '28522070')) Can anyone recommend an approach to fixing this problem? What does an EXPLAIN on that select tell you? mysql explain SELECT main.* FROM CachedGroupMembers main WHERE ((main.Via = '28522070')) AND ((main.id != '28522070'))\G select_type: SIMPLE table: main type: range possible_keys: PRIMARY key: PRIMARY key_len: 4 ref: NULL rows: 20568305 Extra: Using where 1 row in set (0.02 sec) What happens if you add an index on Via? I'm considering that, but with 20 million+ rows it will take a non-trivial amount of time. Jesse --
Re: [rt-users] issues with Taint mode?
Resolved, thanks Alex for your post to the other webmux.pl thread. Needed to comment out the perlswitches section of the mod_perl/apache config. From: rt-users-boun...@lists.bestpractical.com [mailto:rt-users-boun...@lists.bestpractical.com] On Behalf Of Sullivan, Rob Sent: Thursday, January 13, 2011 6:18 PM To: rt-users@lists.bestpractical.com Subject: [rt-users] issues with Taint mode? Greetings. I'm setting up a new RT 3.8.8 instance in a Solaris 10 zone with apache2.2/modperl2.03/Perl5.8.8 (all packages from blastwave). All deps are met and it builds fine. Web server user /group is nobody/nobody, perl -c RT_SiteConfig.pm checks out fine. Apache fails when starting when I add the PerlRequire /opt/rt3/bin/webmux.pl line in the V-host entry with the following error: [Thu Jan 13 17:44:25 2011] [error] Couldn't load RT config file RT_SiteConfig.pm:\n\nInsecure dependency in require while running with -T switch at /opt/rt3/bin/../lib/RT/Config.pm line 562.\nCompilation failed in require at (eval 7) line 1.\n [Thu Jan 13 17:44:25 2011] [error] Can't load Perl file: /opt/rt3/bin/webmux.pl for server rt01.chi1.prlss.net:0, exiting... So it appears that something (setuid?) is trigging taint mode with perl, which causes the app to fail. I should add that I've got RT3.6.6 working with the same build of perl in a different zone, though that RT install also came from blastwave. Same apache/perl/modperl version and config. Is there anything I can do in the config to suppress taint mode, or is there something obvious I'm missing? Here's the httpd-vhost.conf entry NameVirtualHost *:80 # VirtualHost *:80 ServerName rt01.chi1.prlss.net ServerAlias tt.prlss.net ServerAdmin rsulli...@peerlessnetwork.com DocumentRoot /opt/rt3/share/html/ #ErrorLog /var/opt/csw/apache2/log/RT-error_log #CustomLog /var/opt/csw/apache2/log/RT-access_log common #PerlModule Apache::DBI AddDefaultCharset UTF-8 PerlRequire /opt/rt3/bin/webmux.pl Directory /opt/rt3/share/html Order allow,deny Allow from all SetHandler perl-script PerlResponseHandler RT::Mason /Directory /VirtualHost Thanks, Rob
[rt-users] Secure RSS Feeds?
I'm testing the RSS feeds feature in RT and noticed that I can update the feed results in my RSS reader without logging into RT. I'm guessing this is related to the NoAuth that is embedded in the feed location URL. Is there a way to secure all RT RSS feeds so that the user is prompted for their credentials the first time they update the feed during a browser/reader session? Thanks- Lee
Re: [rt-users] webmux.pl - Insecure dependency in chdir while running with -T switch
Hi Alex, Thank you for that clarification. I went grepping for the PerlTaintCheck line in the config files, and it is nowhere to be found. I did find then -T option to perl under Mandriva's mod_perl config file, but it was already set to not be enabled. This is obviously distribution specific - I am not sure if a default has changed somewhere or what. I moved the RT installation to another server (Supposedly identical as well), and things are working fine there. Thank you for your input everyone, I'll leave it at that. Regards, Kim P On 2011-01-18 04:35, Alex Vandiver wrote: On Tue, 2011-01-18 at 01:27 -0400, Kim Pedersen wrote: [error] Insecure dependency in chdir while running with -T switch at /usr/lib/perl5/5.10.1/File/Path.pm line 250.\nCompilation failed in require at (eval 2) line 1.\n We don't support running RT under taint mode. Remove the PerlTaintCheck line from your mod_perl configuration. - Alex