Re: [rt-users] webmux.pl - Insecure dependency in chdir while running with -T switch
On Tue, 2011-01-18 at 01:27 -0400, Kim Pedersen wrote: [error] Insecure dependency in chdir while running with -T switch at /usr/lib/perl5/5.10.1/File/Path.pm line 250.\nCompilation failed in require at (eval 2) line 1.\n We don't support running RT under taint mode. Remove the PerlTaintCheck line from your mod_perl configuration. - Alex
Re: [rt-users] webmux.pl - Insecure dependency in chdir while running with -T switch
My typo. It should have been perl module.
Is the path to/usr/lib/perl5/5.10.1/File/Path.pm readable by the apache user?
Each of the directories should be 755 with the perl module being 644.
I sometimes get DAG modules installing with a 750 and 640 respectively.
Everything passes as root but fails as a user.
Keith
From: rt-users-boun...@lists.bestpractical.com
[rt-users-boun...@lists.bestpractical.com] On Behalf Of Kim Pedersen
[li...@kimp.org]
Sent: Tuesday, January 18, 2011 12:48 AM
Cc: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] webmux.pl - Insecure dependency in chdir while running
with -T switch
Hi Keith,
I am not sure I understand 100% what permissions to the perl mode means.
But the line calling File::Path in /usr/sbin/webmux.pl refers to
$RT::MasonDataDir, which points to /var/cache/rt/mason_data/.
The content and permissions of that folder is the following:
drwxrwx--- 5 apache apache 38 2011-01-18 01:06 ./
drwxr-xr-x 4 root root 42 2011-01-18 01:06 ../
drwxrwx--- 2 apache apache 6 2011-01-18 01:06 cache/
drwxrwx--- 2 apache apache 6 2011-01-18 01:06 etc/
drwxrwx--- 3 apache apache 50 2011-01-18 01:06 obj/
The obj dir has session related files in it (That are recreated by apache if
I empty the folders) all created by apache, and apache also has the permissions
to delete the files
It looks like webmux.pl is trying to clean out the /var/cache/rt/mason_data/obj
folder and failing for some reason, with Insecure dependency in mkdir while
running with -T switch at /usr/lib/perl5/5.10.1/File/Path.pm line 108, line 2.
if ( $ENV{'MOD_PERL'} !RT-Config-Get('DevelMode')) {
# Under static_source, we need to purge the component cache
# each time we restart, so newer components may be reloaded.
#
# We can't do this in FastCGI or we'll blow away the component
# root _every_ time a new server starts which happens every few
# hits.
require File::Path;
require File::Glob;
my @files = File::Glob::bsd_glob($RT::MasonDataDir/obj/*);
File::Path::rmtree([ @files ], 0, 1) if @files;
}
1;
Kim P
On 2011-01-18 02:32, Schincke, Keith D. (JSC-IT)[DB Consulting Group, Inc.]
wrote:
What are the directory permissions to the perl mode?
One of the directories or the Path.pm file may not allow the web process to
access the file.
Keith
Sent from my Verizon Wireless Phone
- Reply message -
From: Kim Pedersen li...@kimp.orgmailto:li...@kimp.org
Date: Mon, Jan 17, 2011 11:28 pm
Subject: [rt-users] webmux.pl - Insecure dependency in chdir while running with
-T switch
To: rt-users@lists.bestpractical.commailto:rt-users@lists.bestpractical.com
rt-users@lists.bestpractical.commailto:rt-users@lists.bestpractical.com
Hi everyone,.
I am installing a cloned copy of our live 3.8.8 RT installation (To test
a restoration/reinstallation and later to play with the 3.9.4 release).
The new server is running Apache 2.2.15 with mod_perl 2.0.4 on Mandriva
2010.1 x64, with Postgresql 9.0 - which is the same as the live server.
And the RT version is installed from RPM (built from a modified Mandriva
.spec file, updated to work with 3.8.8)
After installing RT I can't start Apache any longer and I am stuck with
the following problem in my apache log:
[error] Insecure dependency in chdir while running with -T switch at
/usr/lib/perl5/5.10.1/File/Path.pm line 250.\nCompilation failed in
require at (eval 2) line 1.\n
[error] Can't load Perl file: /usr/sbin/webmux.pl for server
www.testserver.com:0http://www.testserver.com:0, exiting...
If I run webmux.pl manually as root, there are no Perl errors. A make
testdeps from the RT sources show all dependencies being okay as well.
The RT config files are the same as on the live server - File::Path is
called at the end of webmux.pl, but I am just lost for what to look for
/ how to troubleshoot this.
Any hints / pointers?
Regards
Kim P
Re: [rt-users] webmux.pl - Insecure dependency in chdir while running with -T switch
LOL - that figures :-)
Yes, the path and permissions is alright - I can switch to the Apache
user and all the perl modules in /usr/lib/perl5/5.10.1/File are 444,
with the path directories being 755
It's Line 250 in /usr/lib/perl5/5.10.1/File/Path.pm that throws off
webmux.pl. Could it be some sort of RT/Webmux compatibility issue /bug
with Mandriva Perl 5.10.1?
- Again the live installation is running with the same version of
Perl, and I've compared the Path.pm webmux.pl files between systems
and they are identical
--- /usr/lib/perl5/5.10.1/File/Path.pm ---
if ( -d _ ) {
$root = VMS::Filespec::pathify($root) if $Is_VMS;
Line 250if (!chdir($root)) {
# see if we can escalate privileges to get in
# (e.g. funny protection mask such as -w- instead of rwx)
$perm = 0;
my $nperm = $perm | 0700;
if (!($arg-{safe} or $nperm == $perm or chmod($nperm,
$root))) {
_error($arg, cannot make child directory
read-write-exec, $canon);
next ROOT_DIR;
}
elsif (!chdir($root)) {
_error($arg, cannot chdir to child, $canon);
next ROOT_DIR;
}
}
---
Kim P
On 2011-01-18 08:25, Schincke, Keith D. (JSC-IT)[DB Consulting Group,
Inc.] wrote:
My typo. It should have been perl module.
Is the path to/usr/lib/perl5/5.10.1/File/Path.pm readable by the apache user?
Each of the directories should be 755 with the perl module being 644.
I sometimes get DAG modules installing with a 750 and 640 respectively.
Everything passes as root but fails as a user.
Keith
From: rt-users-boun...@lists.bestpractical.com
[rt-users-boun...@lists.bestpractical.com] On Behalf Of Kim Pedersen
[li...@kimp.org]
Sent: Tuesday, January 18, 2011 12:48 AM
Cc: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] webmux.pl - Insecure dependency in chdir while running
with -T switch
Hi Keith,
I am not sure I understand 100% what permissions to the perl mode means.
But the line calling File::Path in /usr/sbin/webmux.pl refers to
$RT::MasonDataDir, which points to /var/cache/rt/mason_data/.
The content and permissions of that folder is the following:
drwxrwx--- 5 apache apache 38 2011-01-18 01:06 ./
drwxr-xr-x 4 root root 42 2011-01-18 01:06 ../
drwxrwx--- 2 apache apache 6 2011-01-18 01:06 cache/
drwxrwx--- 2 apache apache 6 2011-01-18 01:06 etc/
drwxrwx--- 3 apache apache 50 2011-01-18 01:06 obj/
The obj dir has session related files in it (That are recreated by apache if
I empty the folders) all created by apache, and apache also has the permissions to delete
the files
It looks like webmux.pl is trying to clean out the /var/cache/rt/mason_data/obj folder
and failing for some reason, with Insecure dependency in mkdir while running with
-T switch at /usr/lib/perl5/5.10.1/File/Path.pm line 108, line 2.
if ( $ENV{'MOD_PERL'} !RT-Config-Get('DevelMode')) {
# Under static_source, we need to purge the component cache
# each time we restart, so newer components may be reloaded.
#
# We can't do this in FastCGI or we'll blow away the component
# root _every_ time a new server starts which happens every few
# hits.
require File::Path;
require File::Glob;
my @files = File::Glob::bsd_glob($RT::MasonDataDir/obj/*);
File::Path::rmtree([ @files ], 0, 1) if @files;
}
1;
Kim P
On 2011-01-18 02:32, Schincke, Keith D. (JSC-IT)[DB Consulting Group, Inc.]
wrote:
What are the directory permissions to the perl mode?
One of the directories or the Path.pm file may not allow the web process to
access the file.
Keith
Sent from my Verizon Wireless Phone
- Reply message -
From: Kim Pedersenli...@kimp.orgmailto:li...@kimp.org
Date: Mon, Jan 17, 2011 11:28 pm
Subject: [rt-users] webmux.pl - Insecure dependency in chdir while running with
-T switch
To: rt-users@lists.bestpractical.commailto:rt-users@lists.bestpractical.com
rt-users@lists.bestpractical.commailto:rt-users@lists.bestpractical.com
Hi everyone,.
I am installing a cloned copy of our live 3.8.8 RT installation (To test
a restoration/reinstallation and later to play with the 3.9.4 release).
The new server is running Apache 2.2.15 with mod_perl 2.0.4 on Mandriva
2010.1 x64, with Postgresql 9.0 - which is the same as the live server.
And the RT version is installed from RPM (built from a modified Mandriva
.spec file, updated to work with 3.8.8)
After installing RT I can't start Apache any longer and I am stuck with
the following problem in my apache log:
[error] Insecure dependency in chdir while running with -T switch at
/usr/lib/perl5/5.10.1/File/Path.pm line 250.\nCompilation failed in
require at (eval 2) line 1.\n
[error] Can't load Perl file: /usr/sbin/webmux.pl for server
Re: [rt-users] webmux.pl - Insecure dependency in chdir while running with -T switch
From what I understand of Taint (-T) mode, this has nothing to do with
directory permissions, and everything to do with trying to chdir to a variable
(representing a directory) that has been marked as being unsafe, i.e. from
user input.
See perldoc perldiag to find the error message, which then leads you to
perldoc perlsec for more about taint mode.
That said, I don't know, inside RT, the appropriate way to deal with this.
Josh Narins
Director of Application Development
SeniorBridge
845 Third Ave
7th Floor
New York, NY 10022
Tel: (212) 994-6194
Mobile: (917) 488-6248
Fax: (212) 994-4260
jnar...@seniorbridge.com
SeniorBridge
Managing Complex Chronic Care
http://www.seniorbridge.com
SeniorBridge Statement of Confidentiality: The contents of this email message
are intended for the exclusive use of the addressee(s) and may contain
confidential or privileged information. Any dissemination, distribution or
copying of this email by an unintended or mistaken recipient is strictly
prohibited. In said event, kindly reply to the sender and destroy all entries
of this message and any attachments from your system. Thank you.-Original
Message-
From: rt-users-boun...@lists.bestpractical.com [mailto:rt-users-
boun...@lists.bestpractical.com] On Behalf Of Kim Pedersen
Sent: Tuesday, January 18, 2011 8:39 AM
Cc: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] webmux.pl - Insecure dependency in chdir while
running with -T switch
LOL - that figures :-)
Yes, the path and permissions is alright - I can switch to the Apache
user and all the perl modules in /usr/lib/perl5/5.10.1/File are 444,
with the path directories being 755
It's Line 250 in /usr/lib/perl5/5.10.1/File/Path.pm that throws off
webmux.pl. Could it be some sort of RT/Webmux compatibility issue /bug
with Mandriva Perl 5.10.1?
- Again the live installation is running with the same version of
Perl, and I've compared the Path.pm webmux.pl files between systems
and they are identical
--- /usr/lib/perl5/5.10.1/File/Path.pm ---
if ( -d _ ) {
$root = VMS::Filespec::pathify($root) if $Is_VMS;
Line 250if (!chdir($root)) {
# see if we can escalate privileges to get in
# (e.g. funny protection mask such as -w- instead of
rwx)
$perm = 0;
my $nperm = $perm | 0700;
if (!($arg-{safe} or $nperm == $perm or chmod($nperm,
$root))) {
_error($arg, cannot make child directory
read-write-exec, $canon);
next ROOT_DIR;
}
elsif (!chdir($root)) {
_error($arg, cannot chdir to child, $canon);
next ROOT_DIR;
}
}
---
Kim P
On 2011-01-18 08:25, Schincke, Keith D. (JSC-IT)[DB Consulting Group,
Inc.] wrote:
My typo. It should have been perl module.
Is the path to/usr/lib/perl5/5.10.1/File/Path.pm readable by the
apache user? Each of the directories should be 755 with the perl module
being 644.
I sometimes get DAG modules installing with a 750 and 640
respectively. Everything passes as root but fails as a user.
Keith
From: rt-users-boun...@lists.bestpractical.com [rt-users-
boun...@lists.bestpractical.com] On Behalf Of Kim Pedersen
[li...@kimp.org]
Sent: Tuesday, January 18, 2011 12:48 AM
Cc: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] webmux.pl - Insecure dependency in chdir
while running with -T switch
Hi Keith,
I am not sure I understand 100% what permissions to the perl mode
means.
But the line calling File::Path in /usr/sbin/webmux.pl refers to
$RT::MasonDataDir, which points to /var/cache/rt/mason_data/.
The content and permissions of that folder is the following:
drwxrwx--- 5 apache apache 38 2011-01-18 01:06 ./
drwxr-xr-x 4 root root 42 2011-01-18 01:06 ../
drwxrwx--- 2 apache apache 6 2011-01-18 01:06 cache/
drwxrwx--- 2 apache apache 6 2011-01-18 01:06 etc/
drwxrwx--- 3 apache apache 50 2011-01-18 01:06 obj/
The obj dir has session related files in it (That are recreated by
apache if I empty the folders) all created by apache, and apache also
has the permissions to delete the files
It looks like webmux.pl is trying to clean out the
/var/cache/rt/mason_data/obj folder and failing for some reason, with
Insecure dependency in mkdir while running with -T switch at
/usr/lib/perl5/5.10.1/File/Path.pm line 108, line 2.
if ( $ENV{'MOD_PERL'} !RT-Config-Get('DevelMode')) {
# Under static_source, we need to purge the component cache
# each time we restart, so newer components may be reloaded.
#
# We can't do this in FastCGI or we'll blow away the component
# root _every_ time a new server starts which happens every few
# hits.
Re: [rt-users] webmux.pl - Insecure dependency in chdir while running with -T switch
Hi Josh,
Thanks for your input - I've just about come to the same point as well,
but don't know how to fix either :-/
Kim
When the taint mode (-T) is in effect, the . directory is
removed
from @INC, and the environment variables PERL5LIB and
PERLLIB are
ignored by Perl. You can still adjust @INC from outside the
program by
using the -I command line option as explained in perlrun. The two
environment variables are ignored because they are obscured, and
a user
running a program could be unaware that they are set, whereas
the -I
option is clearly visible and therefore permitted.
Another way to modify @INC without modifying the program, is to
use the
lib pragma, e.g.:
perl -Mlib=/foo program
The benefit of using -Mlib=/foo over -I/foo, is that the former
will automagically remove any duplicated directories, while the
later
will not.
Note that if a tainted string is added to @INC, the following
problem
will be reported:
Insecure dependency in require while running with -T switch
ESC[1mCleaning Up Your PathESC[0m
For Insecure $ENV{PATH} messages, you need to set $ENV{'PATH'}
to a
known value, and each directory in the path must be absolute and
non-
writable by others than its owner and group. You may be
surprised to
get this message even if the pathname to your executable is fully
qualified. This is ESC[4mnotESC[24m generated because you
didn't supply a full path
to the program; instead, it's generated because you never set
your PATH
environment variable, or you didn't set it to something that was
safe.
Because Perl can't guarantee that the executable in question isn't
itself going to turn around and execute some other program that is
dependent on your PATH, it makes sure you set the PATH.
On 2011-01-18 09:47, Josh Narins wrote:
From what I understand of Taint (-T) mode, this has nothing to do with
directory permissions, and everything to do with trying to chdir to a variable
(representing a directory) that has been marked as being unsafe, i.e. from user
input.
See perldoc perldiag to find the error message, which then leads you to perldoc
perlsec for more about taint mode.
That said, I don't know, inside RT, the appropriate way to deal with this.
Josh Narins
Director of Application Development
SeniorBridge
845 Third Ave
7th Floor
New York, NY 10022
Tel: (212) 994-6194
Mobile: (917) 488-6248
Fax: (212) 994-4260
jnar...@seniorbridge.com
SeniorBridge
Managing Complex Chronic Care
http://www.seniorbridge.com
SeniorBridge Statement of Confidentiality: The contents of this email message
are intended for the exclusive use of the addressee(s) and may contain
confidential or privileged information. Any dissemination, distribution or
copying of this email by an unintended or mistaken recipient is strictly
prohibited. In said event, kindly reply to the sender and destroy all entries
of this message and any attachments from your system. Thank you.-Original
Message-
Fr
Re: [rt-users] Endless auto-reply loop
On Tue, Jan 18, 2011 at 10:05:08AM -0500, Sean Quinlan wrote: Where Jesse replies: And you can always set up individual addresses to not get mail. Configuration - Users, search for the user, leave the username as the email address and then blank out the email address of the user record. -kevin pgpJef1PDOzks.pgp Description: PGP signature
Re: [rt-users] Endless auto-reply loop
They aren't a user in RT. The only users within RT are the staff and volunteers for the membership office. The 'clients' are the the thousands of people who join the organization (Interscholastic Equestrian Association), mostly riders and coaches. Because the membership 'office' is actually a group of people who are widely distributed geographically, working out of their homes, keeping track of support requests was becoming a nightmare. Our hope is that RT can centralize the point of communication and tracking open issues. Given that, we configured it so anyone could email in and create a new ticket. Most members of the IEA do have an email address, so I suppose we could add them all 'by hand', but how would we keep the membership in sync, which changes a little all the time and has significant churn every enrollment period (late summer). Thanks, Sean On Tue, Jan 18, 2011 at 11:52 AM, Kevin Falcone falc...@bestpractical.comwrote: On Tue, Jan 18, 2011 at 10:05:08AM -0500, Sean Quinlan wrote: Where Jesse replies: And you can always set up individual addresses to not get mail. Configuration - Users, search for the user, leave the username as the email address and then blank out the email address of the user record. -kevin
Re: [rt-users] Endless auto-reply loop
On Tue, Jan 18, 2011 at 12:05:06PM -0500, Sean Quinlan wrote: They aren't a user in RT. The only users within RT are the staff and volunteers for the membership office. The 'clients' are the the thousands of people who join the organization (Interscholastic Equestrian Association), mostly riders and coaches. Because the membership 'office' is actually a group of people who are widely distributed geographically, working out of their homes, keeping track of support requests was becoming a nightmare. Our hope is that RT can centralize the point of communication and tracking open issues. Given that, we configured it so anyone could email in and create a new ticket. Most members of the IEA do have an email address, so I suppose we could add them all 'by hand', but how would we keep the membership in sync, which changes a little all the time and has significant churn every enrollment period (late summer). You said you don't want RT emailing a mailing list. To stop it from sending mail to the mailing list: Configuration - Users, search for the user, leave the username as the email address and then blank out the email address of the user record. -kevin If RT has received or sent mail to an email address, there is a User, believe me. -kevin pgpJhacnREL3z.pgp Description: PGP signature
[rt-users] best order to apply when upgrading
Hi All,What is the best order to upgrade when RTIR and RTFM are installed?RT first then RTFM and RTIR? or RTIR and RTFM first?Best Regards,--Daniel A. MeloGrupo de Resposta a Ataques da IntranetSERPRO - Serviço Federal de Processamento de Dadosdaniel.m...@serpro.gov.br55 81 2126 4220
Re: [rt-users] [Rt-devel] rt-4.0.0rc2 eating so much CPU
On Tue, Jan 18, 2011 at 08:22:03PM +0300, Odhiambo Washington wrote: DevelMode is commented out in my config. Do I have to explicitly turn it off? I have turned it off and here is the MasonX::Profiler result now: http://goo.gl/q6gc3 Can you go to Configuration - Tools - System Information and send that to the list?
Re: [rt-users] Endless auto-reply loop
Ah, my apologies! I went to the Users page and didn't see them, and did not register your instruction to search for them. Thanks for being patient and reposting your instructions. I have done as you suggested, and hopefully that takes care of it. Thanks again, Sean On Tue, Jan 18, 2011 at 12:18 PM, Kevin Falcone falc...@bestpractical.comwrote: On Tue, Jan 18, 2011 at 12:05:06PM -0500, Sean Quinlan wrote: They aren't a user in RT. The only users within RT are the staff and volunteers for the membership office. The 'clients' are the the thousands of people who join the organization (Interscholastic Equestrian Association), mostly riders and coaches. Because the membership 'office' is actually a group of people who are widely distributed geographically, working out of their homes, keeping track of support requests was becoming a nightmare. Our hope is that RT can centralize the point of communication and tracking open issues. Given that, we configured it so anyone could email in and create a new ticket. Most members of the IEA do have an email address, so I suppose we could add them all 'by hand', but how would we keep the membership in sync, which changes a little all the time and has significant churn every enrollment period (late summer). You said you don't want RT emailing a mailing list. To stop it from sending mail to the mailing list: Configuration - Users, search for the user, leave the username as the email address and then blank out the email address of the user record. -kevin If RT has received or sent mail to an email address, there is a User, believe me. -kevin
[rt-users] Certain RT operations painfully slow.
RT Users, A few years ago we started adding a group as AdminCc to many tickets. It made sense for our process and seemed like a good idea at the time. Fast forward to today. This group is AdminCc on many, many tickets. Now when we add a new member to the group it can take 15 minutes for the add to complete, usually with the web interface timing out. To alleviate this situation I wrote a script to remove this group from many old tickets, but this too is taking a long time to complete. Here's the key line from the script: my ($status, $msg) = $t-DeleteWatcher(PrincipalId = $pid, Type = AdminCc, Silent = 1); Which causes this long running mysql query: Command: Query Time: 86 State: Sending data Info: SELECT main.* FROM CachedGroupMembers main WHERE ((main.Via = '28522070')) AND ((main.id != '28522070')) Ouch. Can anyone recommend an approach to fixing this problem? Thanks.
Re: [rt-users] Certain RT operations painfully slow.
On Tue, Jan 18, 2011 at 12:43:47PM -0500, Todd Chapman wrote: RT Users, A few years ago we started adding a group as AdminCc to many tickets. It made sense for our process and seemed like a good idea at the time. Fast forward to today. This group is AdminCc on many, many tickets. Now when we add a new member to the group it can take 15 minutes for the add to complete, usually with the web interface timing out. To alleviate this situation I wrote a script to remove this group from many old tickets, but this too is taking a long time to complete. Here's the key line from the script: my ($status, $msg) = $t-DeleteWatcher(PrincipalId = $pid, Type = AdminCc, Silent = 1); Which causes this long running mysql query: Command: Query Time: 86 State: Sending data Info: SELECT main.* FROM CachedGroupMembers main WHERE ((main.Via = '28522070')) AND ((main.id != '28522070')) Ouch. Can anyone recommend an approach to fixing this problem? Todd, What does an EXPLAIN on that select tell you? Thanks. --
Re: [rt-users] Certain RT operations painfully slow.
On Tue, Jan 18, 2011 at 12:48 PM, Jesse Vincent je...@bestpractical.com wrote: On Tue, Jan 18, 2011 at 12:43:47PM -0500, Todd Chapman wrote: RT Users, A few years ago we started adding a group as AdminCc to many tickets. It made sense for our process and seemed like a good idea at the time. Fast forward to today. This group is AdminCc on many, many tickets. Now when we add a new member to the group it can take 15 minutes for the add to complete, usually with the web interface timing out. To alleviate this situation I wrote a script to remove this group from many old tickets, but this too is taking a long time to complete. Here's the key line from the script: my ($status, $msg) = $t-DeleteWatcher(PrincipalId = $pid, Type = AdminCc, Silent = 1); Which causes this long running mysql query: Command: Query Time: 86 State: Sending data Info: SELECT main.* FROM CachedGroupMembers main WHERE ((main.Via = '28522070')) AND ((main.id != '28522070')) Ouch. Can anyone recommend an approach to fixing this problem? Todd, What does an EXPLAIN on that select tell you? mysql explain SELECT main.* FROM CachedGroupMembers main WHERE ((main.Via = '28522070')) AND ((main.id != '28522070'))\G *** 1. row *** id: 1 select_type: SIMPLE table: main type: range possible_keys: PRIMARY key: PRIMARY key_len: 4 ref: NULL rows: 20568305 Extra: Using where 1 row in set (0.02 sec) Thanks. --
Re: [rt-users] Certain RT operations painfully slow.
Sorry, forgot the list. Kenn On Tue, Jan 18, 2011 at 9:55 AM, Kenneth Crocker kfcroc...@lbl.gov wrote: Todd, I'm thinking this AdminCc group has a whole bunch of Global rights. That would do it. We did something similar but made it a bit more granular; we create a Global Group for AdminCc but only gave them these rights; *AdminUsers, AssignCustomFields, SeeCustomFields, SeeGroup, ShowConfigTab, ShowScrips, ShowTemplates, WatchAsAdminCc*). Then we created an AdminCc group for each set of Queues that belong to a specific Support Group (like Financial). These AdminCc Sub-groups would be given rights *more specific to the Queues they support*. This saves a lot of time when RT is searching for user privileges per ticket. Global rights that involve Ticket privileges can be real time burners. Hope this helps. Kenn LBNL On Tue, Jan 18, 2011 at 9:43 AM, Todd Chapman t...@chaka.net wrote: RT Users, A few years ago we started adding a group as AdminCc to many tickets. It made sense for our process and seemed like a good idea at the time. Fast forward to today. This group is AdminCc on many, many tickets. Now when we add a new member to the group it can take 15 minutes for the add to complete, usually with the web interface timing out. To alleviate this situation I wrote a script to remove this group from many old tickets, but this too is taking a long time to complete. Here's the key line from the script: my ($status, $msg) = $t-DeleteWatcher(PrincipalId = $pid, Type = AdminCc, Silent = 1); Which causes this long running mysql query: Command: Query Time: 86 State: Sending data Info: SELECT main.* FROM CachedGroupMembers main WHERE ((main.Via = '28522070')) AND ((main.id != '28522070')) Ouch. Can anyone recommend an approach to fixing this problem? Thanks.
Re: [rt-users] Modifying History-information?
Johan, Why ShowTicket to everybody? Why not just grant that right to the Requestors and the Support Group (User-defined group) and AdminCc role and Owner role that supports a specific Queue within that Queue GroupRights page? Otherwise, Searches will start taking a LONG TIME, unless you have a small User's list. Kenn LBNL On Mon, Jan 17, 2011 at 2:51 AM, Johan Elmerfjord jelme...@adobe.comwrote: We are about to open up RT for everyone in the company, and are doing this by setting the Privileges: SeeQueue and ShowTicket to the group Everybody. Then we run with External Ldap authentication - so all company users can use the /SelfService/ - interface. We have a little problem though. We have a number of tickets that contains sensitive information. Like Usernames and passwords. Sometimes such info is added by the ticket-requester that doesn't see the harm in doing so. Is there a way for the ticket-owner - or a super-user to go in and delete such info from the history? Either through RT directly - or if there are any other tools available? I'm not found of doing updates in database directly - and before I write a tool to do it - I'll better ask here. Regards, Johan -- *Johan Elmerfjord* | Sr. Systems Administration/Mgr, EMEA | Adobe Systems (OBU) | p. +45 36 98 89 50 x6008 | cell. +46 735 101 444 | joh...@adobe.com
Re: [rt-users] Certain RT operations painfully slow.
Todd, Which causes this long running mysql query: Time: 86 Info: SELECT main.* FROM CachedGroupMembers main WHERE ((main.Via = '28522070')) AND ((main.id != '28522070')) Can anyone recommend an approach to fixing this problem? What does an EXPLAIN on that select tell you? mysql explain SELECT main.* FROM CachedGroupMembers main WHERE ((main.Via = '28522070')) AND ((main.id != '28522070'))\G select_type: SIMPLE table: main type: range possible_keys: PRIMARY key: PRIMARY key_len: 4 ref: NULL rows: 20568305 Extra: Using where 1 row in set (0.02 sec) What happens if you add an index on Via? Jesse --
Re: [rt-users] Endless auto-reply loop
On Tue, Jan 18, 2011 at 12:18 PM, Kevin Falcone falc...@bestpractical.comwrote: Configuration - Users, search for the user, leave the username as the email address and then blank out the email address of the user record. -kevin That appears to have worked perfectly, and if I run into this specific issue again I now know how to quickly resolve it. Thanks, Sean
Re: [rt-users] Certain RT operations painfully slow.
On Tue, Jan 18, 2011 at 1:13 PM, Jesse Vincent je...@bestpractical.com wrote: Todd, Which causes this long running mysql query: Time: 86 Info: SELECT main.* FROM CachedGroupMembers main WHERE ((main.Via = '28522070')) AND ((main.id != '28522070')) Can anyone recommend an approach to fixing this problem? What does an EXPLAIN on that select tell you? mysql explain SELECT main.* FROM CachedGroupMembers main WHERE ((main.Via = '28522070')) AND ((main.id != '28522070'))\G select_type: SIMPLE table: main type: range possible_keys: PRIMARY key: PRIMARY key_len: 4 ref: NULL rows: 20568305 Extra: Using where 1 row in set (0.02 sec) What happens if you add an index on Via? I'm considering that, but with 20 million+ rows it will take a non-trivial amount of time. Jesse --
Re: [rt-users] Certain RT operations painfully slow.
And here is the slow query for adding a new member to a group that is AdminCc on a large number of tickets: db: rt3 Command: Query Time: 59 State: Sending data Info: SELECT main.* FROM CachedGroupMembers main WHERE ((main.MemberId = 541915)) mysql explain SELECT main.* FROM CachedGroupMembers main WHERE ((main.MemberId = 541915))\G *** 1. row *** id: 1 select_type: SIMPLE table: main type: ref possible_keys: CachedGroupMembers3 key: CachedGroupMembers3 key_len: 5 ref: const rows: 417216 Extra: Using where 1 row in set (0.00 sec) Even when the query completes RT takes a long time to complete. Perhaps the query is timing out and RT goes off into the weeds? RT version 3.6.3. On Tue, Jan 18, 2011 at 12:43 PM, Todd Chapman t...@chaka.net wrote: RT Users, A few years ago we started adding a group as AdminCc to many tickets. It made sense for our process and seemed like a good idea at the time. Fast forward to today. This group is AdminCc on many, many tickets. Now when we add a new member to the group it can take 15 minutes for the add to complete, usually with the web interface timing out. To alleviate this situation I wrote a script to remove this group from many old tickets, but this too is taking a long time to complete. Here's the key line from the script: my ($status, $msg) = $t-DeleteWatcher(PrincipalId = $pid, Type = AdminCc, Silent = 1); Which causes this long running mysql query: Command: Query Time: 86 State: Sending data Info: SELECT main.* FROM CachedGroupMembers main WHERE ((main.Via = '28522070')) AND ((main.id != '28522070')) Ouch. Can anyone recommend an approach to fixing this problem? Thanks.
Re: [rt-users] Certain RT operations painfully slow.
RT version 3.6.3. You really need to come up to (at least) 3.8 for anyone here at BPS to be able to even hope to help you on this one. We've made many, many improvements to the codepaths you're touching. (To say nothing of how much we've cut down the size of the CachedGroupMembers table.) Best, Jesse
Re: [rt-users] Certain RT operations painfully slow.
Understood. Thanks. On Tue, Jan 18, 2011 at 1:45 PM, Jesse Vincent je...@bestpractical.com wrote: RT version 3.6.3. You really need to come up to (at least) 3.8 for anyone here at BPS to be able to even hope to help you on this one. We've made many, many improvements to the codepaths you're touching. (To say nothing of how much we've cut down the size of the CachedGroupMembers table.) Best, Jesse
Re: [rt-users] Certain RT operations painfully slow.
Todd, Another approach is to dissect DeleteWatcher into its row sql and re-write your script to talk sql directly instead of going through the api ... (Its highly not recommended) but with 20 million rows its an option. The advantages you gain is not having to do as many selects. You may still get queries lasting 86s , but I would bet those will be 50% less than the api. Good luck Roy -Original Message- From: rt-users-boun...@lists.bestpractical.com [mailto:rt-users- boun...@lists.bestpractical.com] On Behalf Of Todd Chapman Sent: 18 January 2011 18:19 To: Jesse Vincent Cc: rt-users Subject: Re: [rt-users] Certain RT operations painfully slow. On Tue, Jan 18, 2011 at 1:13 PM, Jesse Vincent je...@bestpractical.com wrote: Todd, Which causes this long running mysql query: Time: 86 Info: SELECT main.* FROM CachedGroupMembers main WHERE ((main.Via = '28522070')) AND ((main.id != '28522070')) Can anyone recommend an approach to fixing this problem? What does an EXPLAIN on that select tell you? mysql explain SELECT main.* FROM CachedGroupMembers main WHERE ((main.Via = '28522070')) AND ((main.id != '28522070'))\G select_type: SIMPLE table: main type: range possible_keys: PRIMARY key: PRIMARY key_len: 4 ref: NULL rows: 20568305 Extra: Using where 1 row in set (0.02 sec) What happens if you add an index on Via? I'm considering that, but with 20 million+ rows it will take a non-trivial amount of time. Jesse --
Re: [rt-users] issues with Taint mode?
Resolved, thanks Alex for your post to the other webmux.pl thread. Needed to comment out the perlswitches section of the mod_perl/apache config. From: rt-users-boun...@lists.bestpractical.com [mailto:rt-users-boun...@lists.bestpractical.com] On Behalf Of Sullivan, Rob Sent: Thursday, January 13, 2011 6:18 PM To: rt-users@lists.bestpractical.com Subject: [rt-users] issues with Taint mode? Greetings. I'm setting up a new RT 3.8.8 instance in a Solaris 10 zone with apache2.2/modperl2.03/Perl5.8.8 (all packages from blastwave). All deps are met and it builds fine. Web server user /group is nobody/nobody, perl -c RT_SiteConfig.pm checks out fine. Apache fails when starting when I add the PerlRequire /opt/rt3/bin/webmux.pl line in the V-host entry with the following error: [Thu Jan 13 17:44:25 2011] [error] Couldn't load RT config file RT_SiteConfig.pm:\n\nInsecure dependency in require while running with -T switch at /opt/rt3/bin/../lib/RT/Config.pm line 562.\nCompilation failed in require at (eval 7) line 1.\n [Thu Jan 13 17:44:25 2011] [error] Can't load Perl file: /opt/rt3/bin/webmux.pl for server rt01.chi1.prlss.net:0, exiting... So it appears that something (setuid?) is trigging taint mode with perl, which causes the app to fail. I should add that I've got RT3.6.6 working with the same build of perl in a different zone, though that RT install also came from blastwave. Same apache/perl/modperl version and config. Is there anything I can do in the config to suppress taint mode, or is there something obvious I'm missing? Here's the httpd-vhost.conf entry NameVirtualHost *:80 # VirtualHost *:80 ServerName rt01.chi1.prlss.net ServerAlias tt.prlss.net ServerAdmin rsulli...@peerlessnetwork.com DocumentRoot /opt/rt3/share/html/ #ErrorLog /var/opt/csw/apache2/log/RT-error_log #CustomLog /var/opt/csw/apache2/log/RT-access_log common #PerlModule Apache::DBI AddDefaultCharset UTF-8 PerlRequire /opt/rt3/bin/webmux.pl Directory /opt/rt3/share/html Order allow,deny Allow from all SetHandler perl-script PerlResponseHandler RT::Mason /Directory /VirtualHost Thanks, Rob
[rt-users] Secure RSS Feeds?
I'm testing the RSS feeds feature in RT and noticed that I can update the feed results in my RSS reader without logging into RT. I'm guessing this is related to the NoAuth that is embedded in the feed location URL. Is there a way to secure all RT RSS feeds so that the user is prompted for their credentials the first time they update the feed during a browser/reader session? Thanks- Lee
Re: [rt-users] webmux.pl - Insecure dependency in chdir while running with -T switch
Hi Alex, Thank you for that clarification. I went grepping for the PerlTaintCheck line in the config files, and it is nowhere to be found. I did find then -T option to perl under Mandriva's mod_perl config file, but it was already set to not be enabled. This is obviously distribution specific - I am not sure if a default has changed somewhere or what. I moved the RT installation to another server (Supposedly identical as well), and things are working fine there. Thank you for your input everyone, I'll leave it at that. Regards, Kim P On 2011-01-18 04:35, Alex Vandiver wrote: On Tue, 2011-01-18 at 01:27 -0400, Kim Pedersen wrote: [error] Insecure dependency in chdir while running with -T switch at /usr/lib/perl5/5.10.1/File/Path.pm line 250.\nCompilation failed in require at (eval 2) line 1.\n We don't support running RT under taint mode. Remove the PerlTaintCheck line from your mod_perl configuration. - Alex
