SledgehammerPL's questions

I want to allow one user to run specialscript.sh as root

so in his folder i created

-rwxr----  1 root deployers     142 Jul 16 14:07 specialscript.sh

and in sudoers.d/specialscripts:

user123 ALL=(root) NOPASSWD: /home/user123/specialscript.sh



$ sudo specialscript.sh
Running script as user root
$

perfect

other users can't access to /home/user123 files - so it is secure. if some user moves it to other folder it won't work.

BUT

because user is in group deployers he can see the content of this file (and this is intentional).

BUT he can also edit this file. After save the ownership changed to

-rwxr----  1 user123 user123    142 Jul 16 14:07 specialscript.sh

BUT he can still run it as root...

$ sudo specialscript.sh
Running script as user root
HAHAHA! I CAN RUN rm -rf!
$

for now the only prevention i can see is to change group or remove read (which prevents reading) or chattr +i /home/user123/specialscript.sh

but this is not obvious behaviour...

If I run it /usr/sbin/postgrey with parameteres it works as usual. If i use /etc/init.d/postgrey restart or systemctl restart postgrey - it doesn't.

It looks like it doesn't read /etc/default/postgrey at all, but how to debug this? And if so, how to force it?

/etc/default/postgrey:

POSTGREY_OPTS="--unix /var/spool/postfix/postgrey/socket"

Remote debian buster server, so can't go to console.

Yesterday it worked properly, today it has stopped responding. I can reboot it remotely, so after reboot I can reconnect, but I can only run short command like top and I lose the connection. On top, I found that 100% is clamd, but when I tried to /etc/init.d/clamd-daemon sto I lost the connection before typing last the letter. So I copied it next time, but it doesn't help. I wonder which logs should I try to get (via scp) for better diagnosis....

I created /root/example.sh from here at the host, and with aa-genprof denied it.

# ./example.sh
This is an apparmor example.
./example.sh: line 5: /usr/bin/touch: Permission denied
File created
./example.sh: line 8: /bin/rm: Permission denied
File deleted

great - it works!

But if i copy it into containers (at the same /root folder) it works normal (without any restrictions).

First think is to install apparmor at container, but wait!!! some of processes inside containers logs into host syslog (postdrop is denied to access dynamicmaps.cd.d - and this postdrop is running in container!).

So somehow I have to add example.sh into host apparmor.d, and it should also affect all containers... But how?

After instaling debian buster apparmor made my life harder. But I want to familiar with it, so i try to tune profiles (i'm very debianish, so I hope that it is temporary, next upgrade should fix most problems I suppose).

One of message looks for me very easy:

Jul 25 13:01:03 zenon kernel: audit: type=1400 audit(1564052463.462:1334): apparmor="DENIED" operation="open" profile="/usr/sbin/postdrop" name="/etc/postfix/dynamicmaps.cf.d/" pid=25297 comm="postdrop" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

I thought that I should add /etc/postfix/dynamicmaps.cf.d r, to /etc/apparmor.d/usr.sbin.postdrop

and reload profile ... But still denied. So i thought maybe I should also add /etc/postfix/dynamicmaps.cf.d/* r, to /etc/apparmor.d/usr.sbin.postdrop and reload profile...

But still denied...

Maybe I add it to wrong place???

whole file:

# ------------------------------------------------------------------
#
#    Copyright (C) 2002-2005 Novell/SUSE
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------
# vim:syntax=apparmor

#include <tunables/global>

/usr/sbin/postdrop {
  #include <abstractions/base>
  #include <abstractions/kerberosclient>
  #include <abstractions/nameservice>
  #include <abstractions/postfix-common>

  # This is needed at least for permissions=paranoid
  capability dac_override,
  capability dac_read_search,

  /etc/postfix r,
  /etc/postfix/main.cf r,
  /etc/postfix/dynamicmaps.cf.d r,
  /etc/postfix/dynamicmaps.cf.d/* r,
  /etc/postfix/postfix-script mixr,
  @{PROC}/net/if_inet6 r,
  /usr/sbin/postdrop rmix,
  /var/spool/postfix r,
  /var/spool/postfix/maildrop r,
  /var/spool/postfix/maildrop/* rwl,
  /var/spool/postfix/pid r,
  /var/spool/postfix/public/pickup w,
}

I can't run dovecot in lxc on Buster. I turn off PrivateTmp, but it isn't enough... Still :

[ 4850.883141] audit: type=1400 audit(1563803461.322:34): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=23810 comm="(dovecot)" flags="rw, rslave"

I have a problem with moving into predictable network interfaces - if i rename eth01 into enp1s0 - can't login (interface doesn't starting up). I checked /etc/default/grub for net.ifnames=0 - not found. Also checked /etc/udev/rules.d/70-persistent-net.rules but file doesn't exists.

During reboot my machine hangs on

[ OK ] Removed slice system-postfix.slice

I don't know if problem is with postfix (guess not, because of [ OK ]), but how to find what is next service (which hangs I suppose)

It's still alive - I can keep pressing Ctrl+Alt+Delete and get:

[447.012345] systemd-shutdow: 35 output lines suppresed due to ratelimiting
[447.012346] systemd-shutdown[1]: Sending SIGTERM to remaining processes...
[447.012347] systemd-journal[175]: Received SIGTERM from PID 1 (systemd-shutdow).

Then it freezes for about 90 seconds (suppose DefaultTimeout from system.conf) and then finally reboots. This happens on both systems I've upgraded to Jessie.

The biggest problem is that CLI wizard doesn't work on Debian package. So icinga2 node wizard is impossible.

So i have to edit configs manually, but this is so weird, that after reading i know less then before.

Few questions:

1. what is a difference between satelitte and client?
2. What is a difference between zone and cluster?
3. If set zones and endpoints, should I see hosts on webpanel? Or I have to set it independently?

I want to see all my hosts in one web panel, and I want to manage it from this one master computer.

I think, that I have to run icinga2 on all hosts.

What I did for now:

On master computer I changed zones.conf:

/*
 * Endpoint and Zone configuration for a cluster setup
 * This local example requires `NodeName` defined in
 * constants.conf.
 */

object Endpoint "chart-left" {
  host = "127.0.0.1"
}
object Endpoint "gonzales" {
  host = "W.X.Y.Z"
}

object Zone "master" {
  endpoints = [ "chart-left" ]
}

object Zone "checker" {
  endpoints = [ "gonzales" ]
  parent = "master"
}
/*
 * Defines a global zone containing templates,
 * etc. synced to all nodes, if they accept
 * configuration. All remote nodes need
 * this zone configured too.
 */

/*
object Zone "global-templates" {
  global = true
}
*/

And on client computer zones.conf differs with IP:

/*
 * Endpoint and Zone configuration for a cluster setup
 * This local example requires `NodeName` defined in
 * constants.conf.
 */


object Endpoint "chart-left" {
  host = "A.B.C.D"
}

object Zone "master" {
  endpoints = [ "chart-left" ]
}

object Endpoint "gonzales" {
  host = "127.0.0.1"
}
object Zone ZoneName {
  endpoints = [ "gonzales" ]
  parent = "master"
}
/*
 * Defines a global zone containing templates,
 * etc. synced to all nodes, if they accept
 * configuration. All remote nodes need
 * this zone configured too.
 */

/*
object Zone "global-templates" {
  global = true
}
*/

And in both logs appears some informations:

master:

[2016-04-13 00:47:17 +0200] information/ApiClient: Reconnecting to API endpoint 'gonzales' via host 'W.X.Y.Z' and port 5665

client:

[2016-04-13 00:54:10 +0200] information/ApiListener: New client connection for identity 'chart-left'

But looking at panel I still see only localhost (chart-left) - which is defined in hosts.conf.

The zones.d tree looks like:

zones.d/
  README
  checker/
  global-templates/
  master/ 

without any files in checker/ master/ nor global-templates/

Let's assume I run putty on windows and connect to Debian Jessie remotely. I run Midnight commander, and run long term task. Than got power loss on Windows, so putty connection is lost.

Of course I should use screen, but i forgot.

After reconnection I can see mc in ps ax.

 1864 pts/3    S+     0:10 mc

Is there a way to reconnect to this process? (And is it running?)

Debian stable (Jessie)

I have few containers - in one container there is postgresql. I want to start it first (I hope that my config does it).

After reboot all containers starts, but i can't log in few of them (ssh doesn't starts, console neither). So I have to lxc-stop -n base; lxc-start -n base -d.

After that i can log in, but postgresql is stopped. But log says, that it is stopped by reboot, not by lxc-stop (or lxc-stop doesn't affect logs)

How to find why it isn't started correctly after reboot

I would like to show log, but it is in polish (how to change it into english)?

2016-03-06 09:43:53 CET [825-1] postgres@postgres KATASTROFALNY:  system bazy danych uruchamia się
2016-03-06 09:43:54 CET [831-1] postgres@postgres KATASTROFALNY:  system bazy danych uruchamia się
2016-03-06 09:43:54 CET [837-1] postgres@postgres KATASTROFALNY:  system bazy danych uruchamia się
2016-03-06 09:43:54 CET [595-1] DZIENNIK:  odebrano żądanie inteligentnego zamknięcia
2016-03-06 09:44:15 CET [737-2] DZIENNIK:  system bazy danych nie został poprawnie zamknięty; trwa automatyczne odzyskiwanie
2016-03-06 09:44:17 CET [737-3] DZIENNIK:  record with zero length at 0/A1B44AB8
2016-03-06 09:44:17 CET [737-4] DZIENNIK:  ponowienie nie jest wymagane
2016-03-06 09:44:18 CET [737-5] DZIENNIK:  MultiXact member wraparound protections are now enabled
2016-03-06 09:44:18 CET [951-1] DZIENNIK:  zamykanie 
2016-03-06 09:44:19 CET [951-2] DZIENNIK:  system bazy danych jest zamknięty

lxcconfig:

#Autostart
lxc.start.auto = 1
lxc.start.delay = 0
lxc.start.order = 1000
lxc.group = onboot


lxc.rootfs = /var/lib/lxc/base/rootfs
lxc.tty = 4
lxc.pts = 1024
lxc.arch = amd64
lxc.utsname = base
lxc.cap.drop = sys_module mac_admin mac_override sys_time
lxc.autodev = 1
lxc.kmsg = 0

(...)

How to set dovecot to allow plain auth for some IP? I have lxc-containers - one with roundcube, and one with dovecot. Because the ip are different disable_plaintext_auth = yes disallows plain connection from roundcube. I can't use ssl || tls because internal IP doesn't match ssl cert CommonName (external IP).

So, do yoy have idea how to enable plain for one ip?

How to set up lxc to get /dev/ttyS0 in lxc container.

I add

# /dev/ttyS0
lxc.cgroup.devices.allow = c 4:64 rwm

into config

but nothing works -

If I add manually mknod in running container everything works until reboot - after reboot device ttyS0 disappears

I upgraded server from Wheezy to Jessie, and Apache 2.4 stops working...

Especially on port 443 there's no ssl ....

telnet myhost 443
GET https://myhost
<html><meta http-equiv='Content-Type' content='text/html; charset=utf-8'/><body>Something in /var/www/html/index.html</body></html>>Connection closed by foreign host.

It should be:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
Reason: You're speaking plain HTTP to an SSL-enabled server port.<br />
 Instead use the HTTPS scheme to access this URL, please.<br />
</p>
</body></html>
Connection closed by foreign host.

SSLEngine is on - yesterday everything works properly, but it was Wheezy, not Jessie...

* update * Fresh mind - I found, that connection to :443 is logged to /var/log/apache2/access.log instead of /var/log/apache2-ssl/access.log But why?

After upgrade from squeezy to wheezy my network configuration lost gateway.

(i have lxc containers, and all of wheezy losts, one, which i want to stay squeezy - still have, so i'm sure, that the problem is of wheezy upgrade)

I have to add manually route add default gw x.x.x.x eth0 to bring back - but reboot remove it of course.

What is the correct way to set gateway on wheezy?

my /etc/network/interfaces:

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
  address 172.16.0.5
  netmask 255.255.255.0
  gateway 172.16.0.1
  broadcast 172.16.0.255

====================================== added ========================

#netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
172.16.0.0      0.0.0.0         255.255.255.0   U         0 0          0 eth0

I'm definetely sure that wheezy breaks sth. I found, that i have one more squeeze container (not important) which has gateway working - i upgraded it and gateway is lost..

I don't use any NetworkManager (intentionaly) - no gui at all

I don't understand the modes of lxc network.

I'd like to have 4 guests: apache1, apache2, database and frontdoor

frontdoor is a squid which decides which apache should be used

It works perfectly on vservers, when all of guests has a dummy interface (isolated from web) and frontdoor has two interfaces real eth0 and dummy

Now I migrate to lxc, and instead of dummy I use bridge (on host) and mode=veth (on guests)

I'm not happy seeing four vethLIJG3f in ifconfig, but let's see its ok.

the problem is, that I CAN'T get to squid. I'm trying to iptables -t NAT -A PREROUTING -p tcp --dport 80 -j DNAT --to-dest 172.16.0.2 but it simply doesn't work.

I wonder if I should change veth to something else?