From Ondrej.Valousek at s3group.com Tue Nov 1 11:14:23 2016
From: Ondrej.Valousek at s3group.com (Ondrej Valousek)
Date: Tue, 1 Nov 2016 10:14:23 +0000
Subject: [mpm-itk] ITK use case
Message-ID:

Hi all,

I have presented ITK use case and experience (for DAV SVN specifically) on my page here:
https://ovalousek.wordpress.com/
in case someone is interested :)

Ondrej

From Sam.Langdon at lbsltd.co.uk Mon Nov 14 18:37:36 2016
From: Sam.Langdon at lbsltd.co.uk (Sam Langdon)
Date: Mon, 14 Nov 2016 17:37:36 +0000
Subject: [mpm-itk] MPM-ITK problems with SSH
In-Reply-To: <2707F514C9E0814D868A99932C975A023219C9FD@GBDCS02EXM01.hachette.hluk.net>
References: <2707F514C9E0814D868A99932C975A023219C9FD@GBDCS02EXM01.hachette.hluk.net>
Message-ID: <2707F514C9E0814D868A99932C975A023219CAEC@GBDCS02EXM01.hachette.hluk.net>

I'm trying to run SSH through a PHP script on a vhost using mpm_itk on Apache/Ubuntu (with the ultimate aim of using rsync to sync a directory on another server via SSH), but it's failing even with a simple SSH version check, with the message:

PRIV_END: seteuid: Operation not permitted

The PHP script executes the SSH version check like this:

exec("ssh -V 2>&1",$out);

I've discovered that if I disable the mpm_itk module, SSH appears to work again via the PHP script. I suppose mpm_itk is trying to change the effective user id after SSH starts and SSH understandably doesn't like that.

Any thoughts on how to make it work would be very welcome.

Many thanks,
Sam Langdon

Please consider the environment. Do you really need to print this email?
Click here for company information http://www.lbsltd.co.uk/ or here for our Email Disclaimer http://www.lbsltd.co.uk/EmailDisclaimer.htm
Littlehampton Book Services Limited. Registered Office: Faraday Close, Durrington, Worthing, West Sussex, BN13 3RB. Registered in England No. 250744

From sgunderson at bigfoot.com Mon Nov 14 18:47:37 2016
From: sgunderson at bigfoot.com (Steinar H. Gunderson)
Date: Mon, 14 Nov 2016 18:47:37 +0100
Subject: [mpm-itk] MPM-ITK problems with SSH
In-Reply-To: <2707F514C9E0814D868A99932C975A023219CAEC@GBDCS02EXM01.hachette.hluk.net>
References: <2707F514C9E0814D868A99932C975A023219C9FD@GBDCS02EXM01.hachette.hluk.net> <2707F514C9E0814D868A99932C975A023219CAEC@GBDCS02EXM01.hachette.hluk.net>
Message-ID: <20161114174736.GA17919@sesse.net>

On Mon, Nov 14, 2016 at 05:37:36PM +0000, Sam Langdon wrote:
> I'm trying to run SSH through a PHP script on a vhost using mpm_itk on
> Apache/Ubuntu (with the ultimate aim of using rsync to sync a directory on
> another server via SSH), but it's failing even with a simple SSH version
> check, with the message:
>
> PRIV_END: seteuid: Operation not permitted

This is strange. Why would the ssh client want to seteuid()? It doesn't do that there, and /usr/bin/ssh shouldn't be setuid in any way.

Apart from that, it sounds like the seccomp sandbox is limiting you, so you could try fiddling with LimitUIDRange/LimitGIDRange.

/* Steinar */
--
Homepage: https://www.sesse.net/

From Sam.Langdon at lbsltd.co.uk Mon Nov 14 19:15:07 2016
From: Sam.Langdon at lbsltd.co.uk (Sam Langdon)
Date: Mon, 14 Nov 2016 18:15:07 +0000
Subject: [mpm-itk] MPM-ITK problems with SSH
In-Reply-To: <20161114174736.GA17919@sesse.net>
References: <2707F514C9E0814D868A99932C975A023219C9FD@GBDCS02EXM01.hachette.hluk.net> <2707F514C9E0814D868A99932C975A023219CAEC@GBDCS02EXM01.hachette.hluk.net> <20161114174736.GA17919@sesse.net>
Message-ID: <2707F514C9E0814D868A99932C975A023219CBE3@GBDCS02EXM01.hachette.hluk.net>

Thanks for the quick response Steinar. I assumed mpm-itk calls seteuid behind the scenes for the user impersonation and SSH sees that as an issue, but I may have assumed very wrongly!

I've tried setting the LimitUIDRange/LimitGIDRange in my /etc/apache2/conf-enabled/security.conf, by including all likely ids (0 6000) and restricting so it doesn't include any of the relevant ones (2000 2001), but the best I can get is an error with the latter.

If it's any clue, my sshd_config file contents is as follows:

# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

-----Original Message-----
From: mpm-itk [mailto:mpm-itk-bounces at err.no] On Behalf Of Steinar H. Gunderson
Sent: 14 November 2016 17:48
To: mpm-itk at err.no
Subject: Re: [mpm-itk] MPM-ITK problems with SSH

On Mon, Nov 14, 2016 at 05:37:36PM +0000, Sam Langdon wrote:
> I'm trying to run SSH through a PHP script on a vhost using mpm_itk on
> Apache/Ubuntu (with the ultimate aim of using rsync to sync a
> directory on another server via SSH), but it's failing even with a
> simple SSH version check, with the message:
>
> PRIV_END: seteuid: Operation not permitted

This is strange. Why would the ssh client want to seteuid()? It doesn't do that there, and /usr/bin/ssh shouldn't be setuid in any way.

Apart from that, it sounds like the seccomp sandbox is limiting you, so you could try fiddling with LimitUIDRange/LimitGIDRange.

/* Steinar */
--
Homepage: https://www.sesse.net/

_______________________________________________
mpm-itk mailing list
mpm-itk at err.no
http://lists.err.no/mailman/listinfo/mpm-itk

From sgunderson at bigfoot.com Mon Nov 14 19:26:39 2016
From: sgunderson at bigfoot.com (Steinar H. Gunderson)
Date: Mon, 14 Nov 2016 19:26:39 +0100
Subject: [mpm-itk] MPM-ITK problems with SSH
In-Reply-To: <2707F514C9E0814D868A99932C975A023219CBE3@GBDCS02EXM01.hachette.hluk.net>
References: <2707F514C9E0814D868A99932C975A023219C9FD@GBDCS02EXM01.hachette.hluk.net> <2707F514C9E0814D868A99932C975A023219CAEC@GBDCS02EXM01.hachette.hluk.net> <20161114174736.GA17919@sesse.net> <2707F514C9E0814D868A99932C975A023219CBE3@GBDCS02EXM01.hachette.hluk.net>
Message-ID: <20161114182639.GA20929@sesse.net>

On Mon, Nov 14, 2016 at 06:15:07PM +0000, Sam Langdon wrote:
> Thanks for the quick response Steinar. I assumed mpm-itk calls seteuid
> behind the scenes for the user impersonation and SSH sees that as an issue,
> but I may have assumed very wrongly!

mpm-itk does call setuid (not seteuid) behind the scenes, but there's no way SSH can know that; it's over by the time the ssh binary gets called.

> I've tried setting the LimitUIDRange/LimitGIDRange in my
> /etc/apache2/conf-enabled/security.conf, by including all likely ids (0
> 6000)

Try including all of them? LimitUIDRange 0 4294967295, and the same for LimitGIDRange.

(I assume security.conf was some file you created yourself.)

> and restricting so it doesn't include any of the relevant ones (2000
> 2001), but the best I can get is an error with the latter.

What do you get at worst, then?

> If it's any clue, my sshd_config file contents is as follows:

sshd_config isn't relevant for the SSH client. An interesting question is what uid it actually tries to; strace will tell you.

/* Steinar */
--
Homepage: https://www.sesse.net/

From Sam.Langdon at lbsltd.co.uk Mon Nov 14 20:17:11 2016
From: Sam.Langdon at lbsltd.co.uk (Sam Langdon)
Date: Mon, 14 Nov 2016 19:17:11 +0000
Subject: [mpm-itk] MPM-ITK problems with SSH
In-Reply-To: <20161114182639.GA20929@sesse.net>
References: <2707F514C9E0814D868A99932C975A023219C9FD@GBDCS02EXM01.hachette.hluk.net> <2707F514C9E0814D868A99932C975A023219CAEC@GBDCS02EXM01.hachette.hluk.net> <20161114174736.GA17919@sesse.net> <2707F514C9E0814D868A99932C975A023219CBE3@GBDCS02EXM01.hachette.hluk.net> <20161114182639.GA20929@sesse.net>
Message-ID: <2707F514C9E0814D868A99932C975A023219CD54@GBDCS02EXM01.hachette.hluk.net>

> Thanks for the quick response Steinar. I assumed mpm-itk calls seteuid
> behind the scenes for the user impersonation and SSH sees that as an
> issue, but I may have assumed very wrongly!

mpm-itk does call setuid (not seteuid) behind the scenes, but there's no way SSH can know that; it's over by the time the ssh binary gets called.

SL: Understood - odd indeed!

> I've tried setting the LimitUIDRange/LimitGIDRange in my
> /etc/apache2/conf-enabled/security.conf, by including all likely ids
> (0 6000)

Try including all of them? LimitUIDRange 0 4294967295, and the same for LimitGIDRange.

SL: I've given it a go, but it doesn't resolve the error (I get exactly the same response)

(I assume security.conf was some file you created yourself.)

SL: It came with my Apache install out of the box - just has a few security settings and seemed like a reasonable place for me to add these kind of restrictions

> and restricting so it doesn't include any of the relevant ones (2000
> 2001), but the best I can get is an error with the latter.

What do you get at worst, then?

SL: I get an 'internal server error' when I restrict to uids that don't include the www-data and hukadmin ids I'm using. Delving into it further, this is what appears in the generic Apache error log (nothing in the log specified in the vhost) when I do this:

[Mon Nov 14 17:23:55.002807 2016] [unixd:alert] [pid 4672] (1)Operation not permitted: AH02156: setgid: unable to set group id to Group 33
[Mon Nov 14 17:23:55.003414 2016] [unixd:alert] [pid 4673] (1)Operation not permitted: AH02156: setgid: unable to set group id to Group 33
[Mon Nov 14 17:23:55.004280 2016] [unixd:alert] [pid 4674] (1)Operation not permitted: AH02156: setgid: unable to set group id to Group 33
[Mon Nov 14 17:23:55.005097 2016] [unixd:alert] [pid 4675] (1)Operation not permitted: AH02156: setgid: unable to set group id to Group 33
[Mon Nov 14 17:23:55.005748 2016] [mpm_prefork:notice] [pid 4668] AH00163: Apache/2.4.7 (Ubuntu) mpm-itk/2.4.6-01 PHP/5.5.9-1ubuntu4.9 OpenSSL/1.0.1f configured -- resuming normal operations
[Mon Nov 14 17:23:55.005815 2016] [core:notice] [pid 4668] AH00094: Command line: '/usr/sbin/apache2'
[Mon Nov 14 17:23:55.005918 2016] [unixd:alert] [pid 4676] (1)Operation not permitted: AH02156: setgid: unable to set group id to Group 33
[Mon Nov 14 17:23:56.413329 2016] [mpm_itk:warn] [pid 4681] (itkmpm: pid=4681 uid=0, gid=0) itk_post_perdir_config(): setgid(33): Operation not permitted
[Mon Nov 14 17:23:56.413410 2016] [mpm_itk:notice] [pid 4681] This is most likely due to the current LimitGIDRange setting.

These errors don't appear when the uids include mine (nor do any other errors I can find in log files, other than the PRIV_END: seteuid: Operation not permitted that comes back via out).

> If it's any clue, my sshd_config file contents is as follows:

sshd_config isn't relevant for the SSH client. An interesting question is what uid it actually tries to; strace will tell you.

SL: I hadn't come across strace before (I wouldn't consider myself a Linux expert!)
- I've just had a quick Google and run it via the PHP script and it's come back with a lot of info, below, which has just blown my mind slightly. Does this mean much to you?

From sgunderson at bigfoot.com Mon Nov 14 20:21:51 2016
From: sgunderson at bigfoot.com (Steinar H. Gunderson)
Date: Mon, 14 Nov 2016 20:21:51 +0100
Subject: [mpm-itk] MPM-ITK problems with SSH
In-Reply-To: <2707F514C9E0814D868A99932C975A023219CD54@GBDCS02EXM01.hachette.hluk.net>
References: <2707F514C9E0814D868A99932C975A023219C9FD@GBDCS02EXM01.hachette.hluk.net> <2707F514C9E0814D868A99932C975A023219CAEC@GBDCS02EXM01.hachette.hluk.net> <20161114174736.GA17919@sesse.net> <2707F514C9E0814D868A99932C975A023219CBE3@GBDCS02EXM01.hachette.hluk.net> <20161114182639.GA20929@sesse.net> <2707F514C9E0814D868A99932C975A023219CD54@GBDCS02EXM01.hachette.hluk.net>
Message-ID: <20161114192151.GA23920@sesse.net>

On Mon, Nov 14, 2016 at 07:17:11PM +0000, Sam Langdon wrote:
> mpm-itk does call setuid (not seteuid) behind the scenes, but there's no
> way SSH can know that; it's over by the time the ssh binary gets called.
> SL: Understood - odd indeed!

Please quote text in the normal way; the way you started writing, it's not easy to see which is your new text.

> SL: I hadn't come across strace before (I wouldn't consider myself a Linux
> expert!) - I've just had a quick Google and run it via the PHP script and
> it's come back with a lot of info, below, which has just blown my mind
> slightly. Does this mean much to you?

You joined everything into one long line, which seemingly got cut, so the seteuid call wasn't included. (Possibly, you tried to interpret strace's output as HTML, which it isn't.) Please see if you can get it correctly across.

/* Steinar */
--
Homepage: https://www.sesse.net/

From Sam.Langdon at lbsltd.co.uk Mon Nov 14 22:35:39 2016
From: Sam.Langdon at lbsltd.co.uk (Sam Langdon)
Date: Mon, 14 Nov 2016 21:35:39 +0000
Subject: [mpm-itk] MPM-ITK problems with SSH
In-Reply-To: <20161114192151.GA23920@sesse.net>
References: <2707F514C9E0814D868A99932C975A023219C9FD@GBDCS02EXM01.hachette.hluk.net> <2707F514C9E0814D868A99932C975A023219CAEC@GBDCS02EXM01.hachette.hluk.net> <20161114174736.GA17919@sesse.net> <2707F514C9E0814D868A99932C975A023219CBE3@GBDCS02EXM01.hachette.hluk.net> <20161114182639.GA20929@sesse.net> <2707F514C9E0814D868A99932C975A023219CD54@GBDCS02EXM01.hachette.hluk.net> <20161114192151.GA23920@sesse.net>
Message-ID: <2707F514C9E0814D868A99932C975A023219D10A@GBDCS02EXM01.hachette.hluk.net>

> From: mpm-itk [mailto:mpm-itk-bounces at err.no] On Behalf Of Steinar H.
> Gunderson
> Sent: 14 November 2016 19:22

> Please quote text in the normal way; the way you started writing, it's not
> easy to see which is your new text.

Sure - will do. I'm using Outlook, which doesn't quote in replies by default, but should be more readable now.

> You joined everything into one long line, which seemingly got cut, so the
> seteuid call wasn't included. (Possibly, you tried to interpret strace's output
> as HTML, which it isn't.) Please see if you can get it correctly across.

Sorry, you're quite right - I copied and pasted the output straight from the browser. I've pasted the source output below and it's a bit more readable (although still doesn't mean a lot to me!):
"\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\260\27\0\0\0\0\0\0"..., 832) = 832 fstat(3, {st_mode=S_IFREG|0644, st_size=252032, ...}) = 0 mmap(NULL, 2347200, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f5533840000 mprotect(0x7f553387d000, 2093056, PROT_NONE) = 0 mmap(0x7f5533a7c000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x3c000) = 0x7f5533a7c000 close(3) = 0 access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory) open("/usr/lib/x86_64-linux-gnu/libkrb5.so.3", O_RDONLY|O_CLOEXEC) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0p\4\2\0\0\0\0\0"..., 832) = 832 fstat(3, {st_mode=S_IFREG|0644, st_size=831616, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5534fa3000 mmap(NULL, 2927488, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f5533570000 mprotect(0x7f553362c000, 2097152, PROT_NONE) = 0 mmap(0x7f553382c000, 61440, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xbc000) = 0x7f553382c000 close(3) = 0 access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory) open("/usr/lib/x86_64-linux-gnu/libk5crypto.so.3", O_RDONLY|O_CLOEXEC) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0 @\0\0\0\0\0\0"..., 832) = 832 fstat(3, {st_mode=S_IFREG|0644, st_size=186824, ...}) = 0 mmap(NULL, 2285720, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f5533340000 mprotect(0x7f553336c000, 2093056, PROT_NONE) = 0 mmap(0x7f553356b000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2b000) = 0x7f553356b000 mmap(0x7f553356e000, 152, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f553356e000 close(3) = 0 access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory) open("/lib/x86_64-linux-gnu/libcom_err.so.2", O_RDONLY|O_CLOEXEC) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\200\24\0\0\0\0\0\0"..., 832) = 832 fstat(3, {st_mode=S_IFREG|0644, 
st_size=14592, ...}) = 0 mmap(NULL, 2109896, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f5533138000 mprotect(0x7f553313b000, 2093056, PROT_NONE) = 0 mmap(0x7f553333a000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x7f553333a000 close(3) = 0 access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory) open("/usr/lib/x86_64-linux-gnu/libkrb5support.so.0", O_RDONLY|O_CLOEXEC) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0@(\0\0\0\0\0\0"..., 832) = 832 fstat(3, {st_mode=S_IFREG|0644, st_size=43672, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5534fa2000 mmap(NULL, 2139112, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f5532f28000 mprotect(0x7f5532f32000, 2093056, PROT_NONE) = 0 mmap(0x7f5533131000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x9000) = 0x7f5533131000 close(3) = 0 access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory) open("/lib/x86_64-linux-gnu/libkeyutils.so.1", O_RDONLY|O_CLOEXEC) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0 \20\0\0\0\0\0\0"..., 832) = 832 fstat(3, {st_mode=S_IFREG|0644, st_size=14256, ...}) = 0 mmap(NULL, 2109456, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f5532d20000 mprotect(0x7f5532d22000, 2097152, PROT_NONE) = 0 mmap(0x7f5532f22000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x7f5532f22000 close(3) = 0 access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory) open("/lib/x86_64-linux-gnu/libpthread.so.0", O_RDONLY|O_CLOEXEC) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0po\0\0\0\0\0\0"..., 832) = 832 fstat(3, {st_mode=S_IFREG|0755, st_size=141574, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5534fa1000 mmap(NULL, 2217264, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f5532b00000 mprotect(0x7f5532b19000, 
2093056, PROT_NONE) = 0 mmap(0x7f5532d18000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x18000) = 0x7f5532d18000 mmap(0x7f5532d1a000, 13616, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f5532d1a000 close(3) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5534f07000 mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5534f05000 arch_prctl(ARCH_SET_FS, 0x7f5534f05840) = 0 mprotect(0x7f5533e3a000, 16384, PROT_READ) = 0 mprotect(0x7f5532d18000, 4096, PROT_READ) = 0 mprotect(0x7f5532f22000, 4096, PROT_READ) = 0 mprotect(0x7f55346d2000, 4096, PROT_READ) = 0 mprotect(0x7f5533131000, 4096, PROT_READ) = 0 mprotect(0x7f553333a000, 4096, PROT_READ) = 0 mprotect(0x7f553356b000, 8192, PROT_READ) = 0 mprotect(0x7f55342a7000, 4096, PROT_READ) = 0 mprotect(0x7f553382c000, 53248, PROT_READ) = 0 mprotect(0x7f5533a7c000, 4096, PROT_READ) = 0 mprotect(0x7f553408b000, 4096, PROT_READ) = 0 mprotect(0x7f55344c7000, 4096, PROT_READ) = 0 mprotect(0x7f5534a89000, 110592, PROT_READ) = 0 mprotect(0x7f5534cd7000, 4096, PROT_READ) = 0 mprotect(0x7f55351a1000, 12288, PROT_READ) = 0 mprotect(0x7f5534f02000, 4096, PROT_READ) = 0 munmap(0x7f5534ef8000, 28772) = 0 set_tid_address(0x7f5534f05b10) = 6260 set_robust_list(0x7f5534f05b20, 24) = 0 futex(0x7ffffa0ea6f0, FUTEX_WAIT_BITSET_PRIVATE|FUTEX_CLOCK_REALTIME, 1, NULL, 7f5534f05840) = -1 EAGAIN (Resource temporarily unavailable) rt_sigaction(SIGRTMIN, {0x7f5532b069f0, [], SA_RESTORER|SA_SIGINFO, 0x7f5532b10340}, NULL, 8) = 0 rt_sigaction(SIGRT_1, {0x7f5532b06a80, [], SA_RESTORER|SA_RESTART|SA_SIGINFO, 0x7f5532b10340}, NULL, 8) = 0 rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 getrlimit(RLIMIT_STACK, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 statfs("/sys/fs/selinux", 0x7ffffa0ea6c0) = -1 ENOENT (No such file or directory) statfs("/selinux", 0x7ffffa0ea6c0) = -1 ENOENT (No such file or directory) brk(0) = 0x7f553521b000 
brk(0x7f553523c000) = 0x7f553523c000
open("/proc/filesystems", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f5534f01000
read(3, "nodev\tsysfs\nnodev\trootfs\nnodev\tr"..., 1024) = 328
read(3, "", 1024) = 0
close(3) = 0
munmap(0x7f5534f01000, 4096) = 0
open("/dev/null", O_RDWR) = 3
close(3) = 0
openat(AT_FDCWD, "/proc/6260/fd", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 3
getdents(3, /* 8 entries */, 32768) = 192
close(5) = 0
close(15) = 0
getdents(3, /* 0 entries */, 32768) = 0
close(3) = 0
getuid() = 1001
geteuid() = 1001
write(2, "PRIV_END: seteuid: Operation not"..., 44PRIV_END: seteuid: Operation not permitted
) = 44
exit_group(255) = ?
+++ exited with 255 +++

From sgunderson at bigfoot.com Mon Nov 14 22:40:27 2016
From: sgunderson at bigfoot.com (Steinar H. Gunderson)
Date: Mon, 14 Nov 2016 22:40:27 +0100
Subject: [mpm-itk] MPM-ITK problems with SSH
In-Reply-To: <2707F514C9E0814D868A99932C975A023219D10A@GBDCS02EXM01.hachette.hluk.net>
References: <2707F514C9E0814D868A99932C975A023219C9FD@GBDCS02EXM01.hachette.hluk.net>
 <2707F514C9E0814D868A99932C975A023219CAEC@GBDCS02EXM01.hachette.hluk.net>
 <20161114174736.GA17919@sesse.net>
 <2707F514C9E0814D868A99932C975A023219CBE3@GBDCS02EXM01.hachette.hluk.net>
 <20161114182639.GA20929@sesse.net>
 <2707F514C9E0814D868A99932C975A023219CD54@GBDCS02EXM01.hachette.hluk.net>
 <20161114192151.GA23920@sesse.net>
 <2707F514C9E0814D868A99932C975A023219D10A@GBDCS02EXM01.hachette.hluk.net>
Message-ID: <20161114214027.GA38294@sesse.net>

On Mon, Nov 14, 2016 at 09:35:39PM +0000, Sam Langdon wrote:
> getuid() = 1001
> geteuid() = 1001
> write(2, "PRIV_END: seteuid: Operation not"..., 44PRIV_END: seteuid: Operation not permitted
> ) = 44
> exit_group(255) = ?
> +++ exited with 255 +++

This is very confusing. There's no seteuid() call here for it to die on...
It _could_ be that this is happening in another thread. Could you try
launching strace with -vffF?

/* Steinar */
-- 
Homepage: https://www.sesse.net/

From Sam.Langdon at lbsltd.co.uk Mon Nov 14 23:16:36 2016
From: Sam.Langdon at lbsltd.co.uk (Sam Langdon)
Date: Mon, 14 Nov 2016 22:16:36 +0000
Subject: [mpm-itk] MPM-ITK problems with SSH
In-Reply-To: <20161114214027.GA38294@sesse.net>
References: <2707F514C9E0814D868A99932C975A023219C9FD@GBDCS02EXM01.hachette.hluk.net>
 <2707F514C9E0814D868A99932C975A023219CAEC@GBDCS02EXM01.hachette.hluk.net>
 <20161114174736.GA17919@sesse.net>
 <2707F514C9E0814D868A99932C975A023219CBE3@GBDCS02EXM01.hachette.hluk.net>
 <20161114182639.GA20929@sesse.net>
 <2707F514C9E0814D868A99932C975A023219CD54@GBDCS02EXM01.hachette.hluk.net>
 <20161114192151.GA23920@sesse.net>
 <2707F514C9E0814D868A99932C975A023219D10A@GBDCS02EXM01.hachette.hluk.net>
 <20161114214027.GA38294@sesse.net>
Message-ID: <2707F514C9E0814D868A99932C975A023219D201@GBDCS02EXM01.hachette.hluk.net>

> From: mpm-itk [mailto:mpm-itk-bounces at err.no] On Behalf Of Steinar H.
> Gunderson
> Sent: 14 November 2016 21:40

> This is very confusing. There's no seteuid() call here for it to die on...
> It _could_ be that this is happening in another thread. Could you try
> launching strace with -vffF?

Sure - there's more output with that, but it still doesn't look like there's a seteuid call...

execve("/usr/bin/ssh", ["ssh", "-V"], ["APACHE_RUN_DIR=/var/run/apache2", "APACHE_PID_FILE=/var/run/apache2"..., "PATH=/usr/local/sbin:/usr/local/"..., "APACHE_LOCK_DIR=/var/lock/apache"..., "LANG=C", "APACHE_RUN_USER=www-data", "APACHE_RUN_GROUP=www-data", "APACHE_LOG_DIR=/var/log/apache2", "PWD=/var/www/vhosts/STAGING/test"]) = 0
brk(0) = 0x7f9f27b64000
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f9f25963000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_dev=makedev(202, 1), st_ino=661637, st_mode=S_IFREG|0644, st_nlink=1, st_uid=0, st_gid=0, st_blksize=4096, st_blocks=64, st_size=28772, st_atime=2016/10/25-11:05:12, st_mtime=2016/10/25-11:05:12, st_ctime=2016/10/25-11:05:12}) = 0
mmap(NULL, 28772, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f9f258b8000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libselinux.so.1", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0[\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_dev=makedev(202, 1), st_ino=393339, st_mode=S_IFREG|0644, st_nlink=1, st_uid=0, st_gid=0, st_blksize=4096, st_blocks=264, st_size=134296, st_atime=2015/04/02-16:33:05, st_mtime=2014/04/29-13:34:05, st_ctime=2015/04/02-16:33:05}) = 0
mmap(NULL, 2238192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f9f25478000
mprotect(0x7f9f25498000, 2093056, PROT_NONE) = 0
mmap(0x7f9f25697000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1f000) = 0x7f9f25697000 mmap(0x7f9f25699000, 5872, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f9f25699000 close(3) = 0 access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory) open("/lib/x86_64-linux-gnu/libcrypto.so.1.0.0", O_RDONLY|O_CLOEXEC) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0\356\5\0\0\0\0\0"..., 832) = 832 fstat(3, {st_dev=makedev(202, 1), st_ino=401575, st_mode=S_IFREG|0644, st_nlink=1, st_uid=0, st_gid=0, st_blksize=4096, st_blocks=3776, st_size=1930528, st_atime=2015/04/02-16:35:26, st_mtime=2015/03/19-15:16:35, st_ctime=2015/04/02-16:35:26}) = 0 mmap(NULL, 4040856, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f9f25098000 mprotect(0x7f9f2524a000, 2093056, PROT_NONE) = 0 mmap(0x7f9f25449000, 155648, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1b1000) = 0x7f9f25449000 mmap(0x7f9f2546f000, 14488, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f9f2546f000 close(3) = 0 access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory) open("/lib/x86_64-linux-gnu/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\320\16\0\0\0\0\0\0"..., 832) = 832 fstat(3, {st_dev=makedev(202, 1), st_ino=393466, st_mode=S_IFREG|0644, st_nlink=1, st_uid=0, st_gid=0, st_blksize=4096, st_blocks=32, st_size=14664, st_atime=2015/04/02-16:31:28, st_mtime=2015/02/25-16:56:50, st_ctime=2015/04/02-16:32:43}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f9f25962000 mmap(NULL, 2109744, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f9f24e90000 mprotect(0x7f9f24e93000, 2093056, PROT_NONE) = 0 mmap(0x7f9f25092000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x7f9f25092000 close(3) = 0 access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file 
or directory) open("/lib/x86_64-linux-gnu/libz.so.1", O_RDONLY|O_CLOEXEC) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\0\36\0\0\0\0\0\0"..., 832) = 832 fstat(3, {st_dev=makedev(202, 1), st_ino=393692, st_mode=S_IFREG|0644, st_nlink=1, st_uid=0, st_gid=0, st_blksize=4096, st_blocks=200, st_size=100728, st_atime=2015/04/02-16:33:40, st_mtime=2013/05/13-12:42:58, st_ctime=2015/04/02-16:33:40}) = 0 mmap(NULL, 2195784, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f9f24c70000 mprotect(0x7f9f24c88000, 2093056, PROT_NONE) = 0 mmap(0x7f9f24e87000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x17000) = 0x7f9f24e87000 close(3) = 0 access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory) open("/lib/x86_64-linux-gnu/libresolv.so.2", O_RDONLY|O_CLOEXEC) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\320:\0\0\0\0\0\0"..., 832) = 832 fstat(3, {st_dev=makedev(202, 1), st_ino=393229, st_mode=S_IFREG|0644, st_nlink=1, st_uid=0, st_gid=0, st_blksize=4096, st_blocks=200, st_size=101240, st_atime=2015/04/02-16:31:28, st_mtime=2015/02/25-16:56:50, st_ctime=2015/04/02-16:32:43}) = 0 mmap(NULL, 2206376, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f9f24a50000 mprotect(0x7f9f24a67000, 2097152, PROT_NONE) = 0 mmap(0x7f9f24c67000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x17000) = 0x7f9f24c67000 mmap(0x7f9f24c69000, 6824, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f9f24c69000 close(3) = 0 access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory) open("/usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2", O_RDONLY|O_CLOEXEC) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\240\255\0\0\0\0\0\0"..., 832) = 832 fstat(3, {st_dev=makedev(202, 1), st_ino=136301, st_mode=S_IFREG|0644, st_nlink=1, st_uid=0, st_gid=0, st_blksize=4096, st_blocks=560, st_size=285848, st_atime=2015/04/02-16:36:26, st_mtime=2015/02/06-21:13:05, 
st_ctime=2015/04/02-16:36:37}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f9f25961000 mmap(NULL, 2381504, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f9f24808000 mprotect(0x7f9f2484b000, 2097152, PROT_NONE) = 0 mmap(0x7f9f24a4b000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x43000) = 0x7f9f24a4b000 close(3) = 0 access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory) open("/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\320\37\2\0\0\0\0\0"..., 832) = 832 fstat(3, {st_dev=makedev(202, 1), st_ino=403559, st_mode=S_IFREG|0755, st_nlink=1, st_uid=0, st_gid=0, st_blksize=4096, st_blocks=3600, st_size=1840928, st_atime=2015/04/02-16:31:28, st_mtime=2015/02/25-16:56:51, st_ctime=2015/04/02-16:32:43}) = 0 mmap(NULL, 3949248, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f9f24440000 mprotect(0x7f9f245fb000, 2093056, PROT_NONE) = 0 mmap(0x7f9f247fa000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1ba000) = 0x7f9f247fa000 mmap(0x7f9f24800000, 17088, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f9f24800000 close(3) = 0 access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory) open("/lib/x86_64-linux-gnu/libpcre.so.3", O_RDONLY|O_CLOEXEC) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\260\27\0\0\0\0\0\0"..., 832) = 832 fstat(3, {st_dev=makedev(202, 1), st_ino=393257, st_mode=S_IFREG|0644, st_nlink=1, st_uid=0, st_gid=0, st_blksize=4096, st_blocks=496, st_size=252032, st_atime=2015/04/02-16:33:03, st_mtime=2013/12/03-13:43:06, st_ctime=2015/04/02-16:33:03}) = 0 mmap(NULL, 2347200, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f9f24200000 mprotect(0x7f9f2423d000, 2093056, PROT_NONE) = 0 mmap(0x7f9f2443c000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x3c000) = 0x7f9f2443c000 close(3) = 0 
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory) open("/usr/lib/x86_64-linux-gnu/libkrb5.so.3", O_RDONLY|O_CLOEXEC) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0p\4\2\0\0\0\0\0"..., 832) = 832 fstat(3, {st_dev=makedev(202, 1), st_ino=136303, st_mode=S_IFREG|0644, st_nlink=1, st_uid=0, st_gid=0, st_blksize=4096, st_blocks=1632, st_size=831616, st_atime=2015/04/02-16:36:26, st_mtime=2015/02/06-21:13:05, st_ctime=2015/04/02-16:36:37}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f9f258c7000 mmap(NULL, 2927488, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f9f23f30000 mprotect(0x7f9f23fec000, 2097152, PROT_NONE) = 0 mmap(0x7f9f241ec000, 61440, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xbc000) = 0x7f9f241ec000 close(3) = 0 access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory) open("/usr/lib/x86_64-linux-gnu/libk5crypto.so.3", O_RDONLY|O_CLOEXEC) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0 @\0\0\0\0\0\0"..., 832) = 832 fstat(3, {st_dev=makedev(202, 1), st_ino=136268, st_mode=S_IFREG|0644, st_nlink=1, st_uid=0, st_gid=0, st_blksize=4096, st_blocks=368, st_size=186824, st_atime=2015/04/02-16:36:26, st_mtime=2015/02/06-21:13:05, st_ctime=2015/04/02-16:36:37}) = 0 mmap(NULL, 2285720, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f9f23d00000 mprotect(0x7f9f23d2c000, 2093056, PROT_NONE) = 0 mmap(0x7f9f23f2b000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2b000) = 0x7f9f23f2b000 mmap(0x7f9f23f2e000, 152, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f9f23f2e000 close(3) = 0 access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory) open("/lib/x86_64-linux-gnu/libcom_err.so.2", O_RDONLY|O_CLOEXEC) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\200\24\0\0\0\0\0\0"..., 832) = 832 fstat(3, {st_dev=makedev(202, 1), st_ino=393719, 
st_mode=S_IFREG|0644, st_nlink=1, st_uid=0, st_gid=0, st_blksize=4096, st_blocks=32, st_size=14592, st_atime=2015/04/02-16:35:30, st_mtime=2015/02/16-19:25:48, st_ctime=2015/04/02-16:35:34}) = 0 mmap(NULL, 2109896, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f9f23af8000 mprotect(0x7f9f23afb000, 2093056, PROT_NONE) = 0 mmap(0x7f9f23cfa000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x7f9f23cfa000 close(3) = 0 access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory) open("/usr/lib/x86_64-linux-gnu/libkrb5support.so.0", O_RDONLY|O_CLOEXEC) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0@(\0\0\0\0\0\0"..., 832) = 832 fstat(3, {st_dev=makedev(202, 1), st_ino=136306, st_mode=S_IFREG|0644, st_nlink=1, st_uid=0, st_gid=0, st_blksize=4096, st_blocks=88, st_size=43672, st_atime=2015/04/02-16:36:26, st_mtime=2015/02/06-21:13:05, st_ctime=2015/04/02-16:36:37}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f9f258c6000 mmap(NULL, 2139112, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f9f238e8000 mprotect(0x7f9f238f2000, 2093056, PROT_NONE) = 0 mmap(0x7f9f23af1000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x9000) = 0x7f9f23af1000 close(3) = 0 access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory) open("/lib/x86_64-linux-gnu/libkeyutils.so.1", O_RDONLY|O_CLOEXEC) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0 \20\0\0\0\0\0\0"..., 832) = 832 fstat(3, {st_dev=makedev(202, 1), st_ino=393651, st_mode=S_IFREG|0644, st_nlink=1, st_uid=0, st_gid=0, st_blksize=4096, st_blocks=32, st_size=14256, st_atime=2015/04/02-16:36:26, st_mtime=2013/10/21-13:39:14, st_ctime=2015/04/02-16:36:37}) = 0 mmap(NULL, 2109456, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f9f236e0000 mprotect(0x7f9f236e2000, 2097152, PROT_NONE) = 0 mmap(0x7f9f238e2000, 8192, PROT_READ|PROT_WRITE, 
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x7f9f238e2000 close(3) = 0 access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory) open("/lib/x86_64-linux-gnu/libpthread.so.0", O_RDONLY|O_CLOEXEC) = 3 read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0po\0\0\0\0\0\0"..., 832) = 832 fstat(3, {st_dev=makedev(202, 1), st_ino=403561, st_mode=S_IFREG|0755, st_nlink=1, st_uid=0, st_gid=0, st_blksize=4096, st_blocks=280, st_size=141574, st_atime=2015/04/02-16:31:28, st_mtime=2015/02/25-16:56:51, st_ctime=2015/04/02-16:32:43}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f9f258c5000 mmap(NULL, 2217264, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f9f234c0000 mprotect(0x7f9f234d9000, 2093056, PROT_NONE) = 0 mmap(0x7f9f236d8000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x18000) = 0x7f9f236d8000 mmap(0x7f9f236da000, 13616, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f9f236da000 close(3) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f9f258c1000 mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f9f258b6000 arch_prctl(ARCH_SET_FS, 0x7f9f258b6840) = 0 mprotect(0x7f9f247fa000, 16384, PROT_READ) = 0 mprotect(0x7f9f236d8000, 4096, PROT_READ) = 0 mprotect(0x7f9f238e2000, 4096, PROT_READ) = 0 mprotect(0x7f9f25092000, 4096, PROT_READ) = 0 mprotect(0x7f9f23af1000, 4096, PROT_READ) = 0 mprotect(0x7f9f23cfa000, 4096, PROT_READ) = 0 mprotect(0x7f9f23f2b000, 8192, PROT_READ) = 0 mprotect(0x7f9f24c67000, 4096, PROT_READ) = 0 mprotect(0x7f9f241ec000, 53248, PROT_READ) = 0 mprotect(0x7f9f2443c000, 4096, PROT_READ) = 0 mprotect(0x7f9f24a4b000, 4096, PROT_READ) = 0 mprotect(0x7f9f24e87000, 4096, PROT_READ) = 0 mprotect(0x7f9f25449000, 110592, PROT_READ) = 0 mprotect(0x7f9f25697000, 4096, PROT_READ) = 0 mprotect(0x7f9f25b61000, 12288, PROT_READ) = 0 mprotect(0x7f9f258c2000, 4096, PROT_READ) = 0 
munmap(0x7f9f258b8000, 28772) = 0
set_tid_address(0x7f9f258b6b10) = 17395
set_robust_list(0x7f9f258b6b20, 24) = 0
futex(0x7fff6e477510, FUTEX_WAIT_BITSET_PRIVATE|FUTEX_CLOCK_REALTIME, 1, NULL, 7f9f258b6840) = -1 EAGAIN (Resource temporarily unavailable)
rt_sigaction(SIGRTMIN, {0x7f9f234c69f0, [], SA_RESTORER|SA_SIGINFO, 0x7f9f234d0340}, NULL, 8) = 0
rt_sigaction(SIGRT_1, {0x7f9f234c6a80, [], SA_RESTORER|SA_RESTART|SA_SIGINFO, 0x7f9f234d0340}, NULL, 8) = 0
rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0
getrlimit(RLIMIT_STACK, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
statfs("/sys/fs/selinux", 0x7fff6e4774e0) = -1 ENOENT (No such file or directory)
statfs("/selinux", 0x7fff6e4774e0) = -1 ENOENT (No such file or directory)
brk(0) = 0x7f9f27b64000
brk(0x7f9f27b85000) = 0x7f9f27b85000
open("/proc/filesystems", O_RDONLY) = 3
fstat(3, {st_dev=makedev(0, 3), st_ino=4026532100, st_mode=S_IFREG|0444, st_nlink=1, st_uid=0, st_gid=0, st_blksize=1024, st_blocks=0, st_size=0, st_atime=2016/11/14-20:47:51, st_mtime=2016/11/14-20:47:51, st_ctime=2016/11/14-20:47:51}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f9f258c0000
read(3, "nodev\tsysfs\nnodev\trootfs\nnodev\tr"..., 1024) = 328
read(3, "", 1024) = 0
close(3) = 0
munmap(0x7f9f258c0000, 4096) = 0
open("/dev/null", O_RDWR) = 3
close(3) = 0
openat(AT_FDCWD, "/proc/17395/fd", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 3
getdents(3, {{d_ino=1242140, d_off=1, d_reclen=24, d_name=".", d_type=DT_DIR} {d_ino=1242139, d_off=2, d_reclen=24, d_name="..", d_type=DT_DIR} {d_ino=1242141, d_off=3, d_reclen=24, d_name="0", d_type=DT_LNK} {d_ino=1242142, d_off=4, d_reclen=24, d_name="1", d_type=DT_LNK} {d_ino=1242143, d_off=5, d_reclen=24, d_name="2", d_type=DT_LNK} {d_ino=1242144, d_off=7, d_reclen=24, d_name="3", d_type=DT_LNK} {d_ino=1242145, d_off=17, d_reclen=24, d_name="5", d_type=DT_LNK} {d_ino=1242146, d_off=66, d_reclen=24, d_name="15", d_type=DT_LNK}}, 32768) = 192
close(5) = 0
close(15) = 0
getdents(3, {}, 32768) = 0
close(3) = 0
getuid() = 1001
geteuid() = 1001
write(2, "PRIV_END: seteuid: Operation not"..., 44PRIV_END: seteuid: Operation not permitted
) = 44
exit_group(255) = ?
+++ exited with 255 +++

From sgunderson at bigfoot.com Mon Nov 14 23:30:02 2016
From: sgunderson at bigfoot.com (Steinar H. Gunderson)
Date: Mon, 14 Nov 2016 23:30:02 +0100
Subject: [mpm-itk] MPM-ITK problems with SSH
In-Reply-To: <2707F514C9E0814D868A99932C975A023219D201@GBDCS02EXM01.hachette.hluk.net>
References: <2707F514C9E0814D868A99932C975A023219C9FD@GBDCS02EXM01.hachette.hluk.net>
 <2707F514C9E0814D868A99932C975A023219CAEC@GBDCS02EXM01.hachette.hluk.net>
 <20161114174736.GA17919@sesse.net>
 <2707F514C9E0814D868A99932C975A023219CBE3@GBDCS02EXM01.hachette.hluk.net>
 <20161114182639.GA20929@sesse.net>
 <2707F514C9E0814D868A99932C975A023219CD54@GBDCS02EXM01.hachette.hluk.net>
 <20161114192151.GA23920@sesse.net>
 <2707F514C9E0814D868A99932C975A023219D10A@GBDCS02EXM01.hachette.hluk.net>
 <20161114214027.GA38294@sesse.net>
 <2707F514C9E0814D868A99932C975A023219D201@GBDCS02EXM01.hachette.hluk.net>
Message-ID: <20161114223002.GA8070@sesse.net>

On Mon, Nov 14, 2016 at 10:16:36PM +0000, Sam Langdon wrote:
> Sure - there's more output with that, but it still doesn't look like
> there's a seteuid call...

I suppose the sandbox kills it before strace gets to see it, then.
The seteuid() call should have been allowed, though. I'll need to see if I can
reproduce or not, but I don't have the time to do it right now.

Is this 32- or 64-bit Ubuntu?

/* Steinar */
-- 
Homepage: https://www.sesse.net/

From Sam.Langdon at lbsltd.co.uk Tue Nov 15 15:03:12 2016
From: Sam.Langdon at lbsltd.co.uk (Sam Langdon)
Date: Tue, 15 Nov 2016 14:03:12 +0000
Subject: [mpm-itk] MPM-ITK problems with SSH
In-Reply-To: <20161114223002.GA8070@sesse.net>
References: <2707F514C9E0814D868A99932C975A023219C9FD@GBDCS02EXM01.hachette.hluk.net>
 <2707F514C9E0814D868A99932C975A023219CAEC@GBDCS02EXM01.hachette.hluk.net>
 <20161114174736.GA17919@sesse.net>
 <2707F514C9E0814D868A99932C975A023219CBE3@GBDCS02EXM01.hachette.hluk.net>
 <20161114182639.GA20929@sesse.net>
 <2707F514C9E0814D868A99932C975A023219CD54@GBDCS02EXM01.hachette.hluk.net>
 <20161114192151.GA23920@sesse.net>
 <2707F514C9E0814D868A99932C975A023219D10A@GBDCS02EXM01.hachette.hluk.net>
 <20161114214027.GA38294@sesse.net>
 <2707F514C9E0814D868A99932C975A023219D201@GBDCS02EXM01.hachette.hluk.net>
 <20161114223002.GA8070@sesse.net>
Message-ID: <2707F514C9E0814D868A99932C975A023219DF61@GBDCS02EXM01.hachette.hluk.net>

> I suppose the sandbox kills it before strace gets to see it, then.
> The seteuid() call should have been allowed, though. I'll need to see if I can
> reproduce or not, but I don't have the time to do it right now.

Thanks Steinar - appreciate your time on this so far.

> Is this 32- or 64-bit Ubuntu?

It's 64 bit (x86_64). Some other version numbers from this server in case it's any help to reproduce, if you have the time:

Ubuntu: 14.04.2 LTS
Apache: Apache/2.4.7
PHP: 5.5.9-1ubuntu4.9
SSH: OpenSSH_6.6.1p1

I will look at using the PHP PECL ssh2 implementation (which seems to work ok on my setup) to delete and send new files via SFTP as an alternative to ssh/rsync via shell in the meantime, but rsync would be preferable as it only sends incremental changes, so I would love to get this oddity resolved.

Many thanks,
Sam

From kh at ipimp.at Tue Nov 15 15:22:27 2016
From: kh at ipimp.at (Kim Henriksen)
Date: Tue, 15 Nov 2016 15:22:27 +0100
Subject: [mpm-itk] MPM-ITK problems with SSH
In-Reply-To: <2707F514C9E0814D868A99932C975A023219DF61@GBDCS02EXM01.hachette.hluk.net>
References: <2707F514C9E0814D868A99932C975A023219C9FD@GBDCS02EXM01.hachette.hluk.net>
 <2707F514C9E0814D868A99932C975A023219CAEC@GBDCS02EXM01.hachette.hluk.net>
 <20161114174736.GA17919@sesse.net>
 <2707F514C9E0814D868A99932C975A023219CBE3@GBDCS02EXM01.hachette.hluk.net>
 <20161114182639.GA20929@sesse.net>
 <2707F514C9E0814D868A99932C975A023219CD54@GBDCS02EXM01.hachette.hluk.net>
 <20161114192151.GA23920@sesse.net>
 <2707F514C9E0814D868A99932C975A023219D10A@GBDCS02EXM01.hachette.hluk.net>
 <20161114214027.GA38294@sesse.net>
 <2707F514C9E0814D868A99932C975A023219D201@GBDCS02EXM01.hachette.hluk.net>
 <20161114223002.GA8070@sesse.net>
 <2707F514C9E0814D868A99932C975A023219DF61@GBDCS02EXM01.hachette.hluk.net>
Message-ID:

I can recommend the phpseclib: http://phpseclib.sourceforge.net/ssh/examples.html
instead of the SSH PECL implementation

On Tue, Nov 15, 2016 at 3:03 PM, Sam Langdon wrote:

> > I suppose the sandbox kills it before strace gets to see it, then.
> > The seteuid() call should have been allowed, though. I'll need to see if I can
> > reproduce or not, but I don't have the time to do it right now.
>
> Thanks Steinar - appreciate your time on this so far.
>
> > Is this 32- or 64-bit Ubuntu?
>
> It's 64 bit (x86_64). Some other version numbers from this server in case
> it's any help to reproduce, if you have the time:
>
> Ubuntu: 14.04.2 LTS
> Apache: Apache/2.4.7
> PHP: 5.5.9-1ubuntu4.9
> SSH: OpenSSH_6.6.1p1
>
> I will look at using the PHP PECL ssh2 implementation (which seems to work
> ok on my setup) to delete and send new files via SFTP as an alternative to
> ssh/rsync via shell in the meantime, but rsync would be preferable as it
> only sends incremental changes, so I would love to get this oddity resolved.
>
> Many thanks,
> Sam

-- 
Best regards,
Kim Henriksen

From Sam.Langdon at lbsltd.co.uk Tue Nov 15 18:35:00 2016
From: Sam.Langdon at lbsltd.co.uk (Sam Langdon)
Date: Tue, 15 Nov 2016 17:35:00 +0000
Subject: [mpm-itk] MPM-ITK problems with SSH
In-Reply-To:
References: <2707F514C9E0814D868A99932C975A023219C9FD@GBDCS02EXM01.hachette.hluk.net>
 <2707F514C9E0814D868A99932C975A023219CAEC@GBDCS02EXM01.hachette.hluk.net>
 <20161114174736.GA17919@sesse.net>
 <2707F514C9E0814D868A99932C975A023219CBE3@GBDCS02EXM01.hachette.hluk.net>
 <20161114182639.GA20929@sesse.net>
 <2707F514C9E0814D868A99932C975A023219CD54@GBDCS02EXM01.hachette.hluk.net>
 <20161114192151.GA23920@sesse.net>
 <2707F514C9E0814D868A99932C975A023219D10A@GBDCS02EXM01.hachette.hluk.net>
 <20161114214027.GA38294@sesse.net>
 <2707F514C9E0814D868A99932C975A023219D201@GBDCS02EXM01.hachette.hluk.net>
 <20161114223002.GA8070@sesse.net>
 <2707F514C9E0814D868A99932C975A023219DF61@GBDCS02EXM01.hachette.hluk.net>
Message-ID: <2707F514C9E0814D868A99932C975A023219E290@GBDCS02EXM01.hachette.hluk.net>

Thanks Kim - the PECL ssh2 has worked quite well for me, so for now I'll follow the old "if it ain't broke..." adage, but good to have the recommendation in case things go wrong.
From: Kim Henriksen [mailto:kh at ipimp.at]
Sent: 15 November 2016 14:22

I can recommend the phpseclib: http://phpseclib.sourceforge.net/ssh/examples.html instead of the SSH PECL implementation

From jean at phpnet.org Fri Nov 18 18:55:01 2016
From: jean at phpnet.org (Jean Weisbuch)
Date: Fri, 18 Nov 2016 18:55:01 +0100
Subject: [mpm-itk] htaccess files are read as root
Message-ID: <583cae05-c0f5-bd91-0c9c-f496d2971f77@phpnet.org>

It seems that the htaccess files are read/parsed as root on mpm-itk-2.4.7-04.
Subsequent requests on the same keepalive connection are not done by the root.

Is that an expected behavior?

Here is how I spotted this:

* Patch HTTPD to add the UID executing the process on the messages sent to the error log:

--- server/log.c 2015-09-27 00:20:14.000000000 +0200 +++ server/log.c 2016-04-08 11:21:10.195496112 +0200
@@ -930,6 +930,10 @@ buf[len++] = ' '; } + // Adds the UID of the httpd process on the default error log format + len += apr_snprintf(buf + len, buflen - len, + "<%d> ", getuid()); + if (!info->startup) { buf[len++] = '['; len += log_module_name(info, NULL, buf + len, buflen - len);

* Add mod_mockphp module to HTTPD and activate its logging to log calls of php_value/php_flag directives from an htaccess file: https://github.com/jb-boin/mod_mockphp

* Put a PHP directive on a .htaccess on a VHost that should be executed by a user defined by AssignUserId, for example:

php_value upload_max_filesize 123M

* Access a URL that points to the directory. The logged entry (which is done after the htaccess has been read) is done by the UID 0, a subsequent access using the same keepalive connection is done by the correct user (#3570 in this case):

[server] [Fri Nov 18 18:39:10.446030 2016] <0> [mockphp:warn] [pid 30781] Called a php_mod function on /home/users/www/test/.htaccess (2) 'php_value upload_max_filesize 123M'
[server] [Fri Nov 18 18:39:11.518379 2016] <3570> [mockphp:warn] [pid 30781] Called a php_mod function on /home/users/www/test/.htaccess (2) 'php_value upload_max_filesize 123M'

From kassah at gmail.com Fri Nov 18 20:47:05 2016
From: kassah at gmail.com (William Lightning)
Date: Fri, 18 Nov 2016 11:47:05 -0800
Subject: [mpm-itk] htaccess files are read as root
In-Reply-To: <583cae05-c0f5-bd91-0c9c-f496d2971f77@phpnet.org>
References: <583cae05-c0f5-bd91-0c9c-f496d2971f77@phpnet.org>
Message-ID:

I believe that is a consequence of the per-directory user change feature, since it then runs after htaccess parsing.

What would be interesting to me is if auto-prepend code is run as root.

Try: https://davidwalsh.name/prepend-append-files-htaccess/amp

Thanks,
Will

On Nov 18, 2016 9:55 AM, "Jean Weisbuch" wrote:
> It seems that the htaccess files are read/parsed as root on mpm-itk-2.4.7-04.
> Subsequent requests on the same keepalive connection are not done by the root.
>
> Is that an expected behavior?
>
> Here is how I spotted this:
>
> * Patch HTTPD to add the UID executing the process on the messages sent to
> the error log:
>
> --- server/log.c 2015-09-27 00:20:14.000000000 +0200 > +++ server/log.c 2016-04-08 11:21:10.195496112 +0200
> @@ -930,6 +930,10 @@ > buf[len++] = ' '; > } > > + // Adds the UID of the httpd process on the default error log format > + len += apr_snprintf(buf + len, buflen - len, > + "<%d> ", getuid()); > + > if (!info->startup) { > buf[len++] = '['; > len += log_module_name(info, NULL, buf + len, buflen - len);
>
> * Add mod_mockphp module to HTTPD and activate its logging to log calls of
> php_value/php_flag directives from an htaccess file:
> https://github.com/jb-boin/mod_mockphp
>
> * Put a PHP directive on a .htaccess on a VHost that should be executed by
> a user defined by AssignUserId, for example:
>
> php_value upload_max_filesize 123M
>
> * Access a URL that points to the directory. The logged entry (which is
> done after the htaccess has been read) is done by the UID 0, a subsequent
> access using the same keepalive connection is done by the correct user
> (#3570 in this case):
>
> [server] [Fri Nov 18 18:39:10.446030 2016] <0> [mockphp:warn] [pid 30781] Called a php_mod function on /home/users/www/test/.htaccess (2) 'php_value upload_max_filesize 123M'
> [server] [Fri Nov 18 18:39:11.518379 2016] <3570> [mockphp:warn] [pid 30781] Called a php_mod function on /home/users/www/test/.htaccess (2) 'php_value upload_max_filesize 123M'

From jean at phpnet.org Tue Nov 22 09:52:18 2016
From: jean at phpnet.org (Jean Weisbuch)
Date: Tue, 22 Nov 2016 09:52:18 +0100
Subject: [mpm-itk] htaccess files are read as root
In-Reply-To:
References: <583cae05-c0f5-bd91-0c9c-f496d2971f77@phpnet.org>
Message-ID: <6652f0b1-c6b9-6256-9fdd-28ba3e1b12f0@phpnet.org>

I tested to append/prepend a PHP file that should not be readable by the user assigned to the vhost with these directives on php5.2 and it doesn't seem to be working (which is good).

--

I forgot to mention that I have another issue that might be related:

At restart/graceful I have several of these messages (one per process I think):

(1)Operation not permitted: AH02156: setgid: unable to set group id to Group 0

Except for these errors on the errorlog, everything seems to be working as it should.

On the configuration I have:

User #33
Group #33
AssignUserId #500 #500
EnableCapabilities Off

If I set both LimitGIDRange and LimitUIDRange to "1 65000" it doesn't change anything.

If I set "LimitGIDRange 0 65000" then I got this error and HTTPD doesn't start (while it does with the setgid error):

(1)Operation not permitted: AH02162: setuid: unable to change to uid: 0

And if I set "LimitUIDRange 0 65000" as well, I don't have any error anymore but it's defeating the "LimitUIDRange" and "LimitGIDRange" interest.

On 18/11/2016 at 20:47, William Lightning wrote:
> I believe that is a consequence of the per-directory user change feature,
> since it then runs after htaccess parsing.
>
> What would be interesting to me is if auto-prepend code is run as root.
>
> Try: https://davidwalsh.name/prepend-append-files-htaccess/amp
>
> Thanks,
> Will
>
> On Nov 18, 2016 9:55 AM, "Jean Weisbuch" wrote:
>
> It seems that the htaccess files are read/parsed as root on mpm-itk-2.4.7-04.
> Subsequent requests on the same keepalive connection are not done by the root.
>
> Is that an expected behavior?
>
> Here is how I spotted this:
>
> * Patch HTTPD to add the UID executing the process on the messages
> sent to the error log:
>
> --- server/log.c 2015-09-27 00:20:14.000000000 +0200 > +++ server/log.c 2016-04-08 11:21:10.195496112 +0200 > @@ -930,6 +930,10 @@ > buf[len++] = ' '; > } > > + // Adds the UID of the httpd process on the default error log format > + len += apr_snprintf(buf + len, buflen - len, > + "<%d> ", getuid()); > + > if (!info->startup) { > buf[len++] = '['; > len += log_module_name(info, NULL, buf + len, buflen - len);
>
> * Add mod_mockphp module to HTTPD and activate its logging to log
> calls of php_value/php_flag directives from an htaccess file:
> https://github.com/jb-boin/mod_mockphp
>
> * Put a PHP directive on a .htaccess on a VHost that should be
> executed by a user defined by AssignUserId, for example:
>
> php_value upload_max_filesize 123M
>
> * Access a URL that points to the directory. The logged entry
> (which is done after the htaccess has been read) is done by the
> UID 0, a subsequent access using the same keepalive connection is
> done by the correct user (#3570 in this case):
>
> [server] [Fri Nov 18 18:39:10.446030 2016] <0> [mockphp:warn] [pid 30781] Called a php_mod function on /home/users/www/test/.htaccess (2) 'php_value upload_max_filesize 123M'
> [server] [Fri Nov 18 18:39:11.518379 2016] <3570> [mockphp:warn] [pid 30781] Called a php_mod function on /home/users/www/test/.htaccess (2) 'php_value upload_max_filesize 123M'
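
Review bot: In the added apr_snprintf() call, getuid() reports only the real UID, and the uid_t result is passed to a %d conversion without a cast. Because the change exists to show which identity the process holds while .htaccess is parsed, log the effective UID too (file access is normally checked against it), for example "<%ld/%ld> " with (long)getuid() and (long)geteuid(). The new lines also sit ahead of the if (!info->startup) check, so the field is written on every line of the default error log format, startup messages included; keep this to a diagnostic build, since anything that parses the stock format will see an extra field.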
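
The patched log format quoted in this thread carries the logging process's UID in angle brackets, so the root-then-user pattern Jean Weisbuch reports can be checked across a whole error log instead of by eye. The Python below is an added example, not code from the thread or from mpm-itk; the function names are hypothetical, the first two sample lines are the ones quoted in the thread, and the other three are constructed.

```python
import re
# Line format produced by the log.c patch quoted in this thread:
#   [server] [timestamp] <uid> [module:level] [pid N] message
LINE_RE = re.compile(
    r"^(?:\[(?P<server>[^\]]*)\] )?\[(?P<ts>[^\]]+)\] <(?P<uid>\d+)> "
    r"\[(?P<module>[^:\]]*):(?P<level>[^\]]+)\] "
    r"\[pid (?P<pid>\d+)(?::tid \d+)?\] (?P<msg>.*)$")
# mod_mockphp message layout as it appears in the quoted log lines.
HTACCESS_RE = re.compile(r"on (?P<path>\S*\.htaccess) \(\d+\) '(?P<directive>[^']*)'")

# Lines 1-2 are quoted from the thread; lines 3-5 are constructed samples.
SAMPLE_LOG = """\
[server] [Fri Nov 18 18:39:10.446030 2016] <0> [mockphp:warn] [pid 30781] Called a php_mod function on /home/users/www/test/.htaccess (2) 'php_value upload_max_filesize 123M'
[server] [Fri Nov 18 18:39:11.518379 2016] <3570> [mockphp:warn] [pid 30781] Called a php_mod function on /home/users/www/test/.htaccess (2) 'php_value upload_max_filesize 123M'
[server] [Fri Nov 18 18:39:12.101000 2016] <3571> [mockphp:warn] [pid 30790] Called a php_mod function on /home/users/www/other/.htaccess (2) 'php_flag display_errors Off'
[server] [Fri Nov 18 18:39:00.500000 2016] <0> [core:notice] [pid 30700] AH00094: Command line: '/usr/sbin/apache2'
[Fri Nov 18 18:39:00.400000 2016] [core:notice] [pid 30700] AH00094: Command line: '/usr/sbin/apache2'
"""

def parse(log_text):
    """Yield one dict per line that carries the <uid> field; skip stock-format lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["uid"], rec["pid"] = int(rec["uid"]), int(rec["pid"])
            yield rec

def root_htaccess_events(log_text):
    """Return (pid, path, directive) for .htaccess directives logged while UID was 0."""
    hits = []
    for rec in parse(log_text):
        m = HTACCESS_RE.search(rec["msg"])
        if rec["uid"] == 0 and m:
            hits.append((rec["pid"], m["path"], m["directive"]))
    return hits

def uid_sequence_by_pid(log_text):
    """Per process, the UIDs in log order with consecutive repeats collapsed."""
    seq = {}
    for rec in parse(log_text):
        uids = seq.setdefault(rec["pid"], [])
        if not uids or uids[-1] != rec["uid"]:
            uids.append(rec["uid"])
    return seq

if __name__ == "__main__":
    for pid, path, directive in root_htaccess_events(SAMPLE_LOG):
        print(f"pid {pid}: {path} handled as UID 0 -> {directive}")
```

A process whose sequence starts with 0 and then switches to a vhost UID, such as pid 30781 here, matches the behaviour reported in the thread.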