Hi everyone,
I've got proxy-suite running on a SuSE 9.0 (up2date). I've set up 2 proxy-servers in their chroots. I can start them with rcftpproxytest1 (or -2) start without any problems. But when they are started after boot via the startup-scripts I get the following error in boot.msg:
ftp-proxy-test1 (com-syslog.c:279): can't open logfile '/var/log/ftp-proxy-test1.log' (errno=13 [Permission denied])
ftp-proxy-test2 (com-syslog.c:279): can't open logfile '/var/log/ftp-proxy-test2.log' (errno=13 [Permission denied])
The servers do not start. If I start them right afterwards manually everything is O.K. My config says:
LogDestination /var/log/ftp-proxy-test1.log
Any ideas?
Greetings,
Ralf
On Thu, Mar 25, 2004 at 11:28:50PM +0100, Ralf Ronneburger wrote:
Hi everyone,
Hi!
I've got proxy-suite running on a SuSE 9.0 (up2date). I've set up 2 proxy-servers in their chroots. I can start them with rcftpproxytest1 (or -2) start without any problems. But when they are started after boot via the startup-scripts I get the following error in boot.msg:
ftp-proxy-test1 (com-syslog.c:279): can't open logfile '/var/log/ftp-proxy-test1.log' (errno=13 [Permission denied])
ftp-proxy-test2 (com-syslog.c:279): can't open logfile '/var/log/ftp-proxy-test2.log' (errno=13 [Permission denied])
The servers do not start. If I start them right afterwards manually everything is O.K. My config says:
LogDestination /var/log/ftp-proxy-test1.log
Any ideas?
Yes.
You have configured the proxy to drop privileges using User/Group
options, e.g.:
User ftpproxy
Group ftpproxy
This is fine!
But as soon as the proxy drops them, it can't write to /var/log,
which is (and should be) writeable only by root.
The solution is simple:
mkdir -m0750 /var/log/ftp-proxy
chown $User /var/log/ftp-proxy
chgrp $Group /var/log/ftp-proxy
using the same values for $User / $Group as defined in the proxy
configuration file, and change the log path to:
LogDestination /var/log/ftp-proxy/test1.log
Kind regards,
Marius Tomaschewski
Hi Marius,
thanks for your reply, I only got to try this today. Unfortunately that did not work out. Now I have a dir ftp-proxy writeable to nobody/nogroup in /var/log, but the ftp-proxies log to /var/lib/ftp-proxy-test1/rundir/var/log/ftp-proxy and they still don't want to start up at boot. Any other ideas?
Greetings,
Ralf
Marius Tomaschewski wrote:
On Thu, Mar 25, 2004 at 11:28:50PM +0100, Ralf Ronneburger wrote:
Hi everyone,
Hi!
I've got proxy-suite running on a SuSE 9.0 (up2date). I've set up 2 proxy-servers in their chroots. I can start them with rcftpproxytest1 (or -2) start without any problems. But when they are started after boot via the startup-scripts I get the following error in boot.msg:
ftp-proxy-test1 (com-syslog.c:279): can't open logfile '/var/log/ftp-proxy-test1.log' (errno=13 [Permission denied])
ftp-proxy-test2 (com-syslog.c:279): can't open logfile '/var/log/ftp-proxy-test2.log' (errno=13 [Permission denied])
The servers do not start. If I start them right afterwards manually everything is O.K. My config says:
LogDestination /var/log/ftp-proxy-test1.log
Any ideas?
Yes. You have configured the proxy to drop privileges using User/Group options, e.g.:
User ftpproxy
Group ftpproxy
This is fine! But as soon as the proxy drops them, it can't write to /var/log, which is (and should be) writeable only by root.
The solution is simple:
mkdir -m0750 /var/log/ftp-proxy
chown $User /var/log/ftp-proxy
chgrp $Group /var/log/ftp-proxy
using the same values for $User / $Group as defined in the proxy configuration file, and change the log path to:
LogDestination /var/log/ftp-proxy/test1.log
Kind regards,
Marius Tomaschewski
--
SUSE LINUX AG, Nuernberg -- Product Developement
PGP public key on: http://www.suse.de/~mt/mt.pgp
DF17 271A AD15 006A 5BB9 6C96 CA2F F3F7 373A 1CC0
On Tue, Apr 20, 2004 at 04:19:22AM +0200, Ralf Ronneburger wrote:
Hi Marius,
Hi!
thanks for your reply, I only got to try this today. Unfortunately that did not work out. Now I have a dir ftp-proxy writeable to nobody/nogroup in /var/log, but the ftp-proxies log to /var/lib/ftp-proxy-test1/rundir/var/log/ftp-proxy and they still don't want to start up at boot. Any other ideas?
No. Same idea, but better realization :-) :
Of course, you have to create all directories:
mkdir -m0750 /var/lib/ftp-proxy-test1/
mkdir -m0750 /var/lib/ftp-proxy-test1/rundir/
mkdir -m0750 /var/lib/ftp-proxy-test1/rundir/var/
mkdir -m0750 /var/lib/ftp-proxy-test1/rundir/var/log
mkdir -m0750 /var/lib/ftp-proxy-test1/rundir/var/log/ftp-proxy
chown -R $User /var/lib/ftp-proxy-test1/
chgrp -R $Group /var/lib/ftp-proxy-test1/
Or you change the configuration a little bit... Since
you are using:
ServerRoot /var/lib/ftp-proxy-test1
you can simplify the log path:
User ftpproxy
Group ftpproxy
LogDestination /log/test1.log
The proxy appends the LogDestination path to the
directory specified in ServerRoot.
mkdir -p -m0750 /var/lib/ftp-proxy-test1/
mkdir -p -m0750 /var/lib/ftp-proxy-test1/log/
mkdir -p -m0750 /var/lib/ftp-proxy-test1/etc/proxy-suite/
chown -R root /var/lib/ftp-proxy-test1/
chgrp -R root /var/lib/ftp-proxy-test1/
chown -R $User /var/lib/ftp-proxy-test1/log/
chgrp -R $Group /var/lib/ftp-proxy-test1/log/
The $ServerRoot/etc/proxy-suite/ is required for reload;
the proxy copies (as root, before chroot) its config to it.
This directory depends on compilation time configuration:
if you compiled the proxy to use /usr/local/etc/proxy-suite/
and not the /etc/proxy-suite/ (--sysconfdir=/etc as I do for
all SuSE packages), you have to create the
/usr/local/etc/proxy-suite/
below the directory specified in ServerRoot.
See "ftp-proxy -h" for the default config file path.
Note: Don't use nobody, nogroup - there should be no
writeable (owned) files for them in the system!
If a daemon needs a user/group and writes files
owned by them, create a user/group for it.
The main chroot() directory should be read-only
for the daemon user/group (owned by root:root).
Kind regards,
Marius Tomaschewski
Hi Marius,
thanks for your reply, I only got to try this today. Unfortunately that did not work out. Now I have a dir ftp-proxy writeable to nobody/nogroup in /var/log, but the ftp-proxies log to /var/lib/ftp-proxy-test1/rundir/var/log/ftp-proxy and they still don't want to start up at boot. Any other ideas?
No. Same idea, but better realization :-) :
Of course, you have to create all directories:
mkdir -m0750 /var/lib/ftp-proxy-test1/
mkdir -m0750 /var/lib/ftp-proxy-test1/rundir/
mkdir -m0750 /var/lib/ftp-proxy-test1/rundir/var/
mkdir -m0750 /var/lib/ftp-proxy-test1/rundir/var/log
mkdir -m0750 /var/lib/ftp-proxy-test1/rundir/var/log/ftp-proxy
chown -R $User /var/lib/ftp-proxy-test1/
chgrp -R $Group /var/lib/ftp-proxy-test1/
This looks somewhat strange - does the user running the proxy have to own the whole chroot-directory? In the other option that you wrote me the user only owns the log-directory. So I made him owner of the log-directory in the rundir, but it did not work out...
Greetings,
Ralf
On Wed, Jun 09, 2004 at 12:38:51PM +0200, Ralf Ronneburger wrote:
Hi Marius,
thanks for your reply, I only got to try this today. Unfortunately that did not work out. Now I have a dir ftp-proxy writeable to nobody/nogroup in /var/log, but the ftp-proxies log to /var/lib/ftp-proxy-test1/rundir/var/log/ftp-proxy and they still don't want to start up at boot. Any other ideas?
No. Same idea, but better realization :-) :
Of course, you have to create all directories:
mkdir -m0750 /var/lib/ftp-proxy-test1/
mkdir -m0750 /var/lib/ftp-proxy-test1/rundir/
mkdir -m0750 /var/lib/ftp-proxy-test1/rundir/var/
mkdir -m0750 /var/lib/ftp-proxy-test1/rundir/var/log
mkdir -m0750 /var/lib/ftp-proxy-test1/rundir/var/log/ftp-proxy
chown -R $User /var/lib/ftp-proxy-test1/
chgrp -R $Group /var/lib/ftp-proxy-test1/
This looks somewhat strange - does the user running the proxy have to own the whole chroot-directory?
Please try out/adapt the sample script in ftp-proxy/rc.script for your purposes. Except for the /etc/rc.status sourcing, which is SuSE specific, you should be able to get it running on FreeBSD/OpenBSD as well (you may fake one by defining some rc_* functions the script uses, remove them from the script, or copy the file from SuSE Linux).
Sorry - this was broken:
> >mkdir -m0750 /var/lib/ftp-proxy-test1/
> >mkdir -m0750 /var/lib/ftp-proxy-test1/rundir/
> >mkdir -m0750 /var/lib/ftp-proxy-test1/rundir/var/
> >mkdir -m0750 /var/lib/ftp-proxy-test1/rundir/var/log
> >mkdir -m0750 /var/lib/ftp-proxy-test1/rundir/var/log/ftp-proxy
mkdir -m0750 /var/lib/ftp-proxy-test1/{dev,lib,etc}
mkdir -m0750 /var/lib/ftp-proxy-test1/etc/proxy-suite
chown -R root /var/lib/ftp-proxy-test1/
chgrp -R $Group /var/lib/ftp-proxy-test1/
chown -R $User /var/lib/ftp-proxy-test1/rundir/var/log/ftp-proxy
Directories other than the log dir have to be at least executable (to be able to access files inside)...
The proxy should be able to write to $ServerRoot/$LogDestination and, for config reloads (SIGHUP), also be able to read the config from $ServerRoot/$ConfigDir/ftp-proxy.conf (it makes a copy itself if it does not exist). Further it should be able to write to $ServerRoot/dev/{log,null} (on Free/OpenBSD also /dev/ipnat or /dev/pf), and have (and be able to read) all libs it requires in $ServerRoot/lib as well as some files in $ServerRoot/etc.
Note: a statically linked proxy on Linux still needs some libs in the chroot, since glibc loads them on demand.
Use "strace", "truss", "ktrace" or however they are named to see what's missing or where you get a permission denied...
In the other option that you wrote me the user only owns the log-directory. So I made him owner of the log-directory in the rundir, but it did not work out...
Kind regards,
Marius Tomaschewski