Author Topic: User-Rights gone wrong  (Read 3092 times)

henfri

  • Zen Apprentice
  • *
  • Posts: 28
  • Karma: +0/-0
User-Rights gone wrong
« on: July 16, 2013, 08:48:20 pm »
Hello,

I changed the settings of the file-sharing (samba). Since I did that, I cannot access the web-interface any longer.
Thus, I rebooted. No improvement.
I also noted that I can only log in as root via ssh. Even su to my username does not work:
su henfri
Cannot execute /bin/sh: Permission denied
su: User not known to the underlying authentication module

What has gone wrong here?

Note: I added "/" to the shared folders (I know I should not, but /var/www was not allowed, and I DO have good reasons to share this (I want to edit the web-pages from Windows)).

Greetings,
Hendrik

Lonniebiz

  • Zen Samurai
  • ****
  • Posts: 320
  • Karma: +24/-2
Re: User-Rights gone wrong
« Reply #1 on: July 17, 2013, 08:20:44 am »
That was a bold thing to try. From what I understand, when you make a share, the folder you share gets special permissions so that LDAP users can access that folder, and I think all sub-folders then inherit those same permissions.

So, if you somehow set your root folder as a share, I wonder if Samba had the authority to change permissions on your root folder and make all sub-folders inherit those permissions. Probably a far-fetched idea, but when you ssh in I'd be sure to check the file permissions on your root folder:
cd /
ls -lha

Find out where the web interface files are and see their permissions too. If you can no longer access the web interface, it seems likely that you have a permissions issue at some level.

henfri

  • Zen Apprentice
  • *
  • Posts: 28
  • Karma: +0/-0
Re: User-Rights gone wrong
« Reply #2 on: July 17, 2013, 07:36:02 pm »
Hello,

Thanks for your reply.
The output is:
total 168K
drwx------  25 root root 4,0K Jul 10 20:44 .
drwx------  25 root root 4,0K Jul 10 20:44 ..
-rw-------   1 root root  14K Feb 24 13:51 aquota.group
-rw-------   1 root root  14K Feb 24 13:51 aquota.user
drwxr-xr-x   2 root root 4,0K Jul 10 20:41 bin
drwxr-xr-x   3 root root 4,0K Jul 10 20:46 boot
drwxr-xr-x   3 root root 4,0K Jul  1 18:44 build
drwxr-xr-x   2 root root 4,0K Apr 13 22:32 .config
drwxr-xr-x  19 root root 4,4K Jul 16 20:29 dev
drwxr-xr-x 158 root root  12K Jul 16 20:29 etc
drwxr-xr-x  14 root root 4,0K Jul  6 22:45 home
lrwxrwxrwx   1 root root   33 Jul 10 20:44 initrd.img -> /boot/initrd.img-3.2.0-49-generic
lrwxrwxrwx   1 root root   33 Mai 18 11:27 initrd.img.old -> /boot/initrd.img-3.2.0-43-generic
-rw-r--r--   1 root root  351 Mär  9 20:09 iostat-ios.state
drwxr-xr-x  20 root root 4,0K Jul 10 20:41 lib
drwxr-xr-x   2 root root 4,0K Mai 18 11:24 lib64
drwx------   2 root root  16K Nov 27  2012 lost+found
drwxr-xr-x   4 root root 4,0K Jun 29 20:59 media
drwxrwxrwx  10 root root 4,0K Apr 19 20:47 mnt
drwxr-xr-x   4 root root 4,0K Feb 24 11:30 opt
dr-xr-xr-x 182 root root    0 Jul 16 20:28 proc
drwx------  64 root root 4,0K Jul 13 23:12 root
drwxr-xr-x  28 root root 1,2K Jul 17 19:32 run
drwxr-xr-x   2 root root  12K Jul 10 20:41 sbin
drwxr-xr-x   2 root root 4,0K Mär  5  2012 selinux
drwxr-xr-x   8 root root 4,0K Jun 13 21:11 srv
dr-xr-xr-x  13 root root    0 Jul 16 20:28 sys
drwxrwxrwt   7 root root 4,0K Jul 17 19:30 tmp
-rw-r--r--   1 root root 1,1K Nov 27  2012 ubuntu
-rw-r--r--   1 root root 1,1K Dez 26  2012 ubuntu.1
drwxr-xr-x  11 root root 4,0K Jun 30 20:40 usr
drwxr-xr-x  15 root root 4,0K Jul 16 20:28 var
lrwxrwxrwx   1 root root   29 Jul 10 20:44 vmlinuz -> boot/vmlinuz-3.2.0-49-generic
lrwxrwxrwx   1 root root   29 Mai 18 11:27 vmlinuz.old -> boot/vmlinuz-3.2.0-43-generic
-rw-r--r--   1 root root 8,2K Dez 26  2012 webmin-setup.out

At least it does not look as if all folders got the same permissions (which I would assume if what you described happened).

e.g. /home/henfri has the rights 755 and is owned by henfri and the group is users, so that looks right.

I had the impression that the authentication module was not working (the indication was that su henfri didn't work):
su: User not known to the underlying authentication module
So, what is the underlying auth module? LDAP? How can I check it?

Regarding the web-if:
I get some entries of apache looking at ps:
root      3067  0.0  0.1 301120 12624 ?        Ss   Jul16   0:02 /usr/sbin/apache2 -k start
www-data  3264  0.0  0.1 314956  8768 ?        S    Jul16   0:00 /usr/sbin/apache2 -k start
www-data  3265  0.0  0.1 314956  8768 ?        S    Jul16   0:00 /usr/sbin/apache2 -k start
www-data  3270  0.0  0.1 314956  8768 ?        S    Jul16   0:00 /usr/sbin/apache2 -k start
www-data  3271  0.0  0.1 314956  8768 ?        S    Jul16   0:00 /usr/sbin/apache2 -k start
www-data  3272  0.0  0.1 314956  8768 ?        S    Jul16   0:00 /usr/sbin/apache2 -k start
www-data  3777  0.0  0.1 314956  8768 ?        S    Jul16   0:00 /usr/sbin/apache2 -k start
www-data  3975  0.0  0.1 314956  8768 ?        S    Jul16   0:00 /usr/sbin/apache2 -k start
www-data  9795  0.0  0.1 314956  8768 ?        S    Jul16   0:00 /usr/sbin/apache2 -k start
www-data  9796  0.0  0.1 314956  8768 ?        S    Jul16   0:00 /usr/sbin/apache2 -k start
www-data  9797  0.0  0.1 314956  8768 ?        S    Jul16   0:00 /usr/sbin/apache2 -k start

But usually there was something like ...apache2 /...zentyal, right?

Greetings,
Hendrik
« Last Edit: July 17, 2013, 07:38:57 pm by henfri »
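The listing in the post above already contains the clue: `.` (that is, `/` itself) is `drwx------`, so only root has the search (execute) bit on the root directory, and no other user can even reach `/bin/sh`, whatever the permissions further down the tree. The following is an added example, not code from the thread or from Zentyal: a small Python checker that parses an `ls -l /` listing (a constructed sample modelled on the output above) and reports the first directory on the way to a target that an unprivileged user cannot traverse. The `/bin/sh` target and the assumption that the user is neither root nor in the owning group are mine.

```python
import stat

# Constructed sample, modelled on the `ls -lha /` listing in the post above
# (only a few entries kept, permissions as shown there).
SAMPLE_LISTING = """\
total 168K
drwx------  25 root root 4,0K Jul 10 20:44 .
drwx------  25 root root 4,0K Jul 10 20:44 ..
drwxr-xr-x   2 root root 4,0K Jul 10 20:41 bin
drwxr-xr-x 158 root root  12K Jul 16 20:29 etc
drwxr-xr-x  14 root root 4,0K Jul  6 22:45 home
lrwxrwxrwx   1 root root   29 Jul 10 20:44 vmlinuz -> boot/vmlinuz-3.2.0-49-generic
"""


def mode_from_ls(perm: str) -> int:
    """Turn an ls permission field such as 'drwxr-xr-x' into numeric mode bits (0o755).

    Setuid/setgid/sticky letters (s, S, t, T) are folded into the plain
    execute bit; they are not needed to reason about directory traversal.
    """
    if len(perm) != 10:
        raise ValueError(f"unexpected permission field: {perm!r}")
    bits = 0
    for ch in perm[1:]:
        bits = (bits << 1) | (0 if ch in "-ST" else 1)
    return bits


def root_dir_modes(listing: str) -> dict:
    """Map each entry of an `ls -l /` listing to its mode, keyed by absolute path."""
    modes = {}
    for line in listing.splitlines():
        if not line.strip() or line.startswith("total"):
            continue
        fields = line.split(None, 8)          # perm links owner group size mon day time name
        perm, name = fields[0], fields[8]
        name = name.split(" -> ")[0]          # drop a symlink target
        if name == "..":
            continue
        path = "/" if name == "." else "/" + name
        modes[path] = mode_from_ls(perm)
    return modes


def first_blocked_dir(modes: dict, path: str, perm_bit: int = stat.S_IXOTH):
    """Return the first directory on the way to `path` that lacks the search
    (execute) bit for "other" users, or None if every known component is fine.

    Directories missing from `modes` are assumed traversable, so the check
    only reports what the listing can actually prove.
    """
    parts = path.strip("/").split("/")[:-1]   # parent directories only
    chain = ["/"] + ["/" + "/".join(parts[: i + 1]) for i in range(len(parts))]
    for d in chain:
        if d in modes and not modes[d] & perm_bit:
            return d
    return None


def traversal_report(listing: str, target: str = "/bin/sh") -> str:
    """Human-readable verdict for one target path."""
    modes = root_dir_modes(listing)
    blocked = first_blocked_dir(modes, target)
    if blocked is None:
        return f"{target}: all parent directories are searchable by other users"
    return (f"{target}: blocked at {blocked} (mode {modes[blocked]:04o}); "
            f"non-root users get 'Permission denied' before reaching {target}")


if __name__ == "__main__":
    print(traversal_report(SAMPLE_LISTING))
```

With the sample listing the report stops at `/` with mode 0700, which is exactly the `Cannot execute /bin/sh: Permission denied` symptom: `su` switches to the target uid first and then cannot look up anything below a root directory it may not search. Setting `/` back to 0755 in the mode table makes the same check pass.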

henfri

  • Zen Apprentice
  • *
  • Posts: 28
  • Karma: +0/-0
Re: User-Rights gone wrong
« Reply #3 on: July 17, 2013, 08:22:55 pm »
Hello again,

I searched for files that changed in the last 24h and filtered them for obvious stuff (/run, /var/log, /proc, /dev etc).

I found some files that might be related, but I am not sure:
/etc/samba/smb.conf
/etc/ldap.conf
/etc/mtab
/var/lib/ldap/__db.002
/var/lib/ldap/__db.003
/var/lib/ldap/__db.004
/var/lib/ldap/__db.005
/var/lib/ldap/__db.006
/var/lib/libnss-ldap
/var/lib/libnss-ldap/ldap.conf.20130716202741.diff

/opt/samba4/private
/opt/samba4/private/ldap_priv
/opt/samba4/private/ldap_priv/ldapi
/opt/samba4/private/secrets.tdb
/opt/samba4/private/ldapi
/opt/samba4/private/schannel_store.tdb
/opt/samba4/private/smbd.tmp/msg
/opt/samba4/private/smbd.tmp/msg/names.tdb
/opt/samba4/private/smbd.tmp/msg/msg.25592.1
/opt/samba4/private/smbd.tmp/msg/msg.9201
/opt/samba4/private/smbd.tmp/msg/msg.9208
/opt/samba4/private/smbd.tmp/msg/msg.9203.30
/opt/samba4/private/smbd.tmp/msg/msg.9210
/opt/samba4/private/smbd.tmp/msg/msg.9196
/opt/samba4/private/smbd.tmp/msg/msg.0
/opt/samba4/private/smbd.tmp/msg/msg.9200
/opt/samba4/private/smbd.tmp/msg/msg.9203
/opt/samba4/private/smbd.tmp/msg/msg.9209
/opt/samba4/private/smbd.tmp/msg/msg.9202
/opt/samba4/private/smbd.tmp/msg/msg.9195
/opt/samba4/private/smbd.tmp/msg/msg.9198
/opt/samba4/private/smbd.tmp/msg/msg.9199
/

Any hints?

Greetings,
Hendrik

henfri

  • Zen Apprentice
  • *
  • Posts: 28
  • Karma: +0/-0
Re: User-Rights gone wrong
« Reply #4 on: July 18, 2013, 07:54:41 am »
Hello,

It seems no one has an idea how to fix this. My last idea: can someone say what is actually done when storing the samba configuration?

Is there a way to re-initialize everything, i.e. re-running the post-install wizard without re-installing the whole system?

Greetings,
Hendrik
« Last Edit: July 18, 2013, 08:02:09 am by henfri »

jbahillo

  • Zentyal Staff
  • Zen Hero
  • *****
  • Posts: 1444
  • Karma: +77/-2
Re: User-Rights gone wrong
« Reply #5 on: July 18, 2013, 09:42:36 am »
Hi there:

I would have a look at the /etc/pam.d dir and probably compare it with a running system so you can check what the differences are. In this way you might be able to solve this su issue, and probably the sudo one, which on its side could allow you to access the web interface.

Nevertheless, if this is in production I would advise you to reinstall, as this would leave you a clean system (there are more things that might be wrong after this wrong configuration you have done). If it was in a development environment, I cannot see the reason not to reinstall, as this would ensure that in the case you got another error, this was not due to this first misconfig.

henfri

  • Zen Apprentice
  • *
  • Posts: 28
  • Karma: +0/-0
Re: User-Rights gone wrong
« Reply #6 on: July 18, 2013, 09:06:55 pm »
Hello,

I have replaced the pam.d directory with one from a (very old) backup.
No change.
The server is a production one, but it is "only" at my home. I would really dislike re-installing, as the set-up of the (non-Zentyal) programs was lots of work.

Can you tell me please, what is done/executed when adding a Samba-Share?

And one more thing:
I had the impression that you felt my doing was quite unreasonable. I don't really see why that is (and I think there is no need to discuss this), but if this can break the system in such a way, this *must* be prevented (similarly, sharing /var/www is prevented, where I don't see the reason (it would be a handy way to update the web-sites)). I have opened a ticket for that in the bug-tracker.

Greetings,
Hendrik

jbahillo

  • Zentyal Staff
  • Zen Hero
  • *****
  • Posts: 1444
  • Karma: +77/-2
Re: User-Rights gone wrong
« Reply #7 on: July 19, 2013, 10:29:36 am »
Hello, creating a share under / cannot be prevented, as it would prevent any share from being created.

About your question, when a share is created this is what is done:

  • Create the folder if it does not exist
  • Clear POSIX ACLs
  • Modify path and user, and set NT ACLs if guest access is allowed
  • Build POSIX and NT ACLs

You can see that by looking at this: https://github.com/Zentyal/zentyal/blob/3.0/main/samba/src/EBox/Samba/Model/SambaShares.pm

henfri

  • Zen Apprentice
  • *
  • Posts: 28
  • Karma: +0/-0
Re: User-Rights gone wrong
« Reply #8 on: July 19, 2013, 08:45:35 pm »
Quote
Hello, creating a share under / cannot be prevented, as it would prevent any share from being created.
That depends on how it is implemented.
I am sure you can check for "/" rather than "/*". I still think that this really should be prevented, no matter how unlikely this appears, if it can destroy the whole system. Risk = likelihood * consequence. So the risk is high here.

Quote
About your question, when a share is created this is what is done:

  • Create the folder if it does not exist
  • Clear POSIX ACLs
  • Modify path and user, and set NT ACLs if guest access is allowed
  • Build POSIX and NT ACLs
The system should run without ACLs, if I understand correctly, right?
So if I clear all ACLs, I can rule out that wrong ACLs are the problem?!

Would wrong ACLs explain, why the "user cannot be found by the underlying authentication service"?

Quote
You can see that by looking at this: https://github.com/Zentyal/zentyal/blob/3.0/main/samba/src/EBox/Samba/Model/SambaShares.pm
Thanks. I am not too familiar with Perl, so I fear that this will not be so helpful. But I'll try.

Greetings - I appreciate your help,
Hendrik
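The check proposed above (reject "/" itself rather than every path matching "/*") is easy to get wrong if it is done on the raw string: "//", "/." and "/bin/.." all name the root directory too. As an added example, not code from Zentyal or from anyone in this thread, here is a Python validator that canonicalises the requested share path lexically before comparing it against a list of locations a share must never be rooted at. The `PROTECTED_ROOTS` list is constructed for this example; the thread only states that /var/www was refused while / was accepted, and Zentyal's real list is not shown.

```python
import posixpath

# Constructed for this example: locations a share must never be rooted at or
# placed inside. Zentyal's own list of disallowed paths is not shown in the
# thread; the post only says that /var/www was refused while / was accepted.
PROTECTED_ROOTS = ("/", "/bin", "/boot", "/dev", "/etc", "/lib", "/lib64",
                   "/proc", "/root", "/run", "/sbin", "/sys", "/usr", "/var/www")


def normalize_share_path(path: str) -> str:
    """Canonicalise a share path purely lexically (no filesystem access):
    collapse '//' and '/./', resolve '..', and strip a trailing slash."""
    norm = posixpath.normpath(path)
    # POSIX allows an implementation to give a leading '//' special meaning,
    # so normpath preserves it; for a share root it is still '/'.
    if norm.startswith("//"):
        norm = "/" + norm.lstrip("/")
    return norm


def validate_share_path(path: str):
    """Return (ok, detail): detail is the normalized path when accepted,
    otherwise the reason for rejection."""
    if not path or not path.startswith("/"):
        return False, "share path must be absolute"
    norm = normalize_share_path(path)
    for root in PROTECTED_ROOTS:
        if norm == root:
            return False, f"{norm!r} is a protected location"
        # '/' is handled by the equality test only; every path lies "inside" it.
        if root != "/" and norm.startswith(root + "/"):
            return False, f"{norm!r} lies inside protected location {root!r}"
    return True, norm


if __name__ == "__main__":
    for candidate in ("/", "//", "/bin/..", "/etc/samba", "/home/henfri//share/"):
        print(candidate, "->", validate_share_path(candidate))
```

The comparison is lexical on purpose so the function is deterministic and testable; on a live server the path should additionally be resolved with `os.path.realpath` before the comparison, because a symlink or bind mount pointing at `/` would otherwise pass. Both checks are cheap, and the cost of omitting them is the whole of this thread: a single accepted "/" followed by "Clear POSIX ACLs" and "Build POSIX and NT ACLs" rewrites the permissions of the root directory.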

jbahillo

  • Zentyal Staff
  • Zen Hero
  • *****
  • Posts: 1444
  • Karma: +77/-2
Re: User-Rights gone wrong
« Reply #9 on: July 19, 2013, 09:03:38 pm »
Hi:

You are very welcome to propose any feature you might consider helpful under Feature Requests in this forum ;)

The system removes any previous ACL and sets new ones based on what has been defined in the share.
According to http://pubs.opengroup.org/onlinepubs/8329799/pam_authenticate.htm you should definitely check PAM... (permissions on config files as well)
« Last Edit: July 19, 2013, 09:05:21 pm by jbahillo »

henfri

  • Zen Apprentice
  • *
  • Posts: 28
  • Karma: +0/-0
Re: User-Rights gone wrong
« Reply #10 on: July 20, 2013, 08:42:12 pm »
Quote
You are very welcome to propose any feature you might consider helpful under Feature Requests in this forum ;)
I am not sure whether you are being serious.
In my view it is a serious bug.

Quote
The system removes any previous ACL and sets new ones based on what has been defined in the share.
According to http://pubs.opengroup.org/onlinepubs/8329799/pam_authenticate.htm you should definitely check PAM... (permissions on config files as well)
What in that link are you referring to? I really don't see it. Sorry.

Greetings,
Hendrik

jbahillo

  • Zentyal Staff
  • Zen Hero
  • *****
  • Posts: 1444
  • Karma: +77/-2
Re: User-Rights gone wrong
« Reply #11 on: July 20, 2013, 10:03:18 pm »
If, in your view, this is a bug, you should add it on trac. Nevertheless, anything that is provoked by user interaction is for me more like a missing feature; that's why I suggested that you add a check like the one we are discussing.

In the webpage I mentioned to you, you can see the particular error you are receiving:
[PAM_AUTHINFO_UNAVAIL]

    The underlying authentication service cannot retrieve the authentication information.

That's why I suggest revising PAM in depth.

henfri

  • Zen Apprentice
  • *
  • Posts: 28
  • Karma: +0/-0
Re: User-Rights gone wrong
« Reply #12 on: July 20, 2013, 10:57:56 pm »
Hello,

I see. Of course I already have added something in the tracker:
http://trac.zentyal.org/ticket/7008

Regarding PAM:
By re-installing PAM (apt-get install --reinstall libnss-ldap libpam-ldap nscd), I fixed the "...not known by the underlying..." problem.

Still:
su henfri
/bin/sh cannot be executed

By chmod 755 / this is fixed.

Unfortunately, this reverted after reboot.

Any ideas? How can I see the access-rights of /?

Greetings,
Hendrik

jbahillo

  • Zentyal Staff
  • Zen Hero
  • *****
  • Posts: 1444
  • Karma: +77/-2
    • View Profile
Re: User-Rights gone wrong
« Reply #13 on: July 20, 2013, 11:02:28 pm »
Have you deleted the / share?

Permissions are set on any samba reboot / start

henfri

  • Zen Apprentice
  • *
  • Posts: 28
  • Karma: +0/-0
Re: User-Rights gone wrong
« Reply #14 on: July 21, 2013, 08:47:41 am »
Hello,

No, I could not (as the web-if is still not working). But I was suspecting that...

I will check if I can find where they are stored.

Greetings,
Hendrik