systemd service: Failed to execute command: Permission denied - linux

I am trying to run an SSH command in a systemd service. Although I the user I set to run the command fedora has permission to everything the command requires (verified by both running the command manually in a logged-in shell without failure and permission checks on the files), it still gives the error of permission denied.
[Unit]
Description=AutoSSH tunnel
After=network.target
[Service]
Type=simple
ExecStart=/usr/bin/ssh -f -TN -L 3333:localhost:3333 -o "ExitOnForwardFailure yes" -o "ServerAliveInterval 60" -i /home/fedora/.ssh/id_rsa ubuntu#server
ExecStop=/usr/bin/pkill -f 3333:localhost:3333
Restart=always
RestartSec=10
User=fedora
Group=fedora
[Install]
WantedBy=multi-user.target
error message:
Oct 16 11:10:47 Lenovoserver systemd[2318595]: autossh-tunnel.service: Failed to execute command: Permission denied
Oct 16 11:10:47 Lenovoserver systemd[2318595]: autossh-tunnel.service: Failed at step EXEC spawning /usr/bin/ssh: Permission denied
Permission checks:
-rwxr-xr-x. 1 root root 808832 Oct 9 2019 /usr/bin/ssh
fedora user has permission to execute /usr/bin/ssh
-rw-------. 1 fedora fedora 2610 Jan 3 2020 /home/fedora/.ssh/id_rsa
fedora user has read access to its private key.
Did I do anything wrong or is this a systemd bug?

It could be SELinux, the new ssh port has to be registered in selinux.
Firs check if the service work by disabling selinux temporarily, if it works add ssh port to selinux as follow.
# Check selinux status
sestatus
# Disable selinux temporarily
setenforce 0
# Check selinux ssh port
semanage port -l | grep ssh
ssh_port_t tcp 22
# Add selinux ssh port
sudo semanage port -a -t ssh_port_t -p tcp 3333
# Check selinux ssh port
semanage port -l | grep ssh
ssh_port_t tcp 22, 3333

Related

Device node in LXC is not accessible when connected via SSH

I have a problem where a physical hardware device passed through to an LXC container cannot be read from or written to when I am connected via SSH.
The device node of my physical hardware device looks like this:
myuser#myhost:~$ ls -la /dev/usb/hiddev0
crw-rw-rw- 1 root root 180, 0 Jul 30 10:27 /dev/usb/hiddev0
This is how I create and start my container:
myuser#myhost:~$ sudo lxc-create -q -t debian -n mylxc -- -r stretch
myuser#myhost:~$ sudo lxc-start -n mylxc
Then I add the device node to the LXC:
myuser#myhost:~$ sudo lxc-device -n mylxc add /dev/usb/hiddev0
Afterwards the device is available in the LXC and I can read from it after having attached to the LXC:
myuser#myhost:~$ sudo lxc-attach -n mylxc
root#mylxc:/# ls -la /dev/usb/hiddev0
crw-r--r-- 1 root root 180, 0 Aug 27 11:26 /dev/usb/hiddev0
root#mylxc:/# cat /dev/usb/hiddev0
����������^C
root#mylxc:/#
I then enable root access via SSH without a password:
myuser#myhost:~$ sudo lxc-attach -n mylxc
root#mylxc:/# sed -i 's/#\?PermitRootLogin.*/PermitRootLogin yes/g' /etc/ssh/sshd_config
root#mylxc:/# sed -i 's/#\?PermitEmptyPasswords.*/PermitEmptyPasswords yes/g' /etc/ssh/sshd_config
root#mylxc:/# sed -i 's/#\?UsePAM.*/UsePAM no/g' /etc/ssh/sshd_config
root#mylxc:/# passwd -d root
passwd: password expiry information changed.
root#mylxc:/# /etc/init.d/ssh restart
Restarting ssh (via systemctl): ssh.service.
root#mylxc:/# exit
When I connect via SSH now, the device node is there, but I cannot access it:
myuser#myhost:~$ ssh root#<lxc-ip-address>
root#mylxc:~# ls -la /dev/usb/hiddev0
crw-r--r-- 1 root root 180, 0 Aug 27 11:26 /dev/usb/hiddev0
root#mylxc:~# cat /dev/usb/hiddev0
cat: /dev/usb/hiddev0: Operation not permitted
In both cases (lxc-attach and ssh) I am the root user (verified via whoami), so this cannot be the problem.
Why am I not allowed to access the device when I am connected via SSH?
EDIT
In the meantime I found out that the error disappears when I call all the LXC initialization commands directly one after another in a script, i.e.:
sudo lxc-create -q -t debian -n mylxc -- -r stretch
sudo lxc-start -n mylxc
sudo lxc-device -n mylxc add /dev/usb/hiddev0
...
And then all the SSH configuration as described above. The device is correctly accessible via SSH then.
As soon as some time passes between lxc-start and lxc-device, the error appears, e.g.:
sudo lxc-create -q -t debian -n mylxc -- -r stretch
sudo lxc-start -n mylxc
sleep 1
sudo lxc-device -n mylxc add /dev/usb/hiddev0
...
Why is the timing relevant here? What happens during the first second within the LXC that makes the device become unaccessible?
With help from the lxc-users mailing list I found out that the restriction is intended. Access to devices has to be allowed explicitly in the LXC's config using their major/minor numbers:
lxc.cgroup.devices.allow = c 180:* rwm
The unrestricted access using lxc-attach seems to be some bug in my case. Devices should never be accessible in the LXC if not explicitly allowed.

PID file /usr/local/apache2/logs/httpd.pid not readable (yet?) after start

I installed httpd 2.4.27 in CentOS 7. I configured httpd.service as systemd service. But everytime I got this error PID file /usr/local/apache2/logs/httpd.pid not readable (yet?) after start. when I start or restart httpd.service.
Here is my configuration of httpd.service:
[root#localhost ~]# cat /usr/lib/systemd/system/httpd.service
[Unit]
Description=The Apache HTTP Server
After=network.target remote-fs.target nss-lookup.target
Documentation=man:httpd(8)
Documentation=man:apachectl(8)
[Service]
Type=forking
ExecStart=/usr/local/apache2/bin/apachectl -k start
ExecReload=/usr/local/apache2/bin/apachectl -k graceful
ExecStop=/usr/local/apache2/bin/apachectl -k graceful-stop
PIDFile=/usr/local/apache2/logs/httpd.pid
PrivateTmp=true
[Install]
WantedBy=multi-user.target
[root#localhost ~]#
Here is the error info:
[root#localhost ~]# systemctl start httpd.service
[root#localhost ~]# systemctl status httpd.service
● httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
Active: active (running) since Fri 2017-09-01 22:30:48 EDT; 1s ago
Docs: man:httpd(8)
man:apachectl(8)
Process: 2173 ExecStart=/usr/local/apache2/bin/apachectl -k start (code=exited, status=0/SUCCESS)
Main PID: 2176 (httpd)
CGroup: /system.slice/httpd.service
├─2176 /usr/local/apache2/bin/httpd -k start
├─2177 /usr/local/apache2/bin/httpd -k start
├─2178 /usr/local/apache2/bin/httpd -k start
└─2179 /usr/local/apache2/bin/httpd -k start
Sep 01 22:30:47 localhost.localdomain systemd[1]: Starting The Apache HTTP Server...
Sep 01 22:30:48 localhost.localdomain systemd[1]: PID file /usr/local/apache2/logs/httpd.pid not readable (yet?) after start.
Sep 01 22:30:48 localhost.localdomain systemd[1]: Started The Apache HTTP Server.
[root#localhost ~]#
Here is the permission of httpd.pid file:
[root#localhost ~]# ll /usr/local/apache2/logs/
total 8
-rw-r--r--. 1 root root 0 Sep 1 20:46 access_log
-rw-r--r--. 1 root root 3270 Sep 1 22:30 error_log
-rw-r--r-- 1 root root 5 Sep 1 22:30 httpd.pid
[root#localhost ~]#
I found there was no use to change the permission of httpd.pid file manually, because the file will be removed automatically when service gets stopped. And new httpd.pid file will be generated once service is turned on.
Note: I see some posts saying updating /usr/lib/tmpfiles.d/httpd.conf will work. But I don't have this file since I installed apache from source. I think only 'yum install httpd' has this.
Anyone can help? I just want to have a clean service start with no error or warning. Thanks.
you can set /lib/tmpfiles.d/httpd.conf follow:
d /usr/local/apache2/logs/httpd.pid 700 apache apache
vim /etc/systemd/system/httpd.service
Add parameter of "ExecStartPost" is work,
[Unit]
Description=httpd service
After=syslog.target network.target
[Service]
Type=forking
PIDFile=/usr/local/apache2/logs/httpd.pid
ExecStart=/bin/sh -c '/usr/sbin/apachectl -f /etc/httpd/httpd.conf -k start'
ExecStop=/bin/sh -c '/usr/sbin/apachectl -f /etc/httpd/httpd.conf -k stop'
ExecReload=/bin/sh -c '/usr/sbin/apachectl -f /etc/httpd/httpd.conf -k graceful'
ExecStartPost=/bin/sh -c '/usr/bin/chown apache:apache -R /usr/local/apache2/logs/httpd.pid'
[Install]
WantedBy=multi-user.target

Failed to restart redis-server.service: Unit redis-server.service not found

Tried to start redis-server but got:
26195:C 27 Aug 17:05:11.684 # Warning: no config file specified, using
the default config. In order to specify a config file use redis-server
/path/to/redis.conf
26195:M 27 Aug 17:05:11.684 * Increased maximum number of open files
to 10032 (it was originally set to 1024).
26195:M 27 Aug 17:05:11.685 # Creating Server TCP listening socket
*:6379: bind: Address already in use
Ran lsof -wni tcp:3000 and killed the local host and tried restarting redis-server again and got the same above error.
Tried: ps -aux | grep redis (output below), then sudo kill -9 6379
nick4896 12238 0.0 0.1 41432 9048 ? Sl Aug26 0:14
redis-server *:6379
nick4896 26304 0.0 0.0 21300 984 pts/21 S+ 17:08 0:00 grep
--color=auto redis
And ran sudo service redis-server restart, and got:
Failed to restart redis-server.service: Unit redis-server.service not
found.
Any ideas?
The problem is that symlink redis-server.service to redis.service was deleted.
Command
sudo systemctl enable redis-server
creates the symlink:
Created symlink /etc/systemd/system/redis.service → /lib/systemd/system/redis-server.service.
Came across this, I would suggest systemctl daemon-reload
Not an answer, but to complete Igor Kavzov's answer, this is the code to enter at the terminal:
sudo ln /lib/systemd/system/redis.service /etc/systemd/system/redis-server.service

binary privilege based on users execution

I have tpdump command , when I run the command with admin tcpdump should run as a root privileges . And when I run same tcpdump command with user1 it should run as normal privilege .
I mean , binary should have the different privileges based on user's who is executing . for example if the binary runs with root , it should have root privilege .And if it runs with user1 then it should have normal privilege.
Example-1: for admin
# tcpdump -x /data/temp/test.cap
#ls -ld tcpdump
-r-sr-xr-x 1 root my 43305 Aug 5 11:48 /data/bin/tcpdump
#
Example-2: user1
# tcpdump -x /data/tmp/test1.cap
#ls -ld tcpdump
-r-sr-xr-x 1 user1 my 43305 Aug 5 11:48 /data/bin/tcpdump
#
Note: tcpdump is a root binary.
-x to capture the packets into file
This is exactly how permissions work when SUID bit isn't set (which is set for tcpdump). See man chmod and its s permission symbol.

tunnel ssh from another pc to docker

i am trying to create a ssh tunnel for executing conky in my contenair.
pc --> server --> contenair(docker)
i can create a tunnel from my pc to the server and from the server to contenair
but i don't know why i can't execute this command from my pc to create a tunnel all the way:
ssh -L 8888:localhost:22 user#62.210.227.219 ssh -t -t -L 8887:localhost:8888 -p 8888 admin#localhost
i get a terminal with nothing. :(
the ssh log from my server
Aug 9 14:57:14 sd-46208 sshd[5867]: Accepted publickey for USER from 82.64.127.210 port 54369 ssh2: RSA 39:50:42:5p:05:0a:7a:f4:66:fb:5d:24:1f:96:09:5f
Aug 9 14:57:14 sd-46208 systemd: Starting Session 1810 of user USER.
Aug 9 14:57:14 sd-46208 systemd: Started Session 1810 of user USER.
Aug 9 14:57:14 sd-46208 systemd: Failed to reset devices.list on /system.slice: Invalid argument
Aug 9 14:57:14 sd-46208 systemd-logind: New session 1810 of user USER.
Aug 9 14:57:14 sd-46208 sshd[5870]: error: Failed to disconnect from controlling tty.
i almost solved my problem
i added in ssh/sshd_config
X11Forwarding yes
X11UseLocalhost yes
X11DisplayOffset 10
AddressFamily inet
and i run
ssh User#60.220.207.219 ssh User#127.0.0.1 -p 9999 i can connect to contenair but i cant execute an application for the moment

Resources