Linux setcap: fatal error:invalid argument Note <filename> must be a regular (non-symlink) file - linux

My linux is CentOS7.
When I run Elastic Beats-Auditbeat as a non-root user,
it shows this error:
ERROR instance/beat.go:877 Exiting: 1 error: 1 error: failed to create audit client: failed to get audit status: operation not permitted
Exiting: 1 error: 1 error: failed to create audit client: failed to get audit status: operation not permitted
So I checked which capability the process lacked with this command:
strace ./auditbeat -c 1 localhost 2>&1 | grep EPERM
and it shows:
epoll_ctl(4, EPOLL_CTL_ADD, 3, {EPOLLIN|EPOLLOUT|EPOLLRDHUP|EPOLLET, {u32=66785192, u64=140471267168168}}) = -1 EPERM (Operation not permitted)
epoll_ctl(4, EPOLL_CTL_DEL, 3, {0, {u32=0, u64=0}}) = -1 EPERM (Operation not permitted)
I found from this doc that the missing capability is CAP_BLOCK_SUSPEND.
But when I run the command setcap cap_block_suspend=ep auditbeat, it shows:
fatal error: Invalid argument
usage: setcap [-q] [-v] (-r|-|<caps>) <filename> [ ... (-r|-|<capsN>) <filenameN> ]
Note <filename> must be a regular (non-symlink) file.
But auditbeat is just a regular file:
[usr@linuxhost auditbeat-7.2.0-linux-x86_64]$ stat auditbeat
File: ‘auditbeat’
Size: 70418699 Blocks: 137544 IO Block: 4096 regular file
Device: pasef/17006b Inode: 410084318 Links: 1
Access: (0755/-rwxr-xr-x) Uid: ( 1004/ usr ) Gid: ( 1004/ usr )
Access: 2019-08- 0:39:29.160306947 +000
Modify: 2019-06-20 23:04:01.000000000 +000
Change: 2019-08- 0:39:06.226434256 +000
Birth: -
How could I solve it?
Thank you.

I had the same problem. My issue happened because the file I was working with was in a mounted filesystem. I solved it by copying the file to /tmp, running setcap on the /tmp file, then creating a symlink from /tmp back to the original location.
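
Added example, not part of the answer above and not Elastic's code: a check of which mount a binary lives on and whether that mount would interfere with file capabilities. It reads a mount table in /proc/self/mounts format; the sample table, its paths and the list of filesystem types treated as unable to store the security.capability attribute are assumptions of this example.

```shell
#!/bin/sh
# Constructed sample mount table in /proc/self/mounts format (not from the post).
SAMPLE_MOUNTS='/dev/sda1 / xfs rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
filer:/export /mnt/share nfs4 rw,relatime 0 0
/dev/sdb1 /opt xfs rw,relatime 0 0'

# Print "mountpoint fstype options" for the longest mount point that is a
# prefix of the given absolute path.
mount_for_path() {
    local path="$1" table="$2" best="" best_line="" dev mp fs opts rest
    while read -r dev mp fs opts rest; do
        [ -n "$mp" ] || continue
        case "$path/" in
            "${mp%/}/"*)
                if [ "${#mp}" -gt "${#best}" ]; then
                    best="$mp"; best_line="$mp $fs $opts"
                fi ;;
        esac
    done <<EOF
$table
EOF
    printf '%s\n' "$best_line"
}

# Verdict for using setcap on a file at that path:
#   nosuid   - the kernel ignores file capabilities at exec on this mount
#   no-xattr - filesystem type assumed unable to store security.capability
#   ok       - neither condition found
capfs_verdict() {
    local mp fs opts
    read -r mp fs opts <<EOF
$(mount_for_path "$1" "$2")
EOF
    case ",$opts," in
        *,nosuid,*) echo "nosuid $mp"; return 0 ;;
    esac
    case "$fs" in
        nfs|nfs4|vfat) echo "no-xattr $mp"; return 0 ;;  # illustrative list (assumption)
    esac
    echo "ok $mp"
}
```

On a live system, pass the real table: capfs_verdict "$(readlink -f ./auditbeat)" "$(cat /proc/self/mounts)". The sample shows why a copy under /tmp is worth checking too, since /tmp is often mounted nosuid.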

Related

Why does lsattr return Operation not supported While reading flags on .git/objects error message

I try to check the attributes of some write-protected files in the .git directory using the command lsattr.
$ lsattr .git/objects/4d/8595f02d97d82a3c4464d9fc1bc47b255dd9bf
lsattr: Operation not supported While reading flags on .git/objects/4d/8595f02d97d82a3c4464d9fc1bc47b255dd9bf
$ stat .git/objects/4d/8595f02d97d82a3c4464d9fc1bc47b255dd9bf
File: .git/objects/4d/8595f02d97d82a3c4464d9fc1bc47b255dd9bf
Size: 115 Blocks: 8 IO Block: 4096 regular file
Device: 0,36 Inode: 436 Links: 1
Access: (0444/-r--r--r--) Uid: ( 1000/ test) Gid: ( 1000/ test)
$ file .git/objects/4d/8595f02d97d82a3c4464d9fc1bc47b255dd9bf
.git/objects/4d/8595f02d97d82a3c4464d9fc1bc47b255dd9bf: zlib compressed data
$ git -v
git version 2.39.1
$ uname -r
5.15.91-1-MANJARO
I'd like to figure out why lsattr can't get the attributes of some files and how to make such files.
EDIT. Those files are on the tmpfs filesystem.
This occurs because user extended attributes are not permitted on the tmpfs filesystem. However, by enabling TMPFS_XATTR in the kernel configuration, extended attributes on tmpfs can be enabled.

Renaming messages but it shows "Operation not permitted" on linux system

I'm using Centos 8.0 and my kernel version is:
4.18.0-147.5.1.x86_64
Background:
The messages file on my host has not been rotated for a long time, and when I use "logrotate -v -f" to force rotating messages, it shows "rename messages: Operation not permitted". So I tried renaming messages immediately.
-rw------- 1 root 15464299992 Jul 15 10:12 messages
-rw------- 1 root 11644353 Sep 7 2020 messages-20200907.gz
-rw------- 1 root 8834073 Sep 13 2020 messages-20200913.gz
renaming /var/log/messages to /var/log/messages-20210715
error: failed to rename /var/log/messages to /var/log/messages-20210715: Operation not permitted
Here is my operation and the terminal's output:
[root@node-5 log]# mv messages messages-20210715
mv: cannot move ‘messages’ to ‘messages-20210715’: Operation not permitted
[root@node-5 ~]# whoami
root
I am logged in as root, so why do I still come across such a problem? How can I solve this?
@DavidC.Rankin
Thx for replying. Here is the ls -ald . for messages:
[root@node-5 log]# ls -ald
drwxr-xr-x. 30 root 8192 Jul 15 11:14 .
So I don't think this may be a problem about permissions.
I also used strace to follow the syscall:
stat("messages2", 0x7fff6c37aae0) = -1 ENOENT (No such file or directory)
lstat("messages", {st_mode=S_IFREG|0600, st_size=15464637645, ...}) = 0
lstat("messages2", 0x7fff6c37a790) = -1 ENOENT (No such file or directory)
renameat2(AT_FDCWD, "messages", AT_FDCWD, "messages2", 0) = -1 EPERM (Operation not permitted)
Unfortunately, there are too many branches in the function do_renameat2, so I haven't found the exact exit yet.
The problem got solved:
Showing the file attributes with lsattr, it seems that messages got an attribute 'a', so it can't be renamed.
---------------- ./maillog-20201004
-----a---------- ./messages
And with the command chattr -a messages, messages can be renamed again.
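
Added example, not part of the post above: a filter over lsattr output that reports the entries carrying the append-only (a) or immutable (i) attribute, either of which makes rename and unlink fail with EPERM even for root. The sample listing is constructed around the two lines shown in the post; the function name is this example's own.

```shell
#!/bin/sh
# Constructed lsattr output. The first two lines match the listing in the
# post; the others are made up, including an lsattr error line of the kind
# printed when a filesystem does not support these flags.
SAMPLE_LSATTR='---------------- ./maillog-20201004
-----a---------- ./messages
lsattr: Operation not supported While reading flags on ./socket
----i----------- ./resolv.conf
--------------e- ./secure'

# Read lsattr output on stdin and print "<flag> <path>" for every entry
# whose flag field contains a (append-only) or i (immutable).
rename_blockers() {
    local flags path
    while read -r flags path; do
        [ -n "$path" ] || continue
        # The flag field holds only letters and dashes; anything else
        # (such as the "lsattr:" prefix of an error line) is not an entry.
        case "$flags" in
            *[!A-Za-z-]*) continue ;;
        esac
        case "$flags" in
            *a*) echo "a $path" ;;
        esac
        case "$flags" in
            *i*) echo "i $path" ;;
        esac
    done
    return 0
}
```

On a live system, feed it real output, for example: lsattr /var/log 2>&1 | rename_blockers.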

Why does ls say "file exists"?

In case it matters: I stumbled over this problem when backing up a directory using rsync in a Cygwin environment, and rsync suddenly gave the error message:
rsync: readdir("/cygdrive/d/portable/FirefoxPortable/Data/profile/storage/default/moz-extension+++4c6d0e71-68ce-470e-87aa-8db1a3f6524d^userContextId=4294967295/idb"): File exists (17)
Here, /cygdrive/d/portable/FirefoxPortable is the directory to be saved, and until now, this has worked fine. Suspecting that the real problem is not related to rsync, I did a
ls /cygdrive/d/portable/FirefoxPortable/Data/profile/storage/default/moz-extension+++4c6d0e71-68ce-470e-87aa-8db1a3f6524d^userContextId=4294967295/idb
and indeed got the error message
ls: reading directory '/cygdrive/d/portable/FirefoxPortable/Data/profile/storage/default/moz-extension+++4c6d0e71-68ce-470e-87aa-8db1a3f6524d^userContextId=4294967295/idb': File exists
So, idb is a directory (which is true), because ls says that it is reading this directory, but why do I get a File exists error for a directory?
ls -ld /cygdrive/d/portable/FirefoxPortable/Data/profile/storage/default/moz-extension+++4c6d0e71-68ce-470e-87aa-8db1a3f6524d^userContextId=4294967295/idb
yields
drwxr-xr-x 1 FISRONA Domain Users 0 May 6 2019 '/cygdrive/d/portable/FirefoxPortable/Data/profile/storage/default/moz-extension+++4c6d0e71-68ce-470e-87aa-8db1a3f6524d^userContextId=4294967295/idb'
and
stat /cygdrive/d/portable/FirefoxPortable/Data/profile/storage/default/moz-extension+++4c6d0e71-68ce-470e-87aa-8db1a3f6524d^userContextId=4294967295/idb
displayed:
File: /cygdrive/d/portable/FirefoxPortable/Data/profile/storage/default/moz-extension+++4c6d0e71-68ce-470e-87aa-8db1a3f6524d^userContextId=4294967295/idb
Size: 0 Blocks: 0 IO Block: 65536 directory
Device: 5a61dfech/1516363756d Inode: 12873190524118251466 Links: 1
Access: (0755/drwxr-xr-x) Uid: (3672028/ FISRONA) Gid: (1049089/Domain Users)
Access: 2019-05-06 11:32:50.000000000 +0200
Modify: 2019-05-06 11:32:50.190000000 +0200
Change: 2019-05-06 11:32:50.190000000 +0200
Birth: 2019-05-06 11:32:50.190000000 +0200
What could be messed up here to cause this behaviour?
BTW, I also checked the parent directory (because sometimes, differences in upper/lower case filenames can result in odd effects under Cygwin, due to the underlying Windows operating system):
ls -l /cygdrive/d/portable/FirefoxPortable/Data/profile/storage/default/moz-extension+++4c6d0e71-68ce-470e-87aa-8db1a3f6524d^userContextId=4294967295/
total 0
drwxr-xr-x 1 FISRONA Domain Users 0 May 6 2019 idb

Can't send mail from ubuntu

I can't send mail from Ubuntu and when I cat /var/log/apache2/error.log
I see the following error:
sh: 1: /usr/sbin/sendmail: Permission denied
Note :- SElinux is disabled
$ stat /usr/sbin/sendmail
File: ‘/usr/sbin/sendmail’ -> ‘/etc/alternatives/sendmail’
Size: 26 Blocks: 0 IO Block: 4096 symbolic link
Device: 801h/2049d Inode: 1318147 Links: 1
Access: (0777/lrwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)
You need to be a superuser to use any binaries found at sbin. As sendmail is in /usr/sbin/, you have to be superuser. If you are not, you will get the Permission denied error.

/var/run/dbus/system_bus_socket Permission denied

For some time, trying to run dbus has given me the following error, even if I'm logged in as root:
gentoo herman # /etc/init.d/dbus start
* Starting D-BUS system messagebus ...
Failed to start message bus: Failed to bind socket "/var/run/dbus/system_bus_socket": Permission denied
* start-stop-daemon: failed to start `/usr/bin/dbus-daemon' [ !! ]
* ERROR: dbus failed to start
Listing directory:
gentoo herman # ls /var/run/dbus/ -all
ls: nie ma dostępu do /var/run/dbus/system_bus_socket: Brak dostępu
razem 1
drwxr-xr-x 2 root root 88 08-14 16:42 .
drwxr-xr-x 20 root root 824 08-16 16:45 ..
?????????? ? ? ? ? ? system_bus_socket
I tried to delete this file as root via the rm command, but it displays the same error.
I have installed:
[ebuild R ] sys-apps/dbus-1.4.14 USE="X static-libs -debug -doc (-selinux) -test"
[ebuild R ] dev-libs/dbus-glib-0.94-r1 USE="static-libs -bash-completion -debug -doc -test"
uname -a:
Linux gentoo 2.6.38-gentoo #6 SMP Fri Jul 1 09:41:37 CEST 2011 x86_64 Intel(R) Core(TM)2 Duo CPU T9400 @ 2.53GHz GenuineIntel GNU/Linux
The command "dmesg | grep dbus" displays nothing. Reinstalling dbus did not help either. Thanks for any help.
Looks like you have corruption in your /var filesystem. Try fsck-ing the file-system.
Also, for a quick workaround you can rename the directory and create a new one, because you won't be able to delete the offending file.
Do as root:
# mv /var/run/dbus /var/run/dbus-broken
# mkdir /var/run/dbus
And start the daemon as usual.
But don't forget the fsck! If there is one error in the FS there may be others lurking around.
