Dnsmasq fails to start every time I reboot my VPS - linux

Dnsmasq fails to start every time I reboot my VPS. Below is the relevant log.
Aug 22 18:14:51 debian dnsmasq[776]: dnsmasq: syntax check OK.
Aug 22 18:14:51 debian dnsmasq[798]: chown: invalid user: ‘dnsmasq:nogroup’
Aug 22 18:14:51 debian systemd[1]: dnsmasq.service: Control process exited, code=exited status=2
Aug 22 18:14:51 debian systemd[1]: Failed to start dnsmasq - A lightweight DHCP and caching DNS server.
Aug 22 18:14:51 debian systemd[1]: dnsmasq.service: Unit entered failed state.
Aug 22 18:14:51 debian systemd[1]: dnsmasq.service: Failed with result 'exit-code'.
I had set the user and group name correctly in the /etc/dnsmasq.conf file. I tried reinstalling dnsmasq and then it worked. But after I rebooted the VPS, it failed to start again. Then I have to reinstall again...
So, if I want to use dnsmasq, I have to avoid rebooting my VPS. But I want to know what causes this and how to fix it once and for all. My VPS's system is Debian 9, kernel 4.9.0-7-amd64.

Finally, I've found the trouble and fixed it. As the system reported, chown: invalid user: ‘dnsmasq:nogroup’ is the failing step. I thought the error was caused by dnsmasq failing to automatically add the user or group.
One solution might be to manually add a user named "dnsmasq". I didn't try it, but I think it would work. Another way is to look up the user "dnsmasq" in the relevant files and replace it with an existing user like "nobody".
There are 3 places in the /etc/init.d/dnsmasq file that need replacing (each is marked with a comment below):

    if [ ! "$DNSMASQ_USER" ]; then
        DNSMASQ_USER="dnsmasq"                          # (1) replace "dnsmasq" here
    fi

    # /run may be volatile, so we need to ensure that
    # /run/dnsmasq exists here as well as in postinst
    if [ ! -d /run/dnsmasq ]; then
        mkdir /run/dnsmasq || return 2
        chown dnsmasq:nogroup /run/dnsmasq || return 2  # (2) ... and here
    fi

    # the same block appears a second time further down in the script
    # /run may be volatile, so we need to ensure that
    # /run/dnsmasq exists here as well as in postinst
    if [ ! -d /run/dnsmasq ]; then
        mkdir /run/dnsmasq || return 2
        chown dnsmasq:nogroup /run/dnsmasq || return 2  # (3) ... and here
    fi

Replace the user in the 3 marked places above.
Although I'm still not sure why dnsmasq could not access the account files.
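As an added example (not from the original post or from Debian's init script), the function below performs the same mkdir/chown step as the init script, but resolves the service account first and falls back to an existing account, which is what the answer above does by hand. The account names are the ones from the post; the directory in the usage comment is the one the init script creates.

```shell
#!/bin/sh
# Added example, not from the original post or Debian's init script: resolve
# the "user:group" owner before chown, so a missing "dnsmasq" account fails
# with a clear message or falls back to an existing account (e.g. nobody).

# group_exists NAME -> 0 if the group (by name or numeric gid) is known
group_exists() {
    if command -v getent >/dev/null 2>&1; then
        getent group "$1" >/dev/null 2>&1
    else
        grep -q -E "^$1:|^[^:]*:[^:]*:$1:" /etc/group
    fi
}

# resolve_owner "user:group" ["user:group" ...] -> prints the first spec
# whose user and group both exist; returns 1 if none does
resolve_owner() {
    for spec in "$@"; do
        user=${spec%%:*}
        group=${spec#*:}
        if id "$user" >/dev/null 2>&1 && group_exists "$group"; then
            printf '%s\n' "$spec"
            return 0
        fi
    done
    return 1
}

# prepare_run_dir DIR "user:group" ["user:group" ...] -> creates DIR owned by
# the first usable account; returns 2 on failure, like the init script does
prepare_run_dir() {
    dir=$1
    shift
    owner=$(resolve_owner "$@") || {
        echo "prepare_run_dir: none of the accounts '$*' exist on this system" >&2
        return 2
    }
    mkdir -p "$dir" || return 2
    chown "$owner" "$dir" || return 2
    chmod 0755 "$dir"
}

# Usage as the init script would call it (preferred account first):
#   prepare_run_dir /run/dnsmasq dnsmasq:nogroup nobody:nogroup
```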

Related

Linux Named Pipe Mounted on Docker Volume Showing as Regular File

I am trying to use a named pipe to run certain commands from a dockerised guest application to the host.
I am aware of the risks and this is not public facing, so please no comments about not doing this.
I have a named pipe configured on the host using:
sudo mkfifo -m a+rw /path/to/pipe/file
When I check the created pipe's permissions with ls -la file, it shows the pipe has been created and the intended permissions are set.
prw-rw-rw- 1 root root 0 Feb 2 11:43 file
When I then test the input by catting a command into the pipe from the host, this runs successfully.
Input
echo "echo test" > file
Output
[!] Starting listening on named pipe: file
test
The problem appears to be within my docker container. I have created a volume and mounted the named pipe from the host. When I then start an sh session and ls -l however, the file named pipe appears to be a normal file without the p and permission properties present on the host.
/hostpipe # ls -la
total 12
drwxr-xr-x 2 root root 4096 Feb 1 16:25 .
drwxr-xr-x 1 root root 4096 Feb 2 11:44 ..
-rw-r--r-- 1 root root 11 Feb 2 11:44 file
Running the same (and similar) echo "echo test" > file commands does not work from within the guest.
The host is a Linux desktop on baremetal.
Linux desktop 5.15.0-58-generic #64-Ubuntu SMP Thu Jan 5 11:43:13 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
And the guest is an Alpine image
FROM python:3.8-alpine
and
Linux b16a4357fcf5 5.15.0-58-generic #64-Ubuntu SMP Thu Jan 5 11:43:13 UTC 2023 x86_64 Linux
Any idea what is going wrong here?
The issue was how the container was being set up. I was using a regular volume, which is used for persisting data, not for mounting drives and files. I had to change my definition to use "- type: bind".
Using volumes without the bind parameter does not allow use of the host file system functionality and only allows data sharing.
Before:
    volumes:
      - static_data:/vol/static
      - ./web:/web
      - /opt/named_pipes/:/hostpipe
After:
    volumes:
      - static_data:/vol/static
      - ./web:/web
      - type: bind
        source: /opt/named_pipes/
        target: /hostpipe

Setting up Knockd issues

I asked this question on security overflow last week, however there were no responses, so I am hoping that you can help here. The question is below:
So I'm busy setting up a knockd service on a VM to enable SSH login when the correct sequence of ports is "knocked on", using knockd and ufw.
The issue that I am currently having is that when the correct sequence of ports is selected, ufw is not able to write the new rule to the user.rules file.
I have tried using chmod 777 on all files within /etc/ufw as a test, however the file is still not writable.
The output for /etc/ufw/user.rules is as follows:
Jun 14 13:13:31 Pop knockd[4780]: WARN: /etc/ufw/after6.rules is world writable!
Jun 14 13:13:31 Pop knockd[4780]: WARN: /etc/ufw/after6.rules is group writable!
Jun 14 13:13:31 Pop knockd[4780]: WARN: /etc/ufw/user6.rules is world writable!
Jun 14 13:13:31 Pop knockd[4780]: WARN: /etc/ufw/user6.rules is group writable!
Jun 14 13:13:31 Pop knockd[4780]: WARN: /etc/ufw/applications.d is world writable!
Jun 14 13:13:31 Pop knockd[4780]: WARN: /etc/ufw/applications.d is group writable!
Jun 14 13:13:31 Pop knockd[4780]: WARN: /etc/ufw/user.rules is world writable!
Jun 14 13:13:31 Pop knockd[4780]: WARN: /etc/ufw/user.rules is group writable!
Jun 14 13:13:31 Pop knockd[4780]: ERROR: '/etc/ufw/user.rules' is not writable
Jun 14 13:13:31 Pop knockd[4780]: openSSH: command returned non-zero status code (1)
The knockd file is shown in the code block below:
[options]
logfile = /var/log/knockd.log
[openSSH]
sequence = 7000,8000,9000
seq_timeout = 5
command = ufw allow 22/tcp
tcpflags = syn
[closeSSH]
sequence = 9000,8000,7000
seq_timeout = 5
command = ufw delete allow 22/tcp
tcpflags = syn
The output for /etc/default/knockd is shown below:
# control if we start knockd at init or not
# 1 = start
# anything else = don't start
# PLEASE EDIT /etc/knockd.conf BEFORE ENABLING
START_KNOCKD=1
# command line options
KNOCKD_OPTS="-i enp0s3"
Any advice would be greatly appreciated.
First heed the warning and reset the permissions on all files you changed. Having write permissions for all users on your firewall rules isn't a good idea. That is, do:
chmod -R ga-w /etc/ufw
Then disable (comment out or explicitly set to off) the ProtectSystem directive in the knockd.service file (found in the /lib/systemd/system/ folder).
If this works, set it back to full and put below it
ReadWritePaths=-/etc/ufw/
ProtectSystem=full mounts /usr, /boot and /etc read-only for processes invoked by the unit, excluding the directories specified in ReadWritePaths.
If running, before restarting the service do
systemctl daemon-reload
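As an added example that is not part of this thread, the shell functions below predict whether a path is writable for a service from its unit's ProtectSystem= and ReadWritePaths= lines, following the semantics systemd documents for those directives, so a "not writable" error can be separated from a plain file-mode problem. The unit files it is run against are constructed; an empty ReadWritePaths= line (which resets the list) is not modelled.

```shell
#!/bin/sh
# Added example, not part of the original thread: predict whether a service
# may write a path under its unit's ProtectSystem= / ReadWritePaths= settings.
# Per the systemd documentation: ProtectSystem=yes makes /usr, /boot and /efi
# read-only, "full" adds /etc, "strict" makes everything read-only except
# /dev, /proc and /sys; paths listed in ReadWritePaths= stay writable.
# Not modelled: an empty "ReadWritePaths=" line, which resets the list.

# unit_setting FILE KEY -> last value assigned to KEY= in FILE (empty if unset)
unit_setting() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# under PATH PREFIX -> 0 if PATH equals PREFIX or lies below it
under() {
    p=${2%/}                      # "/etc/ufw/" and "/etc/ufw" are the same tree
    [ "$1" = "$p" ] || [ "${1#"$p"/}" != "$1" ]
}

# path_writable_under_unit FILE PATH -> 0 if PATH is writable for the service
path_writable_under_unit() {
    unit=$1
    target=$2
    # Every ReadWritePaths= line adds entries; a leading "-" only means
    # "ignore if the path is missing" and does not affect the decision.
    for entry in $(sed -n 's/^[[:space:]]*ReadWritePaths=//p' "$unit"); do
        under "$target" "${entry#-}" && return 0
    done
    case $(unit_setting "$unit" ProtectSystem) in
        strict)
            for rw in /dev /proc /sys; do
                under "$target" "$rw" && return 0
            done
            return 1 ;;
        full)           ro="/usr /boot /efi /etc" ;;
        yes|true|on|1)  ro="/usr /boot /efi" ;;
        *)              return 0 ;;   # unset or off: no read-only mounts
    esac
    for prefix in $ro; do
        under "$target" "$prefix" && return 1
    done
    return 0
}

# Usage against the installed unit and the file knockd failed to write:
#   path_writable_under_unit /lib/systemd/system/knockd.service /etc/ufw/user.rules
```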
I have hit the same problem with a knockd /etc/ufw/user.rules not writeable error. The knock packets show up in syslog and the ufw insert 1 ... command is attempted. My current best guess at the cause is the cgroups system.
Using iptables commands instead of ufw commands in /etc/knockd.conf works for me.
I had the same problem but solved it by cleaning out both the ip4 and ip6 tables.
One error message said that 'xtable' was locked by another process.
ufw disable
iptables -F
iptables -X
ip6tables -F
ip6tables -X
ufw enable
try knocking
and then check
service knockd status

Through shell, adding an user with a slash path ("/") as directory : ssh/sftp impossible, even after re-creation of it with a named directory

First, what I'm trying to do is to jail (chroot) the user in a specific directory for sftp access. I found a great tutorial that does the job; you can find it here: http://www.thegeekstuff.com/2012/03/chroot-sftp-setup/. You should read it first (it's very short) to understand the rest.
With the example in the link, I have no problem creating the sftpusers group and the guestuser user and locking it to the /sftp/guestuser/incoming directory. Here is how it's done:
groupadd sftpusers
useradd -g sftpusers -d /incoming -s /sbin/nologin guestuser
passwd guestuser
chown guestuser:sftpusers /sftp/guestuser/incoming
service ssh restart
What I tried to do next was to lock another user from the same group (let's call it "test") in /sftp/test. So I created the user like this:
useradd -g sftpusers -d / -s /sbin/nologin test
You see, instead of /incoming as the directory, I just put "/", then I changed the rights on /sftp/test and restarted ssh. But the connection fails and gives me this error: Write failed: Broken pipe
I thought it was due to the wrong path "/", so I decided to delete the user and re-create it with an /incoming directory:
userdel test
useradd -g sftpusers -d /incoming -s /sbin/nologin test
passwd test
chown test:sftpusers /sftp/test/incoming
service ssh restart
But even after that, the test user seems to be compromised forever, because I get the same error when I try to connect through sftp: Write failed: Broken pipe Couldn't read packet: Connection reset by peer
EDIT:
Here is the log file for sshd :
Jan 24 12:46:20 ns sshd[13786]: error: Could not load host key: /etc/ssh/ssh_host_ecdsa_key
Jan 24 12:46:23 ns sshd[13786]: Accepted password for test from xxx.xxx.xxx.xxx port 37838 ssh2
Jan 24 12:46:23 ns sshd[13786]: pam_unix(sshd:session): session opened for user test by (uid=0)
Jan 24 12:46:24 ns sshd[13949]: fatal: bad ownership or modes for chroot directory "/sftp/test"
Jan 24 12:46:24 ns sshd[13786]: pam_unix(sshd:session): session closed for user test
Jan 24 12:48:17 ns sshd[14103]: error: Could not load host key: /etc/ssh/ssh_host_ecdsa_key
Jan 24 12:48:19 ns sshd[14103]: Invalid user brad from xxx.xxx.xxx.xxx
Jan 24 12:48:19 ns sshd[14103]: input_userauth_request: invalid user brad [preauth]
Jan 24 12:48:19 ns sshd[14103]: pam_unix(sshd:auth): check pass; user unknown
Jan 24 12:48:19 ns sshd[14103]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxx.xxx.xxx.xxx
Jan 24 12:48:22 ns sshd[14103]: Failed password for invalid user brad from xxx.xxx.xxx.xxx port 42756 ssh2
Jan 24 12:48:22 ns sshd[14103]: Received disconnect from xxx.xxx.xxx.xxx: 11: Bye Bye [preauth]
Check the debug log for sshd. You'll likely find it complaining about the home directory for user test not being secure.
The sshd is very strict about access to the user's credentials in $HOME/.ssh and will disconnect when it cannot access the directory, or when it detects permissions that would allow any other account to access it.
sshd[13949]: fatal: bad ownership or modes for chroot directory "/sftp/test"
Make sure that the owner of the directory is the only account that can modify any file in $HOME and below. Pay attention specifically to the group settings.

Issues while connecting psql

I installed postgresql in accordance with the instructions given at: http://xadmin.info/?p=284
# pg_ctl -D /var/lib/pgsql/data -l pglog.log start
server starting
postgres#linux-p0pl:~> psql
psql: could not connect to server: No such file or directory
        Is the server running locally and accepting
        connections on Unix domain socket "/tmp/.s.PGSQL.5432"?
I don't understand why I am getting this error when the server has started... can someone please help.
My pglog.log file shows the following output:
2013-02-06 19:43:39 GMT FATAL: lock file "postmaster.pid" already exists
2013-02-06 19:43:39 GMT HINT: Is another postmaster (PID 23971) running in data directory "/var/lib/pgsql/data"?
2013-02-06 19:44:02 GMT FATAL: lock file "postmaster.pid" already exists
2013-02-06 19:44:02 GMT HINT: Is another postmaster (PID 23971) running in data directory "/var/lib/pgsql/data"?
2013-04-24 12:43:29 GMT FATAL: data directory "/var/lib/pgsql/data" has group or world access
2013-04-24 12:43:29 GMT DETAIL: Permissions should be u=rwx (0700).
2013-04-24 12:44:07 GMT FATAL: data directory "/var/lib/pgsql/data" has group or world access
2013-04-24 12:44:07 GMT DETAIL: Permissions should be u=rwx (0700).
2013-04-24 12:57:02 GMT FATAL: data directory "/var/lib/pgsql/data" has group or world access
2013-04-24 12:57:02 GMT DETAIL: Permissions should be u=rwx (0700).
2013-04-24 12:57:40 GMT FATAL: data directory "/var/lib/pgsql/data" has group or world access
2013-04-24 12:57:40 GMT DETAIL: Permissions should be u=rwx (0700).
ps -ef | grep postgres
root 21659 21591 0 19:14 pts/0 00:00:00 grep --color=auto postgres
The permissions and ownership on /var/lib/pgsql/data should be:
# ll -d /var/lib/pgsql/data
drwx------. 15 postgres postgres 4096 Apr 24 10:27 /var/lib/pgsql/data
If they are not do as root:
# chmod -R 700 /var/lib/pgsql/data
# chown -R postgres /var/lib/pgsql/data
Check in the pglog.log file to ensure that the server did actually start without error. Given the error it seems like it did not start properly.
You probably don't have your server configured to put unix domain sockets in "/tmp". It's probably somewhere like "/var/run/pgsql" but see your postgresql.conf file to see exactly what.
Then you can specify this directory as a "host" on the command-line:
psql -h /path/we/want ...
If that's not the problem, check the port number.
Not sure why/how your psql client and postgresql server have different default paths, but then I've never heard of the site you got the instructions from, so I've no idea how useful they are.

/var/run/dbus/system_bus_socket Permission denied

For some time, trying to run dbus has given me the following error, even when I'm logged in as root:
gentoo herman # /etc/init.d/dbus start
* Starting D-BUS system messagebus ...
Failed to start message bus: Failed to bind socket "/var/run/dbus/system_bus_socket": Permission denied
* start-stop-daemon: failed to start `/usr/bin/dbus-daemon' [ !! ]
* ERROR: dbus failed to start
Listing directory:
gentoo herman # ls /var/run/dbus/ -all
ls: nie ma dostępu do /var/run/dbus/system_bus_socket: Brak dostępu
razem 1
drwxr-xr-x 2 root root 88 08-14 16:42 .
drwxr-xr-x 20 root root 824 08-16 16:45 ..
?????????? ? ? ? ? ? system_bus_socket
I tried to delete this file as root via the rm command, but it displays the same error.
I have installed :
[ebuild R ] sys-apps/dbus-1.4.14 USE="X static-libs -debug -doc (-selinux) -test"
[ebuild R ] dev-libs/dbus-glib-0.94-r1 USE="static-libs -bash-completion -debug -doc -test"
uname -a:
Linux gentoo 2.6.38-gentoo #6 SMP Fri Jul 1 09:41:37 CEST 2011 x86_64 Intel(R) Core(TM)2 Duo CPU T9400 # 2.53GHz GenuineIntel GNU/Linux
The command "dmesg | grep dbus" displays nothing. Reinstalling dbus didn't help either. Thanks for any help.
Looks like you have corruption in your /var filesystem. Try fsck-ing the file-system.
Also, for a quick workaround you can rename the directory and create a new one, because you won't be able to delete the offending file.
Do as root:
# mv /var/run/dbus /var/run/dbus-broken
# mkdir /var/run/dbus
And start the daemon as usual.
But don't forget the fsck! If there is one error in the FS there may be others lurking around.
