Difference between revisions of "Debugging hints"

From PDP/Grid Wiki
Line 9: Line 9:
 
For all run-modes of gLExec, the gLExec must be ''executable'' for all users.
 
For all run-modes of gLExec, the gLExec must be ''executable'' for all users.
  
*For running gLExec in '''setuid''' mode, ''preferably'' use one of the following modes ('''setuid''' and '''setgid'''):
+
=== Versions up to 0.6.8-3 ===
glexec: mode: 6111, 6511, 6711; owned by root:glexec
 
glexec.conf: mode: 0440; owned by root:glexec
 
  
*In case ''setgid'' is not possible, ''preferably'' use one of the following modes (only '''setuid'''):
+
*For running gLExec in '''setuid''' mode, ''preferably'' use the following mode ('''setuid''' and '''setgid'''):
glexec: mode: 4111, 4511, 4711; owned by root:glexec or root:root
+
  -r-sr-sr-x 1 root  root   12345 2010-02-29 12:34 glexec
glexec.conf: mode: 0444; owned by root:glexec or root:root
+
  -rw-r----- 1 root   glexec  123 2010-02-29 12:34 glexec.conf
  
*For running gLExec in '''logging only''' mode, ''preferably'' use one of the following modes:
+
*In case ''setgid'' is not possible, ''preferably'' use the following mode (only '''setuid'''):
glexec: mode: 0111, 0511, 0711; owned by root:glexec or root:root
+
  -r-sr-xr-x 1 root  root  12345 2010-02-29 12:34 glexec
glexec.conf: mode: 0444; owned by root:glexec or root:root
+
  -rw-r--r-- 1 root  glexec  123 2010-02-29 12:34 glexec.conf
 +
 
 +
*For running gLExec in '''logging only''' mode, ''preferably'' use the following mode:
 +
  -r-xr-xr-x 1 root  root  12345 2010-02-29 12:34 glexec
 +
  -rw-r--r-- 1 root  glexec   123 2010-02-29 12:34 glexec.conf
 +
 
 +
Note that these settings are also possible on a NFS mount.
 +
 
 +
=== Version 0.7.0-2 ===
 +
 
 +
*For running gLExec in '''setuid''' mode, ''preferably'' use the following mode (only '''setuid'''):
 +
  -rws--x--x 1 root  root   12345 2010-02-29 12:34 glexec
 +
  -r-------- 1 glexec root     123 2010-02-29 12:34 glexec.conf  
 +
 
 +
*For running gLExec in '''logging only''' mode, ''preferably'' use the following mode:
 +
  -rwx--x--x 1 root  root   12345 2010-02-29 12:34 glexec
 +
  -r--r--r-- 1 glexec root     123 2010-02-29 12:34 glexec.conf
 +
 
 +
Note that these settings are also possible on a NFS mount.
 +
 
 +
Also note that YAIM will still install gLExec with either the ''setuid-and-setgid'' or ''logging-only-mode'' settings of [[#Versions up to 0.6.8-3|the previous versions]] which are still valid, and are also possible on an NFS mount.
 +
 
 +
The non-YAIM ''only-setuid'' set of permissions of [[#Versions up to 0.6.8-3|the previous versions]] no longer works.
  
 
== Before continuing with testing: The gLExec Exit Codes and the Environment variables ==
 
== Before continuing with testing: The gLExec Exit Codes and the Environment variables ==
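
Review bot: in the new "Versions up to 0.6.8-3" setuid-and-setgid listing, glexec is shown as "root root", while the line it replaces required root:glexec for that mode. With the setgid bit set the group is significant, and glexec.conf in the same listing is -rw-r----- root:glexec, so either show group glexec on the binary or state why root is intended. The listings also replace the earlier sets of accepted modes (6111, 6511, 6711 and 0440 for the setuid-and-setgid case) with a single different mode (-r-sr-sr-x, -rw-r-----) without saying whether the old values remain acceptable; one sentence on that would avoid confusion for existing installs. The sample date 2010-02-29 is not a real date and could be replaced with a valid one.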

Revision as of 15:10, 14 April 2010

Here are some useful things to check and mention when contacting us for help:

Check the gLExec version:

/opt/glite/sbin/glexec -v

Check the file permissions of the gLExec executable.

For all run-modes of gLExec, the gLExec binary must be executable by all users.

Versions up to 0.6.8-3

  • For running gLExec in setuid mode, preferably use the following mode (setuid and setgid):
  -r-sr-sr-x 1 root   root   12345 2010-02-29 12:34 glexec
  -rw-r----- 1 root   glexec   123 2010-02-29 12:34 glexec.conf
  • In case setgid is not possible, preferably use the following mode (only setuid):
  -r-sr-xr-x 1 root   root   12345 2010-02-29 12:34 glexec
  -rw-r--r-- 1 root   glexec   123 2010-02-29 12:34 glexec.conf
  • For running gLExec in logging only mode, preferably use the following mode:
  -r-xr-xr-x 1 root   root   12345 2010-02-29 12:34 glexec
  -rw-r--r-- 1 root   glexec   123 2010-02-29 12:34 glexec.conf

Note that these settings are also possible on an NFS mount.

Version 0.7.0-2

  • For running gLExec in setuid mode, preferably use the following mode (only setuid):
  -rws--x--x 1 root   root   12345 2010-02-29 12:34 glexec 
  -r-------- 1 glexec root     123 2010-02-29 12:34 glexec.conf 
  • For running gLExec in logging only mode, preferably use the following mode:
  -rwx--x--x 1 root   root   12345 2010-02-29 12:34 glexec 
  -r--r--r-- 1 glexec root     123 2010-02-29 12:34 glexec.conf

Note that these settings are also possible on an NFS mount.

Also note that YAIM will still install gLExec with either the setuid-and-setgid or logging-only-mode settings of the previous versions, which are still valid and are also possible on an NFS mount.

The non-YAIM only-setuid set of permissions of the previous versions no longer works.
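
The permission layouts listed above can be checked mechanically. The following is an added example, not part of the original wiki page or the gLExec distribution: the helper names classify_layout and check_install are hypothetical, GNU stat is assumed, and the glexec.conf path in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example: match installed gLExec permissions against the layouts
# documented on this page. Helper names are hypothetical.

# classify_layout BIN_MODE BIN_OWNER CONF_MODE CONF_OWNER
# Modes are octal as printed by `stat -c %a`; owners are user:group.
classify_layout() {
    case "$1 $2 $3 $4" in
        "6555 root:root 640 root:glexec")
            echo "setuid+setgid (up to 0.6.8-3; still valid for 0.7.0-2)" ;;
        "4555 root:root 644 root:glexec")
            echo "setuid only (up to 0.6.8-3; no longer works with 0.7.0-2)" ;;
        "555 root:root 644 root:glexec")
            echo "logging only (up to 0.6.8-3; still valid for 0.7.0-2)" ;;
        "4711 root:root 400 glexec:root")
            echo "setuid (0.7.0-2)" ;;
        "711 root:root 444 glexec:root")
            echo "logging only (0.7.0-2)" ;;
        *)
            # Anything else is not one of the documented combinations.
            echo "unknown"; return 1 ;;
    esac
}

# check_install BIN CONF: read the real files with GNU stat and classify them.
check_install() {
    bin=$1 conf=$2
    [ -e "$bin" ] && [ -e "$conf" ] || { echo "missing file"; return 2; }
    classify_layout "$(stat -c '%a' "$bin")" "$(stat -c '%U:%G' "$bin")" \
                    "$(stat -c '%a' "$conf")" "$(stat -c '%U:%G' "$conf")"
}

# Usage (the glexec.conf path is a placeholder; adjust to the local install):
#   check_install /opt/glite/sbin/glexec /path/to/glexec.conf
```

A result of "unknown" does not by itself mean the install is broken, since the page lists these modes as preferred rather than exclusive; it flags a combination worth mentioning when asking for help.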

Before continuing with testing: The gLExec Exit Codes and the Environment variables

The following pages might be interesting to glance through before proceeding with your debugging:

Test the exit codes by printing the value of $? in the shell. Example:

/opt/glite/sbin/glexec /usr/bin/id -a; echo $?

Execute with exported GLEXEC_CLIENT_CERT and exported X509_USER_PROXY, with the full path

See Proxy file handling in gLExec for the purpose of these environment variables.

export GLEXEC_CLIENT_CERT=`pwd`/mkproxy-x509-voms
export X509_USER_PROXY=`pwd`/mkproxy-x509-voms

Is the user account that tries to use gLExec whitelisted?

Method 1.: the calling account is a member of the 'glexec' primary or secondary group.

Method 2.: the account or the pool is whitelisted in the glexec.conf. See the Man pages of gLExec for more details on the whitelist options.

Note: when gLExec fails with a 'user not whitelisted' error, this might be caused by an unreadable glexec.conf file. If the glexec.conf file is unreadable, gLExec uses its built-in defaults, which include whitelisting only Unix accounts that are members of the glexec group. Check the file permissions of the gLExec executable.

Example test script for gLExec

Testing basic functionality:

#!/bin/sh

TESTPROXY=/tmp/x509up_`id -u`

export GLEXEC_CLIENT_CERT=$TESTPROXY
export X509_USER_PROXY=$TESTPROXY

/opt/glite/sbin/glexec /usr/bin/id -a ; echo $?


Testing with the transfer of a specific proxy file:

#!/bin/sh

TESTPROXY=/tmp/x509up_`id -u`

export GLEXEC_CLIENT_CERT=$TESTPROXY
export X509_USER_PROXY=$TESTPROXY
export GLEXEC_SOURCE_PROXY=$TESTPROXY

/opt/glite/sbin/glexec /usr/bin/id -a ; echo $?


Testing multi-user Pilot Job scenarios:

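#!/bin/sh

VOMSINFO=`which voms-proxy-info`

# Proxy of the pilot job (the calling account) and proxy of the target user
PILOT_PROXY=/tmp/x509up_`id -u`
TARGET_USER_PROXY=`pwd`/other.proxy

export X509_USER_PROXY=$PILOT_PROXY
export GLEXEC_CLIENT_CERT=$TARGET_USER_PROXY
export GLEXEC_SOURCE_PROXY=$TARGET_USER_PROXY

# Show the proxy details as the pilot, then run the same command through gLExec
$VOMSINFO -all
/opt/glite/sbin/glexec $VOMSINFO -all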