Difference between revisions of "Debugging hints"
Line 65: | Line 65: | ||
'''''Note''''': when gLExec fails with a 'user not whitelisted' error, this might be caused by an unreadable '''glexec.conf''' file: in case the '''glexec.conf''' file is unreadable, gLExec uses its buildin defaults, including whitelisting ''only'' unix accounts which are member of the glexec group. [[#Check the file permissions of the gLExec executable.|Check the file permissions of the gLExec executable.]] | '''''Note''''': when gLExec fails with a 'user not whitelisted' error, this might be caused by an unreadable '''glexec.conf''' file: in case the '''glexec.conf''' file is unreadable, gLExec uses its buildin defaults, including whitelisting ''only'' unix accounts which are member of the glexec group. [[#Check the file permissions of the gLExec executable.|Check the file permissions of the gLExec executable.]] | ||
− | |||
== Squashing root? == | == Squashing root? == |
Revision as of 14:01, 11 November 2010
Here are some useful things to check and mention when contacting us for help:
Check the version of the gLExec version:
/opt/glite/sbin/glexec -v
Check the file permissions of the gLExec executable.
For all run-modes of gLExec, the gLExec must be executable for all users.
Versions up to 0.6.8-3
- For running gLExec in setuid mode, preferably use the following mode (setuid and setgid):
-r-sr-sr-x 1 root root 12345 2010-02-29 12:34 glexec -rw-r----- 1 root glexec 123 2010-02-29 12:34 glexec.conf
- In case setgid is not possible, preferably use the following mode (only setuid):
-r-sr-xr-x 1 root root 12345 2010-02-29 12:34 glexec -rw-r--r-- 1 root glexec 123 2010-02-29 12:34 glexec.conf
- For running gLExec in logging only mode, preferably use the following mode:
-r-xr-xr-x 1 root root 12345 2010-02-29 12:34 glexec -rw-r--r-- 1 root glexec 123 2010-02-29 12:34 glexec.conf
Note that these settings are also possible on a NFS mount.
Version 0.7.0-2
- For running gLExec in setuid mode, preferably use the following mode (only setuid):
-rws--x--x 1 root root 12345 2010-02-29 12:34 glexec -r-------- 1 glexec root 123 2010-02-29 12:34 glexec.conf
- For running gLExec in logging only mode, preferably use the following mode:
-rwx--x--x 1 root root 12345 2010-02-29 12:34 glexec -r--r--r-- 1 glexec root 123 2010-02-29 12:34 glexec.conf
Note that these settings are also possible on a NFS mount.
Also note that YAIM will still install gLExec with either the setuid-and-setgid or logging-only-mode settings of the previous versions which are still valid, and are also possible on an NFS mount.
The non-YAIM only-setuid set of permissions of the previous versions no longer works: when the setuid-root bit is on, the glexec.conf file should be at most readable by the group glexec, i.e. not readable by others and either not group-readable or have group glexec.
Before continuing with testing: The gLExec Exit Codes and the Environment variables
The following pages might hold interesting to glance through before proceeding with your debugging:
- Proxy file handling in gLExec: All the details about the environment variables used by gLExec.
- Exit codes of gLExec: All the details about the exit codes of gLExec.
Test the exit codes by printing them on the shell by showing the value of $? Example:
/opt/glite/sbin/glexec /usr/bin/id -a; echo $?
Execute with exported GLEXEC_CLIENT_CERT and exported X509_USER_PROXY, with the full path
See Proxy file handling in gLExec for the purpose of these environment variables.
export GLEXEC_CLIENT_CERT=`pwd`/mkproxy-x509-voms export X509_USER_PROXY=`pwd`/mkproxy-x509-voms
Is the user account that tries to use gLExec whitelisted?
Method 1.: the calling account is a member of the 'glexec' primary or secondary group.
Method 2.: the account or the pool is whitelisted in the glexec.conf. See the Man pages of gLExec for more details on the whitelist options.
Note: when gLExec fails with a 'user not whitelisted' error, this might be caused by an unreadable glexec.conf file: in case the glexec.conf file is unreadable, gLExec uses its buildin defaults, including whitelisting only unix accounts which are member of the glexec group. Check the file permissions of the gLExec executable.
Squashing root?
tbd
Example test script for gLExec
Testing basic functionality:
#!/bin/sh TESTPROXY=/tmp/x509up_`id -u` export GLEXEC_CLIENT_CERT=$TESTPROXY export X509_USER_PROXY=$TESTPROXY /opt/glite/sbin/glexec /usr/bin/id -a ; echo $?
Testing with the transfer of a specific proxy file:
#!/bin/sh TESTPROXY=/tmp/x509up_`id -u` export GLEXEC_CLIENT_CERT=$TESTPROXY export X509_USER_PROXY=$TESTPROXY export GLEXEC_SOURCE_PROXY=$TESTPROXY /opt/glite/sbin/glexec /usr/bin/id -a ; echo $?
Testing multi-user Pilot Job scenarios:
#!/bin/sh VOMSINFO=`which voms-proxy-info` PILOT_PROXY=/tmp/x509up_`id -u` TARGET_USER_PROXY=`pwd`/other.proxy export X509_USER_PROXY=$PILOT_PROXY export GLEXEC_CLIENT_CERT=$TARGET_USER_PROXY export GLEXEC_SOURCE_PROXY=$TARGET_USER_PROXY $VOMSINFO -all /opt/glite/sbin/glexec $VOMSINFO -all