Difference between revisions of "Debugging hints"
(34 intermediate revisions by 2 users not shown) | |||
Line 1: | Line 1: | ||
− | Here are some useful things to check and mention when contacting us for help | + | Here are some useful things to check and mention when contacting us for help which should help you shoot (some) trouble. |
== Check the version of the gLExec version: == | == Check the version of the gLExec version: == | ||
+ | gLite: | ||
+ | /opt/glite/sbin/glexec -v | ||
+ | Other: | ||
+ | /usr/sbin/glexec -v | ||
+ | |||
+ | == The special "glexec" account == | ||
+ | |||
+ | A '''glexec''' Unix account must be present on the system. Both the username and the groupname are treated ''special'' by gLExec. | ||
+ | |||
+ | Check if the account exists and that it has (only) a '''glexec''' group associated to the username: | ||
+ | id glexec | ||
+ | Expected answer (note: numbers are site/node specific): | ||
+ | uid=55811(glexec) gid=2503(glexec) groups=2503(glexec) | ||
+ | Or (without the secondary GID): | ||
+ | uid=55811(glexec) gid=2503(glexec) | ||
+ | Important: Note that the account name '''glexec''' resolves for both the username and the (primary) groupname of the '''glexec''' account. | ||
+ | |||
+ | == Check the file permissions of the gLExec executable. == | ||
+ | |||
+ | For all run-modes of gLExec, the gLExec must be ''executable'' for all users. | ||
+ | |||
+ | === Versions up to 0.6.8-3 === | ||
+ | |||
+ | *For running gLExec in '''setuid''' mode, ''preferably'' use the following mode ('''setuid''' and '''setgid'''): | ||
+ | -r-sr-sr-x 1 root root 12345 2010-02-29 12:34 glexec | ||
+ | -rw-r----- 1 root glexec 123 2010-02-29 12:34 glexec.conf | ||
+ | |||
+ | *In case ''setgid'' is not possible, ''preferably'' use the following mode (only '''setuid'''): | ||
+ | -r-sr-xr-x 1 root root 12345 2010-02-29 12:34 glexec | ||
+ | -rw-r--r-- 1 root glexec 123 2010-02-29 12:34 glexec.conf | ||
+ | |||
+ | *For running gLExec in '''logging only''' mode, ''preferably'' use the following mode: | ||
+ | -r-xr-xr-x 1 root root 12345 2010-02-29 12:34 glexec | ||
+ | -rw-r--r-- 1 root glexec 123 2010-02-29 12:34 glexec.conf | ||
+ | |||
+ | Note that these settings are also possible on a NFS mount. | ||
+ | |||
+ | === Version 0.7.0-2 and higher === | ||
+ | |||
+ | *For running gLExec in '''setuid''' mode, ''preferably'' use the following mode (only '''setuid'''): | ||
+ | -rws--x--x 1 root root 12345 2010-02-29 12:34 glexec | ||
+ | -r-------- 1 glexec root 123 2010-02-29 12:34 glexec.conf | ||
+ | |||
+ | *For running gLExec in '''logging only''' mode, ''preferably'' use the following mode: | ||
+ | -rwx--x--x 1 root root 12345 2010-02-29 12:34 glexec | ||
+ | -r--r--r-- 1 glexec root 123 2010-02-29 12:34 glexec.conf | ||
+ | |||
+ | Note that these settings are also possible on a NFS mount. | ||
+ | |||
+ | Also note that YAIM will still install gLExec with either the ''setuid-and-setgid'' or ''logging-only-mode'' settings of [[#Versions up to 0.6.8-3|the previous versions]] which are still valid, and are also possible on an NFS mount. | ||
− | The | + | The non-YAIM ''only-setuid'' set of permissions of [[#Versions up to 0.6.8-3|the previous versions]] no longer works: when the setuid-root bit is on, the glexec.conf file should be at most readable by the group glexec, i.e. not readable by others and either not group-readable or have group glexec. |
− | + | == Before continuing with testing: The gLExec Exit Codes and the Environment variables == | |
+ | |||
+ | The following pages might hold interesting to glance through before proceeding with your debugging: | ||
+ | * [[Proxy file handling in gLExec]]: All the details about the environment variables used by gLExec. | ||
+ | * [[Exit codes of gLExec]]: All the details about the exit codes of gLExec. | ||
− | + | Test the exit codes by printing them on the shell by showing the value of $? Example: | |
− | + | /opt/glite/sbin/glexec /usr/bin/id -a; echo $? | |
− | |||
− | + | == Execute with exported GLEXEC_CLIENT_CERT and exported X509_USER_PROXY, with the full path == | |
− | |||
− | + | See [[Proxy file handling in gLExec]] for the purpose of these environment variables. | |
− | |||
− | |||
export GLEXEC_CLIENT_CERT=`pwd`/mkproxy-x509-voms | export GLEXEC_CLIENT_CERT=`pwd`/mkproxy-x509-voms | ||
export X509_USER_PROXY=`pwd`/mkproxy-x509-voms | export X509_USER_PROXY=`pwd`/mkproxy-x509-voms | ||
− | + | == Is the user account that tries to use gLExec whitelisted? == | |
− | == | ||
Method 1.: the calling account is a member of the 'glexec' primary or secondary group. | Method 1.: the calling account is a member of the 'glexec' primary or secondary group. | ||
− | Method 2.: the account or the pool is whitelisted in the glexec.conf. See the | + | Method 2.: the account or the pool is whitelisted in the glexec.conf. See the [[Man pages of gLExec]] for more details on the whitelist options. |
+ | |||
+ | '''''Note''''': when gLExec fails with a 'user not whitelisted' error, this might be caused by an unreadable '''glexec.conf''' file: in case the '''glexec.conf''' file is unreadable, gLExec uses its buildin defaults, including whitelisting ''only'' unix accounts which are member of the glexec group. [[#Check the file permissions of the gLExec executable.|Check the file permissions of the gLExec executable.]] | ||
+ | |||
+ | == Squashing root? == | ||
+ | |||
+ | gLExec is capable of being installed on a root-squashed NFS file system. We even support the '''glexec.conf''' to be installed on a root-squashed file system. | ||
+ | |||
+ | === NFS === | ||
+ | |||
+ | The NFS root-squash will squash all the effective root privileges of a process on the kernel level. gLExec has a safe way around this security measure, it lowers itself to the '''glexec''' account on the system to read the glexec.conf file. Besides keeping root-squash there, it adds the security measure that gLExec isn't reading anything with elevated privileges. | ||
+ | |||
+ | Ensure that you install gLExec with the advertised privileges from our Wiki (the latest YAIM configurations should support this too) to make use of this method. | ||
+ | |||
+ | === nosuid === | ||
+ | |||
+ | Running gLExec in the normal (or full) mode requires it to be installed with functional setuid bits on the binary. Therefor the file system of where the gLExec binary is installed can not be mounted with the option '''nosuid'''. | ||
+ | |||
+ | The gLExec binary is a root-owned setuid-bit enabled binary, like sudo and su. In the normal run mode gLExec requires the setuid functionality to be functional. The gLExec binary must there for be installed on a file system that does not make use of the optional '''nosuid''' setting. | ||
+ | |||
+ | The error message that you might encounter is: | ||
+ | [gLExec]: The user, uid=X, is not whitelisted. The calling user account is not privileged to execute and use gLExec. | ||
+ | |||
+ | The cause for the error message is because gLExec has a build-in feature to trust all users with the '''glexec''' secondary GID, this is why it tries to do its work and fails with this message and a 203 exit code. Looking at the file settings for both the {/opt/glite}/sbin/glexec and {/opt/glite}/etc/glexec.conf could come to the conclusion that everything is ok. If so, then you should check the file system and it's mount options. Non-POSIX file systems might not have a setuid capability or the file system of the {/opt/glite}/sbin/glexec binary might have the setting '''nosuid'''. Test this with the '''mount''' tool: | ||
+ | |||
+ | [root@asen ~]# mount | grep /opt | ||
+ | /dev/sdb1 on /opt type ext3 (rw,nosuid,nodev) | ||
== Example test script for gLExec == | == Example test script for gLExec == | ||
Line 55: | Line 130: | ||
/opt/glite/sbin/glexec /usr/bin/id -a ; echo $? | /opt/glite/sbin/glexec /usr/bin/id -a ; echo $? | ||
+ | |||
+ | |||
+ | Testing multi-user Pilot Job scenarios: | ||
+ | |||
+ | #!/bin/sh | ||
+ | |||
+ | VOMSINFO=`which voms-proxy-info` | ||
+ | |||
+ | PILOT_PROXY=/tmp/x509up_`id -u` | ||
+ | TARGET_USER_PROXY=`pwd`/other.proxy | ||
+ | |||
+ | export X509_USER_PROXY=$PILOT_PROXY | ||
+ | export GLEXEC_CLIENT_CERT=$TARGET_USER_PROXY | ||
+ | export GLEXEC_SOURCE_PROXY=$TARGET_USER_PROXY | ||
+ | |||
+ | $VOMSINFO -all | ||
+ | /opt/glite/sbin/glexec $VOMSINFO -all |
Latest revision as of 11:59, 27 August 2012
Here are some useful things to check and mention when contacting us for help which should help you shoot (some) trouble.
Check the version of the gLExec version:
gLite:
/opt/glite/sbin/glexec -v
Other:
/usr/sbin/glexec -v
The special "glexec" account
A glexec Unix account must be present on the system. Both the username and the groupname are treated special by gLExec.
Check if the account exists and that it has (only) a glexec group associated to the username:
id glexec
Expected answer (note: numbers are site/node specific):
uid=55811(glexec) gid=2503(glexec) groups=2503(glexec)
Or (without the secondary GID):
uid=55811(glexec) gid=2503(glexec)
Important: Note that the account name glexec resolves for both the username and the (primary) groupname of the glexec account.
Check the file permissions of the gLExec executable.
For all run-modes of gLExec, the gLExec must be executable for all users.
Versions up to 0.6.8-3
- For running gLExec in setuid mode, preferably use the following mode (setuid and setgid):
-r-sr-sr-x 1 root root 12345 2010-02-29 12:34 glexec -rw-r----- 1 root glexec 123 2010-02-29 12:34 glexec.conf
- In case setgid is not possible, preferably use the following mode (only setuid):
-r-sr-xr-x 1 root root 12345 2010-02-29 12:34 glexec -rw-r--r-- 1 root glexec 123 2010-02-29 12:34 glexec.conf
- For running gLExec in logging only mode, preferably use the following mode:
-r-xr-xr-x 1 root root 12345 2010-02-29 12:34 glexec -rw-r--r-- 1 root glexec 123 2010-02-29 12:34 glexec.conf
Note that these settings are also possible on a NFS mount.
Version 0.7.0-2 and higher
- For running gLExec in setuid mode, preferably use the following mode (only setuid):
-rws--x--x 1 root root 12345 2010-02-29 12:34 glexec -r-------- 1 glexec root 123 2010-02-29 12:34 glexec.conf
- For running gLExec in logging only mode, preferably use the following mode:
-rwx--x--x 1 root root 12345 2010-02-29 12:34 glexec -r--r--r-- 1 glexec root 123 2010-02-29 12:34 glexec.conf
Note that these settings are also possible on a NFS mount.
Also note that YAIM will still install gLExec with either the setuid-and-setgid or logging-only-mode settings of the previous versions which are still valid, and are also possible on an NFS mount.
The non-YAIM only-setuid set of permissions of the previous versions no longer works: when the setuid-root bit is on, the glexec.conf file should be at most readable by the group glexec, i.e. not readable by others and either not group-readable or have group glexec.
Before continuing with testing: The gLExec Exit Codes and the Environment variables
The following pages might hold interesting to glance through before proceeding with your debugging:
- Proxy file handling in gLExec: All the details about the environment variables used by gLExec.
- Exit codes of gLExec: All the details about the exit codes of gLExec.
Test the exit codes by printing them on the shell by showing the value of $? Example:
/opt/glite/sbin/glexec /usr/bin/id -a; echo $?
Execute with exported GLEXEC_CLIENT_CERT and exported X509_USER_PROXY, with the full path
See Proxy file handling in gLExec for the purpose of these environment variables.
export GLEXEC_CLIENT_CERT=`pwd`/mkproxy-x509-voms export X509_USER_PROXY=`pwd`/mkproxy-x509-voms
Is the user account that tries to use gLExec whitelisted?
Method 1.: the calling account is a member of the 'glexec' primary or secondary group.
Method 2.: the account or the pool is whitelisted in the glexec.conf. See the Man pages of gLExec for more details on the whitelist options.
Note: when gLExec fails with a 'user not whitelisted' error, this might be caused by an unreadable glexec.conf file: in case the glexec.conf file is unreadable, gLExec uses its buildin defaults, including whitelisting only unix accounts which are member of the glexec group. Check the file permissions of the gLExec executable.
Squashing root?
gLExec is capable of being installed on a root-squashed NFS file system. We even support the glexec.conf to be installed on a root-squashed file system.
NFS
The NFS root-squash will squash all the effective root privileges of a process on the kernel level. gLExec has a safe way around this security measure, it lowers itself to the glexec account on the system to read the glexec.conf file. Besides keeping root-squash there, it adds the security measure that gLExec isn't reading anything with elevated privileges.
Ensure that you install gLExec with the advertised privileges from our Wiki (the latest YAIM configurations should support this too) to make use of this method.
nosuid
Running gLExec in the normal (or full) mode requires it to be installed with functional setuid bits on the binary. Therefor the file system of where the gLExec binary is installed can not be mounted with the option nosuid.
The gLExec binary is a root-owned setuid-bit enabled binary, like sudo and su. In the normal run mode gLExec requires the setuid functionality to be functional. The gLExec binary must there for be installed on a file system that does not make use of the optional nosuid setting.
The error message that you might encounter is:
[gLExec]: The user, uid=X, is not whitelisted. The calling user account is not privileged to execute and use gLExec.
The cause for the error message is because gLExec has a build-in feature to trust all users with the glexec secondary GID, this is why it tries to do its work and fails with this message and a 203 exit code. Looking at the file settings for both the {/opt/glite}/sbin/glexec and {/opt/glite}/etc/glexec.conf could come to the conclusion that everything is ok. If so, then you should check the file system and it's mount options. Non-POSIX file systems might not have a setuid capability or the file system of the {/opt/glite}/sbin/glexec binary might have the setting nosuid. Test this with the mount tool:
[root@asen ~]# mount | grep /opt /dev/sdb1 on /opt type ext3 (rw,nosuid,nodev)
Example test script for gLExec
Testing basic functionality:
#!/bin/sh TESTPROXY=/tmp/x509up_`id -u` export GLEXEC_CLIENT_CERT=$TESTPROXY export X509_USER_PROXY=$TESTPROXY /opt/glite/sbin/glexec /usr/bin/id -a ; echo $?
Testing with the transfer of a specific proxy file:
#!/bin/sh TESTPROXY=/tmp/x509up_`id -u` export GLEXEC_CLIENT_CERT=$TESTPROXY export X509_USER_PROXY=$TESTPROXY export GLEXEC_SOURCE_PROXY=$TESTPROXY /opt/glite/sbin/glexec /usr/bin/id -a ; echo $?
Testing multi-user Pilot Job scenarios:
#!/bin/sh VOMSINFO=`which voms-proxy-info` PILOT_PROXY=/tmp/x509up_`id -u` TARGET_USER_PROXY=`pwd`/other.proxy export X509_USER_PROXY=$PILOT_PROXY export GLEXEC_CLIENT_CERT=$TARGET_USER_PROXY export GLEXEC_SOURCE_PROXY=$TARGET_USER_PROXY $VOMSINFO -all /opt/glite/sbin/glexec $VOMSINFO -all