
[IDD #VJN-743814]: GEMPAK



Hi Massoud,

re: Please send me the results of: ls -alt `which hupsyslog`

> [ldm@wimden ~]$ ls -alt `which hupsyslog`
> -rwxr-xr-x  1 ldm weather 5603 Jun 27 12:27 /home/ldm/bin/hupsyslog

This is very interesting.  This output shows that your hupsyslog
has _NOT_ been set to have setuid root privilege.  A listing you
sent previously, however, did show that hupsyslog had been set:

> -rwsr-xr-x 1 root users 201768 Jun 27 12:27 rpc.ldmd
> -rwsr-xr-x 1 root users 5603 Jun 27 12:27 hupsyslog

Questions:

- did you rebuild the LDM after June 27?

- if you did not rebuild the LDM after June 27, how do you account
  for the fact that the file permissions on hupsyslog have changed?

What you need to do now is:

<as 'ldm'>
ldmadmin stop

<as 'root'>
cd /home/ldm/ldm-6.6.5/src
make install_setuids

<as 'ldm'>
ldmadmin start
ldmadmin tail

After properly setting the permissions on hupsyslog, your LDM
should start normally, and there should be proper log messages
in the LDM log file, ~ldm/logs/ldmd.log.

Please keep an eye on the file permissions for ~ldm/bin/hupsyslog
and ~ldm/bin/rpc.ldmd.  If there is some process that is removing
the setuid root permissions on these executables, you will have to
work with your system administrator to find the process and stop it.

> > And also send the output of: env
> [ldm@wimden ~]$ env
> HOSTNAME=wimden.vams.nasa.gov
> SHELL=/bin/bash
> TERM=xterm
> HISTSIZE=1000
> QTDIR=/usr/lib/qt-3.3
> USER=ldm
> ...
> VDIR=ldm-6.6.5
> KDEDIR=/usr
> MAIL=/var/spool/mail/ldm
> PATH=/home/ldm/mclite/bin:/usr/kerberos/bin:/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin:/home/ldm/bin:/home/ldm/bin
> ...

I asked for the output of 'env' mainly to see the setting of your PATH.  It
looks OK.

re: delete and remake the LDM queue when it is damaged by a forced reboot

> My LDM is up and running.

Very good.

re: crontab actions for the user 'ldm'
> > #
> > # Rotate LDM log files
> > #
> > 0 21 * * * bin/ldmadmin newlog
> > 0 21 * * * bin/newlog logs/ldm-mcidas.log 7
> 
> I made the changes in 'crontab -e'. Also, someone from our
> lab suggested I should start using 'sudo hupsyslog' or
> 'sudo ldmadmin pqactHUP' and so far it has been working.
> What are your thoughts?

My thoughts are that something/someone removed the setuid root
permission on ~ldm/bin/hupsyslog and ~ldm/bin/rpc.ldmd.  This was
the cause of your logging problems.  You need to figure out what
was removing these permissions and have it stopped.  If some process
that a system administrator set up was causing the removal, please
let the system administrator know that both rpc.ldmd and hupsyslog
only run as root for the amount of time needed.  For rpc.ldmd, the
running as root stops as soon as access to the privileged port 388
has been secured.  For hupsyslog, the program exits immediately after
the HUP signal has been sent to syslogd.  These programs having
setuid root privilege are _not_ security risks.

Cheers,

Tom
****************************************************************************
Unidata User Support                                    UCAR Unidata Program
(303) 497-8642                                                 P.O. Box 3000
address@hidden                                   Boulder, CO 80307
----------------------------------------------------------------------------
Unidata HomePage                       http://www.unidata.ucar.edu
****************************************************************************


Ticket Details
===================
Ticket ID: VJN-743814
Department: Support IDD
Priority: Normal
Status: Closed
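
The message asks that the permissions on ~ldm/bin/hupsyslog and ~ldm/bin/rpc.ldmd be watched. The following check is an added example, not part of the original message or of the LDM distribution: it classifies `ls -l` lines like the two quoted above and can audit the real files from cron. The function names and the LDM_BIN_DIR variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example: watch the setuid-root state of the LDM helper binaries.

# classify_listing LINE -> prints ok | no-setuid | setuid-noexec | not-root
# LINE is one `ls -l` style line, as quoted in the message.
classify_listing() {
    # read splits on whitespace: mode string, link count, owner, the rest
    read -r mode _links owner _rest <<EOF
$1
EOF
    # 4th character of the mode is the owner-execute slot: x, s, S or -
    case $(printf '%s' "$mode" | cut -c4) in
        s) ;;                                  # setuid and executable
        S) echo setuid-noexec; return 0 ;;     # setuid bit set, not executable
        *) echo no-setuid; return 0 ;;
    esac
    # the setuid bit only grants root privilege if root owns the file
    if [ "$owner" = root ]; then echo ok; else echo not-root; fi
}

# audit_bins DIR -> checks the real files; non-zero status if any is not ok
audit_bins() {
    rc=0
    for f in hupsyslog rpc.ldmd; do
        if ! line=$(ls -ld -- "$1/$f" 2>/dev/null); then
            echo "missing $1/$f"; rc=1; continue
        fi
        state=$(classify_listing "$line")
        echo "$state $1/$f"
        [ "$state" = ok ] || rc=1
    done
    return $rc
}

# Demo on the two listings quoted in the message above.
for sample in \
    '-rwxr-xr-x  1 ldm weather 5603 Jun 27 12:27 /home/ldm/bin/hupsyslog' \
    '-rwsr-xr-x 1 root users 5603 Jun 27 12:27 hupsyslog'
do
    printf '%-10s %s\n' "$(classify_listing "$sample")" "$sample"
done

# Live check, only when LDM_BIN_DIR (name assumed for this example) is set,
# e.g. LDM_BIN_DIR=/home/ldm/bin from the crontab of user 'ldm'.
if [ -n "${LDM_BIN_DIR:-}" ]; then audit_bins "$LDM_BIN_DIR"; fi
```

Run on a schedule, a non-zero exit or any line other than "ok" gives the time window in which the permissions changed, which narrows the search for the process that is resetting them.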