LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Old 06-24-2007, 05:06 PM   #1
toes
Member
 
Registered: Mar 2005
Location: Arkansas
Distribution: Mandy 2006, FC5
Posts: 154

Rep: Reputation: 30
Hosed network conn with permissions?


I've broken my network connection again and this time I think it's through permissions problems.

After setting up a dyndns and other related modifications (sshd, updated /etc/hosts, and such), the box dropped off the network last week and doesn't allow a normal user to connect. Root can ping outside, but normal users get an "unknown host" error. Related, Firefox shows no web pages, and BZFlag doesn't allow me to login (the important stuff, you know).

To confirm this was a permissions problem, I added the normal user to the root group for testing. This allowed the normal user the expected network access.

Even now, I'm connected to the box via SSH with the dyndns name and can perform various tasks, but the normal user still can't ping externally.

For reference...
Code:
[root@scrape ~]# ll /etc/host*
-rw-r--r--  2 root root  51 Dec 27  2004 /etc/host.conf
-rw-r--r--  2 root root 171 Jun 23 20:01 /etc/hosts
-rw-r--r--  1 root root 161 Aug 23  2005 /etc/hosts.allow
-rw-r--r--  1 root root 347 Aug 23  2005 /etc/hosts.deny
-rw-r--r--  1 root root 100 Dec 22  2005 /etc/hosts.mdkgiorig

[root@scrape ~]# ll /etc/resolv.conf
-rw-r--r--  1 root root 209 Jun 23 20:01 /etc/resolv.conf

-rwxr-x---  1 root root   18 Jun 23 17:35 /etc/sysconfig/net_monitorrc*
-rwxr-xr-x  1 root root   83 Jun 23 20:01 /etc/sysconfig/network*
drwxr-xr-x  5 root root 4096 Jul 23  2006 /etc/sysconfig/networking/
drwxr-xr-x  6 root root 4096 Jun 23 20:09 /etc/sysconfig/network-scripts/


[normal-user@scrape ~]$ ping google.com
ping: unknown host google.com
Could someone point me in the right direction as to what network file I'm overlooking? I'm sure I've broken some permissions through my miscellaneous configs, but I don't know where else to look. TIA
 
Old 06-24-2007, 06:01 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,693
Blog Entries: 54

Rep: Reputation: 2961
Quote:
other related modifications / (..) I've broken some permissions through my miscellaneous configs
Exactly *what* changes did you make?


Quote:
[normal-user@scrape ~]$ ping google.com
ping: unknown host google.com

If you "strace ping google.com 2>&1| grep "=.\-1"" as that unprivileged user what does it say?
 
Old 06-24-2007, 06:39 PM   #3
toes
Member
 
Registered: Mar 2005
Location: Arkansas
Distribution: Mandy 2006, FC5
Posts: 154

Original Poster
Rep: Reputation: 30
First, thanks for the assistance. I'm headed out the door but will try to be accurate in my brevity.

Quote:
Originally Posted by unSpawn
Exactly *what* changes did you make?
A whole group of changes were made around the same time.

Generically, the related changes were... set up dyndns, modified /etc/hosts, installed and set up postfix (for emailing logs), installed and configured sshd, installed and configured ddclient.

More specifically and as root user... changed /etc/hosts by hand and by `hostname` (several times) to reflect new hostname (it wouldn't "catch" for some reason), changed configuration of ddclient several times trying to make it work, slight tweaking to postfix's conf files to allow for a send-only implementation, modifying sshd_config. I have a habit of copying a conf file to a backup before modifying the original. I have caught myself at times, though, using a `mv` instead, which further adds to my conviction that this is permissions.

"Unrelated" changes around this time included changing perms (convenient, no?) on several world-writable files as returned by msec. I've gone back through that list, though, and it seems as though nothing of importance was outside of ~/.kde. (I confirmed that this problem exists in Gnome, but I haven't tested init 3.)

Quote:
Originally Posted by unSpawn
[normal-user@scrape ~]$ ping google.com
ping: unknown host google.com

If you "strace ping google.com 2>&1| grep "=.\-1"" as that unprivileged user what does it say?
It essentially takes a dump on the screen but includes some EACCES errors which I'll look into.

Here's the (quite hefty) output...
Code:
[tom@scrape ~]$ strace ping google.com 2>&1| grep "=.\-1"
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
socket(PF_INET, SOCK_RAW, IPPROTO_ICMP) = -1 EPERM (Operation not permitted)
connect(3, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
connect(3, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
open("/etc/nsswitch.conf", O_RDONLY)    = -1 EACCES (Permission denied)
open("/lib/libnss_dns.so.2", O_RDONLY)  = -1 EACCES (Permission denied)
open("/lib/tls/i686/sse/mmx/libnss_dns.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/lib/tls/i686/sse/mmx", 0xbfe0524c) = -1 ENOENT (No such file or directory)
open("/lib/tls/i686/sse/libnss_dns.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/lib/tls/i686/sse", 0xbfe0524c) = -1 ENOENT (No such file or directory)
open("/lib/tls/i686/mmx/libnss_dns.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/lib/tls/i686/mmx", 0xbfe0524c) = -1 ENOENT (No such file or directory)
open("/lib/tls/i686/libnss_dns.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/lib/tls/i686", 0xbfe0524c)     = -1 ENOENT (No such file or directory)
open("/lib/tls/sse/mmx/libnss_dns.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/lib/tls/sse/mmx", 0xbfe0524c)  = -1 ENOENT (No such file or directory)
open("/lib/tls/sse/libnss_dns.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/lib/tls/sse", 0xbfe0524c)      = -1 ENOENT (No such file or directory)
open("/lib/tls/mmx/libnss_dns.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/lib/tls/mmx", 0xbfe0524c)      = -1 ENOENT (No such file or directory)
open("/lib/tls/libnss_dns.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/lib/i686/sse/mmx/libnss_dns.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/lib/i686/sse/mmx", 0xbfe0524c) = -1 ENOENT (No such file or directory)
open("/lib/i686/sse/libnss_dns.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/lib/i686/sse", 0xbfe0524c)     = -1 ENOENT (No such file or directory)
open("/lib/i686/mmx/libnss_dns.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/lib/i686/mmx", 0xbfe0524c)     = -1 ENOENT (No such file or directory)
open("/lib/i686/libnss_dns.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/lib/sse/mmx/libnss_dns.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/lib/sse/mmx", 0xbfe0524c)      = -1 ENOENT (No such file or directory)
open("/lib/sse/libnss_dns.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/lib/sse", 0xbfe0524c)          = -1 ENOENT (No such file or directory)
open("/lib/mmx/libnss_dns.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/lib/mmx", 0xbfe0524c)          = -1 ENOENT (No such file or directory)
open("/lib/libnss_dns.so.2", O_RDONLY)  = -1 EACCES (Permission denied)
open("/usr/lib/tls/i686/sse/mmx/libnss_dns.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/usr/lib/tls/i686/sse/mmx", 0xbfe0524c) = -1 ENOENT (No such file or directory)
open("/usr/lib/tls/i686/sse/libnss_dns.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/usr/lib/tls/i686/sse", 0xbfe0524c) = -1 ENOENT (No such file or directory)
open("/usr/lib/tls/i686/mmx/libnss_dns.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/usr/lib/tls/i686/mmx", 0xbfe0524c) = -1 ENOENT (No such file or directory)
open("/usr/lib/tls/i686/libnss_dns.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/usr/lib/tls/i686", 0xbfe0524c) = -1 ENOENT (No such file or directory)
open("/usr/lib/tls/sse/mmx/libnss_dns.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/usr/lib/tls/sse/mmx", 0xbfe0524c) = -1 ENOENT (No such file or directory)
open("/usr/lib/tls/sse/libnss_dns.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/usr/lib/tls/sse", 0xbfe0524c)  = -1 ENOENT (No such file or directory)
open("/usr/lib/tls/mmx/libnss_dns.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/usr/lib/tls/mmx", 0xbfe0524c)  = -1 ENOENT (No such file or directory)
open("/usr/lib/tls/libnss_dns.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/i686/sse/mmx/libnss_dns.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/usr/lib/i686/sse/mmx", 0xbfe0524c) = -1 ENOENT (No such file or directory)
open("/usr/lib/i686/sse/libnss_dns.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/usr/lib/i686/sse", 0xbfe0524c) = -1 ENOENT (No such file or directory)
open("/usr/lib/i686/mmx/libnss_dns.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/usr/lib/i686/mmx", 0xbfe0524c) = -1 ENOENT (No such file or directory)
open("/usr/lib/i686/libnss_dns.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/sse/mmx/libnss_dns.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/usr/lib/sse/mmx", 0xbfe0524c)  = -1 ENOENT (No such file or directory)
open("/usr/lib/sse/libnss_dns.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/usr/lib/sse", 0xbfe0524c)      = -1 ENOENT (No such file or directory)
open("/usr/lib/mmx/libnss_dns.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/usr/lib/mmx", 0xbfe0524c)      = -1 ENOENT (No such file or directory)
open("/usr/lib/libnss_dns.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/lib/libnss_files.so.2", O_RDONLY) = -1 EACCES (Permission denied)
open("/lib/tls/libnss_files.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/lib/i686/libnss_files.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/lib/libnss_files.so.2", O_RDONLY) = -1 EACCES (Permission denied)
open("/usr/lib/tls/libnss_files.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/i686/libnss_files.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/libnss_files.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
FYI, as root...
Code:
[root@scrape ~]# strace ping google.com 2>&1| grep "=.\-1"
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
connect(4, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
connect(4, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
open("/var/nis/NIS_COLD_START", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/var/nis/NIS_COLD_START", O_RDONLY) = -1 ENOENT (No such file or directory)
ioctl(1, SNDCTL_TMR_TIMEBASE or TCGETS, 0xbfeae4a8) = -1 EINVAL (Invalid argument)
open("/var/nis/NIS_COLD_START", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/var/nis/NIS_COLD_START", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/var/nis/NIS_COLD_START", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/var/nis/NIS_COLD_START", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/var/nis/NIS_COLD_START", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/var/nis/NIS_COLD_START", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/var/nis/NIS_COLD_START", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/var/nis/NIS_COLD_START", O_RDONLY) = -1 ENOENT (No such file or directory)
...with those last lines repeating as a ping hits, I expect.
 
Old 06-24-2007, 07:15 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,693
Blog Entries: 54

Rep: Reputation: 2961
open("/etc/nsswitch.conf", O_RDONLY) = -1 EACCES (Permission denied): file needs to have mode 0644.


Quote:
I have a habit of copying a conf file to a backup before modifying the original. I have caught myself at times, though, using a `mv` instead, which further adds to my conviction that this is permissions.
Yeah, that's why I use an RCS wrapper around Vi. If the config is b0rken I just rlog and checkout previous revisions. I also log changes to the system, make daily backups and run Aide, which will alert me just in case I miss some changes.


Quote:
"Unrelated" changes around this time included changing perms (convenient, no?) on several world-writable files as returned by msec. I've gone back through that list, though, and it seems as though nothing of importance was outside of ~/.kde.
Msec has a global scope and AFAIK it doesn't consider stuff in /home/*, so you better look again.
 
Old 06-24-2007, 10:26 PM   #5
toes
Member
 
Registered: Mar 2005
Location: Arkansas
Distribution: Mandy 2006, FC5
Posts: 154

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by unSpawn
open("/etc/nsswitch.conf", O_RDONLY) = -1 EACCES (Permission denied): file needs to have mode 0644.
Made that change, but problem remains. I'm going to look at the other permissions complaints shortly. Thanks for the point in this direction.


Quote:
Originally Posted by unSpawn
Yeah, that's why I use an RCS wrapper around Vi. If the config is b0rken I just rlog and checkout previous revisions. I also log changes to the system, make daily backups and run Aide, which will alert me just in case I miss some changes.
Not familiar with that, but I need to look at it. Sounds useful enough for home, but even more useful for work.


Quote:
Originally Posted by unSpawn
Msec has a global scope and AFAIK it doesn't consider stuff in /home/*, so you better look again.
Here's a few lines from the msec report before I made the changes...
Code:
               - /home/tom/.kde
               - /home/tom/.kde/Autostart
               - /home/tom/.kde/Autostart/.alignment-icons
               - /home/tom/.kde/Autostart/.directory
               - /home/tom/.kde/DESKTOP_ENTRY
               - /home/tom/.kde/share
               - /home/tom/.kde/share/applnk
 
Old 06-24-2007, 10:56 PM   #6
toes
Member
 
Registered: Mar 2005
Location: Arkansas
Distribution: Mandy 2006, FC5
Posts: 154

Original Poster
Rep: Reputation: 30
Changed /lib/libnss_files-2.3.6.so from 750 to 755 and I can ping out now. Also reverted the /etc/nsswitch.conf to 640 for testing and still pinged outside. I'm going to reboot and get on the local box to see if everything still works.
 
Old 06-24-2007, 11:06 PM   #7
toes
Member
 
Registered: Mar 2005
Location: Arkansas
Distribution: Mandy 2006, FC5
Posts: 154

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by toes
Changed /lib/libnss_files-2.3.6.so from 750 to 755 and I can ping out now. Also reverted the /etc/nsswitch.conf to 640 for testing and still pinged outside. I'm going to reboot and get on the local box to see if everything still works.
Okay, the local machine is working correctly now. I don't know how I ended up with changed perms on an .so file, unless something else I did cascaded to that level. Perhaps I just got sloppy with a copy/paste or something.

Regarding the perms on /etc/nsswitch.conf: with the conn working now, should I leave them at the original 640 or is a 644 necessary? The mod date on this file was 2005. An .rpmnew version with a 2006 date had 644 perms.
 
Old 06-25-2007, 02:17 AM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,693
Blog Entries: 54

Rep: Reputation: 2961
Well, there's only a few files in /etc that unprivved users shouldn't read. As you can see from running "strace" it is necessary for that process to read nsswitch.conf to determine how it should go about resolving addresses. By default it should have mode 0644. (If you want to restore more permissions using your RPM database as starting point, check out thread http://www.linuxquestions.org/questi...d.php?t=563039 for a script.)
 
Old 06-25-2007, 07:58 AM   #9
toes
Member
 
Registered: Mar 2005
Location: Arkansas
Distribution: Mandy 2006, FC5
Posts: 154

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by unSpawn
Well, there's only a few files in /etc that unprivved users shouldn't read. As you can see from running "strace" it is necessary for that process to read nsswitch.conf to determine how it should go about resolving addresses. By default it should have mode 0644. (If you want to restore more permissions using your RPM database as starting point, check out thread http://www.linuxquestions.org/questi...d.php?t=563039 for a script.)
Ah! Thanks for the explanation. I may make use of that permissions restoration script. Sounds like a good way to clean up some of my early blunders on this installation from 3 years ago, too. And it looks like I need to learn to use strace, too.

Thanks for the help.
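
Added example, not part of the original thread or any poster's code: the triage this thread performs by eye, pulling the EACCES paths out of the ENOENT noise in the strace output and reporting the file that actually carries the restrictive mode. The trace names /lib/libnss_files.so.2 while the fix was applied to /lib/libnss_files-2.3.6.so (the former is normally a symlink to the latter), so the check resolves symlinks; it also goes slightly beyond the thread by accepting `openat(AT_FDCWD, ...)` lines. Function names are illustrative, the demo files and trace lines are constructed, and GNU `stat` and `readlink -f` are assumed.

```shell
#!/bin/sh
# Added example: triage EACCES failures in strace output (names are illustrative).

# Print each unique path whose syscall failed with EACCES.
# Matches open("/path", ...) as in the thread and openat(AT_FDCWD, "/path", ...).
eacces_paths() {
    sed -n 's/^[a-z0-9_]*([^"]*"\([^"]*\)".*= -1 EACCES .*/\1/p' | sort -u
}

# For each path on stdin, resolve symlinks and report the real file when
# "other" has no read bit. Parent-directory search permission is not checked.
report_unreadable() {
    while IFS= read -r path; do
        [ -e "$path" ] || continue
        target=$(readlink -f "$path")
        mode=$(stat -c %a "$target")          # GNU stat: octal mode, e.g. 750
        case "$mode" in
            *[4567]) ;;                       # last digit has the read bit set
            *) printf '%s mode=%s (via %s)\n' "$target" "$mode" "$path" ;;
        esac
    done
}

# Constructed reproduction of the thread's situation in a temp directory:
# a 750 library reached through a symlink, and a 640 nsswitch.conf.
demo() {
    d=$(mktemp -d) || return 1
    printf 'x' > "$d/libnss_files-2.3.6.so"; chmod 750 "$d/libnss_files-2.3.6.so"
    ln -s libnss_files-2.3.6.so "$d/libnss_files.so.2"
    printf 'x' > "$d/nsswitch.conf"; chmod 640 "$d/nsswitch.conf"
    # Constructed strace lines modelled on the output posted in the thread.
    cat <<EOF | eacces_paths | report_unreadable
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("$d/nsswitch.conf", O_RDONLY)    = -1 EACCES (Permission denied)
open("$d/libnss_files.so.2", O_RDONLY) = -1 EACCES (Permission denied)
open("$d/tls/libnss_files.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
open("$d/libnss_files.so.2", O_RDONLY) = -1 EACCES (Permission denied)
EOF
    rm -rf "$d"
}

# Real use, as the unprivileged user:
#   strace ping -c 1 google.com 2>&1 | eacces_paths | report_unreadable
```

Run as root against a trace captured as the affected user, so the mode check itself is not blocked by the permissions it is looking for.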
 
  


All times are GMT -5.