Hosed network conn with permissions?
 

I've broken my network connection again and this time I think it's through permissions problems.

After setting up a dyndns and other related modifications (sshd, updated /etc/hosts, and such), the box dropped off the network last week and doesn't allow a normal user to connect. Root can ping outside, but normal users get an "unknown host" error. Related, Firefox shows no web pages, and BZFlag doesn't allow me to login (the important stuff, you know).

To confirm this was a permissions problem, I added the normal user to the root group for testing. This allowed the normal user the expected network access.

Even now, I'm connected to the box via SSH with the dyndns name and can perform various tasks, but the normal user still can't ping externally.

For reference...
Could someone point me in the right direction as to what network file I'm overlooking? I'm sure I've broken some permissions through my miscellaneous configs, but I don't know where else to look. TIA

Exactly *what* changes did you make?


[normal-user@scrape ~]$ ping google.com
ping: unknown host google.com
If you "strace ping google.com 2>&1| grep "=.\-1"" as that unprivileged user what does it say?

First, thanks for the assistance. I'm headed out the door but will try to be accurate in my brevity.

A whole group of changes were made around the same time.

Generically, the related changes were... set up dyndns, modified /etc/hosts, installed and set up postfix (for emailing logs), installed and configured sshd, installed and configured ddclient.

More specifically and as root user... changed /etc/hosts by hand and by `hostname` (several times) to reflect new hostname (it wouldn't "catch" for some reason), changed configuration of ddclient several times trying to make it work, slight tweaking to postfix's conf files to allow for a send-only implementation, modifying sshd_config. I have a habit of copying a conf file to a backup before modifying the original. I have caught myself at times, though, using a `mv` instead, which further adds to my conviction that this is permissions.

"Unrealted" changes around this time included changing perms (convenient, no?) on several world-writable files as returned by msec. I've gone back through that list, though, and it seems as though nothing of importance was outside of ~/.kde. (I confirmed that this problem exists in Gnome, but I haven't tested init 3.)

It essentially takes a dump on the screen but includes some EACCES errors which I'll look into.

Here's the (quite hefty) output...
FYI, as root...
...with those last lines repeating as a ping hits, I expect.

open("/etc/nsswitch.conf", O_RDONLY) = -1 EACCES (Permission denied): file needs to have mode 0644.


I have a habit of copying a conf file to a backup before modifying the original. I have caught myself at times, though, using a `mv` instead, which further adds to my conviction that this is permissions.
Yeah, that's why I use a RCS wrapper around Vi. If the config is b0rken I just rlog and checkout previous revisions. I also log changes to the system, make daily backups and run Aide, which will alert me just in case I miss some changes.


"Unrealted" changes around this time included changing perms (convenient, no?) on several world-writable files as returned by msec. I've gone back through that list, though, and it seems as though nothing of importance was outside of ~/.kde.
Msec has a global scope and AFAIK it doesn't consider stuff in /home/*, so you better look again.

Made that change, but problem remains. I'm going to look at the other permissions complaints shortly. Thanks for the point in this direction.


Not familiar with that, but I need to look at it. Sound useful enough for home, but even more useful for work.


Here's a few lines from the msec report before I made the changes...

Changed /lib/libnss_files-2.3.6.so from 750 to 755 and I can ping out now. Also reverted the /etc/nsswitch.conf to to 640 for testing and still pinged outside. I'm going to reboot and get on the local box to see if everything still works.

Okay, the local machine is working correctly now. I don't know how I ended up with changed perms on an .so file, unless something else I did cascaded to that level. Perhaps I just got sloppy with a copy/paste or something.

Regarding the perms on /etc/nsswitch.conf: with the conn working now, should I leave them at the original 640 or is a 644 necessary? The mod date on this file was 2005. An .rpmnew version with a 2006 date had 644 perms.

Well, there's only a few files in /etc that unprivved users shouldn't read. As you can see from running "strace" it is necessary for that process to read nsswitch.conf to determine how it should go about resolving addresses. By default it should have mode 0644. (If you want to restore more permissions using your RPM database as starting point, check out thread http://www.linuxquestions.org/questi...d.php?t=563039 for a script.)

Ah! Thanks for the explanation. I may make use of that permissions restoration script. Sounds like a good way to clean up some of my early blunders on this installation from 3 years ago, too. And it looks like I need to learn to use strace, too.

Thanks for the help.