I've broken my network connection again and this time I think it's through permissions problems.
After setting up a dyndns and other related modifications (sshd, updated /etc/hosts, and such), the box dropped off the network last week and doesn't allow a normal user to connect. Root can ping outside, but normal users get an "unknown host" error. Related, Firefox shows no web pages, and BZFlag doesn't allow me to login (the important stuff, you know).
To confirm this was a permissions problem, I added the normal user to the root group for testing. This allowed the normal user the expected network access.
Even now, I'm connected to the box via SSH with the dyndns name and can perform various tasks, but the normal user still can't ping externally.
Could someone point me in the right direction as to what network file I'm overlooking? I'm sure I've broken some permissions through my miscellaneous configs, but I don't know where else to look. TIA
Quote:
other related modifications / (..) I've broken some permissions through my miscellaneous configs
Exactly *what* changes did you make?
[normal-user@scrape ~]$ ping google.com
ping: unknown host google.com
If you "strace ping google.com 2>&1| grep "=.\-1"" as that unprivileged user what does it say?
First, thanks for the assistance. I'm headed out the door but will try to be accurate in my brevity.
Quote:
Originally Posted by unSpawn
Exactly *what* changes did you make?
A whole group of changes were made around the same time.
Generically, the related changes were... set up dyndns, modified /etc/hosts, installed and set up postfix (for emailing logs), installed and configured sshd, installed and configured ddclient.
More specifically and as root user... changed /etc/hosts by hand and by `hostname` (several times) to reflect new hostname (it wouldn't "catch" for some reason), changed configuration of ddclient several times trying to make it work, slight tweaking to postfix's conf files to allow for a send-only implementation, modifying sshd_config. I have a habit of copying a conf file to a backup before modifying the original. I have caught myself at times, though, using a `mv` instead, which further adds to my conviction that this is permissions.
"Unrelated" changes around this time included changing perms (convenient, no?) on several world-writable files as returned by msec. I've gone back through that list, though, and it seems as though nothing of importance was outside of ~/.kde. (I confirmed that this problem exists in Gnome, but I haven't tested init 3.)
Quote:
Originally Posted by unSpawn
[normal-user@scrape ~]$ ping google.com
ping: unknown host google.com
If you "strace ping google.com 2>&1| grep "=.\-1"" as that unprivileged user what does it say?
It essentially takes a dump on the screen but includes some EACCES errors which I'll look into.
Here's the (quite hefty) output...
Code:
[tom@scrape ~]$ strace ping google.com 2>&1| grep "=.\-1"
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
socket(PF_INET, SOCK_RAW, IPPROTO_ICMP) = -1 EPERM (Operation not permitted)
connect(3, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
connect(3, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
open("/etc/nsswitch.conf", O_RDONLY) = -1 EACCES (Permission denied)
open("/lib/libnss_dns.so.2", O_RDONLY) = -1 EACCES (Permission denied)
open("/lib/tls/i686/sse/mmx/libnss_dns.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/lib/tls/i686/sse/mmx", 0xbfe0524c) = -1 ENOENT (No such file or directory)
open("/lib/tls/i686/sse/libnss_dns.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/lib/tls/i686/sse", 0xbfe0524c) = -1 ENOENT (No such file or directory)
open("/lib/tls/i686/mmx/libnss_dns.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/lib/tls/i686/mmx", 0xbfe0524c) = -1 ENOENT (No such file or directory)
open("/lib/tls/i686/libnss_dns.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/lib/tls/i686", 0xbfe0524c) = -1 ENOENT (No such file or directory)
open("/lib/tls/sse/mmx/libnss_dns.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/lib/tls/sse/mmx", 0xbfe0524c) = -1 ENOENT (No such file or directory)
open("/lib/tls/sse/libnss_dns.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/lib/tls/sse", 0xbfe0524c) = -1 ENOENT (No such file or directory)
open("/lib/tls/mmx/libnss_dns.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/lib/tls/mmx", 0xbfe0524c) = -1 ENOENT (No such file or directory)
open("/lib/tls/libnss_dns.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/lib/i686/sse/mmx/libnss_dns.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/lib/i686/sse/mmx", 0xbfe0524c) = -1 ENOENT (No such file or directory)
open("/lib/i686/sse/libnss_dns.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/lib/i686/sse", 0xbfe0524c) = -1 ENOENT (No such file or directory)
open("/lib/i686/mmx/libnss_dns.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/lib/i686/mmx", 0xbfe0524c) = -1 ENOENT (No such file or directory)
open("/lib/i686/libnss_dns.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/lib/sse/mmx/libnss_dns.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/lib/sse/mmx", 0xbfe0524c) = -1 ENOENT (No such file or directory)
open("/lib/sse/libnss_dns.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/lib/sse", 0xbfe0524c) = -1 ENOENT (No such file or directory)
open("/lib/mmx/libnss_dns.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/lib/mmx", 0xbfe0524c) = -1 ENOENT (No such file or directory)
open("/lib/libnss_dns.so.2", O_RDONLY) = -1 EACCES (Permission denied)
open("/usr/lib/tls/i686/sse/mmx/libnss_dns.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/usr/lib/tls/i686/sse/mmx", 0xbfe0524c) = -1 ENOENT (No such file or directory)
open("/usr/lib/tls/i686/sse/libnss_dns.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/usr/lib/tls/i686/sse", 0xbfe0524c) = -1 ENOENT (No such file or directory)
open("/usr/lib/tls/i686/mmx/libnss_dns.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/usr/lib/tls/i686/mmx", 0xbfe0524c) = -1 ENOENT (No such file or directory)
open("/usr/lib/tls/i686/libnss_dns.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/usr/lib/tls/i686", 0xbfe0524c) = -1 ENOENT (No such file or directory)
open("/usr/lib/tls/sse/mmx/libnss_dns.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/usr/lib/tls/sse/mmx", 0xbfe0524c) = -1 ENOENT (No such file or directory)
open("/usr/lib/tls/sse/libnss_dns.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/usr/lib/tls/sse", 0xbfe0524c) = -1 ENOENT (No such file or directory)
open("/usr/lib/tls/mmx/libnss_dns.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/usr/lib/tls/mmx", 0xbfe0524c) = -1 ENOENT (No such file or directory)
open("/usr/lib/tls/libnss_dns.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/i686/sse/mmx/libnss_dns.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/usr/lib/i686/sse/mmx", 0xbfe0524c) = -1 ENOENT (No such file or directory)
open("/usr/lib/i686/sse/libnss_dns.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/usr/lib/i686/sse", 0xbfe0524c) = -1 ENOENT (No such file or directory)
open("/usr/lib/i686/mmx/libnss_dns.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/usr/lib/i686/mmx", 0xbfe0524c) = -1 ENOENT (No such file or directory)
open("/usr/lib/i686/libnss_dns.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/sse/mmx/libnss_dns.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/usr/lib/sse/mmx", 0xbfe0524c) = -1 ENOENT (No such file or directory)
open("/usr/lib/sse/libnss_dns.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/usr/lib/sse", 0xbfe0524c) = -1 ENOENT (No such file or directory)
open("/usr/lib/mmx/libnss_dns.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/usr/lib/mmx", 0xbfe0524c) = -1 ENOENT (No such file or directory)
open("/usr/lib/libnss_dns.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/lib/libnss_files.so.2", O_RDONLY) = -1 EACCES (Permission denied)
open("/lib/tls/libnss_files.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/lib/i686/libnss_files.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/lib/libnss_files.so.2", O_RDONLY) = -1 EACCES (Permission denied)
open("/usr/lib/tls/libnss_files.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/i686/libnss_files.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/libnss_files.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
FYI, as root...
Code:
[root@scrape ~]# strace ping google.com 2>&1| grep "=.\-1"
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
connect(4, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
connect(4, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
open("/var/nis/NIS_COLD_START", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/var/nis/NIS_COLD_START", O_RDONLY) = -1 ENOENT (No such file or directory)
ioctl(1, SNDCTL_TMR_TIMEBASE or TCGETS, 0xbfeae4a8) = -1 EINVAL (Invalid argument)
open("/var/nis/NIS_COLD_START", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/var/nis/NIS_COLD_START", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/var/nis/NIS_COLD_START", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/var/nis/NIS_COLD_START", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/var/nis/NIS_COLD_START", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/var/nis/NIS_COLD_START", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/var/nis/NIS_COLD_START", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/var/nis/NIS_COLD_START", O_RDONLY) = -1 ENOENT (No such file or directory)
...with those last lines repeating as a ping hits, I expect.
open("/etc/nsswitch.conf", O_RDONLY) = -1 EACCES (Permission denied): file needs to have mode 0644.
Quote:
I have a habit of copying a conf file to a backup before modifying the original. I have caught myself at times, though, using a `mv` instead, which further adds to my conviction that this is permissions.
Yeah, that's why I use a RCS wrapper around Vi. If the config is b0rken I just rlog and checkout previous revisions. I also log changes to the system, make daily backups and run Aide, which will alert me just in case I miss some changes.
Quote:
"Unrelated" changes around this time included changing perms (convenient, no?) on several world-writable files as returned by msec. I've gone back through that list, though, and it seems as though nothing of importance was outside of ~/.kde.
Msec has a global scope and AFAIK it doesn't consider stuff in /home/*, so you better look again.
Quote:
Originally Posted by unSpawn
open("/etc/nsswitch.conf", O_RDONLY) = -1 EACCES (Permission denied): file needs to have mode 0644.
Made that change, but problem remains. I'm going to look at the other permissions complaints shortly. Thanks for the point in this direction.
Quote:
Originally Posted by unSpawn
Yeah, that's why I use a RCS wrapper around Vi. If the config is b0rken I just rlog and checkout previous revisions. I also log changes to the system, make daily backups and run Aide, which will alert me just in case I miss some changes.
Not familiar with that, but I need to look at it. Sounds useful enough for home, but even more useful for work.
Quote:
Originally Posted by unSpawn
Msec has a global scope and AFAIK it doesn't consider stuff in /home/*, so you better look again.
Here's a few lines from the msec report before I made the changes...
Changed /lib/libnss_files-2.3.6.so from 750 to 755 and I can ping out now. Also reverted the /etc/nsswitch.conf to 640 for testing and still pinged outside. I'm going to reboot and get on the local box to see if everything still works.
Okay, the local machine is working correctly now. I don't know how I ended up with changed perms on an .so file, unless something else I did cascaded to that level. Perhaps I just got sloppy with a copy/paste or something.
Regarding the perms on /etc/nsswitch.conf: with the conn working now, should I leave them at the original 640 or is a 644 necessary? The mod date on this file was 2005. An .rpmnew version with a 2006 date had 644 perms.
Well, there's only a few files in /etc that unprivved users shouldn't read. As you can see from running "strace" it is necessary for that process to read nsswitch.conf to determine how it should go about resolving addresses. By default it should have mode 0644. (If you want to restore more permissions using your RPM database as starting point, check out thread http://www.linuxquestions.org/questi...d.php?t=563039 for a script.)
Ah! Thanks for the explanation. I may make use of that permissions restoration script. Sounds like a good way to clean up some of my early blunders on this installation from 3 years ago, too. And it looks like I need to learn to use strace, too.
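The triage done by hand in this thread (filter the unprivileged strace output for EACCES, then inspect the mode of each denied file), as an added example that is not part of the original posts. It assumes GNU coreutils `stat`; the function names `eacces_paths`, `other_cannot_read` and `report` are illustrative.

```shell
#!/bin/sh
# Added example: list files a traced process was denied, with their modes.
# Assumes GNU coreutils stat (-L follows symlinks, -c %a prints octal mode).
# Function names are illustrative.

# Print each distinct path from strace output (stdin) whose syscall failed
# with EACCES, in first-seen order. Takes the first quoted string on the
# line, so open("/p", ...) and openat(AT_FDCWD, "/p", ...) both work.
eacces_paths() {
    sed -n 's/^[^"]*"\([^"]*\)".*= -1 EACCES.*/\1/p' | awk '!seen[$0]++'
}

# Succeed when the file's mode has no read bit for "other".
other_cannot_read() {
    mode=$(stat -L -c %a "$1") || return 2
    last=${mode#"${mode%?}"}          # last octal digit = "other" bits
    [ $(( last & 4 )) -eq 0 ]
}

# For each denied path print: PATH MODE STATUS
report() {
    eacces_paths | while IFS= read -r p; do
        if [ ! -e "$p" ]; then
            printf '%s - not-found\n' "$p"
        elif other_cannot_read "$p"; then
            printf '%s %s no-other-read\n' "$p" "$(stat -L -c %a "$p")"
        else
            # Mode looks fine: check parent directories, ACLs or MAC policy.
            printf '%s %s other-readable\n' "$p" "$(stat -L -c %a "$p")"
        fi
    done
}

# Lines copied from the unprivileged trace in the thread.
sample='open("/etc/nsswitch.conf", O_RDONLY) = -1 EACCES (Permission denied)
open("/lib/libnss_dns.so.2", O_RDONLY) = -1 EACCES (Permission denied)
open("/lib/tls/libnss_dns.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/lib/libnss_files.so.2", O_RDONLY) = -1 EACCES (Permission denied)
open("/lib/libnss_files.so.2", O_RDONLY) = -1 EACCES (Permission denied)'
printf '%s\n' "$sample" | report
```

Because `stat -L` follows symlinks, a denied `libnss_files.so.2` is reported with the mode of the versioned library it points to, which is the file whose mode was changed in this thread.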