whoami Permission Denied

Curtor · 03-10-2008, 01:45 PM

Hello again.
I am following a tutorial online, and I am having trouble running a certain command. The command is written as follows:

Code:

[jane@GRID10 globus]$ /usr/bin/rsh GRID10 /usr/bin/whoami
Permission denied.

Though, it should read

Code:

[jane@GRID10 globus]$ /usr/bin/rsh GRID10 /usr/bin/whoami
jane

I just installed Fedora 8, and before doing this, I installed xinetd and created a file named "/etc/hosts.equiv" and placed my IP in it. The exact tutorial of what I was following can be found at the url:
http://globusconsortium.org/tutorial/ch2/page_1.php
Thanks for any help!

raskin · 03-10-2008, 02:27 PM

Can you get just remote shell? What does 'ls -l /usr/bin/whoami /bin/whoami' say (on remote machine)?

Curtor · 03-10-2008, 03:07 PM

Code:

[jane@GRID10 bin]$  /usr/bin/rsh GRID10 /usr/bin/whoami
Permission denied.
[jane@GRID10 bin]$ ls -l /usr/bin/whoami /bin/whoami
ls: cannot access /bin/whoami: No such file or directory
-rwxr-xr-x 1 root root 15744 2008-03-06 08:00 /usr/bin/whoami
[jane@GRID10 bin]$ /usr/bin/rsh ls -l /usr/bin/whoami /bin/whoami
ls.localdomain.com: Connection refused

raskin · 03-10-2008, 03:09 PM

The last command tries to connect to host "ls", not to GRID10. Also, does '/usr/bin/rsh GRID10 /bin/sh' work?

Curtor · 03-10-2008, 03:12 PM

Permission is denied for that last command you said, even if I run it as root.

raskin · 03-10-2008, 03:29 PM

Maybe your rshd daemon log can reveal some information.. Or try to use strace and attach to rshd (as root, of course). You probably need -f to follow spawned processes, '-o /root/log' to write it to file you can later read, '-s 1024' to get most strings uncut, and '-p [PID]' to connect to running process (rshd or inetd). What syscall causes EPERM?

Curtor · 03-11-2008, 08:26 AM

Sorry, I'm not really certain what a lot of that you just said meant. Are those parameters I should be running with the command? What is the final command I should be running to try and see what happens? I want to get this working, i just don't want to screw something else up in the process :P

Curtor · 03-11-2008, 09:06 AM

Not sure if this is exactly what you were looking for, but I ran *this* with the strace (not as root though..). I didn't want to spam the thread, but let me know what I should run here please.

Code:

[jane@GRID10 bin]$ strace  /usr/bin/rsh GRID10 /usr/bin/whoami
execve("/usr/bin/rsh", ["/usr/bin/rsh", "GRID10", "/usr/bin/whoami"], [/* 43 vars */]) = 0
brk(0)                                  = 0xb8d02000
fcntl64(0, F_GETFD)                     = 0
fcntl64(1, F_GETFD)                     = 0
fcntl64(2, F_GETFD)                     = 0
access("/etc/suid-debug", F_OK)         = -1 ENOENT (No such file or directory)
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=59662, ...}) = 0
mmap2(NULL, 59662, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7f42000
close(3)                                = 0
open("/lib/libcrypt.so.1", O_RDONLY)    = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0 \227r\0064\0\0\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=45316, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f41000
mmap2(NULL, 201020, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x12e000
mmap2(0x137000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x8) = 0x137000
mmap2(0x139000, 155964, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x139000
close(3)                                = 0
open("/lib/libutil.so.1", O_RDONLY)     = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0p\232\234\0004\0\0\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=15204, ...}) = 0
mmap2(NULL, 12428, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x160000
mmap2(0x162000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1) = 0x162000
close(3)                                = 0
open("/lib/libc.so.6", O_RDONLY)        = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\360\324\25\0004\0\0\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1692524, ...}) = 0
mmap2(NULL, 1410608, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x164000
mmap2(0x2b7000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x153) = 0x2b7000
mmap2(0x2ba000, 9776, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x2ba000
close(3)                                = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f40000
set_thread_area({entry_number:-1 -> 6, base_addr:0xb7f406c0, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
mprotect(0x2b7000, 8192, PROT_READ)     = 0
mprotect(0x162000, 4096, PROT_READ)     = 0
mprotect(0x137000, 4096, PROT_READ)     = 0
mprotect(0x12b000, 4096, PROT_READ)     = 0
munmap(0xb7f42000, 59662)               = 0
getuid32()                              = 101
brk(0)                                  = 0xb8d02000
brk(0xb8d23000)                         = 0xb8d23000
socket(PF_FILE, SOCK_STREAM, 0)         = 3
fcntl64(3, F_SETFL, O_RDWR|O_NONBLOCK)  = 0
connect(3, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
close(3)                                = 0
socket(PF_FILE, SOCK_STREAM, 0)         = 3
fcntl64(3, F_SETFL, O_RDWR|O_NONBLOCK)  = 0
connect(3, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
close(3)                                = 0
open("/etc/nsswitch.conf", O_RDONLY)    = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=1696, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f50000
read(3, "#\n# /etc/nsswitch.conf\n#\n# An ex"..., 4096) = 1696
read(3, "", 4096)                       = 0
close(3)                                = 0
munmap(0xb7f50000, 4096)                = 0
open("/etc/ld.so.cache", O_RDONLY)      = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=59662, ...}) = 0
mmap2(NULL, 59662, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7f42000
close(3)                                = 0
open("/lib/libnss_files.so.2", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\300\30\0\0004\0\0\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=50768, ...}) = 0
mmap2(NULL, 45712, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x2bd000
mmap2(0x2c7000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x9) = 0x2c7000
close(3)                                = 0
mprotect(0x2c7000, 4096, PROT_READ)     = 0
munmap(0xb7f42000, 59662)               = 0
open("/etc/passwd", O_RDONLY|0x80000 /* O_??? */) = 3
fcntl64(3, F_GETFD)                     = 0x1 (flags FD_CLOEXEC)
fstat64(3, {st_mode=S_IFREG|0644, st_size=2079, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f50000
read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 2079
close(3)                                = 0
munmap(0xb7f50000, 4096)                = 0
socket(PF_FILE, SOCK_STREAM, 0)         = 3
fcntl64(3, F_SETFL, O_RDWR|O_NONBLOCK)  = 0
connect(3, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
close(3)                                = 0
socket(PF_FILE, SOCK_STREAM, 0)         = 3
fcntl64(3, F_SETFL, O_RDWR|O_NONBLOCK)  = 0
connect(3, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
close(3)                                = 0
open("/etc/services", O_RDONLY|0x80000 /* O_??? */) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=362047, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f50000
read(3, "# /etc/services:\n# $Id: services"..., 4096) = 4096
read(3, " News Transfer Protocol\nntp\t\t123"..., 4096) = 4096
read(3, "ebook\nphonebook\t767/udp\nrsync\t\t8"..., 4096) = 4096
close(3)                                = 0
munmap(0xb7f50000, 4096)                = 0
getpid()                                = 25152
socket(PF_NETLINK, SOCK_RAW, 0)         = 3
bind(3, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0
getsockname(3, {sa_family=AF_NETLINK, pid=25152, groups=00000000}, [12]) = 0
time(NULL)                              = 1205243978
sendto(3, "\24\0\0\0\26\0\1\3J\220\326G\0\0\0\0\0\0\0\0", 20, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 20
recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"0\0\0\0\24\0\2\0J\220\326G@b\0\0\2\10\200\376\1\0\0\0\10\0\1\0\177\0\0\1"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 108
recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"@\0\0\0\24\0\2\0J\220\326G@b\0\0\n\200\200\376\1\0\0\0\24\0\1\0\0\0\0\0"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 128
recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\24\0\0\0\3\0\2\0J\220\326G@b\0\0\0\0\0\0\1\0\0\0\24\0\1\0\0\0\0\0"..., 4096}], msg_controllen=0, msg_flags=0}, 0) = 20
close(3)                                = 0
socket(PF_FILE, SOCK_STREAM, 0)         = 3
fcntl64(3, F_SETFL, O_RDWR|O_NONBLOCK)  = 0
connect(3, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
close(3)                                = 0
socket(PF_FILE, SOCK_STREAM, 0)         = 3
fcntl64(3, F_SETFL, O_RDWR|O_NONBLOCK)  = 0
connect(3, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
close(3)                                = 0
open("/etc/resolv.conf", O_RDONLY)      = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=75, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f50000
read(3, "search localdomain.com\nnameserve"..., 4096) = 75
read(3, "", 4096)                       = 0
close(3)                                = 0
munmap(0xb7f50000, 4096)                = 0
open("/etc/hosts", O_RDONLY|0x80000 /* O_??? */) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=240, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f50000
read(3, "# Do not remove the following li"..., 4096) = 240
read(3, "", 4096)                       = 0
close(3)                                = 0
munmap(0xb7f50000, 4096)                = 0
open("/etc/hosts", O_RDONLY|0x80000 /* O_??? */) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=240, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f50000
read(3, "# Do not remove the following li"..., 4096) = 240
close(3)                                = 0
munmap(0xb7f50000, 4096)                = 0
open("/etc/host.conf", O_RDONLY)        = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=17, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f50000
read(3, "order hosts,bind\n", 4096)     = 17
read(3, "", 4096)                       = 0
close(3)                                = 0
munmap(0xb7f50000, 4096)                = 0
open("/etc/hosts", O_RDONLY|0x80000 /* O_??? */) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=240, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f50000
read(3, "# Do not remove the following li"..., 4096) = 240
close(3)                                = 0
munmap(0xb7f50000, 4096)                = 0
rt_sigprocmask(SIG_BLOCK, [URG], [], 8) = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3
bind(3, {sa_family=AF_INET, sin_port=htons(1023), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EACCES (Permission denied)
close(3)                                = 0
write(2, "rcmd: socket: Permission denied\n", 32rcmd: socket: Permission denied
) = 32
rt_sigprocmask(SIG_SETMASK, [], [URG], 8) = 0
exit_group(1)                           = ?

raskin · 03-11-2008, 10:45 AM

Is rsh command setuid on your system? looks like it calls rcmd which demonstratively uses privileged ports to show it is genuine rsh made setuid by root, not some unprivileged-user's dirty tricks.

Curtor · 03-11-2008, 12:39 PM

Not that I know of? Unless that is what one of the commands in the tutorial did, or it comes default as such, I did not set up the rsh command as setuid.

raskin · 03-11-2008, 01:54 PM

ls -l /usr/bin/rsh
May be or not SUID be default.

Curtor · 03-11-2008, 02:26 PM

Code:

[jane@GRID10 bin]$ ls -l /usr/bin/rsh
-rwsr-xr-x 1 root root 9064 2007-10-16 09:49 /usr/bin/rsh

chrism01 · 03-11-2008, 07:58 PM

Have you activated the rsh file in the /etc/xinetd.d dir?
Normally rexec, rsh, remsh etc are defaulted to OFF because (like telnet) they use plain text logins, so easy to capture username/passwd.

Curtor · 03-12-2008, 08:21 AM

I'm fairly sure that it is activated. Here is the file here, I believe:

Code:

[root@GRID10 globus]# cat /etc/xinetd.d/rsh 
# default: on
# description: The rshd server is the server for the rcmd(3) routine and, \
#       consequently, for the rsh(1) program.  The server provides \
#       remote execution facilities with authentication based on \
#       privileged port numbers from trusted hosts.
service shell
{
        socket_type             = stream
        wait                    = no
        user                    = root
        log_on_success          += USERID
        log_on_failure          += USERID
        server                  = /usr/sbin/in.rshd
        disable                 = no
}
[root@GRID10 globus]#

Perhaps I have to reboot after editing it to not be disabled? Though, before trying the whoami command from the beginning, I did edit this file and /etc/xinetd.d/rlogin and set disable = no in both of them, and then issued a "/etc/init.d/xinetd restart" command. (As is says to do so in the tutorial)

chrism01 · 03-12-2008, 06:50 PM

How about firewall? According to this http://www.spirit.com/Resources/ports.html rshd receives on 514/tcp.