That's exactly what I'm asking on the other mail. Since the introduction of the daemonize() function, the fifo file is always owned by root even if I instruct SER to run as, say, 'ser'. The problem lies in the do_suid() sequence in the main.c file.
To me, if we change uid and/or group id to a less privileged user, the fifo file should be created under the new user's permission as well. Here is what I've changed to suit my environment. See the sequence of the ------> line.
---- Before ----

	/* intialize fifo server -- we need to open the fifo before
	 * do_suid() and start the fifo server after all the socket
	 * are initialized, to inherit them*/
	if (init_fifo_server()<0) {
		LOG(L_ERR, "initializing fifo server failed\n");
		goto error;
	}
	/* Initialize Unix domain socket server */
	if (init_unixsock_socket()<0) {
		LOG(L_ERR, "Error while creating unix domain sockets\n");
		goto error;
	}
-------->	if (do_suid()==-1) goto error; /* try to drop priviledges */
	/* process_no now initialized to zero -- increase from now on
	   as new processes are forked (while skipping 0 reserved for main */

---- After ----

-------->	if (do_suid()==-1) goto error; /* try to drop priviledges */
	/* intialize fifo server -- we need to open the fifo before
	 * do_suid() and start the fifo server after all the socket
	 * are initialized, to inherit them*/
	if (init_fifo_server()<0) {
		LOG(L_ERR, "initializing fifo server failed\n");
		goto error;
	}
	/* Initialize Unix domain socket server */
	if (init_unixsock_socket()<0) {
		LOG(L_ERR, "Error while creating unix domain sockets\n");
		goto error;
	}

----
Sorry, I do not know how to do that 'cvs diff' kind of thing. So, the cum's bit above. Not sure whether the CVS source will be changed either. There must be a reason the author does it that way. In my opinion, no offence, it's a bug, but I'm open to discussion.
Zeus
-----Original Message-----
From: serusers-bounces@lists.iptel.org [mailto:serusers-bounces@lists.iptel.org] On Behalf Of Klaus Darilion
Sent: Wednesday, 28 April 2004 5:40 AM
To: John LI
Cc: Jiri Kuthan; Serusers; John LI
Subject: [Serusers] Re: serweb issu
That's not all - because next time you restart ser, ser will set the permissions again to 660 and apache can't write to the fifo.
So, try to solve it as I said.
I created a user ser and a group ser. I'm starting ser with: ser -g ser
Furthermore I added the apache user to the group 'ser'
This allows apache to write to the fifo without changing the permissions of the fifo.
This works fine for me with ser 0.8.12 stable. Recently there were some changes to the fifo and user/group switching in unstable ser. So, I don't know if this also works with unstable ser.
regards klaus
John LI wrote:
Hi Klaus,
That is great!
I have changed the /tmp/ser_fifo's mode to a+w, and the warning disappeared, and everything seemed to be working fine.
Thanks so much for your help
John
----- Original Message -----
From: "Klaus Darilion" klaus.mailinglists@pernau.at
To: "John LI" john@signalphone.com
Cc: "John LI" john@signalc.com; "Serusers" serusers@lists.iptel.org; "Jiri Kuthan" jiri@iptel.org
Sent: Tuesday, April 27, 2004 11:30 AM
Subject: Re: serweb issu
You can change the problem by giving rw access to /tmp/ser_fifo for everybody. But this of course is a security risk if there are other users who have access to the server.
You can overcome this by changing the userid and groupid of ser after startup. /usr/local/sbin/ser -h should give you the hints how to set user and group id.
Then put apache and the ser user into the same group, then apache can write to the fifo.
klaus
John LI wrote:
Hi Jiri and Klaus,
I installed the serweb, and when I log in to a user account, I get the warning:
Warning: fopen(/tmp/ser_fifo): failed to open stream: Permission denied in /var/www/html/serweb_2004-01-04/html/functions.php on line 206
I am running ser using the root, and I wonder how can I resolve this problem?
What ownership should I assign to the /tmp/ser_fifo?
Thanks
John
----- Original Message -----
From: "Jiri Kuthan" jiri@iptel.org
To: "Klaus Darilion" klaus.mailinglists@pernau.at; "John LI" john@signalc.com; "Serusers" serusers@lists.iptel.org
Sent: Saturday, March 27, 2004 5:46 PM
Subject: Re: [Serusers] The problem when enable the MySql
At 01:29 AM 3/28/2004, Klaus Darilion wrote:
What do you mean by "tools"? For symmetric NATs, the proxy that sends the request to the UA must have the same IP address as the proxy that received the REGISTER request - so I thought of using IP takeover (heartbeat) is the only way (except UAs which can register at multiple proxies). Is there any other way to solve this problem?
no, you need to take-over IP. There are different tools to achieve so, heartbeat one of them, VRRP another one and potentially some more.
-jiri
Serusers mailing list serusers@lists.iptel.org http://lists.iptel.org/mailman/listinfo/serusers
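
The ordering proposed at the top of this thread (drop privileges first, then create the fifo) combined with the 660 group-access setup Klaus describes, as an added example that is not SER's code or any poster's. The names drop_to(), create_ctl_fifo() and audit_ctl_fifo() and the path are hypothetical.

```c
#define _DEFAULT_SOURCE                 /* for setgroups() and lstat() */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

enum { FIFO_MISSING = 1, FIFO_NOT_FIFO = 2, FIFO_WORLD_ACCESS = 4, FIFO_WRONG_OWNER = 8 };

/* Permanently switch to uid/gid; supplementary groups are reset when root. */
int drop_to(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(1, &gid) < 0) return -1;
    if (setgid(gid) < 0 || setuid(uid) < 0) return -1;
    if (uid != 0 && setuid(0) == 0) return -1;   /* root must not be regainable */
    return 0;
}

/* Create the fifo as the current (already dropped) user with mode 0660. */
int create_ctl_fifo(const char *path)
{
    struct stat st;
    if (lstat(path, &st) < 0) {
        if (errno != ENOENT) return -1;
    } else if (!S_ISFIFO(st.st_mode) || unlink(path) < 0) {
        return -1;          /* only replace a stale fifo, never a symlink or file */
    }
    if (mkfifo(path, 0660) < 0) return -1;      /* mode is filtered by the umask... */
    if (chmod(path, 0660) < 0) { unlink(path); return -1; }  /* ...so set it again */
    return 0;
}

/* Return 0 if the fifo is fit for group-only access, else a bitmask of problems. */
int audit_ctl_fifo(const char *path, uid_t want_uid)
{
    struct stat st;
    int problems = 0;
    if (lstat(path, &st) < 0) return FIFO_MISSING;
    if (!S_ISFIFO(st.st_mode)) problems |= FIFO_NOT_FIFO;
    if (st.st_mode & S_IRWXO) problems |= FIFO_WORLD_ACCESS;   /* e.g. after a+w */
    if (st.st_uid != want_uid) problems |= FIFO_WRONG_OWNER;   /* e.g. still root */
    return problems;
}

int main(void)
{
    const char *path = "/tmp/example_ctl_fifo";  /* constructed path, not SER's */
    if (drop_to(getuid(), getgid()) < 0 || create_ctl_fifo(path) < 0) return 1;
    printf("audit flags: %d\n", audit_ctl_fifo(path, geteuid()));
    return unlink(path) < 0;
}
```

A real daemon would pass the uid and gid of its service account to drop_to(); main() uses the caller's own ids so the example also runs unprivileged.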