[Serusers] Re: serweb issu

Zeus Ng zeus.ng at isquare.com.au
Wed Apr 28 02:54:59 CEST 2004


That's exactly what I'm asking on the other mail. Since the introduction of
the daemonize() function, the fifo file is always owned by root even if I
instruct SER to run as, say, 'ser'. The problem lies in the do_suid() sequence
in the main.c file.

To me, if we change uid and/or group id to a less privileged user, the fifo
file should be created under the new user's permission as well. Here is what
I've changed to suit my environment. See the sequence of the ------> line.

---- Before ----
                /* intialize fifo server -- we need to open the fifo before
                 * do_suid() and start the fifo server after all the socket
                 * are initialized, to inherit them*/
                if (init_fifo_server()<0) {
                        LOG(L_ERR, "initializing fifo server failed\n");
                        goto error;
                }
                 /* Initialize Unix domain socket server */
                if (init_unixsock_socket()<0) {
                        LOG(L_ERR, "Error while creating unix domain
sockets\n");
                        goto error;
                }
-------->       if (do_suid()==-1) goto error; /* try to drop priviledges */
                /* process_no now initialized to zero -- increase from now
on
                   as new processes are forked (while skipping 0 reserved
for main
                */

---- After ----
-------->       if (do_suid()==-1) goto error; /* try to drop priviledges */
                /* intialize fifo server -- we need to open the fifo before
                 * do_suid() and start the fifo server after all the socket
                 * are initialized, to inherit them*/
                if (init_fifo_server()<0) {
                        LOG(L_ERR, "initializing fifo server failed\n");
                        goto error;
                }
                 /* Initialize Unix domain socket server */
                if (init_unixsock_socket()<0) {
                        LOG(L_ERR, "Error while creating unix domain
sockets\n");
                        goto error;
                }
----
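
Review bot: in the After block the comment above init_fifo_server() still reads "we need to open the fifo before do_suid()", which is now the opposite of what the code does; it should be rewritten to state the new intent, namely that the fifo and the unix domain socket are created under the dropped uid/gid. That comment is also the only stated reason for the old order, so the reordering needs checking against it: init_fifo_server() and init_unixsock_socket() now both run after do_suid() and will fail if the unprivileged user cannot create files at the paths they use.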

Sorry, I do not know how to do that 'cvs diff' kind of thing. So, the cum's
bit above. Not sure whether the CVS source will be changed either. There
must be a reason the author did it that way. In my opinion, no offence, it's
a bug but I'm open to discussion.

Zeus
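
The ownership behaviour discussed in this message, as an added example that is not part of the original post or of SER's source: a FIFO takes the effective uid of the process at the moment mkfifo() runs, and the audit function flags the world-accessible state left by the a+w workaround mentioned in the quoted thread. The function names, flag values and scratch path are assumptions made for this illustration.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical flag values returned by audit_fifo(). */
enum { FIFO_MISSING = 1, FIFO_WRONG_OWNER = 2, FIFO_WORLD_ACCESS = 4 };

/* Create a FIFO with exactly `mode`, whatever the umask. The kernel stamps it
 * with the caller's effective uid, so a FIFO made before the privilege drop
 * belongs to root and one made after it belongs to the service user. */
int create_fifo(const char *path, mode_t mode)
{
    if (mkfifo(path, mode) < 0) return -1;          /* fails if path exists */
    if (chmod(path, mode) < 0) { unlink(path); return -1; }
    return 0;
}

/* Return 0 when `path` is a FIFO owned by `uid` with no permission bits for
 * "other"; otherwise an OR of the FIFO_* flags above. */
int audit_fifo(const char *path, uid_t uid)
{
    struct stat st;
    int flags = 0;
    if (lstat(path, &st) < 0 || !S_ISFIFO(st.st_mode)) return FIFO_MISSING;
    if (st.st_uid != uid) flags |= FIFO_WRONG_OWNER;
    if (st.st_mode & S_IRWXO) flags |= FIFO_WORLD_ACCESS;
    return flags;
}

int main(void)
{
    char dir[] = "/tmp/fifo_demo_XXXXXX";   /* constructed scratch directory */
    char path[64];
    if (!mkdtemp(dir)) return 1;
    snprintf(path, sizeof path, "%s/ser_fifo", dir);
    if (create_fifo(path, 0660) < 0) return 1;
    printf("0660, owner is euid: flags=%d\n", audit_fifo(path, geteuid()));
    printf("other owner wanted:  flags=%d\n", audit_fifo(path, geteuid() + 1));
    if (chmod(path, 0666) < 0) return 1;    /* the a+w workaround */
    printf("after chmod a+w:     flags=%d\n", audit_fifo(path, geteuid()));
    unlink(path);
    rmdir(dir);
    return 0;
}
```
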


> -----Original Message-----
> From: serusers-bounces at lists.iptel.org 
> [mailto:serusers-bounces at lists.iptel.org] On Behalf Of Klaus Darilion
> Sent: Wednesday, 28 April 2004 5:40 AM
> To: John LI
> Cc: Jiri Kuthan; Serusers; John LI
> Subject: [Serusers] Re: serweb issu
> 
> 
> That's not all - because next time you restart ser, ser will set the 
> permissions again to 660 and apache can't write to the fifo.
> 
> So, try to solve it as I said.
> 
> I created a user ser and a group ser.
> I'm starting ser with:
> ser -g ser
> 
> Furthermore I added the apache user to the group 'ser'
> 
> This allows apache to write to the fifo without changing the permissions
> of the fifo.
> 
> This works fine for me with ser 0.8.12 stable. Recently there were some
> changes to the fifo and user/group switching in unstable ser. So, I
> don't know if this also works with unstable ser.
> 
> regards
> klaus
> 
> John LI wrote:
> > Hi Klaus,
> > 
> > That is great!
> > 
> > I have changed the /tmp/ser_fifo's mode to a+w, and the warning
> > disappeared. and seemed everything working fine.
> > 
> > Thanks so much for your help
> > 
> > John
> > 
> > ----- Original Message -----
> > From: "Klaus Darilion" <klaus.mailinglists at pernau.at>
> > To: "John LI" <john at signalphone.com>
> > Cc: "John LI" <john at signalc.com>; "Serusers" <serusers at lists.iptel.org>;
> > "Jiri Kuthan" <jiri at iptel.org>
> > Sent: Tuesday, April 27, 2004 11:30 AM
> > Subject: Re: serweb issu
> > 
> > 
> > 
> >>you can change the problem by giving rw access to /tmp/ser_fifo for
> >>everybody. But this of course is a security risk if there are other
> >>users which have access to the server.
> >>
> >>You can overcome this by changing the userid and groupid of ser after
> >>startup /usr/local/sbin/ser -h
> >>should give you the hints how to set user and group id.
> >>
> >>Then put apache and the ser user into the same group, then apache can
> >>write to the fifo.
> >>
> >>klaus
> >>
> >>John LI wrote:
> >>
> >>
> >>>Hi Jiri and Klaus,
> >>>
> >>>I installed the serweb, and when log in to user account, get the
> >>>warning:
> >>>
> >>>Warning: fopen(/tmp/ser_fifo): failed to open stream: Permission denied in
> >>>/var/www/html/serweb_2004-01-04/html/functions.php on line 206
> >>>
> >>>
> >>>I am running ser using the root, and I wonder how can I resolve this
> >>>problem?
> >>>what ownership should I assign to the /tmp/ser_fifo?
> >>>
> >>>Thanks
> >>>
> >>>John
> >>>
> >>>
> >>>----- Original Message -----
> >>>From: "Jiri Kuthan" <jiri at iptel.org>
> >>>To: "Klaus Darilion" <klaus.mailinglists at pernau.at>; "John LI"
> >>><john at signalc.com>; "Serusers" <serusers at lists.iptel.org>
> >>>Sent: Saturday, March 27, 2004 5:46 PM
> >>>Subject: Re: [Serusers] The problem when enable the MySql
> >>>
> >>>
> >>>
> >>>
> >>>>At 01:29 AM 3/28/2004, Klaus Darilion wrote:
> >>>>
> >>>>>What do you mean by "tools"? For symmetric NATs, the proxy that sends
> >>>>>the request to the UA must have the same IP address as the proxy that
> >>>>>received the REGISTER request - so I thought of using IP takeover
> >>>>>(heartbeat) is the only way (except UAs which can register at multiple
> >>>>>proxies). Is there any other way to solve this problem?
> >>>>
> >>>>no, you need to take-over IP. There are different tools to achieve so,
> >>>>heartbeat one of them, VRRP another one and potentially some more.
> >>>>
> >>>>-jiri
> >>>>
> >>>>
> >>>
> >>>
> >>>
> > 
> > 
> 