Article delegate-en/3056 of [1-5169] on the server localhost:119

Newsgroups: mail-lists.delegate-en

[DeleGate-En] Re: how to authenticate admins by other means than identd or ftp ?
18 Aug 2005 10:23:17 GMT Armin Wies <p44fqbdyi-aipiirf2gulr.ml@ml.delegate.org>
http://freemail.web.de/



Hi Yutaka,

feedback@delegate.org wrote:
> PAM authentication not for the owner user of DeleGate process

Who is the owner of the DG process? I thought it was "nobody" by default...
I am "root", run DG, do a "ps", and I see that the owner of the DG process is "nobody".

But even if I set a password for "nobody" and let "nobody" be the admin like this ...

user root #  /usr/local/sbin/delegated -P8080 SERVER=http MOUNT="/-/admin/* = AUTHORIZER=-pam" AUTH="admin:*:nobody" -f
<DeleGate/9.0.5-pre1> [18765] -P8080 READY
DGROOT=/var/spool/delegate-nobody
ADMIN=root@localhost
AIST-Product-ID: 2000-ETL-198715-01, H14PRO-049, H15PRO-165
Copyright (c) 1994-2000 Yutaka Sato and ETL,AIST,MITI
Copyright (c) 2001-2005 National Institute of Advanced Industrial Science and Technology (AIST)
-delegated[18765]- WARNING! ADMIN="your_mail_address" should be specified.
-delegated[18765]- INFO: using ADMIN=root@localhost given at compile time.


ERROR: gid=65534 egid=0
ERROR: gid=65534 egid=0

user root # ls -ld /var/spool/delegate-nobody/subin/
drwxr-xr-x  2 root root 144 Aug 16 03:38 /var/spool/delegate-nobody/subin/
user root # ls -l /var/spool/delegate-nobody/subin/
total 248
-r-sr-s---  1 root root 103323 Aug 16 14:32 dgbind
-r-sr-s---  1 root root   8765 Aug 16 14:32 dgchroot
-r-sr-s---  1 root root   8335 Aug 16 14:32 dgcpnod
-r-sr-s---  1 root root 120016 Aug 16 14:32 dgpam

(I installed subin from /usr/local/src/delegate9.0.5-pre1/subin/ with "make install")

... I am not able to log into http://mydgmachine:8080/-/admin/ with nobody:<nobody-password>

To me it looks like "nobody" has a problem executing dgpam...

su to nobody (with a valid shell) and

user nobody $ /var/spool/delegate-nobody/subin/dgpam
-su: /var/spool/delegate-nobody/subin/dgpam: Permission denied


So I did

user root # chmod o+rx /var/spool/delegate-nobody/subin/dgpam
user root # ls -l /var/spool/delegate-nobody/subin/dgpam
-r-sr-sr-x  1 root root 118247 Aug 16 03:36 /var/spool/delegate-nobody/subin/dgpam
user root # su - nobody
user nobody $ /var/spool/delegate-nobody/subin/dgpam
ERROR: gid=65534 egid=0

And this looks very much like the error I got when I tried to authenticate as "nobody"....

Is there a problem with dgpam, at least in my Gentoo setup?

> requires
> to be executed in super user ownership.  So one of followings will
> solve the problem:
> 
>  - run the DeleGate with OWNER=dgadmin

user root # useradd -u 8080 -c "DeleGate Admin" -m dgadmin
user root # passwd dgadmin
New UNIX password:
BAD PASSWORD: it is based on a dictionary word
Retype new UNIX password:
passwd: password updated successfully
user root # /usr/local/sbin/delegated -P8080 SERVER=http MOUNT="/-/admin/* = AUTHORIZER=-pam" AUTH="admin:*:nobody" OWNER=dgadmin -f
<DeleGate/9.0.5-pre1> [18798] -P8080 READY
DGROOT=/var/spool/delegate-nobody
[cut]

user root # cp -prv /var/spool/delegate-nobody/subin /home/dgadmin/delegate/
`/var/spool/delegate-nobody/subin' -> `/home/dgadmin/delegate/subin'
`/var/spool/delegate-nobody/subin/dgcpnod' -> `/home/dgadmin/delegate/subin/dgcpnod'
`/var/spool/delegate-nobody/subin/dgpam' -> `/home/dgadmin/delegate/subin/dgpam'
`/var/spool/delegate-nobody/subin/dgbind' -> `/home/dgadmin/delegate/subin/dgbind'
`/var/spool/delegate-nobody/subin/dgchroot' -> `/home/dgadmin/delegate/subin/dgchroot'

user root # /usr/local/sbin/delegated -P8080 SERVER=http MOUNT="/-/admin/* = AUTHORIZER=-pam" AUTH="admin:*:nobody" OWNER=dgadmin -f
<DeleGate/9.0.5-pre1> [18820] -P8080 READY
DGROOT=/home/dgadmin/delegate
ADMIN=root@localhost
AIST-Product-ID: 2000-ETL-198715-01, H14PRO-049, H15PRO-165
Copyright (c) 1994-2000 Yutaka Sato and ETL,AIST,MITI
Copyright (c) 2001-2005 National Institute of Advanced Industrial Science and Technology (AIST)
-delegated[18820]- WARNING! ADMIN="your_mail_address" should be specified.
-delegated[18820]- INFO: using ADMIN=root@localhost given at compile time.

ERROR: gid=100 egid=0

Again I am not able to authenticate :-(

>  - run the DeleGate with OWNER=YourOwn and use YourOwn instead of "dgadmin"

user root # /usr/local/sbin/delegated -P8080 SERVER=http MOUNT="/-/admin/* = AUTHORIZER=-pam" AUTH="admin:*:myself" OWNER=myself -f
<DeleGate/9.0.5-pre1> [18837] -P8080 READY
DGROOT=/home/myself/delegate
[cut]

user root #  cp -prv /var/spool/delegate-nobody/subin/ /home/bart/delegate/
[cut]

user root # /usr/local/sbin/delegated -P8080 SERVER=http MOUNT="/-/admin/* = AUTHORIZER=-pam" AUTH="admin:*:myself" OWNER=myself -f
<DeleGate/9.0.5-pre1> [18859] -P8080 READY
DGROOT=/home/bart/delegate
ADMIN=root@localhost
AIST-Product-ID: 2000-ETL-198715-01, H14PRO-049, H15PRO-165
Copyright (c) 1994-2000 Yutaka Sato and ETL,AIST,MITI
Copyright (c) 2001-2005 National Institute of Advanced Industrial Science and Technology (AIST)
-delegated[18859]- WARNING! ADMIN="your_mail_address" should be specified.
-delegated[18859]- INFO: using ADMIN=root@localhost given at compile time.

ERROR: gid=100 egid=0
ERROR: gid=100 egid=0

... not able to authenticate.

Now I switched to the user himself:

user myself $ /usr/local/sbin/delegated -P8080 SERVER=http MOUNT="/-/admin/* = AUTHORIZER=-pam" AUTH="admin:*:myself" OWNER=myself -f
<DeleGate/9.0.5-pre1> [18870] -P8080 READY
DGROOT=/home/myself/delegate
ADMIN=root@localhost
AIST-Product-ID: 2000-ETL-198715-01, H14PRO-049, H15PRO-165
Copyright (c) 1994-2000 Yutaka Sato and ETL,AIST,MITI
Copyright (c) 2001-2005 National Institute of Advanced Industrial Science and Technology (AIST)
-delegated[18870]- WARNING! ADMIN="your_mail_address" should be specified.
-delegated[18870]- INFO: using ADMIN=root@localhost given at compile time.


Now I saw no error message, nevertheless I was not able to authenticate :-(


>  - install external dgpam with setuid flag on and owned by root user,
>    doing "make install" in ./subin (recommended)

./subin is available for every user now, see above....

>  - run the DeleGate with OWNER=root (not recommended)

user root # /usr/local/sbin/delegated -P8080 SERVER=http MOUNT="/-/admin/* = AUTHORIZER=-pam" AUTH="admin:*:bart" OWNER=root -f
<DeleGate/9.0.5-pre1> [18893] -P8080 READY
DGROOT=/var/spool/delegate-root
[cut]

root user # cp -prv /var/spool/delegate-nobody/subin/ /var/spool/delegate-root/
[cut]

user root # /usr/local/sbin/delegated -P8080 SERVER=http MOUNT="/-/admin/* = AUTHORIZER=-pam" AUTH="admin:*:myself" OWNER=root -f
<DeleGate/9.0.5-pre1> [18896] -P8080 READY
DGROOT=/var/spool/delegate-root
ADMIN=root@localhost
AIST-Product-ID: 2000-ETL-198715-01, H14PRO-049, H15PRO-165
Copyright (c) 1994-2000 Yutaka Sato and ETL,AIST,MITI
Copyright (c) 2001-2005 National Institute of Advanced Industrial Science and Technology (AIST)



No error message, but also not able to log in ;-(((

I remember that OWNER=root worked for the 9.0.4-version, and was the only way for me to authenticate the admin with PAM.

> I myself never execute DeleGate under root ownership.  With subin/dgpam
> and others installed, DeleGate can do PAM, chroot() and bind() which
> requires privilege as normal user.  For example, PAM authentication works
> with subin/dgpam as follows:
> 
> 08/13 06:03:09.81 [13097] 1+0: [0.00,105582][AUTH cache-EXPIRED: 105613 > 7] /home/me/delegate/adm/authorizer/passwd.-.pam/a90f8549157c6e1c874463fb66133b30-cache
> 08/13 06:03:09.82 [13097] 1+0: ## dgpam = /home/me/delegate/subin/dgpam
> ## pam_authenticate [passwd][root] = 0
> 08/13 06:03:10.04 [13097] 1+0: ## dgpam -a passwd root = HTTP/1.0 200^M
> 08/13 06:03:10.04 [13097] 1+0: ## Auth/PAM = 0 <root:****@-passwd.-.pam>
> 08/13 06:03:10.04 [13097] 1+0: ##[doAUTH] set ClientAuth [root@-pam]

Great, but what was the command line, and did you start it as a "normal user"?

How do I get this going in an RC script?

Best regards,
Armin

-- 
Armin Wies 
p44fqbdyi-aipiirf2gulr.ml@ml.delegate.org
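The permission pattern in this thread (a root-owned, mode `-r-sr-s---` helper that the "nobody" process cannot execute, versus the `o+rx` copy that runs but reports a gid/egid mismatch) is a general setuid-helper question: can the service user execute the file at all, and does executing it actually gain root? The following POSIX sh checker is an added example, not part of the DeleGate distribution or of this thread. It reasons only from the `ls -l` mode string, owner, group and the service user's group list, so it can be run against constructed values; `check_helper` is a hypothetical wrapper that gathers those values for a real path with `ls -ld` and `id -Gn`. The user and group names used in the demo (`nobody`/`nogroup`, `dgadmin`) are assumptions for illustration.

```shell
#!/bin/sh
# Setuid-helper permission checker (added example; hypothetical, not DeleGate code).
# Answers two questions about a helper such as subin/dgpam for a given service user:
#   1. Can the user execute it at all?  (otherwise: "Permission denied")
#   2. If so, is it setuid *root*?      (otherwise it runs without privilege)

# triple_exec TRIPLE -> 0 if an rwx triple grants execute (x, s, S, t)
triple_exec() {
  case "$1" in *x*|*s*|*S*|*t*) return 0 ;; *) return 1 ;; esac
}

# helper_verdict MODE OWNER GROUP USER "GROUP1 GROUP2 ..."
#   MODE is the ls -l mode string, e.g. -r-sr-s---
#   returns 0: setuid root and executable by USER
#           1: USER cannot execute it (EACCES)
#           2: USER can run it, but it is not setuid root
helper_verdict() {
  mode=$1 owner=$2 group=$3 user=$4 user_groups=$5
  u=$(printf '%s' "$mode" | cut -c2-4)
  g=$(printf '%s' "$mode" | cut -c5-7)
  o=$(printf '%s' "$mode" | cut -c8-10)

  # Unix applies exactly one class: owner, else group, else other.
  if [ "$user" = "$owner" ]; then
    cls=owner; triple=$u
  else
    case " $user_groups " in
      *" $group "*) cls=group; triple=$g ;;
      *)            cls=other; triple=$o ;;
    esac
  fi

  if ! triple_exec "$triple"; then
    printf '%s\n' "$mode $owner:$group: $user falls in class '$cls' ($triple), no execute bit -> expect 'Permission denied'"
    return 1
  fi
  case "$u" in *s*|*S*) suid=yes ;; *) suid=no ;; esac
  if [ "$suid" != yes ] || [ "$owner" != root ]; then
    printf '%s\n' "$mode $owner:$group: $user can run it, but it is not setuid root (setuid=$suid, owner=$owner) -> no privilege gained"
    return 2
  fi
  printf '%s\n' "$mode $owner:$group: OK, $user executes it via class '$cls' with effective uid root"
  return 0
}

# check_helper PATH USER: inspect a real file (hypothetical wrapper; needs ls and id)
check_helper() {
  info=$(ls -ld "$1") || return 3
  set -- "$1" "$2" $info            # now $3=mode $5=owner $6=group
  helper_verdict "$3" "$5" "$6" "$2" "$(id -Gn "$2" 2>/dev/null)"
}

if [ $# -eq 2 ]; then
  check_helper "$1" "$2"
else
  # Constructed inputs: the modes seen in the thread, checked for an unprivileged
  # "nobody" (assumed to be only in group "nogroup") and for a dedicated owner
  # account whose group alone is allowed to execute the helper.
  for spec in "-r-sr-s--- root root nobody nogroup" \
              "-r-sr-sr-x root root nobody nogroup" \
              "-r-sr-s--- root dgadmin dgadmin dgadmin" \
              "-rwxr-xr-x root root nobody nogroup"; do
    set -- $spec
    helper_verdict "$1" "$2" "$3" "$4" "$5" || :
  done
fi
```

Run it as `sh check_helper.sh /var/spool/delegate-nobody/subin/dgpam nobody` to test a real install, or with no arguments to see the constructed cases. The third case shows the tighter alternative to `chmod o+rx`: keep the helper root-owned and setuid, but give execute permission only to the group of the account the proxy runs as, so no other local user can invoke the privileged helper.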

