Hi all,
I've got a bit of a problem across a number of machines which I'm having some trouble working out.
Basically, the problem is my hobbit user can't display my log files:
    hobbit@host:/var/log$ cat messages
    cat: messages: Permission denied
However, the user has these permissions/groups:
    hobbit@host:/var/log$ id
    uid=110(hobbit) gid=110(hobbit) groups=0(root),4(adm),110(hobbit)
The directories leading to the file have these permissions:
    hobbit@host:/var/log$ ls -ld /
    drwxr-xr-x 24 root root 4096 Nov 19 2009 /
    hobbit@host:/var/log$ ls -ld /var
    drwxr-xr-x 15 root root 4096 Nov 19 2009 /var
    hobbit@host:/var/log$ ls -ld /var/log
    drwxr-xr-x 14 root root 4096 Mar 29 08:46 /var/log
The file has read permissions to the adm group of which we are a member (above):
    hobbit@host:/var/log$ ls -ld /var/log/messages
    -rw-r----- 1 root adm 21353 Mar 29 13:27 /var/log/messages
Finally, here is all the info I can see on the file:
    hobbit@host:/var/log$ stat /var/log/messages
      File: `/var/log/messages'
      Size: 21353  Blocks: 48  IO Block: 1048576 regular file
    Device: eh/14d  Inode: 4202796  Links: 1
    Access: (0640/-rw-r-----)  Uid: ( 0/ root)  Gid: ( 4/ adm)
    Access: 2011-03-28 20:21:00.000000000 +1100
    Modify: 2011-03-29 13:27:00.000000000 +1100
    Change: 2011-03-29 13:27:00.000000000 +1100
I'm running a fairly standard Debian lenny
The root user has no problem reading/writing the file/etc....
Any pointers would be appreciated....
Regards, Adam
Xymon probably isn't running as root and hence the user has no permission to read that file.
Use group permission for the file and add the Xymon user to that group.
Josh Luthman Office: 937-552-2340 Direct: 937-552-2343 1100 Wayne St Suite 1337 Troy, OH 45373
Xymon mailing list Xymon at xymon.com http://lists.xymon.com/mailman/listinfo/xymon
Not sure what Linux you are running, but have you looked at SELinux? This could be causing your access issues.
Check this link out on ways to turn it off to see if it is the culprit.
http://www.crypt.gen.nz/selinux/disable_selinux.html
Alan
Adam,
A shortcut for just checking modes is namei
    namei -m /var/log/messages
    f: /var/log/messages
     drwxr-xr-x /
     drwxr-xr-x var
     drwxr-xr-x log
     -rwxr-x--- messages
My solution to this one is to modify /etc/logrotate.d/syslog and change group permissions on the file in question. A better solution might be to use ACLs, but I tried that once and ran into an issue where '-r' test didn't respect ACLs when checking it could read the log file! That may have been back in the days of BB even... Group permissions haven't caused any issues anyway :)
If your distro uses something other than logrotate to manage file rotation you'll need to work out an appropriate recipe...
    cat /etc/logrotate.d/syslog
    /var/log/messages /var/log/secure /var/log/maillog /var/log/spooler
    /var/log/boot.log /var/log/cron {
        sharedscripts
        postrotate
            /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
            /bin/kill -HUP `cat /var/run/rsyslogd.pid 2> /dev/null` 2> /dev/null || true
            chmod 750 /var/log/messages
            chgrp hobbit /var/log/messages
        endscript
    }
David.
-- David Baldwin - IT Unit Australian Sports Commission www.ausport.gov.au Tel 02 62147830 Fax 02 62141830 PO Box 176 Belconnen ACT 2616 david.baldwin at ausport.gov.au Leverrier Street Bruce ACT 2617
Thanks for your suggestion, but I have other processes that rely on the adm group having access to the log files, and I don't want to make them world readable.
The very short problem is:
- I am a user with a supplemental group (adm)
- I have a file with my supplemental group (adm) which is group readable
- I can't read the file
I understand permissions, groups, etc very well, I understand logrotate and its config files, but I am stumped as to why this isn't working....
Thanks, Adam
Sorry, didn't read all your message closely enough.
Did you restart the hobbit client process after you changed the group membership of the hobbit user?
David.
Yes, this problem has been around for a while, I've rebooted the system a number of times as well....
Regards, Adam
So (user) hobbit is in group adm
ll shows the file is owned by group adm
(user) hobbit can not read the file?
So, to be clear, you su as the user hobbit and change to that directory and cannot read the file?
On 3/29/2011 at 3:49 PM, in message <4D916BD1.2070709 at websitemanagers.com.au>, Adam Goryachev <adam at websitemanagers.com.au> wrote:
On 29/03/2011 4:15 PM, Josh Luthman wrote:
So (user) hobbit is in group adm
ll shows the file is owned by group adm
(user) hobbit can not read the file?
Yep, that's the problem.... (or at least, it has me befuddled)....
Thanks, Adam
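Added example, not part of the thread: a shell check for the question David raises about restarting the client after a group change. It applies the owner/group/other mode test once with the groups from the account database and once with the groups a running process actually holds in /proc/PID/status; the function names and the sample status text are constructed for illustration.

```shell
# Added example, not from the thread. Sample values are constructed,
# modelled on the id/stat output in the first message.
has_gid() {              # has_gid "GID LIST" GID -> 0 if GID is in the list
    for g in $1; do [ "$g" -eq "$2" ] && return 0; done
    return 1
}

# mode_grants_read UID "GIDS" FILE_UID FILE_GID OCTAL_MODE
# Mode-bit check for a non-root user: exactly one class applies
# (owner, else group, else other) and only that class's r bit is tested.
mode_grants_read() {
    if [ "$1" -eq "$3" ]; then
        bits=$(( (0$5 >> 6) & 7 ))
    elif has_gid "$2" "$4"; then
        bits=$(( (0$5 >> 3) & 7 ))
    else
        bits=$(( 0$5 & 7 ))
    fi
    [ $(( bits & 4 )) -ne 0 ]
}

# proc_gids STATUS_TEXT -> fsgid plus supplementary groups of a live
# process, from the Gid: and Groups: lines of /proc/PID/status
proc_gids() {
    printf '%s\n' "$1" | awk '
        $1 == "Gid:"    { printf "%s ", $5 }
        $1 == "Groups:" { for (i = 2; i <= NF; i++) printf "%s ", $i }'
}

# diagnose UID "DB_GIDS" STATUS_TEXT FILE_UID FILE_GID OCTAL_MODE
diagnose() {
    live=$(proc_gids "$3")
    if ! mode_grants_read "$1" "$2" "$4" "$5" "$6"; then
        echo "mode-denies"            # account lacks access on paper
    elif ! mode_grants_read "$1" "$live" "$4" "$5" "$6"; then
        echo "stale-process-groups"   # process predates the group change
    else
        echo "mode-allows"            # denial comes from outside the mode bits
    fi
}

# Constructed status text: a client started before the account joined adm...
STALE_STATUS='Uid: 110 110 110 110
Gid: 110 110 110 110
Groups: 110'
# ...and the same client after a restart.
FRESH_STATUS='Uid: 110 110 110 110
Gid: 110 110 110 110
Groups: 0 4 110'

# On a real host: DB_GIDS from `id -G hobbit`, STATUS_TEXT from
# /proc/PID/status, file values from `stat -c "%u %g %a" FILE`.
diagnose 110 "0 4 110" "$STALE_STATUS" 0 4 640
diagnose 110 "0 4 110" "$FRESH_STATUS" 0 4 640
```

A mode-allows result for the live process means mode bits and group membership are not what is refusing the read, which leaves checks outside them, such as the SELinux policy Alan asks about.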
participants (5)
- adam@websitemanagers.com.au
- Alan.FORD@stanwell.com
- david.baldwin@ausport.gov.au
- josh@imaginenetworksllc.com
- Phil.Crooker@orix.com.au