We recently encountered a problem with directory permissions on one of our web servers and so decided to update our Xymon installation (v4.2.3) to monitor it. Unfortunately I think I've found a bug in the code that facilitates this.
In the hobbit-client.cfg file we have a test like this:
FILE /var/somefile mode=755 owner=root groupid=root yellow
The owner test works fine but the group test doesn't, instead it says that the file should be owned by group 'd=root'. Further investigation shows that the owner test also fails in the same way if we use the 'ownerid=root' variation of the owner test. It's almost as if the code is assuming that the first 6 characters of the token is the name and everything else is the value. This works fine with the 'owner=root' variation but fails dismally with the 'ownerid=root' and 'groupid=root' variations. It would be fine if we could use 'group=root' but as that's a reserved word it's not allowed.
Unfortunately my C coding is virtually non-existent, I can get by with reading it but not writing it! Has anyone encountered this before and written a patch for it? Or has it been fixed in the 4.3.0 beta?
Thank you, Ian Marsh
IT Service Operations - Network Services
In <E59BC4D3B3BA7B4790CFD721B5991FD40261F5C7 at EXVSRVB3.it2000.hants.gov.uk> "Marsh, Ian" <ian.marsh at hants.gov.uk> writes:
Hi Ian,
In the hobbit-client.cfg file we have a test like this:
FILE /var/somefile mode=755 owner=root groupid=root yellow
The owner test works fine but the group test doesn't, instead it says that the file should be owned by group 'd=root'. Further investigation shows that the owner test also fails in the same way if we use the 'ownerid=root' variation of the owner test. It's almost as if the code is assuming that the first 6 characters of the token is the name and everything else is the value.
your analysis is spot-on. Classical cut-and-paste error, I'm afraid, and it is also present in the current 4.3.0 code. So I'm glad You spotted it! A diff for 4.2.3 is below. For 4.3.0, I'll commit a change later today - there are some other fixes in the same area of code that I am working on (relating to the Windows client SVC checks). Regards, Henrik Index: hobbitd/client_config.c =================================================================== --- hobbitd/client_config.c (revision 6333) +++ hobbitd/client_config.c (working copy) @@ -827,10 +827,11 @@ } else if ((strncasecmp(tok, "owner=", 6) == 0) || (strncasecmp(tok, "ownerid=", 8) == 0)) { - char *eptr; + char *p, *eptr; int uid; - - uid = strtol(tok+6, &eptr, 10); + + p = strchr(tok, '='); + uid = strtol(p+1, &eptr, 10); if (*eptr == '\0') { /* All numeric */ currule->flags |= FCHK_OWNERID; @@ -843,10 +844,11 @@ } else if (strncasecmp(tok, "groupid=", 8) == 0) { /* Cannot use "group" because that is reserved */ - char *eptr; + char *p, *eptr; int uid; - - uid = strtol(tok+6, &eptr, 10); + + p = strchr(tok, '='); + uid = strtol(p+1, &eptr, 10); if (*eptr == '\0') { /* All numeric */ currule->flags |= FCHK_GROUPID;
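Review bot: in the owner/ownerid branch, the check if (*eptr == '\0') after uid = strtol(p+1, &eptr, 10) also passes when the value is empty. For a token of just "owner=" strtol consumes nothing, returns 0 and leaves eptr on the terminating NUL, so the rule takes the all-numeric path and sets FCHK_OWNERID with uid 0. Suggest requiring eptr != p+1 as well before treating the value as numeric. p cannot be NULL here, since both prefixes matched by strncasecmp contain '='.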
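Review bot: in the groupid branch, the group id is kept in a variable still named uid, and the long returned by strtol(p+1, &eptr, 10) is assigned to an int with no errno or range check, so an over-long number in the config can end up as a different id. Suggest renaming it to gid, setting errno = 0 before the call, and rejecting the token when errno is ERANGE or the result does not fit an int.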
Henrik,
Thanks for such a quick response! I can confirm that the patch works, but only if you test against the numeric uid's and gid's. If you try to test against the names then you get the same result I was seeing before; the MAN page for hobbit-clients.cfg says you can use either but that doesn't appear to be the case.... I'd prefer to use the user and group names if possible, just so that it makes more sense to the less experienced members of the support team!
Thank you, Ian Marsh
IT Service Operations - Network Services
In <E59BC4D3B3BA7B4790CFD721B5991FD40261F5C9 at EXVSRVB3.it2000.hants.gov.uk> "Marsh, Ian" <ian.marsh at hants.gov.uk> writes:
Thanks for such a quick response! I can confirm that the patch works, but only if you test against the numeric uid's and gid's. If you try to test against the names then you get the same result I was seeing before; the MAN page for hobbit-clients.cfg says you can use either but that doesn't appear to be the case.... I'd prefer to use the user and group names if possible, just so that it makes more sense to the less experienced members of the support team!
I should have looked a little further down in the code... if you search the hobbitd/client_config.c file for "ownerid=" you'll see that is where the patch went in. And just a few lines further down is a line with
currule->flags |= FCHK_OWNERSTR;
currule->rule.fcheck.ownerstr = strdup(tok+6);
Change that line to "p+1" instead of "tok+6":
currule->rule.fcheck.ownerstr = strdup(p+1);
and usernames should work. An identical fix some 15 lines or so further down fixes it for the groupnames.
Regards, Henrik
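The fixed-offset bug and the strchr fix discussed in this thread, as an added example that is not Xymon's own code. The names value_fixed_offset, value_after_equals, parse_id_token and struct idvalue are hypothetical, the token is a constructed sample, and the empty-value and range checks go beyond the posted patch.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Hypothetical result type for this example, not Xymon's rule structure. */
enum idkind { ID_INVALID, ID_NUMERIC, ID_NAME };
struct idvalue { enum idkind kind; long id; const char *name; };

/* Pre-patch behaviour: the value is assumed to start 6 bytes into the token. */
const char *value_fixed_offset(const char *tok) { return tok + 6; }

/* Patched behaviour: the value starts after the first '=', whatever the key length. */
const char *value_after_equals(const char *tok)
{
    const char *p = strchr(tok, '=');
    return p ? p + 1 : NULL;
}

struct idvalue parse_id_token(const char *tok)
{
    struct idvalue v = { ID_INVALID, 0, NULL };
    const char *val;
    char *eptr;

    if (strncasecmp(tok, "owner=", 6) != 0 && strncasecmp(tok, "ownerid=", 8) != 0 &&
        strncasecmp(tok, "groupid=", 8) != 0) return v;   /* not an owner/group test */

    val = value_after_equals(tok);
    if (val == NULL || *val == '\0') return v;   /* bare "owner=" must not become id 0 */

    errno = 0;
    long n = strtol(val, &eptr, 10);
    if (*eptr != '\0') {                     /* not all numeric: treat as a name */
        v.kind = ID_NAME; v.name = val;
    } else if (errno != ERANGE && n >= 0 && n <= INT_MAX) {
        v.kind = ID_NUMERIC; v.id = n;       /* numeric id that fits an int */
    }
    return v;
}

int main(void)
{
    const char *tok = "groupid=root";        /* constructed sample token */
    printf("fixed offset: '%s'\n", value_fixed_offset(tok));
    printf("after '=':    '%s'\n", value_after_equals(tok));
    return parse_id_token(tok).kind == ID_NAME ? 0 : 1;
}
```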
Thanks for that, it all works now. :)
Thank you, Ian Marsh
IT Service Operations - Network Services