/etc/group problem

Discussion in 'General' started by wpwood3, Nov 7, 2007.

  1. wpwood3

    wpwood3 New Member

    I have a conflict in my /etc/group file:

    Code:
     
    .
    admispconfig:x:101:admispconfig
    web1:x:10001:admispconfig,mysite1
    web2:x:10002:admispconfig,mysite2
    ossec:x:10003:apache
    web3:x:10003:admispconfig,mysite3
    
    When I installed Ossec it automatically created "ossec:x:10003".
    Later when I created mysite3 in ISPConfig it duplicated "10003".

    I have to leave Ossec at 10003 or it will not work.

    What's the best way to fix this?
     
  2. Theophilus

    Theophilus New Member

    You could change web3 from 10003 to 10004.

    Then fix permissions with:

    Code:
    chgrp -R 10004 /var/www/web3
    Or you could back up the web3 account, delete it, then restore it as a new account.
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    This will be the better solution. If you just change the group number with chgrp, you will get a conflict with the next web created by ISPConfig.
     
  4. wpwood3

    wpwood3 New Member

    Thanks but...

    It looks to me that ISPConfig is using an auto_increment counter in its MySQL database to generate 10001,10002,10003, etc.

    If I can simply change the Next Autoindex to 10005 then the chgrp fix would work. Unfortunately, I don't know what table in the database holds this value.
     
  5. falko

    falko Super Moderator Howtoforge Staff

    It's isp_isp_user.
     
  6. wpwood3

    wpwood3 New Member

    That doesn't make sense to me...
    I don't see a field in the isp_isp_user table that would correspond to the groups (10001,10002,10003,etc).

    I would think it would be isp_isp_web. That is where my 3 websites are and the doc_id has a Next Autoindex of 4. Can't I just change that to 5 in phpMyAdmin?

    Then I can do the chgrp to make web3 10004.
     
    Last edited: Nov 8, 2007
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    The group ID should correspond to the doc_id of the table isp_isp_web (you must add the minimum group id that is set in server settings to the doc_id, the default is 10000).

    The userid corresponds to doc_id in the table isp_isp_user.
     
  8. wpwood3

    wpwood3 New Member

    Thanks Till.
    I think you were posting your response at the same time I was revising my post above!

    I don't think I would need to change anything in isp_isp_user. As far as I can see, the only conflict I have is with the group id.

    Correct?
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes, changing the autoincrement value of the isp_isp_web table should be enough.
     
  10. wpwood3

    wpwood3 New Member

    Fixed!

    To recap, I did these first 2 steps in phpMyAdmin:

    1) Changed doc_id Next Autoindex to 5 in table isp_isp_web

    2) Changed doc_id to 4 in table isp_isp_web for web3

    3) Next I edited /etc/group

    changed
    Code:
    web3:x:10003:admispconfig,mysite3
    to
    Code:
    web3:x:10004:admispconfig,mysite3
    4) Then I did
    Code:
    chgrp -R 10004 /var/www/web3
    5) Finally I did this
    Code:
    chown -h root:root /var/www/web3/Maildir
    I don't know if step 5 was critical but it did make the Maildir symlink group ownership consistent with the way ISPConfig creates the Maildir symlink in my other webs.
     
    Last edited: Nov 11, 2007
  11. wpwood3

    wpwood3 New Member

    Possible bug in ISPConfig?

    I spoke too soon...

    For some reason the above steps did not solve my problem.
    In fact, I believe it somehow led to the deletion of my entire /var/www directory when I tried later to delete mysite3 (/var/www/web3) in ISPConfig.

    I think there is a bug in ISPConfig in the way it assigns group numbers.
    This is the sequence of events and what happened:

    1) I created Mysite1 in ISPConfig (/var/www/web1)
    ISPConfig assigned web1 to GID 10001

    2) I created Mysite2 in ISPConfig (/var/www/web2)
    ISPConfig assigned web2 to GID 10002

    3) I installed ossec (a program) and
    CentOS assigned it to GID 10003

    4) I created Mysite3 in ISPConfig (/var/www/web3)
    ISPConfig assigned web3 to GID 10003

    This won't work! web3 and ossec cannot both be 10003.

    It appears that ISPConfig is not looking at the /etc/group file before it assigns group numbers. It is simply using an auto increment field in the isp_isp_web table of the ISPConfig MySQL database to generate group numbers. If that is true then it's a BIG problem!

    Am I wrong?
     
    Last edited: Nov 11, 2007
  12. till

    till Super Moderator Staff Member ISPConfig Developer

    That's no bug in ISPConfig. The group number range that you set in ISPConfig under management > server > settings is reserved for ISPConfig. So if you create any group manually, the ID must never be in the range that you reserved for ISPConfig. That's a prerequisite for ISPConfig.
     
  13. wpwood3

    wpwood3 New Member

    I do not understand

    I am confused...

    How did ossec get group 10003 if that is within the range reserved for ISPConfig?

    On my test server I installed Ossec and Snort. They were assigned 10003 and 10004. Both of those groups are within the ISPConfig range. :confused:
     
  14. till

    till Super Moderator Staff Member ISPConfig Developer

    The problem is that the rpm or apt package installer has used the next free GID and in your case, these GIDs were in the reserved range of ISPConfig, which starts at GID 10000 and leaves the GIDs < 10000 for other applications.

    If you create a group manually, you will have to set the GID to a free ID < 10000 and make sure that there is no conflict with ISPConfig.

    A better solution for your problem might have been to change the GID of ossec and snort right after you installed it to a GID < 10000 and change the GID of all files installed by snort and ossec to this lower GID too.
     
  15. wpwood3

    wpwood3 New Member

    Ok, so you are saying that whenever I install any software I should inspect the GID that software was assigned in /etc/group to make sure it is not in the 10000 range?

    If it is in that range then I need to edit /etc/group and change the GID for the software and also find every file installed by that software and change the ownership (chown)?

    That sounds like a lot of work and potential source of errors!

    Do I understand correctly?
     
  16. wpwood3

    wpwood3 New Member

    Another way...

    Let me offer an alternative solution for your consideration.
    I have tested this on my test server and verified that it works.

    Facts as I understand them:

    - With the default configuration, ISPConfig sets GID starting at 10001 and increments +1 for each new group added by using an auto increment counter in the isp_isp_web table of the ISPConfig MySQL database. ISPConfig does not verify that a GID is previously assigned before it assigns it.

    - CentOS 5 (and I assume all Linux distributions) looks at /etc/group and assigns the next GID based on the highest existing GID +1.

    My proposed solution:

    1) Create a new dummy GID
    Code:
    groupadd admispconfig2
    2) Edit /etc/group to change admispconfig2 GID to 20000

    3) Run group check to update /etc/gshadow
    Code:
    grpck
    4) Create a new dummy UID and add it to the admispconfig2 group

    Code:
    useradd -s /sbin/nologin admispconfig2 -g admispconfig2
    5) Edit /etc/passwd to change UID to 20000

    6) Run password check

    Code:
    pwck
    What this does

    - It forces CentOS to only create new GID's and UID's above 20000

    - It allows ISPConfig to create GID's and UID's between 10001 and 19999


    Comments?
     
    Last edited: Nov 11, 2007
  17. falko

    falko Super Moderator Howtoforge Staff

    Sounds good. :)
     
  18. till

    till Super Moderator Staff Member ISPConfig Developer

    Sounds like a smart solution. I added this as todo to the bugtracking system.
     
