I have a conflict in my /etc/group file: Code: . admispconfig:x:101:admispconfig web1:x:10001:admispconfig,mysite1 web2:x:10002:admispconfig,mysite2 ossec:x:10003:apache web3:x:10003:admispconfig,mysite3 When I installed Ossec it automatically created "ossec:x:10003". Later when I created mysite3 in ISPConfig it duplicated "10003". I have to leave Ossec at 10003 or it will not work. What's the best way to fix this?
You could change web3 from 10003 to 10004. Then fix permissions with: Code: chgrp -R 10004 /var/www/web3 Or you could backup the web3 account, delete it, then restore it as a new account.
This will be the better solution. If you just change the group number with chgrp, you will get a conflict with the next web created by ISPConfig.
Thanks but... It looks to me that ISPConfig is using an auto_increment counter in it's MySQL database to generate 10001,10002,10003, etc. If I can simply change the Next Autoindex to 10005 then the chgrp fix would work. Unfortunately, I don't know what table in the database holds this value.
That doesn't make sense to me... I don't see a field in the isp_isp_user table that would correspond to the groups (10001,10002,10003,etc). I would think it would be isp_isp_web. That is where my 3 websites are and the doc_id has a Next Autoindex of 4. Can't I just change that to 5 in phpMyAdmin? Then I can do the chgrp to make web3 10004.
The group ID should correspond to the doc_id if the table isp_isp_web (you must add the minimum group id that is set in server settings to the doc_id, the default is 10000). The userid corresponds to doc_id in the table isp_isp_user.
Thanks Till. I think you were posting your response at the same time I was revising my post above! I don't think I would need to change anything in isp_isp_user. As far as I can see, the only conflict I have is with the group id. Correct?
Fixed! To recap, I did these first 2 steps in phpMyAdmin: 1) Changed doc_id Next Autoindex to 5 in table isp_isp_web 2) Changed doc_id to 4 in table isp_isp_web for web3 3) Next I edited /etc/group changed Code: web3:x:10003:admispconfig,mysite3 to Code: web3:x:10004:admispconfig,mysite3 4) Then I did Code: chgrp -R 10004 /var/www/web3 5) Finally I did this Code: chown -h root:root /var/www/web3/Maildir I don't know if step 5 was critical but it did make the Maildir synlink group ownership consistent with the way ISPConfig creates the Maildir symlink in my other webs.
Possible bug in ISPConfig? I spoke too soon... For some reason the above steps did not solve my problem. In fact, I believe it somehow led to the deletion of my entire /var/www directory when I tried later to delete mysite3 (/var/www/web3) in ISPConfig. I think there is a bug in ISPConfig in the way it assigns group numbers. This is the sequence of events and what happened: 1) I created Mysite1 in ISPConfig (/var/www/web1) ISPConfig assigned web1 to GID 10001 2) I created Mysite2 in ISPConfig (/var/www/web2) ISPConfig assigned web2 to GID 10002 3) I installed ossec (a program) and CentOS assigned it to GID 10003 4) I created Mysite3 in ISPConfig (/var/www/web3) ISPConfig assigned web3 to GID 10003 This won't work! web3 and ossec cannot both be 10003. It appears that ISPConfig is not looking at the /etc/group file before it assigns group numbers. It is simply using an auto increment field in the isp_isp_web table of the IPSConfig MySQL database to generate group numbers. If that is true then it's a BIG problem! Am I wrong?
Thats no bug in ISPConfig. The group number range that you set in ISPConfig under management > server > settings is reserved for ISPConfig. So if you create any group manually, the ID does never be in the range that you reserved for ISPConfig. Thats a prerequisite for ISPConfig.
I do not understand I am confused... How did ossec get group 10003 if that is within the range reserved for ISPConfig? On my test server I installed Ossec and Snort. They were assigned 10003 and 10004. Both of those groups are within the ISPConfig range.
The problem is that the rpm or apt package installer has use the next free GID and in your case, these gid's where in the reserved range of ISPConfig. which starts at GID 10000 and leaves the GID's < 10000 for other applications. If you create a group manually, you will have to set the GID to a free ID < 10000 and make sure that thet there is no conflict with ISPConfig. A better solution for your problem might have been to change the GID of ossec and snort right after you installed it to a GID < 10000 and change the GID of all files installed by snort and ossec to this lower GID too.
Ok, so you are saying that whenever I install any software I should inspect the GID that software was assigned in /etc/group to make sure it is not in the 10000 range? If it is in that range then I need to edit /etc/group and change the GID for the software and also find every file installed by that software and change the ownership (chown)? That sounds like a lot of work and potential source of errors! Do I understand correctly?
Another way... Let me offer an alternative solution for your consideration. I have tested this on my test server and verified that it works. Facts as I understand them: - With the default configuration, ISPConfig sets GID starting at 10001 and increments +1 for each new group added by using an auto increment counter in the isp_isp_web table of the ISPConfig MySQL database. ISPConfig does not verify that a GID is previously assigned before it assigns it. - CentOS 5 (and I assume all Linux distributions) looks at /etc/group and assigns the next GID based on the highest existing GID +1. My proposed solution: 1) Create a new dummy GID Code: groupadd admispconfig2 2) Edit /etc/group to change admispconfig2 GID to 20000 3) Run group check to update /etc/gshadow Code: grpck 4) Create a new dummy UID and add it to the admispconfig2 group Code: useradd -s /sbin/nologin admispconfig2 -g admispconfig2 5) Edit /etc/passwd to change UID to 20000 6) Run password check Code: pwck What this does - It forces CentOS to only create new GID's and UID's above 20000 - It allows ISPConfig to create GID's and UID's between 10001 and 19999 Comments?
