opendkim[8143]: initgroups(): Operation not permitted - postfix-mta

I have configured OpenDKIM with Postfix and configured everything as per the documentation referred to on multiple sites. But finally I got the below error.
opendkim[8143]: initgroups(): Operation not permitted
Could anyone help fix this? I googled for the same and haven't found any solution.
Thanks

If you are running it chrooted, check that the user the service is running under is the same as defined in the conf and is added to the relevant groups. Chrooted setups usually define opendkim to be run as the "postfix:postfix" user. You'll have to create folders under /var/spool/postfix/ for opendkim to hold the socket file, and add the postfix user to the opendkim group.
postfix/main.cf:
smtpd_milters = unix:/var/run/opendkim/opendkim.sock unix:/var/run/opendmarc/opendmarc.sock
non_smtpd_milters = ${smtpd_milters}
opendkim.conf:
Socket local:/var/spool/postfix/var/run/opendkim/opendkim.sock
ls:
root@s1:/etc/postfix# ls -la /var/spool/postfix/var/run/
total 16
drwxr-xr-x 4 postfix postfix 4096 Dec 31 09:18 .
drwxr-xr-x 3 postfix postfix 4096 Dec 22 13:39 ..
drwxr-xr-x 2 postfix postfix 4096 Dec 22 14:07 opendkim
drwxr-xr-x 2 postfix postfix 4096 Dec 31 09:28 opendmarc
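The chroot detail in this answer is easy to get wrong: opendkim.conf names the socket by its host path, while the chrooted smtpd names it relative to /var/spool/postfix. The following added check (example code, not from the answer or from either project) parses both snippets and confirms the two paths refer to the same socket; it assumes the default queue directory and the minimal config lines shown above.

```python
"""Added check: does a chrooted Postfix see OpenDKIM's socket at the path main.cf names?"""
import re

# Postfix queue directory; chrooted daemons see it as "/" (assumption: default location)
CHROOT = "/var/spool/postfix"

# Constructed samples mirroring the snippets in the answer above
OPENDKIM_CONF = "Socket local:/var/spool/postfix/var/run/opendkim/opendkim.sock\n"
MAIN_CF = ("smtpd_milters = unix:/var/run/opendkim/opendkim.sock"
           " unix:/var/run/opendmarc/opendmarc.sock\n"
           "non_smtpd_milters = ${smtpd_milters}\n")

def opendkim_socket(conf_text):
    """Absolute host path from a 'Socket local:<path>' directive, or None if absent."""
    for line in conf_text.splitlines():
        m = re.match(r"^\s*Socket\s+local:(\S+)", line)
        if m:
            return m.group(1)
    return None

def postfix_milter_sockets(main_cf_text):
    """unix: socket paths Postfix will open for smtpd_milters, after ${param} expansion."""
    params = {}
    for line in main_cf_text.splitlines():
        m = re.match(r"^\s*(\w+)\s*=\s*(.*)$", line)
        if m:
            params[m.group(1)] = m.group(2).strip()
    value = params.get("smtpd_milters", "")
    value = re.sub(r"\$\{(\w+)\}", lambda mm: params.get(mm.group(1), ""), value)
    return [tok[len("unix:"):] for tok in value.split() if tok.startswith("unix:")]

def chroot_view(host_path, chroot=CHROOT):
    """Path as a chrooted daemon sees it, or None if the host path lies outside the chroot."""
    if host_path.startswith(chroot + "/"):
        return host_path[len(chroot):]
    return None

def socket_paths_agree(conf_text, main_cf_text, chroot=CHROOT):
    """True when OpenDKIM's socket, viewed from inside the chroot, is one of Postfix's milters."""
    sock = opendkim_socket(conf_text)
    inside = chroot_view(sock, chroot) if sock else None
    return inside is not None and inside in postfix_milter_sockets(main_cf_text)

if __name__ == "__main__":
    print("socket paths agree:", socket_paths_agree(OPENDKIM_CONF, MAIN_CF))
```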

How to grant nginx permissions to phpMyAdmin on synology diskstation

I have a Synology Diskstation DS216se running DSM 6.2.3-25426. I've installed MariaDB 10, Web Station, PHP 7.2, and myPhpAdmin, but when I open it at http://diskstation/phpMyAdmin/ I get this error message
"Sorry, the page you are looking for is not found."
I'm using an nginx server in Web Station, and the error log at /var/log/nginx/error.log contains multiple entries like the following
*621 open() "/var/services/web/phpMyAdmin/js/vendor/jquery/jquery.debounce-1.0.5.js" failed (13: Permission denied)
The file, and all other files with permission denied entries in the logs, exist in the /var/services/web/phpMyAdmin/ directory - what permissions need to be granted to the directory for this to succeed?
I hit this as well. I managed to recover, but it effectively amounts to hard clearing any evidence of prior installs of Web Station, PHP 7.2, phpMyAdmin, and any other web related services. Then manually ripping out some bad directories with broken symlinks/permissions.
My hypothesis is that I tried to install adminer prior to this and - having not done any set up for Web Station et al. - it put the filesystem in a bad state.
I am not willing to try installing adminer again to test this hypothesis.
What I did to fix this:
Backup what you need (e.g., any personal web site).
SSH into your diskstation. Please be aware of what you are doing and keep in mind the big picture. Don't go deleting random things.
Uninstall Web Station, PHP 7.2, Apache, phpMyAdmin, etc. Anything that Web Station would ultimately be inclined to read and serve up.
Verify that /var/services/web doesn't contain anything you care about, and delete it (sudo rm -rf /var/services/web).
Verify that /volume1/web doesn't contain anything you care about, and delete everything inside it (sudo rm -rf /var/services/web). You may need to chmod permissions for this - I ended up leaving the web directory itself intact, but nothing inside.
Reboot. Mount any encrypted disks, etc.
Check that /var/services/web now shows it is symlinked to /volume1/web, e.g. sudo readlink -e /var/services/web.
Also check permissions for /volume1/web, e.g. ls -al /volume1. It should be owned by root:root and have permissive (777) bits.
Install Web Station, PHP 7.2, and phpMyAdmin in that order.
After this, I could open phpMyAdmin and be served its login screen.
Debugging notes:
For me, when I SSH in I see in the logs similar issues:
2020/12/17 10:36:35 [error] 32658#32658: *1028 "/var/services/web/phpMyAdmin/index.php" is forbidden (13: Permission denied),
ps says that the nginx workers run as the http user (uid=1023(http) gid=1023(http) groups=1023(http)).
The directory /var/services/web/ appears to be owned by root, both group and user:
# ls -al /var/services/web/
total 424
drwxr-xr-x 3 root root 4096 Dec 17 10:29 .
drwxr-xr-x 3 root root 4096 Dec 17 10:22 ..
-rw-r--r-- 1 root root 27959 Apr 13 2016 adminer.css
-rw-r--r-- 1 root root 82 Apr 13 2016 .htaccess
-rw-r--r-- 1 root root 387223 Apr 13 2016 index.php
drwxr-xr-x 10 root root 4096 Dec 17 10:29 phpMyAdmin
It's not clear to me how Web Station's nginx is intended to work at all given the mismatch - perhaps some set of actions I took prior caused it to decide to install with bad ownership.
I decided to leave everything owned by root, but changed group permissions so that http can access:
# chown -R root:http /var/services/web/
# chmod -R 775 /var/services/web/
This got past the initial error, but revealed a new one:
"/usr/syno/synoman/phpMyAdmin/index.cgi" is not found (2: No such file or directory)
Indeed, there was no trace of phpMyAdmin anywhere in that directory. Evidence of a bad install.
I decided to uninstall anything web related: phpMyAdmin, PHP 7, Apache (happened to be installed), nginx, and Web Station. Once I did, I still had two files in /var/services/web: adminer.css index.php.
I had tried adminer prior to this. In /var/services, there were symlinks to specific volume locations, e.g.:
# ls -al /var/services/
total 12
drwxr-xr-x 3 root root 4096 Dec 17 10:22 .
drwxr-xr-x 17 root root 4096 Dec 17 10:21 ..
lrwxrwxrwx 1 root root 18 Jan 20 2020 download -> /volume1/#download
lrwxrwxrwx+ 1 root root 14 Dec 17 10:22 homes -> /volume1/homes
lrwxrwxrwx 1 root root 24 Jan 20 2020 pgsql -> /volume1/#database/pgsql
lrwxrwxrwx 1 root root 13 Dec 17 10:22 tmp -> /volume1/#tmp
lrwxrwxrwx 1 root root 13 Dec 17 10:22 web
Interestingly, web was not symlinked. I fully deleted /var/services/web.
Looking over at /volume1, I do see a /volume1/web, again fully owned by root but with extremely constrained permission:
d---------+ 1 root root 52 Dec 17 10:14 web
There are only a few things in here, which look related to a blank install of Web Station. I fully deleted everything within /volume1/web, but left it as is. With everything maximally cleaned I rebooted.
Upon boot, /var/services/web was now symlinked to /volume1/web, which now also had useful permission bits (777), and owned by root:root. Maybe this was done by some boot recover process, who knows. (I still have nothing web related installed at this point.)
I installed Web Station, then PHP 7.2, then phpMyAdmin.
I had the same issue when accessing my server via
<name>.local/phpMyAdmin/
It worked when I accessed it via
<local ip>/phpMyAdmin/

how to apply salt states to just one environment

I'm trying to apply a salt state to my non prod environment at /srv/salt/non-prod
I'm getting this result:
[root@salt non-prod]# salt '*' state.apply
salt.localdomain:
----------
ID: states
Function: no.None
Result: False
Comment: No Top file or external nodes data matches found.
Changes:
Summary for salt.localdomain
------------
Succeeded: 0
Failed: 1
I have this location defined in my master config
non-prod:
- /srv/non-prod
- /srv/salt/non-prod/services
- /srv/salt/non-prod/states
I have a top file located here:
[root@salt ~]# cat /srv/salt/non-prod/top.sls
base:
'*':
- apache
- python
- ssh
- users
These are the contents of the non-prod directory
[root@salt ~]# ls -lh /srv/salt/non-prod/
total 16K
drwxr-xr-x. 2 root root 4.0K Oct 3 21:02 apache
drwxr-xr-x. 2 root root 45 Oct 3 20:57 python
drwxr-xr-x. 2 salt salt 6 Oct 3 14:10 services
drwxr-xr-x. 2 root root 54 Oct 3 18:23 ssh
drwxr-xr-x. 2 salt salt 6 Oct 3 14:10 states
-rw-r--r--. 1 root root 80 Oct 3 15:29 state.template
-rw-r--r--. 1 root root 174 Oct 3 15:30 test.sls
-rw-r--r--. 1 root root 61 Oct 3 21:14 top.sls
drwxr-xr-x. 2 root root 22 Oct 3 21:03 users
drwxr-xr-x. 2 salt salt 99 Oct 3 18:28 webserver
It contains a few salt modules.
How can I apply salt states to just the non-prod environment?
If you check the syntax using some YAML validation tools, then we can go to the next step.
Read the SaltStack top file documentation thoroughly; you will notice that to set up a different environment, you first explicitly define the alternate environment name in /etc/salt/master and also specify it under top.sls.
i.e., your file_roots specifies the non-prod environment
file_roots:
#non-prod environment
non-prod:
- /srv/non-prod
- /srv/salt/non-prod/services
- /srv/salt/non-prod/states
Thus your top.sls should use the environment name non-prod, not base
non-prod:
'*':
- apache
- python
- ssh
- users
Since SaltStack always uses the "base" environment by default, you should apply the state explicitly.
salt '*' state.highstate saltenv=non-prod
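The mismatch this answer points out (a top.sls keyed on base while file_roots only defines non-prod) can be caught before running a highstate. The following added check (example code, not from the answer or from SaltStack) reads the two files with a minimal line-based YAML subset and reports any environment the top file targets that the master never defines; it assumes the two-space indentation shown in the thread.

```python
"""Added check: which environments a Salt top.sls targets that file_roots never defines."""
import re

# Constructed samples mirroring the master config and the two top.sls variants in the thread
MASTER_CONF = ("file_roots:\n"
               "  #non-prod environment\n"
               "  non-prod:\n"
               "    - /srv/non-prod\n"
               "    - /srv/salt/non-prod/services\n"
               "    - /srv/salt/non-prod/states\n")
TOP_BASE = "base:\n  '*':\n    - apache\n    - python\n    - ssh\n    - users\n"
TOP_NONPROD = "non-prod:\n  '*':\n    - apache\n    - python\n    - ssh\n    - users\n"

def file_roots_envs(master_text):
    """Environment names declared under file_roots: (YAML subset: two-space indented keys)."""
    envs, in_block = set(), False
    for line in master_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                       # skip blanks and comments
        if re.match(r"^file_roots:\s*$", line):
            in_block = True
            continue
        if in_block:
            m = re.match(r"^  ([\w-]+):\s*$", line)
            if m:
                envs.add(m.group(1))
            elif not line.startswith(" "):
                in_block = False           # next top-level key ends the block
    return envs

def top_file_envs(top_text):
    """Environment names used as top-level keys of a top.sls."""
    matches = (re.match(r"^([\w-]+):\s*$", line) for line in top_text.splitlines())
    return {m.group(1) for m in matches if m}

def undefined_top_envs(master_text, top_text):
    """Environments the top file refers to that file_roots does not define."""
    return top_file_envs(top_text) - file_roots_envs(master_text)

if __name__ == "__main__":
    print("top.sls keyed on base, undefined envs:", undefined_top_envs(MASTER_CONF, TOP_BASE))
    print("top.sls keyed on non-prod, undefined envs:", undefined_top_envs(MASTER_CONF, TOP_NONPROD))
```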

Make Redis unixsocket owned by redis user

I have installed Redis 3.0.6 on Debian. There's a /etc/init.d/redis file which starts the Redis server when the system starts or I can invoke it manually to start/stop the server. Problem is that this script is run as root user.
I have a redis user and group that I want to make Redis run under. But I can't figure out how (I have not found an option to make Redis switch user ID after startup). In my config file I use
unixsocket /home/redis/redis.sock
unixsocketperm 770
But, of course, the redis.sock is owned by root.
drwxr-xr-x 2 redis redis 4096 Jan 18 03:34 bin
drwxr-xr-x 2 redis redis 4096 Jan 18 03:55 data
-rw-r--r-- 1 redis redis 41638 Jan 18 03:52 redis.conf
-rw-r--r-- 1 redis redis 16348 Jan 18 03:55 redis.log
-rw-r--r-- 1 root root 5 Jan 18 03:55 redis.pid
srwxrwx--- 1 root root 0 Jan 18 03:55 redis.sock
And the process is, too.
root 7913 0.1 0.1 38016 1976 ? Ssl 03:55 0:00 /home/redis/bin/redis-server *:6379
Ultimately, I have a git user that is also in the redis group and thus should in the end have access to redis.sock. (This is for a manual deployment of GitLab CE).
How can I configure the Redis server that way?
Update your /etc/init.d to use sudo during start service (line 33):
sudo -u redis $EXEC $CONF
You may need to cleanup old files (in /var/lib) or reset their permission to redis.

phpmyadmin complains about permissions and open_basedir - but they all appear correct

phpmyadmin has been installed and working fine for months, installed via this repo:
deb http://ppa.launchpad.net/tuxpoldo/phpmyadmin/ubuntu utopic main
Suddenly, I couldn't login; no in-page errors but the logs showed:
PHP message: phpmyadmin: Failed to load /etc/phpmyadmin/config-db.php Check group www-data has read access and open_basedir restrictions"
PHP message: phpmyadmin: Failed to load /var/lib/phpmyadmin/config.inc.php Check group www-data has read access and open_basedir restrictions"
So, I checked:
ll /etc/phpmyadmin
drwxrwxr-x 3 www-data www-data 4096 Nov 16 20:11 ./
drwxr-xr-x 132 root root 12288 Nov 17 15:33 ../
-rw-r----- 1 www-data www-data 549 Nov 16 20:11 config-db.php
and
ll /var/lib/phpmyadmin
drwxr-xr-x 4 www-data www-data 4096 Oct 8 15:51 ./
drwxr-xr-x 62 root root 4096 Nov 12 13:10 ../
-rw-r----- 1 www-data www-data 4478 Nov 16 19:48 config.inc.php
I followed this SO answer and changed the user and group permissions to match the example (user:root, group:www-data) and changed the directory permissions to match.
I double, triple checked that no open-basedir restrictions are in effect, and I checked phpinfo()
I tried changing the permissions to be that of the fpm worker pool.
I rebooted.
I did a sudo apt-get install --reinstall phpmyadmin.
The ONLY thing I've done in between is to follow this guide to installing freePBX, and 90% of what it wanted was on my machine anyway; only things like sqlite were installed, and I can't even be sure it was that which stopped it working. Long shot, but perhaps worth mentioning.
Everything else, all other sites etc, are running fine. Before I lose any more hair than I have done in the last 5 hours, I'd really appreciate some ideas. Thanks!
Turns out this is a rather misleading message from phpmyadmin:
Check group www-data has read access and open_basedir restrictions.
But anyone running multiple sites, using php-fpm and concerned at all about security will have separate pools for each site.
The solution, in my particular case was:
chown -R phpma:phpma /var/lib/phpmyadmin
chown -R phpma:phpma /etc/phpmyadmin
chown -R phpma:phpma /usr/share/phpmyadmin
Then sudo dpkg-reconfigure -plow phpmyadmin
Incidentally, it appears that doing a package install on Ubuntu splatters files all over the place, and it goes a little something like this:
/etc/phpmyadmin/config.inc.php
includes the following files in this order, which really won't need touching unless you want to up the login cookie validity.
/var/lib/phpmyadmin/blowfish_secret.inc.php // self explanatory
/var/lib/phpmyadmin/config.inc.php // LoginCookieValidity etc
/etc/phpmyadmin/config-db.php // Leave this one alone
/usr/share/phpmyadmin/config.inc.php // auth, host, connection etc
I hope this helps someone else at any rate.
This is certainly due to the fact that you are using mpm_itk_module.
If so, you have to use this in your Apache settings:
<ifmodule mpm_itk_module>
AssignUserId myuser www-data
</ifmodule>
instead of:
<ifmodule mpm_itk_module>
AssignUserId myuser myuser
</ifmodule>
phpmyadmin needs group www-data, and if you use AssignUserId with another group it fails, of course.
And you can add to your Apache config in "Directory":
php_admin_value open_basedir "/home/yourpath/htmldir:/etc/phpmyadmin:/var/lib/phpmyadmin"
Replace /home/yourpath/htmldir by your own web dir.
I hope this helps.

AIX not able to run applications in specific directory

This might be a simple problem. But I have been stuck with this for weeks now.
We have an AIX server in which we are facing this issue. I am not able to run programs inside a specific directory and its sub directories.
I am getting proper outputs for the commands java and scp2 in the /opt/FileNet directory. But when I am in the /opt/FileNet/RM directory these commands stop working. Outputs are as below.
Java - JVMXM008: Error occured while initialising System ClassException in thread "main" Could not create the Java virtual machine.
SCP2 - Failed to parse installation path.
I have no idea why this is happening. Your thoughts please.
drwxr-xr-x 24 root system 4096 Feb 21 2012 opt
drwxr-xr-x 17 jxadmin wasadmin 4096 Aug 14 08:40 FileNet
drwxrwxr-x 17 jxadmin wasadmin 4096 Aug 14 08:45 RM
drwxrwxr-x 37 jxadmin wasadmin 4096 Feb 13 2012 AE (/opt/FileNet/AE, This directory is working as expected)
Couldn't find any ACLs.
