Re: [Dnsmasq-discuss] tftp 'Permission denied' issue...

2010-05-17 Thread Steve Elliott
Niels,

Thanks for your input on this issue...

1) Your test confirms that nobody cannot access the file from outside the
CWD...
[Steve@regret tmp]$ sudo -u nobody cp /home/Steve/Shared/workspace/xxx/xxx/bootrom.pxe.0 .
cp: cannot stat `/home/Steve/Shared/workspace/xxx/xxx/bootrom.pxe.0': Permission denied

2) I do have Selinux installed but I have turned off enforcing
[Steve@regret tmp]$ cat /selinux/enforce 
0

3) For the moment I launch dnsmasq with --user Steve and achieve my pxe
download.

But I still think I am missing something about the general case - 
Can dnsmasq-tftp serve an arbitrary file?
How can I set up dnsmasq to serve files owned by different users?

I need to think a little deeper about my directory structure for these
downloads.

Thanks again for your input

Steve




Re: [Dnsmasq-discuss] tftp 'Permission denied' issue...

2010-05-17 Thread clemens fischer
Steve Elliott wrote:

 But I still think I am missing something about the general case -
 Can dnsmasq-tftp serve an arbitrary file?

Plain files for sure, yes.

 How can I set up dnsmasq to serve files owned by different users?

Either put the files into a group shared by both dnsmasq and these users
or make the files world readable and all directories above world
executable.


clemens




Re: [Dnsmasq-discuss] tftp 'Permission denied' issue...

2010-05-16 Thread clemens fischer
Helmut Hullen wrote:

 Can anyone suggest why I get 'Permission denied' for this access?
 
 May 14 16:01:27 regret dnsmasq-tftp[13285]: cannot access
 /home/Steve/Shared/workspace/xxx/xxx/bootrom.pxe.0: Permission denied
 May 14 16:01:27 regret dnsmasq-tftp[13285]: cannot access
 /home/Steve/Shared/workspace/xxx/xxx/bootrom.pxe.0: Permission denied
 
 ftp_root=/home/Steve/Shared/workspace
 
 /home/Steve/Shared/workspace/xxx/xxx/
 -rwxrwxr-x. 1 Steve Steve 482040 2010-05-13 17:32 bootrom.pxe.0
 
 Are you allowed to put this directory to /tftpboot with the directory  
 rights 755?
 
 Or to /home/Steve/PXE with 755 for /home/Steve and /home/Steve/ 
 PXE?

I'd be inclined to follow Helmut's argument.  _All_ directories from the
root '/' down to '/home/Steve/Shared/workspace/xxx/xxx/' with _all
intermediate directories_ need that 'x' bit for the user or group
dnsmasq is running as.  The 'x' bit on directories specifies search
permissions needed to find any file.  Then dnsmasq obviously needs to be
able to 'r' read that file.


clemens




Re: [Dnsmasq-discuss] tftp 'Permission denied' issue...

2010-05-16 Thread Steve Elliott
Simon,

Thanks again. - I'm showing my Linux user ignorance!!

My user nobody cannot login or accept an su but

sudo -u nobody cp bootrom.pxe.o /tmp/

Works OK and leaves the expected entry

-rwxr-xr-x. 1 nobody nobody 482040 2010-05-16 11:41 /tmp/bootrom.pxe.0


So user nobody CAN read the file - dnsmasq is running as nobody

ps uax | grep dnsmasq
nobody    3661  0.0  0.0  14828   628 ?        S    11:31   0:00 /usr/sbin/dnsmasq -s norese.com.au
Steve     4057  0.0  0.0 102744   820 pts/0    S+   11:53   0:00 grep dnsmasq

But dnsmasq-tftp still fails to read the file.

I'm puzzled.

Steve





Re: [Dnsmasq-discuss] tftp 'Permission denied' issue...

2010-05-16 Thread Niels Basjes
Hi,

I would like you to check this:
   cd /tmp
   sudo -u nobody cp /home/Steve/Shared/workspace/xxx/xxx/bootrom.pxe.o .
This is different in the sense that the working directory is different.

Also I have another possibility to consider: Do you have something
like SELinux or AppArmor enabled??

Niels Basjes

2010/5/16 Steve Elliott stevecgelli...@embeddedoverflow.com.au:
 Simon,

 Thanks again. - I'm showing my Linux user ignorance!!

 My user nobody cannot login or accept an su but

 sudo -u nobody cp bootrom.pxe.o /tmp/

 Works OK and leaves the expected entry

 -rwxr-xr-x. 1 nobody nobody 482040 2010-05-16 11:41 /tmp/bootrom.pxe.0


 So user nobody CAN read the file - dnsmasq is running as nobody

 ps uax | grep dnsmasq
 nobody    3661  0.0  0.0  14828   628 ?        S    11:31   0:00
 /usr/sbin/dnsmasq -s norese.com.au
 Steve     4057  0.0  0.0 102744   820 pts/0    S+   11:53   0:00 grep
 dnsmasq

 But dnsmasq-tftp still fails to read the file.

 I'm puzzled.

 Steve



 ___
 Dnsmasq-discuss mailing list
 Dnsmasq-discuss@lists.thekelleys.org.uk
 http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss




-- 
Kind regards,

Niels Basjes



Re: [Dnsmasq-discuss] tftp 'Permission denied' issue...

2010-05-16 Thread clemens fischer
Steve Elliott wrote:

 sudo -u nobody cp bootrom.pxe.o /tmp/

 Works OK and leaves the expected entry

 -rwxr-xr-x. 1 nobody nobody 482040 2010-05-16 11:41 /tmp/bootrom.pxe.0

 So user nobody CAN read the file - dnsmasq is running as nobody

The command sudo -u nobody cp f1 f2 will run the cp command as user
nobody, but cp _creates_ file f2 subject to the current umask.
Also, directory /tmp/ might be mounted with options forcing certain
permissions!

My theory is that one of the directories your bootrom.pxe.o is buried
in doesn't have execute permissions for user nobody.

For this kind of trouble I have this little bash function:

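  dirperms() {
      # Directory to inspect, as an absolute path (default: current directory).
      local d=${1-$(pwd)}
      local dlist=
      until [[ -z ${d} ]]
      do
          # Replace a symlinked component by its real, absolute target.
          [[ $(stat --printf=%F "${d}") =~ link ]] && {
              d=$(readlink -f "${d}")
          }
          dlist="${dlist} ${d}"
          # Strip the last path component to move one level up.
          d=${d%/*}
      done
      # Long listing of every directory on the path, plus the root.
      ls -Ffl -d ${dlist} /
  }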

It is used with the directory containing some file as an argument and
outputs all the directories up to the root and it should show which one
lacks proper permissions.

The cheap and quick alternative is simply to ls -ld all the directories.
The ones owned by anybody else than user nobody _must_ have the x bit
for world access.


clemens
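
Added example, not part of the original thread: the rule given in the replies (every directory on the path needs the x bit for the user dnsmasq runs as, and the file itself needs r) written as a check that names the first component blocking a given uid/gid. The function names, the optional START argument and the constructed demo tree are assumptions of this example; it reads plain mode bits only.

```sh
#!/bin/sh
# Added example, not from the thread. Assumes `stat -c` (GNU or busybox) and
# plain mode bits only: no ACLs, SELinux or supplementary groups.

# class_bits PATH UID GID: print the rwx digit (0-7) that applies to UID/GID
# (owner bits if UID owns PATH, else group bits if GID matches, else other).
class_bits() (
    st=$(stat -L -c '%a %u %g' "$1") || exit 2
    set -- $st "$2" "$3"          # $1=mode $2=owner $3=group $4=uid $5=gid
    if   [ "$4" = "$2" ]; then s=6
    elif [ "$5" = "$3" ]; then s=3
    else s=0
    fi
    echo $(( (0$1 >> $s) & 7 ))
)

# first_blocker UID GID FILE [START]: walk from START (default /) down to
# FILE. Directories need search (x), FILE needs read (r). Prints the first
# failing component and returns 1, or prints "ok" and returns 0.
first_blocker() (
    uid=$1 gid=$2 file=$3 cur=${4:-/}
    rest=${file#"$cur"}           # components below the start directory
    while :; do
        rest=${rest#/}
        if [ -z "$rest" ]; then need=4 what=read; else need=1 what=search; fi
        bits=$(class_bits "$cur" "$uid" "$gid") || exit 2
        if [ $(( $bits & $need )) -eq 0 ]; then
            echo "no $what permission on $cur"
            exit 1
        fi
        [ -n "$rest" ] || break
        cur=${cur%/}/${rest%%/*}  # descend one component
        case $rest in */*) rest=${rest#*/} ;; *) rest= ;; esac
    done
    echo ok
)

# Constructed tree mirroring the thread: a 0700 "home" above a 0775 file,
# checked for a uid/gid that is neither the owner nor the group.
demo() (
    t=$(mktemp -d) || exit 2
    mkdir -p "$t/home/ws" && : > "$t/home/ws/bootrom.pxe.0" || exit 2
    chmod 755 "$t" "$t/home/ws"; chmod 775 "$t/home/ws/bootrom.pxe.0"
    chmod 700 "$t/home"
    first_blocker $(( $(id -u) + 1 )) $(( $(id -g) + 1 )) \
        "$t/home/ws/bootrom.pxe.0" "$t" || :
    rm -rf "$t"
)
```

On a real system the call would look like first_blocker "$(id -u nobody)" "$(id -g nobody)" followed by the full path of the boot file.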




Re: [Dnsmasq-discuss] tftp 'Permission denied' issue...

2010-05-16 Thread Jan Psota
On 2010-05-16, at 20:32:07,
clemens fischer ino-n...@spotteswoode.dnsalias.org wrote:
 Steve Elliott wrote:
 [...]
 My theory is that one of the directories your bootrom.pxe.o is buried
 in doesn't have execute permissions for user nobody.
 
 For this kind of trouble I have this little bash function:
   dirperms() {
 [...]
 
Why don't you check it with:
su -s /bin/bash - nobody

and trying to read that file then?

--
jasiu



Re: [Dnsmasq-discuss] tftp 'Permission denied' issue...

2010-05-16 Thread clemens fischer
Jan Psota wrote:

 Why don't you check it with:
su -s /bin/bash - nobody
 
 and trying to read that file then?

Or like su -c 'whoami; cat -tv that-file | head' nobody.  That works
even when login is prohibited for user nobody.  But he already showed
the permissions, it must be some directory higher up.


clemens




Re: [Dnsmasq-discuss] tftp 'Permission denied' issue...

2010-05-15 Thread Steve Elliott
Simon,

Thanks for the response.

I do not have --tftp-secure.

But I do launch with 
sudo /etc/rc.d/initd/dnsmasq
So it seems that it will be run by root.
Therefore I need world readable permission on my bootrom.pxe.0.

I thought I had that!
---
/home/Steve/Shared/workspace/xxx/xxx/
-rwxrwxr-x. 1 Steve Steve 482040 2010-05-13 17:32 bootrom.pxe.0
---

This is my config:

(I leave /etc/dnsmasq.conf as delivered and customise
/etc/dnsmasq.d/01dnsmasq.more.conf and /etc/dnsmasq.d/10service.conf)

Left file: /etc/dnsmasq.conf Right file:
/etc/dnsmasq.d/01dnsmasq.more.conf
25a26
 filterwin2k
107a109
 no-hosts
146a149,151
 
 # Defer dhcp to another dhcp-server
 dhcp-range=10.0.0.0,proxy
363a369
 pxe-prompt=Which bootrom shall I load?
390a397
 enable-tftp
393a401
 tftp-root=/home/Steve/Shared/workspace
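Review bot: the tftp-root=/home/Steve/Shared/workspace line in the 393a401 hunk puts the TFTP root inside a user's home directory, so the account dnsmasq runs as needs search (x) permission on /home, /home/Steve and /home/Steve/Shared as well as on the workspace directory. Consider pointing tftp-root at a dedicated directory outside any home directory and giving that account read access there, rather than loosening the permissions on /home/Steve.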
536a545
 log-dhcp

With /etc/dnsmasq.d/10service.conf 

# Loads a file from dnsmasq TFTP server.
#pxe-service=x86PC, Install Linux, pxelinux 
pxe-service=x86PC, , /xxx/xxx/bootrom.pxe


 
 Steve Elliott - Embedded Overflow
 4, Glassop St., Balmain, NSW 2041.
 
 
 --
 --
 




Re: [Dnsmasq-discuss] tftp 'Permission denied' issue...

2010-05-15 Thread Helmut Hullen
Hello, Steve,

You wrote on 15.05.10:

 But I do launch with
 sudo /etc/rc.d/initd/dnsmasq
 So it seems that it will be run by root.
 Therefore I need world readable permission on my bootrom.pxe.0.

 I thought I had that!
 ---
 /home/Steve/Shared/workspace/xxx/xxx/
 -rwxrwxr-x. 1 Steve Steve 482040 2010-05-13 17:32 bootrom.pxe.0
 ---

world may need the x rights (go into the next subdir) in the  
directory tree too.

Best regards!
Helmut



Re: [Dnsmasq-discuss] tftp 'Permission denied' issue...

2010-05-15 Thread Simon Kelley

Steve Elliott wrote:

Simon,

Thanks for the response.

I do not have --tftp-secure.

But I do launch with 
sudo /etc/rc.d/initd/dnsmasq

So it seems that it will be run by root.


No, it will be running as non-privileged user, nobody or dnsmasq 
unless you have user=root somewhere.


Try su nobody and then reading that file.

Cheers,

Simon.



Therefore I need world readable permission on my bootrom.pxe.0.

I thought I had that!
---
/home/Steve/Shared/workspace/xxx/xxx/
-rwxrwxr-x. 1 Steve Steve 482040 2010-05-13 17:32 bootrom.pxe.0
---

This is my config:

(I leave /etc/dnsmasq.conf as delivered and customise
/etc/dnsmasq.d/01dnsmasq.more.conf and /etc/dnsmasq.d/10service.conf)

Left file: /etc/dnsmasq.conf Right file:
/etc/dnsmasq.d/01dnsmasq.more.conf
25a26

filterwin2k

107a109

no-hosts

146a149,151

# Defer dhcp to another dhcp-server
dhcp-range=10.0.0.0,proxy

363a369

pxe-prompt=Which bootrom shall I load?

390a397

enable-tftp

393a401

tftp-root=/home/Steve/Shared/workspace

536a545

log-dhcp


With /etc/dnsmasq.d/10service.conf 


# Loads a file from dnsmasq TFTP server.
#pxe-service=x86PC, Install Linux, pxelinux 
pxe-service=x86PC, , /xxx/xxx/bootrom.pxe




Steve Elliott - Embedded Overflow
4, Glassop St., Balmain, NSW 2041.


--
--









Re: [Dnsmasq-discuss] tftp 'Permission denied' issue...

2010-05-14 Thread Simon Kelley
Steve Elliott wrote:
 Can anyone suggest why I get 'Permission denied' for this access?
 
 May 14 16:01:23 regret dnsmasq-dhcp[13285]: 1811947682 Available DHCP
 subnet: 10.0.0.0/255.255.255.0
 May 14 16:01:23 regret dnsmasq-dhcp[13285]: 1811947682 Vendor class:
 PXEClient:Arch:0:UNDI:002001
 May 14 16:01:23 regret dnsmasq-dhcp[13285]: 1811947682 PXE(eth0)
 00:23:6b:00:20:a2 proxy
 May 14 16:01:23 regret dnsmasq-dhcp[13285]: 1811947682 tags: eth0
 May 14 16:01:23 regret dnsmasq-dhcp[13285]: 1811947682 sent size:  1
 option: 53:message-type  02
 May 14 16:01:23 regret dnsmasq-dhcp[13285]: 1811947682 sent size:  4
 option: 54:server-identifier  10.0.0.150
 May 14 16:01:23 regret dnsmasq-dhcp[13285]: 1811947682 sent size:  9
 option: 60:vendor-class  50:58:45:43:6c:69:65:6e:74
 
 May 14 16:01:23 regret dnsmasq-dhcp[13285]: 1811947682 sent size: 17
 option: 97:client-machine-id  00:00:00:00:00:00:00:00:00:00:00:00:00...
 
 May 14 16:01:23 regret dnsmasq-dhcp[13285]: 1811947682 sent size: 79
 option: 43:vendor-encap  06:01:03:08:0e:80:00:01:0a:00:00:96:80...
 
 May 14 16:01:24 regret dnsmasq-dhcp[13285]: 1811947682 Available DHCP
 subnet: 10.0.0.0/255.255.255.0
 May 14 16:01:24 regret dnsmasq-dhcp[13285]: 1811947682 Vendor class:
 PXEClient:Arch:0:UNDI:002001
 May 14 16:01:26 regret dnsmasq-dhcp[13285]: 1811947682 Available DHCP
 subnet: 10.0.0.0/255.255.255.0
 May 14 16:01:26 regret dnsmasq-dhcp[13285]: 1811947682 Vendor class:
 PXEClient:Arch:0:UNDI:002001
 May 14 16:01:26 regret dnsmasq-dhcp[13285]: 1811947682 PXE(eth0)
 10.0.0.140 00:23:6b:00:20:a2 /xxx/xxx/bootrom.pxe.0
 May 14 16:01:26 regret dnsmasq-dhcp[13285]: 1811947682 tags: eth0
 May 14 16:01:26 regret dnsmasq-dhcp[13285]: 1811947682 bootfile name:
 /xxx/xxx/bootrom.pxe.0
 May 14 16:01:26 regret dnsmasq-dhcp[13285]: 1811947682 next server:
 10.0.0.150
 May 14 16:01:26 regret dnsmasq-dhcp[13285]: 1811947682 sent size:  1
 option: 53:message-type  05
 May 14 16:01:26 regret dnsmasq-dhcp[13285]: 1811947682 sent size:  4
 option: 54:server-identifier  10.0.0.150
 May 14 16:01:26 regret dnsmasq-dhcp[13285]: 1811947682 sent size:  9
 option: 60:vendor-class  50:58:45:43:6c:69:65:6e:74
 
 May 14 16:01:26 regret dnsmasq-dhcp[13285]: 1811947682 sent size: 17
 option: 97:client-machine-id  00:00:00:00:00:00:00:00:00:00:00:00:00...
 
 May 14 16:01:26 regret dnsmasq-dhcp[13285]: 1811947682 sent size: 37
 option: 43:vendor-encap  47:04:80:00:00:00:0a:1c:ff:57:68:69:63...
 
 May 14 16:01:27 regret dnsmasq-tftp[13285]: cannot access
 /home/Steve/Shared/workspace/xxx/xxx/bootrom.pxe.0: Permission denied
 
 May 14 16:01:27 regret dnsmasq-tftp[13285]: cannot access
 /home/Steve/Shared/workspace/xxx/xxx/bootrom.pxe.0: Permission denied
 
 ftp_root=/home/Steve/Shared/workspace
 
 /home/Steve/Shared/workspace/xxx/xxx/
 -rwxrwxr-x. 1 Steve Steve 482040 2010-05-13 17:32 bootrom.pxe.0
 
 


Have you got --tftp-secure set?

--tftp-secure
  Enable TFTP secure mode: without this, any file which is readable
  by the dnsmasq process under normal unix access-control rules
  is available via TFTP. When the --tftp-secure flag is given, only
  files owned by the  user  running  the  dnsmasq  process  are
  accessible.  If dnsmasq is being run as root, different rules
  apply: --tftp-secure has no effect, but only files which have the
  world-readable bit set are accessible. It is not recommended to
  run dnsmasq as  root  with  TFTP  enabled,  and  certainly  not
  without specifying --tftp-root. Doing so can expose any
  world-readable file on the server to any host on the net.

Cheers,

Simon.

 
 Steve Elliott - Embedded Overflow
 4, Glassop St., Balmain, NSW 2041.
 
 
 
 




Re: [Dnsmasq-discuss] tftp 'Permission denied' issue...

2010-05-14 Thread Helmut Hullen
Hello, Steve,

You wrote on 14.05.10:

 Can anyone suggest why I get 'Permission denied' for this access?

 May 14 16:01:27 regret dnsmasq-tftp[13285]: cannot access
 /home/Steve/Shared/workspace/xxx/xxx/bootrom.pxe.0: Permission denied
 May 14 16:01:27 regret dnsmasq-tftp[13285]: cannot access
 /home/Steve/Shared/workspace/xxx/xxx/bootrom.pxe.0: Permission denied

 ftp_root=/home/Steve/Shared/workspace

 /home/Steve/Shared/workspace/xxx/xxx/
 -rwxrwxr-x. 1 Steve Steve 482040 2010-05-13 17:32 bootrom.pxe.0

Are you allowed to put this directory to /tftpboot with the directory  
rights 755?

Or to /home/Steve/PXE with 755 for /home/Steve and /home/Steve/ 
PXE?

Seems to be a PXE problem.

Best regards!
Helmut