Permission denied errors after patching 0.8.6b

socal
Posts: 5
Joined: Thu Sep 13, 2007 11:29 am

Permission denied errors after patching 0.8.6b

Post by socal »

All, after patching my 0.8.6b setup per the 0.8.6b Official Patches site, I received many permission denied error messages and was unable to log back in (after refreshing).

System:
Windows XP & SP2 in a "Workgroup" (as in not in a domain)
php: 4.3.8.8
cacti: 0.8.6b
apache: 2.0.50
mysql: 4.0.21
rrdtool: version ?

After replacing all of the patched files with the backups, I am seeing the following on the top header when viewing graphs, also none of the graphs are showing:

Warning: main(C:\apache\Apache2\htdocs\cacti\lib/rrd.php): failed to open stream: Permission denied in C:\apache\Apache2\htdocs\cacti\include\top_graph_header.php on line 31

Warning: main(): Failed opening 'C:\apache\Apache2\htdocs\cacti\lib/rrd.php' for inclusion (include_path='.;c:\php4\pear') in C:\apache\Apache2\htdocs\cacti\include\top_graph_header.php on line 31

I've reviewed BSOD2600's Windows install guide and FAQ, however since I do not have access to the "Security" tabs on file/folder properties (Workgroup related?), I am unsure of any file permission issues.

When viewing Graph Debugging outputs on any item, I see the following error:

RRDTool Says:
Fatal error: Call to undefined function: rrdtool_function_graph() in C:\apache\Apache2\htdocs\cacti\graphs.php on line 845

Polling is still functional, and I see that the rra files are being updated. What next? All assistance is greatly appreciated.
mcutting
Cacti Guru User
Posts: 1884
Joined: Mon Oct 16, 2006 5:57 am
Location: United Kingdom

Post by mcutting »

You won't see security permissions in XP if it's in a workgroup natively. Open My Computer, click tools, options, go to view, and remove the tick from "use simple file sharing".

Choose ok, and then you should see the security tab on your folders. What you are seeing are NTFS permissions related.

Hope this helps..
Cacti Version 0.8.8b
Cacti OS Ubuntu LTS
RRDTool Version RRDTool 1.4.7
Poller Information
Type SPINE 0.8.8b
socal
Posts: 5
Joined: Thu Sep 13, 2007 11:29 am

Post by socal »

Thanks mc. I'm still back to square one. I failed to mention that when viewing the Graph Management web page (http://myserver/cacti/graphs.php), the web page header shows:

Warning: main(./lib/rrd.php): failed to open stream: Permission denied in C:\apache\Apache2\htdocs\cacti\graphs.php on line 35

Warning: main(): Failed opening './lib/rrd.php' for inclusion (include_path='.;c:\php4\pear') in C:\apache\Apache2\htdocs\cacti\graphs.php on line 35

When viewing Data Sources web page (http://myserver/cacti/data_sources.php), the web page header shows:

Warning: main(./lib/rrd.php): failed to open stream: Permission denied in C:\apache\Apache2\htdocs\cacti\data_sources.php on line 33

Warning: main(): Failed opening './lib/rrd.php' for inclusion (include_path='.;c:\php4\pear') in C:\apache\Apache2\htdocs\cacti\data_sources.php on line 33

So, as you can see I'm still kinda stuck. Again, any and all assistance is greatly appreciated!
BSOD2600
Cacti Moderator
Posts: 12171
Joined: Sat May 08, 2004 12:44 pm
Location: USA

Post by BSOD2600 »

1) Upgrade your cacti version to 0.8.6j and its patches!!
2) Read http://forums.cacti.net/viewtopic.php?t=11747
3) Yes, you STILL are having NTFS problems. Reset the security so the IUSR account has read/execute rights on all cacti files. Refer to my installation guide.
socal
Posts: 5
Joined: Thu Sep 13, 2007 11:29 am

Post by socal »

Thanks BSOD2600. Well, that burns a little. I'm unsure as to why reverting to the previous files would not restore my system to its previous state. I'm not looking forward to upgrading a system that was working for ~1.5+ years or. I've given as many permissions that I can find for the "Administrator" account, on which this Cacti server runs on, thanks to mcutting's post on how to view the Security tab!

Without going through the joys of an upgrade, what else is there to look for? FYI: I am not using IIS. I am able to browse through the different pages, however receiving the above posted errors on the Graph, Graph Management & Data Source pages. Regards.
BSOD2600
Cacti Moderator
Posts: 12171
Joined: Sat May 08, 2004 12:44 pm
Location: USA

Post by BSOD2600 »

*sigh*

Fire up Sysinternals FileMon while you're viewing the pages which give you php errors. Turn on highlighting in FileMon for 'denied' and look at all the red lines in the log file where the user account is getting denied -- those files need their NTFS permission set properly.
socal
Posts: 5
Joined: Thu Sep 13, 2007 11:29 am

Found it!

Post by socal »

*sigh* ? No need to belittle the lesser experienced folks!

Regardless, I found what I thought was a gem (Cacti-Security script) on your "Installing Under Windows" site, however that apparently didn't correct the NTFS errors.

After pulling a few remaining hairs that I have left and using Procmon (Filemon is obsolete), I found that XP's "SYSTEM" user was denied access to C:\apache\Apache2\htdocs\cacti\lib\rrd.php. I added "SYSTEM" and applied the correct credentials, and all is well. I have yet to reapply the 0.8.6b patches, possibly next week or so.

Thanks for your assistance. I might take up the upgrade offer....someday, but not now. Regards.
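
The FileMon/Procmon triage used above, as an added example that is not part of the original posts: it reads a Procmon CSV export and lists which account was denied on which Cacti file. The sample rows are constructed, and the export is assumed to include Procmon's optional "User" column.

```powershell
# Constructed sample in Procmon's CSV export layout, with the optional
# "User" column enabled. For a real capture use: Import-Csv .\Logfile.CSV
$sample = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail","User"
"10:02:11.1","Apache.exe","1420","CreateFile","C:\apache\Apache2\htdocs\cacti\graphs.php","SUCCESS","","NT AUTHORITY\SYSTEM"
"10:02:11.2","Apache.exe","1420","CreateFile","C:\apache\Apache2\htdocs\cacti\lib\rrd.php","ACCESS DENIED","","NT AUTHORITY\SYSTEM"
"10:02:11.3","Apache.exe","1420","CreateFile","C:\apache\Apache2\htdocs\cacti\lib\rrd.php","ACCESS DENIED","","NT AUTHORITY\SYSTEM"
"10:02:11.4","Apache.exe","1420","QueryOpen","C:\apache\Apache2\htdocs\cacti\lib\missing.php","NAME NOT FOUND","","NT AUTHORITY\SYSTEM"
"10:02:12.0","explorer.exe","900","CreateFile","C:\System Volume Information","ACCESS DENIED","","WEB01\Administrator"
'@

function Get-DeniedPath {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        # Cacti root taken from the error messages in the thread
        [string]$Root = 'C:\apache\Apache2\htdocs\cacti'
    )
    $Events |
        # Keep only denials under the Cacti tree; other results and paths are noise here
        Where-Object { $_.Result -eq 'ACCESS DENIED' -and $_.Path -like "$Root*" } |
        Group-Object User, Path |
        ForEach-Object {
            [pscustomobject]@{
                User       = $_.Group[0].User
                Path       = $_.Group[0].Path
                Hits       = $_.Count
                Operations = ($_.Group.Operation | Sort-Object -Unique) -join ','
            }
        } |
        Sort-Object Hits -Descending
}

# Each row is one (account, file) pair that needs its NTFS ACL corrected
Get-DeniedPath -Events ($sample | ConvertFrom-Csv) | Format-Table -AutoSize
```

The User column is what separates this case from the earlier attempts in the thread: the denied account is the one the Apache process runs as, not the logged-on Administrator.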
BSOD2600
Cacti Moderator
Posts: 12171
Joined: Sat May 08, 2004 12:44 pm
Location: USA

Post by BSOD2600 »

I still refer users to use FileMon because it's simpler than using Procmon for our purposes. Procmon, out of the gate, spams too much info at the unknowing user.

I glazed over your error path (long day at work) and should've noticed you were running apache. Since the Apache service typically runs under the SYSTEM account (as you've noticed), it will need read/execute NTFS rights on all /cacti/ files and folders. Additionally it'll need Modify rights to the /cacti/log/ and /cacti/rrd/ folders.

You really shouldn't be running apache with the default SYSTEM account though for security reasons. Should create a separate user and have it run under that (which means you would need to reapply NTFS security again). Additionally, you are strongly recommended to upgrade cacti to 0.8.6j, since there have literally been hundreds of bugs fixed and many new features since 0.8.6b. Lastly, there are several critical security flaws in older cacti versions, which are not patched in 0.8.6b. Those exploiting these flaws can take over your server!
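
One way to apply the permission layout described in this post, as an added example that is not from the thread or the Cacti project: read/execute on the whole Cacti tree and Modify only on the writable folders, for a dedicated Apache service account. The account name `svc_apache` is hypothetical and is assumed to exist already and to be set as the Apache service's logon account; run from an elevated prompt.

```powershell
param(
    [string]$CactiRoot = 'C:\apache\Apache2\htdocs\cacti',   # path from the thread's error messages
    [string]$Account   = "$env:COMPUTERNAME\svc_apache"      # hypothetical service account
)

if (-not (Test-Path -LiteralPath $CactiRoot -PathType Container)) {
    throw "Cacti root not found: $CactiRoot"
}

# Read/execute on every file and folder. /T also reaches files whose ACL
# no longer inherits from the parent; /C continues past individual errors.
icacls $CactiRoot /grant "${Account}:(OI)(CI)RX" /T /C | Out-Null

# Modify only where the web server and poller write. The post names log and
# rrd; a stock Cacti tree keeps its RRD files in rra, so both names are tried.
foreach ($dir in 'log', 'rrd', 'rra') {
    $path = Join-Path $CactiRoot $dir
    if (Test-Path -LiteralPath $path -PathType Container) {
        icacls $path /grant "${Account}:(OI)(CI)M" /T /C | Out-Null
    }
}

# Verify: list anything that still has no Allow entry granting the account
# at least ReadAndExecute. Only entries naming the account directly are
# checked; rights granted through group membership are not counted.
$rx = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$missing = Get-ChildItem -LiteralPath $CactiRoot -Recurse -Force | Where-Object {
    $rules = (Get-Acl -LiteralPath $_.FullName).Access
    -not ($rules | Where-Object {
        $_.IdentityReference.Value -eq $Account -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $rx) -eq $rx
    })
}

if ($missing) {
    $missing | Select-Object -ExpandProperty FullName
} else {
    "All items under $CactiRoot grant $Account read/execute."
}
```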
socal
Posts: 5
Joined: Thu Sep 13, 2007 11:29 am

Post by socal »

Thanks for the input & recommendations BSOD2600. I will consider the upgrade for some time in the future, however given the fact that I attempted an upgrade in the past and it failed (most likely due to the same NTFS permission errors!), it might be some time before doing so. Regards.