spine +s and problems with perl scripts

pk-
Posts: 1
Joined: Tue Jan 25, 2011 1:53 am

spine +s and problems with perl scripts

Post by pk- »

Hello,

I have a strange problem with spine. All perl scripts (including predefined ones like loadavg.pl, linux_memory.pl, unix_processes.pl, unix_users.pl) are not executed when I chmod +s spine (I need ICMP ping).
I found a very similar problem in this forum, http://forums.cacti.net/about36935.html, unfortunately without a solution for me.
I changed the path to perl to the full one, /usr/bin/perl, and ran Rebuild Poller Cache, with no result. I have installed the perl-suid package, still no result.
When I remove the +s flag from the spine binary, the perl scripts are executed correctly.
My crontab running poller.php is:
*/5 * * * * www-data php /srv/www/cacti/poller.php >/dev/null 2>&1

Here is some output of cacti.log

With +s flag:
01/24/2011 07:45:12 PM - SPINE: Poller[0] Host[7] DEBUG: ICMP Host Alive, Try Count:1, Time:0.5739 ms
01/24/2011 07:45:12 PM - SPINE: Poller[0] Host[7] PING Result: ICMP: Host is Alive
01/24/2011 07:45:12 PM - SPINE: Poller[0] Host[7] SNMP Result: Host responded to SNMP
01/24/2011 07:45:12 PM - SPINE: Poller[0] Host[7] TH[1] RECACHE: Processing 1 items in the auto reindex cache for '192.168.13.45'
01/24/2011 07:45:12 PM - SPINE: Poller[0] Host[7] TH[1] NOTE: There are '13' Polling Items for this Host
01/24/2011 07:45:12 PM - SPINE: Poller[0] Host[7] DEBUG: The NIFTY POPEN returned the following File Descriptor 8
01/24/2011 07:45:12 PM - SPINE: Poller[0] Host[7] ERROR: Empty result [192.168.13.45]: '/usr/bin/perl /srv/www/cacti/scripts/fw-cps.pl gprs-data 192.168.13.45'
01/24/2011 07:45:12 PM - SPINE: Poller[0] Host[7] TH[1] DS[133] SCRIPT: /usr/bin/perl /srv/www/cacti/scripts/fw-cps.pl gprs-data 192.168.13.45, output: 0

Without +s flag, running as user www-data:
01/25/2011 09:15:12 AM - SPINE: Poller[0] Host[7] SNMP Result: Host responded to SNMP
01/25/2011 09:15:12 AM - SPINE: Poller[0] Host[7] TH[1] RECACHE: Processing 1 items in the auto reindex cache for '192.168.13.45'
01/25/2011 09:15:12 AM - SPINE: Poller[0] Host[7] TH[1] NOTE: There are '13' Polling Items for this Host
01/25/2011 09:15:12 AM - SPINE: Poller[0] Host[7] TH[1] DS[127] SNMP: v2: 192.168.13.45, dsname: traffic_out, oid: .1.3.6.1.2.1.31.1.1.1.10.1, value: 78390495
01/25/2011 09:15:12 AM - SPINE: Poller[0] Host[7] TH[1] DS[127] SNMP: v2: 192.168.13.45, dsname: traffic_in, oid: .1.3.6.1.2.1.31.1.1.1.6.1, value: 80394672
01/25/2011 09:15:12 AM - SPINE: Poller[0] Host[7] TH[1] DS[128] SNMP: v2: 192.168.13.45, dsname: traffic_out, oid: .1.3.6.1.2.1.31.1.1.1.10.2, value: 0
01/25/2011 09:15:12 AM - SPINE: Poller[0] Host[7] TH[1] DS[128] SNMP: v2: 192.168.13.45, dsname: traffic_in, oid: .1.3.6.1.2.1.31.1.1.1.6.2, value: 0
01/25/2011 09:15:12 AM - SPINE: Poller[0] Host[7] TH[1] DS[129] SNMP: v2: 192.168.13.45, dsname: traffic_out, oid: .1.3.6.1.2.1.31.1.1.1.10.3, value: 13017913749922
01/25/2011 09:15:12 AM - SPINE: Poller[0] Host[7] TH[1] DS[129] SNMP: v2: 192.168.13.45, dsname: traffic_in, oid: .1.3.6.1.2.1.31.1.1.1.6.3, value: 1660701017622
01/25/2011 09:15:12 AM - SPINE: Poller[0] Host[7] TH[1] DS[130] SNMP: v2: 192.168.13.45, dsname: traffic_out, oid: .1.3.6.1.2.1.31.1.1.1.10.4, value: 109408992
01/25/2011 09:15:12 AM - SPINE: Poller[0] Host[7] TH[1] DS[130] SNMP: v2: 192.168.13.45, dsname: traffic_in, oid: .1.3.6.1.2.1.31.1.1.1.6.4, value: 151310084
01/25/2011 09:15:12 AM - SPINE: Poller[0] Host[7] TH[1] DS[131] SNMP: v2: 192.168.13.45, dsname: traffic_out, oid: .1.3.6.1.2.1.31.1.1.1.10.5, value: 4514209081
01/25/2011 09:15:12 AM - SPINE: Poller[0] Host[7] TH[1] DS[131] SNMP: v2: 192.168.13.45, dsname: traffic_in, oid: .1.3.6.1.2.1.31.1.1.1.6.5, value: 5128654798
01/25/2011 09:15:12 AM - SPINE: Poller[0] Host[7] DEBUG: The NIFTY POPEN returned the following File Descriptor 8
01/25/2011 09:15:12 AM - SPINE: Poller[0] Host[7] TH[1] DS[133] SCRIPT: /usr/bin/perl /srv/www/cacti/scripts/fw-cps.pl gprs-data 192.168.13.45, output: Xlates:465 AllConns:1345 TCPConns:529 UDPConns:653
01/25/2011 09:15:12 AM - SPINE: Poller[0] Host[7] TH[1] DS[132] SNMP: v2: 192.168.13.45, dsname: traffic_out, oid: .1.3.6.1.2.1.31.1.1.1.10.6, value: 1657731880745
01/25/2011 09:15:12 AM - SPINE: Poller[0] Host[7] TH[1] DS[132] SNMP: v2: 192.168.13.45, dsname: traffic_in, oid: .1.3.6.1.2.1.31.1.1.1.6.6, value: 13068614876145
01/25/2011 09:15:12 AM - SPINE: Poller[0] Host[7] TH[1] DEBUG: HOST COMPLETE: About to Exit Host Polling Thread Function

I’m using OS – debian lenny 5.0.7, 64bit.
My cacti version is cacti-0.8.7g, spine is cacti-spine-0.8.7g patched with http://www.cacti.net/downloads/spine/pa ... sues.patch


Thanks in advance,
Plamen
ari
Posts: 24
Joined: Fri Jan 08, 2010 10:29 am

Re: spine +s and problems with perl scripts

Post by ari »

We are having the exact same problem.

The only "solution" we found is changing www-data with "root" as the owner for the cron poller process. We also did setuid in spine to fix icmp pings (and indeed we could fix that) but that broke the perl scripts.

We are running the same cacti version as you, installed the perl-suid package. This is in ubuntu 10.04 64 bits.

Did you ever find a solution to this issue? (I mean, other than changing www-data with "root" in /etc/cron.d/cacti)

Thanks
noname
Cacti Guru User
Posts: 1566
Joined: Thu Aug 05, 2010 2:04 am
Location: Japan

Re: spine +s and problems with perl scripts

Post by noname »

In order to record what occurred, replace '/dev/null' with any other file in the crontab entry.

ex.)
*/5 * * * * www-data php /srv/www/cacti/poller.php >>/tmp/poller.log 2>&1
ari
Posts: 24
Joined: Fri Jan 08, 2010 10:29 am

Re: spine +s and problems with perl scripts

Post by ari »

noname wrote: In order to record what occurred, replace '/dev/null' with any other file in the crontab entry.

ex.)
*/5 * * * * www-data php /srv/www/cacti/poller.php >>/tmp/poller.log 2>&1

In cacti's log, when we set "www-data" as owner in the poller line of /etc/cron.d/cacti, ICMP pings continue to work fine (thanks to the setuid on /usr/local/spine/spine), but a few of the scripts in /var/www/cacti/scripts generate errors in the cacti log:

Code:

04/14/2011 05:52:05 PM - SPINE: Poller[0] Host[224] ERROR: Empty result [10.10.10.112]: 'perl /var/www/cacti/scripts/unix_users.pl '
04/14/2011 05:52:05 PM - SPINE: Poller[0] Host[224] ERROR: Empty result [10.10.10.112]: 'perl /var/www/cacti/scripts/unix_processes.pl'
04/14/2011 05:52:05 PM - SPINE: Poller[0] Host[223] ERROR: Empty result [10.10.1.212]: 'perl /var/www/cacti/scripts/query_unix_partitions.pl  get available /dev/cciss/c0d0p1'

When we remove the setuid from spine, the ICMP pings fail (as expected) but the scripts above work fine.

I've tried "su www-data", and then executing the above scripts, and indeed the scripts work just fine.

Code:

www-data@tor-cacti:~/cacti/scripts$ perl unix_users.pl 
1

All errors go away when running the poller as root in cron.

Now in poller.log, the following does show up when running as www-data (and I have no clue why):

Code:

....
Insecure dependency in `` while running setgid at /var/www/cacti/scripts/dnsResponseTimePing.pl line 224.
Insecure $ENV{PATH} while running setgid at /var/www/cacti/scripts/query_unix_partitions.pl line 12.
Insecure $ENV{PATH} while running setgid at /var/www/cacti/scripts/query_unix_partitions.pl line 12.
Insecure $ENV{PATH} while running setgid at /var/www/cacti/scripts/linux_memory.pl line 3.
Insecure $ENV{PATH} while running setuid at /var/www/cacti/scripts/query_unix_partitions.pl line 12.
Insecure $ENV{PATH} while running setgid at /var/www/cacti/scripts/linux_memory.pl line 3.
Insecure $ENV{PATH} while running setuid at /var/www/cacti/scripts/query_unix_partitions.pl line 12.
Insecure dependency in `` while running setgid at /var/www/cacti/scripts/dnsResponseTimePing.pl line 224.
Insecure $ENV{PATH} while running setgid at /var/www/cacti/scripts/unix_users.pl line 8.
Insecure $ENV{PATH} while running setgid at /var/www/cacti/scripts/linux_memory.pl line 3.
Insecure $ENV{PATH} while running setgid at /var/www/cacti/scripts/unix_processes.pl line 3.
Insecure $ENV{PATH} while running setgid at /var/www/cacti/scripts/linux_memory.pl line 3.
Insecure $ENV{PATH} while running setuid at /var/www/cacti/scripts/unix_users.pl line 8.
Insecure $ENV{PATH} while running setgid at /var/www/cacti/scripts/unix_processes.pl line 3.
Insecure $ENV{PATH} while running setgid at /var/www/cacti/scripts/query_unix_partitions.pl line 12.
Insecure $ENV{PATH} while running setgid at /var/www/cacti/scripts/query_unix_partitions.pl line 12.
Insecure $ENV{PATH} while running setgid at /var/www/cacti/scripts/query_unix_partitions.pl line 12.
Insecure $ENV{PATH} while running setgid at /var/www/cacti/scripts/query_unix_partitions.pl line 12.
Insecure $ENV{PATH} while running setgid at /var/www/cacti/scripts/query_unix_partitions.pl line 12.
Insecure $ENV{PATH} while running setgid at /var/www/cacti/scripts/unix_users.pl line 8.
Insecure $ENV{PATH} while running setgid at /var/www/cacti/scripts/query_unix_partitions.pl line 12.
Insecure $ENV{PATH} while running setgid at /var/www/cacti/scripts/unix_processes.pl line 3.
Insecure $ENV{PATH} while running setuid at /var/www/cacti/scripts/query_unix_partitions.pl line 12.
Insecure $ENV{PATH} while running setgid at /var/www/cacti/scripts/query_unix_partitions.pl line 12.
Insecure $ENV{PATH} while running setgid at /var/www/cacti/scripts/query_unix_partitions.pl line 12.
Insecure $ENV{PATH} while running setgid at /var/www/cacti/scripts/query_unix_partitions.pl line 12.
Insecure $ENV{PATH} while running setgid at /var/www/cacti/scripts/query_unix_partitions.pl line 12.
Insecure $ENV{PATH} while running setgid at /var/www/cacti/scripts/query_unix_partitions.pl line 12.
...

I tried to do "setuid" in some of the scripts above (chown root:root /var/www/cacti/scripts/unix_process.pl; chmod u+s /var/www/cacti/scripts/unix_process.pl) but that didn't help at all. The 'empty results' errors still show up in cacti's log.

Gotta have a permission problem somewhere but this is a tough nut to crack.
noname
Cacti Guru User
Posts: 1566
Joined: Thu Aug 05, 2010 2:04 am
Location: Japan

Re: spine +s and problems with perl scripts

Post by noname »

Code:

....
Insecure dependency in `` while running setgid at /var/www/cacti/scripts/dnsResponseTimePing.pl line 224.
Insecure $ENV{PATH} while running setgid at /var/www/cacti/scripts/query_unix_partitions.pl line 12.
...

Though I don't know in detail, here is some description about these errors:
http://perldoc.perl.org/perlsec.html#Laundering-and-Detecting-Tainted-Data

e.g. Do you have a writable directory in your 'PATH' environment variable?
ari
Posts: 24
Joined: Fri Jan 08, 2010 10:29 am

Re: spine +s and problems with perl scripts

Post by ari »

noname wrote:

Code:

....
Insecure dependency in `` while running setgid at /var/www/cacti/scripts/dnsResponseTimePing.pl line 224.
Insecure $ENV{PATH} while running setgid at /var/www/cacti/scripts/query_unix_partitions.pl line 12.
...

Though I don't know in detail, here is some description about these errors:
http://perldoc.perl.org/perlsec.html#Laundering-and-Detecting-Tainted-Data

e.g. Do you have a writable directory in your 'PATH' environment variable?

Just the standard ubuntu server PATH, nothing is writable except for root:

Code:

echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
noname
Cacti Guru User
Posts: 1566
Joined: Thu Aug 05, 2010 2:04 am
Location: Japan

Re: spine +s and problems with perl scripts

Post by noname »

Then, try the 'Cleaning Up Your Path' section of the above document.
But sorry, I'm not familiar with Linux distributions... (I'm mainly using Solaris)
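
The perlsec "Cleaning Up Your Path" advice mentioned above, applied to a poller-style script; this is an added example, not part of any post in this thread and not one of Cacti's bundled scripts. The script itself, its `untaint_path` and `available_kb` helpers and the choice of `df` are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example: hypothetical poller-style script, not one of Cacti's own.
# Perl turns taint mode on by itself when real and effective uid or gid
# differ (the "while running setgid" case); `perl -T` forces it for testing.
use strict;
use warnings;

# Taint mode refuses to run any command while PATH is inherited, even when
# the command is given by absolute path: "Insecure $ENV{PATH}". Set it to
# fixed, root-owned directories and drop variables the shell interprets.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Arguments are tainted; passing one to a command unchecked dies with
# "Insecure dependency". A regex capture against an allow-list untaints it.
sub untaint_path {
    my ($raw) = @_;
    return unless defined $raw;
    return $raw =~ m!\A(/[A-Za-z0-9_./-]{0,255})\z! ? $1 : undef;
}

# Free space in KiB for a mount point or device, or undef on failure.
sub available_kb {
    my ($target) = @_;
    # List-form pipe open: df is exec'ed directly, no shell parses $target.
    open(my $df, '-|', 'df', '-kP', '--', $target) or return;
    my @lines = <$df>;
    close $df or return;
    return unless @lines >= 2;
    my @cols = split ' ', $lines[1];   # Filesystem Blocks Used Available ...
    return unless @cols >= 4;
    return $cols[3] =~ /\A(\d+)\z/ ? $1 : undef;
}

my $target = untaint_path(@ARGV ? $ARGV[0] : '/')
    or die "usage: $0 /absolute/path\n";
my $kb = available_kb($target);
print defined $kb ? $kb : 'U', "\n";   # 'U' here marks "no value" (assumption)
```

Running it as `perl -T script.pl /` exercises the same checks that perl applies on its own when started from a setgid or setuid parent.
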
jele4
Posts: 1
Joined: Mon Aug 13, 2012 2:27 am

Re: spine +s and problems with perl scripts

Post by jele4 »

I realise this is an old post but I had the same problem running the poller as a non-root user with:

chmod +s /usr/local/spine/bin/spine

Running spine debug (/usr/local/spine/bin/spine --verbosity=5 1 1) as the www-data user showed:
Insecure $ENV{PATH} while running setgid at /usr/share/cacti/scripts/linux_memory.pl line 3.
08/13/2012 04:22:57 PM - SPINE: Poller[0] Host[1] ERROR: Empty result [127.0.0.1]: 'perl /usr/share/cacti/scripts/linux_memory.pl MemFree:'

I changed the +s to u+s:
chmod -s /usr/local/spine/bin/spine
chmod u+s /usr/local/spine/bin/spine

Then it all worked.
abackstrom
Posts: 1
Joined: Tue Feb 22, 2011 9:42 am

Re: spine +s and problems with perl scripts

Post by abackstrom »

This chmod fixed my problem. Spine itself recommends chmod +s if it's not running as root. I'm not sure if this patch is necessary:

Code:

--- cacti-spine-0.8.8a/util.c   2012-04-03 21:54:33.000000000 -0400
+++ new/util.c  2013-03-29 10:01:00.000000000 -0400
@@ -1286,7 +1286,7 @@                seteuid(0);

                if (geteuid() != 0) {
-                       SPINE_LOG_DEBUG(("WARNING: Spine NOT running asroot.  This is required if using ICMP.  Please run \"chmod +s;chown root:root spine\" to resolve."));
+                       SPINE_LOG_DEBUG(("WARNING: Spine NOT running asroot.  This is required if using ICMP.  Please run \"chmod u+s spine;chown root:root spine\" to resolve."));                        set.icmp_avail = FALSE;
                }else{
                        SPINE_LOG_DEBUG(("DEBUG: Spine is running asroot."));
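
Review bot: In the new message on the + line the commands are given as "chmod u+s spine;chown root:root spine", and on Linux chown clears the setuid bit of an executable, so an admin who follows the message in that order ends up with a root-owned spine that has no setuid bit. Suggest reversing it to "chown root:root spine;chmod u+s spine". As posted, the + line also has `set.icmp_avail = FALSE;` run onto its end and the @@ header has `seteuid(0);` attached, so the patch should be regenerated from the tree before applying. The wording "asroot" in the message and in the following context line is missing a space.
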
For additional background, here's my poller log:

Code:

Insecure $ENV{PATH} while running setgid at /var/www/cacti.sixohthree.com/html/scripts/unix_processes.pl line 3.
03/29/2013 09:40:01 AM - SPINE: Poller[0] Host[1] ERROR: Empty result [127.0.0.1]: 'perl /var/www/cacti.sixohthree.com/html/scripts/unix_processes.pl'
03/29/2013 09:40:01 AM - SPINE: Poller[0] Host[1] TH[1] DS[7] SCRIPT: perl /var/www/cacti.sixohthree.com/html/scripts/unix_processes.pl, output: U