spine +s and problems with perl scripts
Moderators: Developers, Moderators
spine +s and problems with perl scripts
Hello,
I have a strange problem with spine. All perl scripts (including predefined ones like loadavg.pl, linux_memory.pl, unix_processes.pl, unix_users.pl) are not executed when I chmod +s spine (I need ICMP ping)
I found in this forum very similar problem http://forums.cacti.net/about36935.html, unfortunately without a solution for me.
I changed the path to perl to a full one - /usr/bin/perl and Rebuild Poller Cache with no result. I have installed package perl-suid, still no result.
When I remove +s flag on spine binary – perl scripts are executed correctly.
My crontab running poller.php is:
*/5 * * * * www-data php /srv/www/cacti/poller.php >/dev/null 2>&1
Here is some output of cacti.log
With +s flag:
01/24/2011 07:45:12 PM - SPINE: Poller[0] Host[7] DEBUG: ICMP Host Alive, Try Count:1, Time:0.5739 ms
01/24/2011 07:45:12 PM - SPINE: Poller[0] Host[7] PING Result: ICMP: Host is Alive
01/24/2011 07:45:12 PM - SPINE: Poller[0] Host[7] SNMP Result: Host responded to SNMP
01/24/2011 07:45:12 PM - SPINE: Poller[0] Host[7] TH[1] RECACHE: Processing 1 items in the auto reindex cache for '192.168.13.45'
01/24/2011 07:45:12 PM - SPINE: Poller[0] Host[7] TH[1] NOTE: There are '13' Polling Items for this Host
01/24/2011 07:45:12 PM - SPINE: Poller[0] Host[7] DEBUG: The NIFTY POPEN returned the following File Descriptor 8
01/24/2011 07:45:12 PM - SPINE: Poller[0] Host[7] ERROR: Empty result [192.168.13.45]: '/usr/bin/perl /srv/www/cacti/scripts/fw-cps.pl gprs-data 192.168.13.45'
01/24/2011 07:45:12 PM - SPINE: Poller[0] Host[7] TH[1] DS[133] SCRIPT: /usr/bin/perl /srv/www/cacti/scripts/fw-cps.pl gprs-data 192.168.13.45, output: 0
Without +s flag running as user – www-data
01/25/2011 09:15:12 AM - SPINE: Poller[0] Host[7] SNMP Result: Host responded to SNMP
01/25/2011 09:15:12 AM - SPINE: Poller[0] Host[7] TH[1] RECACHE: Processing 1 items in the auto reindex cache for '192.168.13.45'
01/25/2011 09:15:12 AM - SPINE: Poller[0] Host[7] TH[1] NOTE: There are '13' Polling Items for this Host
01/25/2011 09:15:12 AM - SPINE: Poller[0] Host[7] TH[1] DS[127] SNMP: v2: 192.168.13.45, dsname: traffic_out, oid: .1.3.6.1.2.1.31.1.1.1.10.1, value: 78390495
01/25/2011 09:15:12 AM - SPINE: Poller[0] Host[7] TH[1] DS[127] SNMP: v2: 192.168.13.45, dsname: traffic_in, oid: .1.3.6.1.2.1.31.1.1.1.6.1, value: 80394672
01/25/2011 09:15:12 AM - SPINE: Poller[0] Host[7] TH[1] DS[128] SNMP: v2: 192.168.13.45, dsname: traffic_out, oid: .1.3.6.1.2.1.31.1.1.1.10.2, value: 0
01/25/2011 09:15:12 AM - SPINE: Poller[0] Host[7] TH[1] DS[128] SNMP: v2: 192.168.13.45, dsname: traffic_in, oid: .1.3.6.1.2.1.31.1.1.1.6.2, value: 0
01/25/2011 09:15:12 AM - SPINE: Poller[0] Host[7] TH[1] DS[129] SNMP: v2: 192.168.13.45, dsname: traffic_out, oid: .1.3.6.1.2.1.31.1.1.1.10.3, value: 13017913749922
01/25/2011 09:15:12 AM - SPINE: Poller[0] Host[7] TH[1] DS[129] SNMP: v2: 192.168.13.45, dsname: traffic_in, oid: .1.3.6.1.2.1.31.1.1.1.6.3, value: 1660701017622
01/25/2011 09:15:12 AM - SPINE: Poller[0] Host[7] TH[1] DS[130] SNMP: v2: 192.168.13.45, dsname: traffic_out, oid: .1.3.6.1.2.1.31.1.1.1.10.4, value: 109408992
01/25/2011 09:15:12 AM - SPINE: Poller[0] Host[7] TH[1] DS[130] SNMP: v2: 192.168.13.45, dsname: traffic_in, oid: .1.3.6.1.2.1.31.1.1.1.6.4, value: 151310084
01/25/2011 09:15:12 AM - SPINE: Poller[0] Host[7] TH[1] DS[131] SNMP: v2: 192.168.13.45, dsname: traffic_out, oid: .1.3.6.1.2.1.31.1.1.1.10.5, value: 4514209081
01/25/2011 09:15:12 AM - SPINE: Poller[0] Host[7] TH[1] DS[131] SNMP: v2: 192.168.13.45, dsname: traffic_in, oid: .1.3.6.1.2.1.31.1.1.1.6.5, value: 5128654798
01/25/2011 09:15:12 AM - SPINE: Poller[0] Host[7] DEBUG: The NIFTY POPEN returned the following File Descriptor 8
01/25/2011 09:15:12 AM - SPINE: Poller[0] Host[7] TH[1] DS[133] SCRIPT: /usr/bin/perl /srv/www/cacti/scripts/fw-cps.pl gprs-data 192.168.13.45, output: Xlates:465 AllConns:1345 TCPConns:529 UDPConns:653
01/25/2011 09:15:12 AM - SPINE: Poller[0] Host[7] TH[1] DS[132] SNMP: v2: 192.168.13.45, dsname: traffic_out, oid: .1.3.6.1.2.1.31.1.1.1.10.6, value: 1657731880745
01/25/2011 09:15:12 AM - SPINE: Poller[0] Host[7] TH[1] DS[132] SNMP: v2: 192.168.13.45, dsname: traffic_in, oid: .1.3.6.1.2.1.31.1.1.1.6.6, value: 13068614876145
01/25/2011 09:15:12 AM - SPINE: Poller[0] Host[7] TH[1] DEBUG: HOST COMPLETE: About to Exit Host Polling Thread Function
I’m using OS – debian lenny 5.0.7, 64bit.
My cacti version is cacti-0.8.7g, spine is cacti-spine-0.8.7g patched with http://www.cacti.net/downloads/spine/pa ... sues.patch
Thanks in advance,
Plamen
I have a strange problem with spine. All perl scripts (including predefined ones like loadavg.pl, linux_memory.pl, unix_processes.pl, unix_users.pl) are not executed when I chmod +s spine (I need ICMP ping)
I found in this forum very similar problem http://forums.cacti.net/about36935.html, unfortunately without a solution for me.
I changed the path to perl to a full one - /usr/bin/perl and Rebuild Poller Cache with no result. I have installed package perl-suid, still no result.
When I remove +s flag on spine binary – perl scripts are executed correctly.
My crontab running poller.php is:
*/5 * * * * www-data php /srv/www/cacti/poller.php >/dev/null 2>&1
Here is some output of cacti.log
With +s flag:
01/24/2011 07:45:12 PM - SPINE: Poller[0] Host[7] DEBUG: ICMP Host Alive, Try Count:1, Time:0.5739 ms
01/24/2011 07:45:12 PM - SPINE: Poller[0] Host[7] PING Result: ICMP: Host is Alive
01/24/2011 07:45:12 PM - SPINE: Poller[0] Host[7] SNMP Result: Host responded to SNMP
01/24/2011 07:45:12 PM - SPINE: Poller[0] Host[7] TH[1] RECACHE: Processing 1 items in the auto reindex cache for '192.168.13.45'
01/24/2011 07:45:12 PM - SPINE: Poller[0] Host[7] TH[1] NOTE: There are '13' Polling Items for this Host
01/24/2011 07:45:12 PM - SPINE: Poller[0] Host[7] DEBUG: The NIFTY POPEN returned the following File Descriptor 8
01/24/2011 07:45:12 PM - SPINE: Poller[0] Host[7] ERROR: Empty result [192.168.13.45]: '/usr/bin/perl /srv/www/cacti/scripts/fw-cps.pl gprs-data 192.168.13.45'
01/24/2011 07:45:12 PM - SPINE: Poller[0] Host[7] TH[1] DS[133] SCRIPT: /usr/bin/perl /srv/www/cacti/scripts/fw-cps.pl gprs-data 192.168.13.45, output: 0
Without +s flag running as user – www-data
01/25/2011 09:15:12 AM - SPINE: Poller[0] Host[7] SNMP Result: Host responded to SNMP
01/25/2011 09:15:12 AM - SPINE: Poller[0] Host[7] TH[1] RECACHE: Processing 1 items in the auto reindex cache for '192.168.13.45'
01/25/2011 09:15:12 AM - SPINE: Poller[0] Host[7] TH[1] NOTE: There are '13' Polling Items for this Host
01/25/2011 09:15:12 AM - SPINE: Poller[0] Host[7] TH[1] DS[127] SNMP: v2: 192.168.13.45, dsname: traffic_out, oid: .1.3.6.1.2.1.31.1.1.1.10.1, value: 78390495
01/25/2011 09:15:12 AM - SPINE: Poller[0] Host[7] TH[1] DS[127] SNMP: v2: 192.168.13.45, dsname: traffic_in, oid: .1.3.6.1.2.1.31.1.1.1.6.1, value: 80394672
01/25/2011 09:15:12 AM - SPINE: Poller[0] Host[7] TH[1] DS[128] SNMP: v2: 192.168.13.45, dsname: traffic_out, oid: .1.3.6.1.2.1.31.1.1.1.10.2, value: 0
01/25/2011 09:15:12 AM - SPINE: Poller[0] Host[7] TH[1] DS[128] SNMP: v2: 192.168.13.45, dsname: traffic_in, oid: .1.3.6.1.2.1.31.1.1.1.6.2, value: 0
01/25/2011 09:15:12 AM - SPINE: Poller[0] Host[7] TH[1] DS[129] SNMP: v2: 192.168.13.45, dsname: traffic_out, oid: .1.3.6.1.2.1.31.1.1.1.10.3, value: 13017913749922
01/25/2011 09:15:12 AM - SPINE: Poller[0] Host[7] TH[1] DS[129] SNMP: v2: 192.168.13.45, dsname: traffic_in, oid: .1.3.6.1.2.1.31.1.1.1.6.3, value: 1660701017622
01/25/2011 09:15:12 AM - SPINE: Poller[0] Host[7] TH[1] DS[130] SNMP: v2: 192.168.13.45, dsname: traffic_out, oid: .1.3.6.1.2.1.31.1.1.1.10.4, value: 109408992
01/25/2011 09:15:12 AM - SPINE: Poller[0] Host[7] TH[1] DS[130] SNMP: v2: 192.168.13.45, dsname: traffic_in, oid: .1.3.6.1.2.1.31.1.1.1.6.4, value: 151310084
01/25/2011 09:15:12 AM - SPINE: Poller[0] Host[7] TH[1] DS[131] SNMP: v2: 192.168.13.45, dsname: traffic_out, oid: .1.3.6.1.2.1.31.1.1.1.10.5, value: 4514209081
01/25/2011 09:15:12 AM - SPINE: Poller[0] Host[7] TH[1] DS[131] SNMP: v2: 192.168.13.45, dsname: traffic_in, oid: .1.3.6.1.2.1.31.1.1.1.6.5, value: 5128654798
01/25/2011 09:15:12 AM - SPINE: Poller[0] Host[7] DEBUG: The NIFTY POPEN returned the following File Descriptor 8
01/25/2011 09:15:12 AM - SPINE: Poller[0] Host[7] TH[1] DS[133] SCRIPT: /usr/bin/perl /srv/www/cacti/scripts/fw-cps.pl gprs-data 192.168.13.45, output: Xlates:465 AllConns:1345 TCPConns:529 UDPConns:653
01/25/2011 09:15:12 AM - SPINE: Poller[0] Host[7] TH[1] DS[132] SNMP: v2: 192.168.13.45, dsname: traffic_out, oid: .1.3.6.1.2.1.31.1.1.1.10.6, value: 1657731880745
01/25/2011 09:15:12 AM - SPINE: Poller[0] Host[7] TH[1] DS[132] SNMP: v2: 192.168.13.45, dsname: traffic_in, oid: .1.3.6.1.2.1.31.1.1.1.6.6, value: 13068614876145
01/25/2011 09:15:12 AM - SPINE: Poller[0] Host[7] TH[1] DEBUG: HOST COMPLETE: About to Exit Host Polling Thread Function
I’m using OS – debian lenny 5.0.7, 64bit.
My cacti version is cacti-0.8.7g, spine is cacti-spine-0.8.7g patched with http://www.cacti.net/downloads/spine/pa ... sues.patch
Thanks in advance,
Plamen
Re: spine +s and problems with perl scripts
We are having the exact same problem.
The only "solution" we found is changing www-data with "root" as the owner for the cron poller process. We also did setuid in spine to fix icmp pings (and indeed we could fix that) but that broke the perl scripts.
We are running the same cacti version as you, installed the perl-suid package. This is in ubuntu 10.04 64 bits.
Did you ever find a solution to this issue? (I mean, other than changing www-data with "root" in /etc/cron.d/cacti)
Thanks
The only "solution" we found is changing www-data with "root" as the owner for the cron poller process. We also did setuid in spine to fix icmp pings (and indeed we could fix that) but that broke the perl scripts.
We are running the same cacti version as you, installed the perl-suid package. This is in ubuntu 10.04 64 bits.
Did you ever find a solution to this issue? (I mean, other than changing www-data with "root" in /etc/cron.d/cacti)
Thanks
Re: spine +s and problems with perl scripts
In order to record what occurred, replace '/dev/null' with any other file in crontab entry.
ex.)
*/5 * * * * www-data php /srv/www/cacti/poller.php >>/tmp/poller.log 2>&1
ex.)
*/5 * * * * www-data php /srv/www/cacti/poller.php >>/tmp/poller.log 2>&1
Re: spine +s and problems with perl scripts
In cacti's log, when we set "www-data" as owner in the poller line of /etc/cron.d/cacti, ICMP pings continue to work fine (thanks to the setuid on /usr/local/spine/spine, but a few of the scripts in /var/www/cacti/scripts generate errors in the cacti log:noname wrote:In order to record what occurred, replace '/dev/null' with any other file in crontab entry.
ex.)
*/5 * * * * www-data php /srv/www/cacti/poller.php >>/tmp/poller.log 2>&1
Code: Select all
04/14/2011 05:52:05 PM - SPINE: Poller[0] Host[224] ERROR: Empty result [10.10.10.112]: 'perl /var/www/cacti/scripts/unix_users.pl '
04/14/2011 05:52:05 PM - SPINE: Poller[0] Host[224] ERROR: Empty result [10.10.10.112]: 'perl /var/www/cacti/scripts/unix_processes.pl'
04/14/2011 05:52:05 PM - SPINE: Poller[0] Host[223] ERROR: Empty result [10.10.1.212]: 'perl /var/www/cacti/scripts/query_unix_partitions.pl get available /dev/cciss/c0d0p1'
I've tried "su www-data", and then executing the above scripts, and indeed the scripts work just fine.
Code: Select all
www-data@tor-cacti:~/cacti/scripts$ perl unix_users.pl
1
Now in poller.log, the following does show up when running as www-data (and I have no clue why):
Code: Select all
....
Insecure dependency in `` while running setgid at /var/www/cacti/scripts/dnsResponseTimePing.pl line 224.
Insecure $ENV{PATH} while running setgid at /var/www/cacti/scripts/query_unix_partitions.pl line 12.
Insecure $ENV{PATH} while running setgid at /var/www/cacti/scripts/query_unix_partitions.pl line 12.
Insecure $ENV{PATH} while running setgid at /var/www/cacti/scripts/linux_memory.pl line 3.
Insecure $ENV{PATH} while running setuid at /var/www/cacti/scripts/query_unix_partitions.pl line 12.
Insecure $ENV{PATH} while running setgid at /var/www/cacti/scripts/linux_memory.pl line 3.
Insecure $ENV{PATH} while running setuid at /var/www/cacti/scripts/query_unix_partitions.pl line 12.
Insecure dependency in `` while running setgid at /var/www/cacti/scripts/dnsResponseTimePing.pl line 224.
Insecure $ENV{PATH} while running setgid at /var/www/cacti/scripts/unix_users.pl line 8.
Insecure $ENV{PATH} while running setgid at /var/www/cacti/scripts/linux_memory.pl line 3.
Insecure $ENV{PATH} while running setgid at /var/www/cacti/scripts/unix_processes.pl line 3.
Insecure $ENV{PATH} while running setgid at /var/www/cacti/scripts/linux_memory.pl line 3.
Insecure $ENV{PATH} while running setuid at /var/www/cacti/scripts/unix_users.pl line 8.
Insecure $ENV{PATH} while running setgid at /var/www/cacti/scripts/unix_processes.pl line 3.
Insecure $ENV{PATH} while running setgid at /var/www/cacti/scripts/query_unix_partitions.pl line 12.
Insecure $ENV{PATH} while running setgid at /var/www/cacti/scripts/query_unix_partitions.pl line 12.
Insecure $ENV{PATH} while running setgid at /var/www/cacti/scripts/query_unix_partitions.pl line 12.
Insecure $ENV{PATH} while running setgid at /var/www/cacti/scripts/query_unix_partitions.pl line 12.
Insecure $ENV{PATH} while running setgid at /var/www/cacti/scripts/query_unix_partitions.pl line 12.
Insecure $ENV{PATH} while running setgid at /var/www/cacti/scripts/unix_users.pl line 8.
Insecure $ENV{PATH} while running setgid at /var/www/cacti/scripts/query_unix_partitions.pl line 12.
Insecure $ENV{PATH} while running setgid at /var/www/cacti/scripts/unix_processes.pl line 3.
Insecure $ENV{PATH} while running setuid at /var/www/cacti/scripts/query_unix_partitions.pl line 12.
Insecure $ENV{PATH} while running setgid at /var/www/cacti/scripts/query_unix_partitions.pl line 12.
Insecure $ENV{PATH} while running setgid at /var/www/cacti/scripts/query_unix_partitions.pl line 12.
Insecure $ENV{PATH} while running setgid at /var/www/cacti/scripts/query_unix_partitions.pl line 12.
Insecure $ENV{PATH} while running setgid at /var/www/cacti/scripts/query_unix_partitions.pl line 12.
Insecure $ENV{PATH} while running setgid at /var/www/cacti/scripts/query_unix_partitions.pl line 12.
...
Gotta have a permission problem somewhere but this is a tough nut to crack.
Re: spine +s and problems with perl scripts
Code: Select all
....
Insecure dependency in `` while running setgid at /var/www/cacti/scripts/dnsResponseTimePing.pl line 224.
Insecure $ENV{PATH} while running setgid at /var/www/cacti/scripts/query_unix_partitions.pl line 12.
...
http://perldoc.perl.org/perlsec.html#Laundering-and-Detecting-Tainted-Data
e.g. Do you have writable directory in your 'PATH' environment variable?
Re: spine +s and problems with perl scripts
Just the standard ubuntu server PATH, nothing is writable except for root:noname wrote:Though I don't know in detail, here is some description about these errors:Code: Select all
.... Insecure dependency in `` while running setgid at /var/www/cacti/scripts/dnsResponseTimePing.pl line 224. Insecure $ENV{PATH} while running setgid at /var/www/cacti/scripts/query_unix_partitions.pl line 12. ...
http://perldoc.perl.org/perlsec.html#Laundering-and-Detecting-Tainted-Data
e.g. Do you have writable directory in your 'PATH' environment variable?
Code: Select all
echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
Re: spine +s and problems with perl scripts
Then, try 'Cleaning Up Your Path' section of the above documents.
But sorry, I'm not familiar with Linux distributions... (I'm mainly using Solaris)
But sorry, I'm not familiar with Linux distributions... (I'm mainly using Solaris)
Re: spine +s and problems with perl scripts
I realise this is an old post but I had the same problem running the poller as a non-root user with:
chmod +s /usr/local/spine/bin/spine
Running spine debug (/usr/local/spine/bin/spine --verbosity=5 1 1) as the www-data user showed:
Insecure $ENV{PATH} while running setgid at /usr/share/cacti/scripts/linux_memory.pl line 3.
08/13/2012 04:22:57 PM - SPINE: Poller[0] Host[1] ERROR: Empty result [127.0.0.1]: 'perl /usr/share/cacti/scripts/linux_memory.pl MemFree:'
I changed the +s to u+s:
chmod -s /usr/local/spine/bin/spine
chmod u+s /usr/local/spine/bin/spine
Then it all worked.
chmod +s /usr/local/spine/bin/spine
Running spine debug (/usr/local/spine/bin/spine --verbosity=5 1 1) as the www-data user showed:
Insecure $ENV{PATH} while running setgid at /usr/share/cacti/scripts/linux_memory.pl line 3.
08/13/2012 04:22:57 PM - SPINE: Poller[0] Host[1] ERROR: Empty result [127.0.0.1]: 'perl /usr/share/cacti/scripts/linux_memory.pl MemFree:'
I changed the +s to u+s:
chmod -s /usr/local/spine/bin/spine
chmod u+s /usr/local/spine/bin/spine
Then it all worked.
-
- Posts: 1
- Joined: Tue Feb 22, 2011 9:42 am
Re: spine +s and problems with perl scripts
This chmod fixed my problem. Spine itself recommends chmod +s if it's not running as root. I'm not sure if this patch is necessary:
For additional background, here's my poller log:
Code: Select all
--- cacti-spine-0.8.8a/util.c 2012-04-03 21:54:33.000000000 -0400
+++ new/util.c 2013-03-29 10:01:00.000000000 -0400
@@ -1286,7 +1286,7 @@ seteuid(0);
if (geteuid() != 0) {
- SPINE_LOG_DEBUG(("WARNING: Spine NOT running asroot. This is required if using ICMP. Please run \"chmod +s;chown root:root spine\" to resolve."));
+ SPINE_LOG_DEBUG(("WARNING: Spine NOT running asroot. This is required if using ICMP. Please run \"chmod u+s spine;chown root:root spine\" to resolve.")); set.icmp_avail = FALSE;
}else{
SPINE_LOG_DEBUG(("DEBUG: Spine is running asroot."));
Code: Select all
Insecure $ENV{PATH} while running setgid at /var/www/cacti.sixohthree.com/html/scripts/unix_processes.pl line 3.
03/29/2013 09:40:01 AM - SPINE: Poller[0] Host[1] ERROR: Empty result [127.0.0.1]: 'perl /var/www/cacti.sixohthree.com/html/scripts/unix_processes.pl'
03/29/2013 09:40:01 AM - SPINE: Poller[0] Host[1] TH[1] DS[7] SCRIPT: perl /var/www/cacti.sixohthree.com/html/scripts/unix_processes.pl, output: U
Who is online
Users browsing this forum: No registered users and 5 guests