Admin Access Denied - Cacti 0.8.6c fresh install [fixed]

[neomike]

I just installed 0.8.6c, as I have installed previous versions before, but once I perform my initial admin login and change the password, I get the following message:

"Access Denied: You are not permitted to access this section of Cacti. If you feel that you need access to this particular section, please contact the Cacti administrator."

My software versions:

• lighttpd 1.3.5
  php-fcgi 4.3.10
  mysql 4.0.22
  turck-mmcache 2.4.6

to be sure I did not screw anything up, I went back to the documentation and reinstalled from scratch following the instructions to a tee. Same error.

the installation process goes without errors, including the initial php screens prior to changing the admin password.

Even after not being able to log in, cron executed the poller.php script without issue, and I confirmed the data was collected (using rrdtool).

I have several other php sites running without issue using my configuration (lighttpd and php-fcgi), so I am assuming that is not the problem.

Anyone have any ideas?

Thanks,
Mike

[rony]

Curious...

Try disabling " turck-mmcache 2.4.6 " and see what happens.

[neomike]

changed /etc/php/cgi-php4/php.ini
from
mmcache.enable="1"
to
mmcache.enable="0"

restarted the php fcgi process.


Same error.


Was a good guess though , thanks. I tried deleting the cache directory (before this edit) with no success.

[TheWitness]

Use a tool such as mysql cc to edit the user_auth table and modify the hash value per Ian's instructions in the following article.

TheWitness

Excerpt instead:

Another user just brought this to my attention. There was a piece of backwards compatibility code removed from 0.8.6 for security reasons. This will probably cause logins to break after performing the upgrade. You will have to reset each password manually. To reset the admin password back to 'admin', just run the following SQL:

Code:
update user_auth set password='21232f297a57a5a743894a0e4a801fc3' where username='admin';


-Ian

[neomike]

Code: Select all

# mysql -u (myuser) -p (mydatabase)
Enter password:(mypassword)
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 24971 to server version: 4.0.22

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> update user_auth set password='21232f297a57a5a743894a0e4a801fc3' where username='admin';
Query OK, 1 row affected (0.00 sec)
Rows matched: 1  Changed: 1  Warnings: 0

with firefox went to: http://cacti.mywebsite.com/logout.php
then cleared all my cookies (to be sure)
then went to: http://cacti.mywebsite.com/index.php

Entered Username: admin
Entered Password: admin

Access Denied: You are not permitted to access this section of Cacti. If you feel that you need access to this particular section, please contact the Cacti administrator.

No errors in my php or webserver logs. Blah. hate it where there is no information to debug with.

Its probably good to note that the website *IS* setting a session cookie and my browser is accepting it without issue.

Thanks Again,
Mike

[TheWitness]

This may be a realms issue. If you would like me to look at this, e-mail your database dump to my registered e-mail address. The command is:

mysqldump --user=root --password cacti > cacti.sql

TheWitness

[neomike]

I think I have a lead... what do you guys think?

From includes/auth.php

Code: Select all

        }elseif (!empty($_SESSION["sess_user_id"])) {
                $realm_id = 0;

                if (isset($user_auth_realm_filenames{basename($_SERVER["PHP_SELF"])})) {
                        $realm_id = $user_auth_realm_filenames{basename($_SERVER["PHP_SELF"])};
                }

                if ((!db_fetch_assoc("select
                        user_auth_realm.realm_id
                        from
                        user_auth_realm
                        where user_auth_realm.user_id='" . $_SESSION["sess_user_id"] . "'
                        and user_auth_realm.realm_id='$realm_id'")) || (empty($realm_id))) {

From what I have tested on my machine:

$_SERVER["PHP_SELF"] returns null on my configuration, possibly because of my FCGI configuration? What should it return?

Because of this my $realm_id == 0.

Thus the condition of the last if statement is always true because my realm_id is always zero, which always denies my access.

Is this true?

[neomike]

I made the following change, and now I can get in... meaning my assumption above seems true.

Code: Select all

                if(0) {
                #if ((!db_fetch_assoc("select
                        #user_auth_realm.realm_id
                        #from
                        #user_auth_realm
                        #where user_auth_realm.user_id='" . $_SESSION["sess_user_id"] . "'
                        #and user_auth_realm.realm_id='$realm_id'")) || (empty($realm_id))) {

Of course, I suspect a perminant solution would have to figure out a suitable alternative to PHP_SELF on my configuration.

[neomike]

I'm a total dumbass.

From the lighttpd documentation:
http://www.lighttpd.net/documentation/fastcgi.html

It is important that the php.ini contains:

cgi.fix_pathinfo = 1

Otherwise PHP_SELF won't be set correctly.

with a quick re-install of the database and fixing my code, everythnig works fine.

[rony]

Good to know..

[Brashquido]

I'm was having a similar problem on my test machine which runs Windows XP Pro/IIS 5.1, PHP 4.3.8 in fast cgi mode and Cacti 0.86c. I wasn't been given an error at all, I would just be returned to the login screen.

Turned out to be that when I had tried to install a second instance of php the ini file from the second installation was being loaded instead of my main one. In this secondary ini file I had disabled Turck mm cache as it apparently does not run in command line mode which meant I can't use cactid . Anyway, I set php to use my main ini file again and restarted IIS and all is now good , except for cactid .

[TheWitness]

You should be able to run the non Turk version of php by using an alternate php.ini file. Don't know how you would do this in Unix, but it can be done in Windows. Good luck.

TheWitness

[Brashquido]

Fun thing that actually. I could not run cactid 0.86c with Turck enabled as everytime I did I gout a message about Turck not being able to creat shared memory. Today I upgraded to cactid 0.86d and now I no longer have that problem.

Poller.php runs fine with Turck enabled as long as you specify the alternate ini, such as;

php.exe -c c:\path\to\alternate\php.ini c:\path\to\poller.php

However, once you set Cacti to use cmd.php I once again get the Turck messages about not being able to create shared memory. It seems that the cmd.php method must involke php.exe again somewhere without the additional command line option specifying the alternate php.ini file.

Doesn't worry me now as cactid is working fine, which I'd prefer anyway as it is heaps faster. Does this make any sense to you?

[TheWitness]

Druelling profusely. However, what I'm more interested in is does Turck speed up Cacti's UI? Have you benchmarked?

TheWitness

[Brashquido]

No benchies yet. I'm having trouble with Cacti modifying my data input method input field syntax which I haven't been able to find a solution for. Once I get that sorted though I'll be sure to do some benchies