Monday, June 20, 2022

Recent Questions - Server Fault

Is it possible to only generate mail notifications for some reject/defer codes in Postfix?

Posted: 20 Jun 2022 12:09 PM PDT

I run an SMTP server for important email. I'm relatively confident with my configuration at this point, but I still want to minimize any accidental mail loss; in case of any errors, all of my rejection replies are actually deferrals (unless otherwise specified) and I get a copy of the session (via notify_classes including policy) to manually verify.

Like many mail servers, I also get a lot of attempts to use me as an open relay. Most of them are repeat offenders that always try the same RCPT TO addresses, and I add them to a separate blacklist (in smtpd_recipient_restrictions) to specifically reject them (rather than the default defer). The problem is that they keep trying, sometimes hundreds of times per day.

I don't want to be notified of delivery failures (rejections) as a result of my manual blacklists, but I still want to receive copies of all other delivery failures (deferrals and remote rejections). Unfortunately, it seems that Postfix doesn't have such an option. To be clear, these are not "bounces"; they couldn't be filtered by separating that delivery mechanism.

If I could generate notifications for deferrals (4XX) but not rejections (5XX) that would be perfect. I'm hoping that there's just some Postfix option that I missed, but a few other solutions come to mind:

  1. I could apply header/body checks to the generated notifications to filter out incoming rejections; this seems as error-prone as not generating any notifications
  2. I could disable automatic notifications and manually add directives to generate notifications for each case that I want (warn_if_reject); this seems similarly error-prone
  3. I could stop rejecting and deferring via the SMTP session and instead generate bounces; this is a terrible idea that would likely contribute to the existing backscatter problem
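Added example, not from the post and not a Postfix feature: a classifier over the NOQUEUE lines Postfix writes for every reject or defer decision in smtpd, keeping exactly the 4XX/5XX split the post asks for. Every 4xx reply counts as a deferral worth a human look; a 5xx reply is suppressed only when its reply text is the one returned by the operator's own blacklist map, so other permanent rejections still surface. The log lines are constructed samples in Postfix's NOQUEUE format, and the map reply text "Blacklisted client" is an assumed value the access map would have to be configured to return. Running this over the mail log is an alternative to the three options listed, not a replacement for notify_classes.

```python
"""Triage Postfix smtpd NOQUEUE log lines by SMTP reply code.

Added example (not from the Server Fault post). 4xx = deferral, always
notify; 5xx with the local blacklist's reply text = suppress; any other
5xx = notify, because it did not come from the operator's own map.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed: the reply text configured in the operator's blacklist access map.
BLACKLIST_TEXT = "Blacklisted client"

# Format of the line smtpd logs for a rejected/deferred command. The `text`
# group is everything between the enhanced status code and "; from=<".
NOQUEUE_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: (?P<action>reject|reject_warning): "
    r"(?P<stage>\w+) from (?P<client>\S+): (?P<code>[45]\d\d) (?P<dsn>\d\.\d+\.\d+) "
    r"(?P<text>.*?); from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)


@dataclass
class Event:
    code: int
    client: str
    sender: str
    rcpt: str
    text: str

    @property
    def is_deferral(self) -> bool:
        return 400 <= self.code < 500

    @property
    def is_local_blacklist(self) -> bool:
        # Only a 5xx that carries the blacklist map's own text is "ours".
        return self.code >= 500 and BLACKLIST_TEXT in self.text


def parse(line: str) -> Optional[Event]:
    m = NOQUEUE_RE.search(line)
    if not m:
        return None
    return Event(int(m["code"]), m["client"], m["sender"], m["rcpt"], m["text"])


def classify(line: str) -> str:
    """One of: notify-deferral, notify-rejection, suppress-blacklist, unparsed."""
    ev = parse(line)
    if ev is None:
        return "unparsed"
    if ev.is_deferral:
        return "notify-deferral"
    if ev.is_local_blacklist:
        return "suppress-blacklist"
    return "notify-rejection"


def should_notify(line: str) -> bool:
    return classify(line).startswith("notify")


def triage(lines: List[str]) -> dict:
    """Count how many lines would notify, be suppressed, or could not be parsed."""
    counts = {"notify": 0, "suppressed": 0, "unparsed": 0}
    for line in lines:
        verdict = classify(line)
        if verdict == "unparsed":
            counts["unparsed"] += 1
        elif verdict.startswith("notify"):
            counts["notify"] += 1
        else:
            counts["suppressed"] += 1
    return counts


# Constructed sample log lines (hosts and addresses are documentation values).
SAMPLE_LOG = [
    "Jun 20 12:01:02 mx postfix/smtpd[4242]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: "
    "554 5.7.1 <ceo@example.net>: Recipient address rejected: Blacklisted client; "
    "from=<relay-test@example.org> to=<ceo@example.net> proto=ESMTP helo=<mail.example.org>",
    "Jun 20 12:03:17 mx postfix/smtpd[4242]: NOQUEUE: reject: RCPT from mail.example.com[198.51.100.9]: "
    "450 4.7.1 <alice@example.net>: Recipient address rejected: Greylisted, try again later; "
    "from=<bob@example.com> to=<alice@example.net> proto=ESMTP helo=<mail.example.com>",
    "Jun 20 12:05:40 mx postfix/smtpd[4243]: NOQUEUE: reject: RCPT from unknown[203.0.113.77]: "
    "554 5.7.1 <root@example.net>: Relay access denied; "
    "from=<x@example.org> to=<root@example.net> proto=ESMTP helo=<x>",
    "Jun 20 12:06:00 mx postfix/qmgr[4100]: 1A2B3C: removed",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(line))
    print(triage(SAMPLE_LOG))
```

The blacklisted client's repeated RCPT attempts collapse into "suppress-blacklist", while the greylisting deferral and the non-blacklist 554 both still notify; anything that is not an smtpd NOQUEUE line is reported as unparsed rather than silently dropped, which is the check that keeps this from becoming the "not generating any notifications" failure the post is worried about.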

Postfix relayhost. Connection refused

Posted: 20 Jun 2022 10:46 AM PDT

Postfix is refusing to send email as relayhost. It keeps saying:

connect to mydomain.com[xxx.xx.xxx.xxx]:25: Connection refused

However, port 25 is open:

sudo netstat -ntlp
tcp        0      0 127.0.0.1:33060         0.0.0.0:*               LISTEN      39162/mysqld
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      57910/proftpd: (acc
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      614/systemd-resolve
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      762/sshd: /usr/sbin
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      70265/master
tcp6       0      0 :::3306                 :::*                    LISTEN      39162/mysqld
tcp6       0      0 :::80                   :::*                    LISTEN      61217/apache2
tcp6       0      0 :::22                   :::*                    LISTEN      762/sshd: /usr/sbin
tcp6       0      0 ::1:25                  :::*                    LISTEN      70265/master
tcp6       0      0 :::443                  :::*                    LISTEN      61217/apache2

I have no idea where this problem comes from.
Can someone help me?

How do you create a dynamic device group in Intune with membership based on the existence of a file?

Posted: 20 Jun 2022 12:13 PM PDT

How do you create a dynamic device group in Intune with membership based on the existence of a file? Within the add new group feature, I don't see a way to specify a file name, nor a way to utilize a script upon which to base the membership. Is it even possible? Thanks in advance.

Why do I always go to the error page if there is no error in error.log

Posted: 20 Jun 2022 10:23 AM PDT

I am trying to serve a Vue app which is basically serving static files. I have the simple configuration, which also includes the backend PHP API server.

When I go to api.localhost (I added it to the hosts file), I do see the backend HTML page, but when I go to localhost, it sends me to the 50x error page:

user       www-data;

http {
    server {
        listen 80;
        server_name api.localhost;
        root /var/www/php-backend/public;

        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-Content-Type-Options "nosniff";

        index index.php;

        charset utf-8;

        location / {
            try_files $uri $uri/ /index.php?$query_string;
        }

        location = /favicon.ico { access_log off; log_not_found off; }
        location = /robots.txt  { access_log off; log_not_found off; }

        error_page 404 /index.php;

        location ~ \.php$ {
            fastcgi_pass unix:/var/run/php/php8.1-fpm.sock;
            fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
            include fastcgi_params;
        }

        location ~ /\.(?!well-known).* {
            deny all;
        }
    }

    server {
        listen 80;
        server_name localhost;
        location /var/www/vue-frontend/dist {
            root   /;
            index  index.html;
            try_files $uri $uri/ /index.html;
        }
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   /usr/share/nginx/html;
        }
    }
}

events {}

When going to localhost, I keep seeing the index.html page that's inside /usr/share/nginx/html instead of the Vue index.html. Why? The error.log at /var/log/nginx is not showing anything except for [notice]: signal process started.
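The second server block above is written as if location matched a directory on disk; in nginx a location prefix is matched against the request URI, so a request for / matches no location in that block, and with no root directive at server level nginx falls back to its compiled-in default root, html under the install prefix (/usr/share/nginx/html on this system). That is the stock page the post describes, and it explains the empty error.log: nothing failed, a different file was served. The following is an added example of the block written with the URI/filesystem split the right way round; it is not the poster's configuration, only the dist path is taken from the post.

```nginx
server {
    listen 80;
    server_name localhost;

    # Document root is the build output; "/" is the URI prefix being matched.
    root  /var/www/vue-frontend/dist;
    index index.html;

    location / {
        # Serve the asset if it exists, otherwise hand the route to the SPA.
        try_files $uri $uri/ /index.html;
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
}
```

Check with nginx -t before reloading; a request for /some/route then falls through try_files to the Vue index.html rather than to nginx's own html directory.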

Wondering why first 2 hops of MTR look like this

Posted: 20 Jun 2022 09:29 AM PDT

Can anyone help me to understand why some MTR results would look like this? I am fairly new to networking and trying to figure this out.

[MTR tool results: screenshot not reproduced]

Wireguard server: allow clients to communicate with devices local to the server through Wireguard (effectively using wireguard as a tunnel)

Posted: 20 Jun 2022 08:30 AM PDT

I've got a bit of a weird problem, and I'm not sure if I'm trying to fit a square peg through a round hole or if I'm just not sure how to ask the question I really want to ask.

At home, I have a headless server operating as a pihole and wireguard server. On my laptop, I wish to connect to this server and be able to communicate with devices on my home network (such as my desktop PC) as if I were there on the LAN.

The home network is a typical household network: off-the-shelf router provides DHCP service, issuing out IPs at 192.168.1.0/24 with leases starting at 100. My wireguard server is configured to operate as 192.168.2.1 with manually assigned ips in the same subnet, and allowedips are set to 192.168.0.0/16 because I don't want to connect to the internet through my home network, just my home network through the internet.

So far I'm able to communicate with devices connected via wireguard, including the wireguard server itself. What I cannot do is communicate with anything on the 192.168.1.0/24 subnet.

I fear that in order to do what I want to do, I'm going to need to disable the DHCP server in my router and set up my own on the pihole server, which will be able to manage both subnets at once. Alternatively, I could try simply not doing this separate subnet stuff and just throw clients onto the DHCP server's subnet and see what happens...

I really don't know what to do here and like I said, I'm not sure if I even know what my question is at this point.

how to analyse intrusion on my debian server

Posted: 20 Jun 2022 08:43 AM PDT

I've been running a server for a few days and I now have 3 Docker containers appearing in my docker ps -a that I've never run or created:

CONTAINER ID   IMAGE                          COMMAND                  CREATED          STATUS                          PORTS                                       NAMES
b44143529951   app-matangi_frontend_matangi   "/bin/sh -c /start"      23 minutes ago   Restarting (1) 50 seconds ago                                               frontend_matangi
7dd9e687d1cf   app-matangi_backend_matangi    "/start"                 23 minutes ago   Up 23 minutes                   0.0.0.0:8001->8000/tcp, :::8001->8000/tcp   backend_matangi
8edcf9d9cb33   96000f229929                   "/bin/sh -c 'apk upd…"   11 hours ago     Exited (1) 11 hours ago                                                     strange_jepsen
26d37ed89a81   7b244af55dd9                   "/bin/sh -c 'apk upd…"   11 hours ago     Exited (1) 11 hours ago                                                     wonderful_cannon
927cbfdc4445   7b244af55dd9                   "/bin/sh -c 'apk upd…"   11 hours ago     Exited (1) 11 hours ago                                                     dreamy_visvesvaraya

The unwanted containers are dreamy_visvesvaraya, wonderful_cannon and strange_jepsen.

How can I check whether my server was hacked, and check the SSH or network access to my server?

I have tried to check the logs with journalctl, but nothing appears in the logs at the creation times of the containers (found with docker inspect).

I have tried docker logs container_name on these 3 but got the error:

Error response from daemon: configured logging driver does not support reading  

Thank you

When I run docker ps -a --no-trunc, I get:

8edcf9d9cb33f08e4a065870b6adffce06bf5c4420a07b2683a06787045aac74   sha256:96000f22992951774f2c795bfc0f2b8d1cb7a1e1f55789c32d029eccca4e39bf   "/bin/sh -c 'apk update &&     apk add nano &&     apk add certbot &&     mkdir -p /var/lib/letsencrypt &&     mkdir -p /var/lib/letsencrypt/.well-known &&     chgrp www-data /var/lib/letsencrypt &&     chmod g+s /var/lib/letsencrypt &&     mkdir -p /etc/nginx/snippets &&     touch /etc/nginx/snippets/letsencrypt.conf && \ttouch /etc/nginx/snippets/ssl.conf &&     echo 'location ^~/.well-known/acme-challenge/ {'>> /etc/nginx/snippets/letsencrypt.conf && \techo 'allow all;'>> /etc/nginx/snippets/letsencrypt.conf && \techo 'root /var/lib/letsencrypt/;'>> /etc/nginx/snippets/letsencrypt.conf && \techo 'default_type \"text/plain\";'>> /etc/nginx/snippets/letsencrypt.conf && \techo 'try_files $uri =404;'>> /etc/nginx/snippets/letsencrypt.conf && \techo '}'>> /etc/nginx/snippets/letsencrypt.conf && \tcertbot certonly --agree-tos --email matangi.dev@gmail.com --webroot -w /var/lib/letsencrypt/ -d matangi.dev && \techo \"server{\">>/etc/nginx/conf.d/nginx.conf && \techo \"listen 443 ssl http2;\">>/etc/nginx/conf.d/nginx.conf && \techo \"server_name matangi.dev;\">>/etc/nginx/conf.d/nginx.conf && \techo \"ssl_certificate /etc/letsencrypt/live/matangi.dev/fullchain.pem;\">>/etc/nginx/conf.d/nginx.conf && \techo \"ssl_certificate_key /etc/letsencrypt/live/matangi.dev/privkey.pem;\">>/etc/nginx/conf.d/nginx.conf && \techo \"ssl_trusted_certificate /etc/letsencrypt/live/matangi.dev/chain.pem;\">>/etc/nginx/conf.d/nginx.conf && \techo \"include snippets/letsencrypt.conf;\">>/etc/nginx/conf.d/nginx.conf && \techo \"include snippets/ssl.conf;\">>/etc/nginx/conf.d/nginx.conf && \techo \"}\">>/etc/nginx/conf.d/nginx.conf'"   15 hours ago   Exited (1) 15 hours ago   strange_jepsen
26d37ed89a815af8c39acb728c1d8003e1856b2351d0302c147c803d096dc449   sha256:7b244af55dd9e48841d311ea7eff7178bb92a546db7dd7078fc65c81668f3a3f   "/bin/sh -c 'apk update &&     apk add nano &&     apk add certbot &&     mkdir -p /var/lib/letsencrypt &&     mkdir -p /var/lib/letsencrypt/.well-known &&     chgrp www-data /var/lib/letsencrypt &&     chmod g+s /var/lib/letsencrypt &&     mkdir -p /etc/nginx/snippets &&     touch /etc/nginx/snippets/letsencrypt.conf &&     echo 'location ^~/.well-known/acme-challenge/ {'>> /etc/nginx/snippets/letsencrypt.conf && \techo 'allow all;'>> /etc/nginx/snippets/letsencrypt.conf && \techo 'root /var/lib/letsencrypt/;'>> /etc/nginx/snippets/letsencrypt.conf && \techo 'default_type \"text/plain\";'>> /etc/nginx/snippets/letsencrypt.conf && \techo 'try_files $uri =404;'>> /etc/nginx/snippets/letsencrypt.conf && \techo '}'>> /etc/nginx/snippets/letsencrypt.conf && \tcertbot certonly --agree-tos --email matangi.dev@gmail.com --webroot -w /var/lib/letsencrypt/ -d matangi.dev && \techo \"server{\">>/etc/nginx/conf.d/nginx.conf && \techo \"listen 443 ssl http2;\">>/etc/nginx/conf.d/nginx.conf && \techo \"server_name matangi.dev;\">>/etc/nginx/conf.d/nginx.conf && \techo \"ssl_certificate /etc/letsencrypt/live/matangi.dev/fullchain.pem;\">>/etc/nginx/conf.d/nginx.conf && \techo \"ssl_certificate_key /etc/letsencrypt/live/matangi.dev/privkey.pem;\">>/etc/nginx/conf.d/nginx.conf && \techo \"ssl_trusted_certificate /etc/letsencrypt/live/matangi.dev/chain.pem;\">>/etc/nginx/conf.d/nginx.conf && \techo \"include snippets/letsencrypt.conf;\">>/etc/nginx/conf.d/nginx.conf && \techo \"include snippets/ssl.conf;\">>/etc/nginx/conf.d/nginx.conf && \techo \"}\">>/etc/nginx/conf.d/nginx.conf'"   16 hours ago   Exited (1) 16 hours ago   wonderful_cannon
927cbfdc44453caf84c5a11ab0e377bb3ca499734ae0678156bff0bc6085adf3   sha256:7b244af55dd9e48841d311ea7eff7178bb92a546db7dd7078fc65c81668f3a3f   "/bin/sh -c 'apk update &&     apk add nano &&     apk add certbot &&     mkdir -p /var/lib/letsencrypt &&     mkdir -p /var/lib/letsencrypt/.well-known &&     chgrp www-data /var/lib/letsencrypt &&     chmod g+s /var/lib/letsencrypt &&     mkdir -p /etc/nginx/snippets &&     touch /etc/nginx/snippets/letsencrypt.conf &&     echo 'location ^~/.well-known/acme-challenge/ {'>> /etc/nginx/snippets/letsencrypt.conf && \techo 'allow all;'>> /etc/nginx/snippets/letsencrypt.conf && \techo 'root /var/lib/letsencrypt/;'>> /etc/nginx/snippets/letsencrypt.conf && \techo 'default_type \"text/plain\";'>> /etc/nginx/snippets/letsencrypt.conf && \techo 'try_files $uri =404;'>> /etc/nginx/snippets/letsencrypt.conf && \techo '}'>> /etc/nginx/snippets/letsencrypt.conf && \tcertbot certonly --agree-tos --email matangi.dev@gmail.com --webroot -w /var/lib/letsencrypt/ -d matangi.dev && \techo \"server{\">>/etc/nginx/conf.d/nginx.conf && \techo \"listen 443 ssl http2;\">>/etc/nginx/conf.d/nginx.conf && \techo \"server_name matangi.dev;\">>/etc/nginx/conf.d/nginx.conf && \techo \"ssl_certificate /etc/letsencrypt/live/matangi.dev/fullchain.pem;\">>/etc/nginx/conf.d/nginx.conf && \techo \"ssl_certificate_key /etc/letsencrypt/live/matangi.dev/privkey.pem;\">>/etc/nginx/conf.d/nginx.conf && \techo \"ssl_trusted_certificate /etc/letsencrypt/live/matangi.dev/chain.pem;\">>/etc/nginx/conf.d/nginx.conf && \techo \"include snippets/letsencrypt.conf;\">>/etc/nginx/conf.d/nginx.conf && \techo \"include snippets/ssl.conf;\">>/etc/nginx/conf.d/nginx.conf && \techo \"}\">>/etc/nginx/conf.d/nginx.conf'"   16 hours ago   Exited (1) 16 hours ago   dreamy_visvesvaraya

It's very strange, as the command that seems to have been run corresponds to the script used for my frontend container. However, on my frontend the logs are not disabled. Also, the names of these containers are weird; I don't know where they come from, and the time they were launched corresponds to when I was away from the computer.

And when I run docker history:

docker history 96000f229929
IMAGE          CREATED         CREATED BY                                      SIZE      COMMENT
96000f229929   15 hours ago    /bin/sh -c #(nop) COPY dir:44183f63c2c69de79…   3.64MB
6aafbb279483   15 hours ago    /bin/sh -c #(nop) COPY file:b2066221881a32f4…   1.35kB
26f95d8bb7a1   6 days ago      /bin/sh -c rm /etc/nginx/conf.d/default.conf    0B
6f715d38cfe0   22 months ago   /bin/sh -c #(nop)  CMD ["nginx" "-g" "daemon…   0B
<missing>      22 months ago   /bin/sh -c #(nop)  STOPSIGNAL SIGTERM           0B
<missing>      22 months ago   /bin/sh -c #(nop)  EXPOSE 80                    0B
<missing>      22 months ago   /bin/sh -c #(nop)  ENTRYPOINT ["/docker-entr…   0B
<missing>      22 months ago   /bin/sh -c #(nop) COPY file:0fd5fca330dcd6a7…   1.04kB
<missing>      22 months ago   /bin/sh -c #(nop) COPY file:1d0a4127e78a26c1…   1.96kB
<missing>      22 months ago   /bin/sh -c #(nop) COPY file:e7e183879c35719c…   1.2kB
<missing>      22 months ago   /bin/sh -c set -x     && addgroup -g 101 -S …   16.5MB
<missing>      22 months ago   /bin/sh -c #(nop)  ENV PKG_RELEASE=1            0B
<missing>      22 months ago   /bin/sh -c #(nop)  ENV NJS_VERSION=0.4.3        0B
<missing>      22 months ago   /bin/sh -c #(nop)  ENV NGINX_VERSION=1.19.2     0B
<missing>      22 months ago   /bin/sh -c #(nop)  LABEL maintainer=NGINX Do…   0B
<missing>      2 years ago     /bin/sh -c #(nop)  CMD ["/bin/sh"]              0B
<missing>      2 years ago     /bin/sh -c #(nop) ADD file:c92c248239f8c7b9b…   5.57MB

docker history 7b244af55dd9
IMAGE          CREATED         CREATED BY                                      SIZE      COMMENT
7b244af55dd9   16 hours ago    /bin/sh -c #(nop) COPY dir:44183f63c2c69de79…   3.64MB
d45311aa8d76   16 hours ago    /bin/sh -c #(nop) COPY file:c7b35d3a6931488a…   1.27kB
26f95d8bb7a1   6 days ago      /bin/sh -c rm /etc/nginx/conf.d/default.conf    0B
6f715d38cfe0   22 months ago   /bin/sh -c #(nop)  CMD ["nginx" "-g" "daemon…   0B
<missing>      22 months ago   /bin/sh -c #(nop)  STOPSIGNAL SIGTERM           0B
<missing>      22 months ago   /bin/sh -c #(nop)  EXPOSE 80                    0B
<missing>      22 months ago   /bin/sh -c #(nop)  ENTRYPOINT ["/docker-entr…   0B
<missing>      22 months ago   /bin/sh -c #(nop) COPY file:0fd5fca330dcd6a7…   1.04kB
<missing>      22 months ago   /bin/sh -c #(nop) COPY file:1d0a4127e78a26c1…   1.96kB
<missing>      22 months ago   /bin/sh -c #(nop) COPY file:e7e183879c35719c…   1.2kB
<missing>      22 months ago   /bin/sh -c set -x     && addgroup -g 101 -S …   16.5MB
<missing>      22 months ago   /bin/sh -c #(nop)  ENV PKG_RELEASE=1            0B
<missing>      22 months ago   /bin/sh -c #(nop)  ENV NJS_VERSION=0.4.3        0B
<missing>      22 months ago   /bin/sh -c #(nop)  ENV NGINX_VERSION=1.19.2     0B
<missing>      22 months ago   /bin/sh -c #(nop)  LABEL maintainer=NGINX Do…   0B
<missing>      2 years ago     /bin/sh -c #(nop)  CMD ["/bin/sh"]              0B
<missing>      2 years ago     /bin/sh -c #(nop) ADD file:c92c248239f8c7b9b…   5.57MB

Do you have any suggestions on how to check who accessed the server at the time the containers were launched?

New containers appeared less than an hour ago while I was in front of my computer, so it's not someone who used my computer and my deploy script with other container names... I guess someone was able to take control of the server.

I have checked the logs in /var/log, in particular auth.log, but I see many connection attempts, mainly failed ones, in particular around the time the containers were launched.

When I run sudo cat /var/log/auth.log | grep Accepted, I only have lines like:

devserver sshd[606302]: Accepted publickey for user from ip port 62203 ssh2: RSA SHA256:blob  

Where user is my user, defined with SSH key access only.

I have ufw configured as a firewall.

I didn't deactivate root login with an SSH key and I didn't deactivate root login with a password. However, I would like to be able to find traces of these logins if they happened...

How can I investigate to see where my security fault is?
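Added example, not from the post: the first correlation a responder does with the two artefacts the poster already has, the Created timestamp that docker inspect reports for each unexpected container and the sshd Accepted/Failed lines in auth.log. It lists every SSH authentication event within a window around each container's creation, with its offset in minutes, so a container created with no interactive login nearby stands out as clearly as one created two minutes after a successful key login. The auth.log lines, addresses and timestamps are constructed samples; only the container names come from the post. auth.log carries no year and no zone, so both are assumed here (2022, UTC, the zone docker uses for Created).

```python
"""Correlate sshd login events with Docker container creation times.

Added example (not from the Server Fault post). Inputs are the `Created`
values from `docker inspect` and raw auth.log lines; output is, per
container, the sshd events that fall inside +/- window of its creation.
"""
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

LOG_YEAR = 2022        # assumed: syslog timestamps carry no year
LOG_TZ = timezone.utc  # assumed: host clock in UTC, matching docker's Created

# sshd authentication lines; "invalid user" is consumed so the user field is clean.
SSHD_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_sshd_line(line: str) -> Optional[Tuple[datetime, str, str, str]]:
    """Return (timestamp, result, user, ip) for an sshd auth line, else None."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(
        f"{LOG_YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"
    ).replace(tzinfo=LOG_TZ)
    return ts, m["result"], m["user"], m["ip"]


def parse_created(created: str) -> datetime:
    """Parse docker inspect's RFC 3339 Created value (nanosecond fraction, 'Z')."""
    trimmed = re.sub(r"\.\d+", "", created).replace("Z", "+00:00")
    return datetime.fromisoformat(trimmed)


def correlate(containers: Dict[str, str], auth_lines: List[str],
              window: timedelta = timedelta(minutes=30)) -> Dict[str, List[dict]]:
    """For each container name, the sshd events within +/- window of its creation."""
    events = [e for e in (parse_sshd_line(line) for line in auth_lines) if e]
    report: Dict[str, List[dict]] = {}
    for name, created in containers.items():
        t0 = parse_created(created)
        report[name] = [
            {"result": result, "user": user, "ip": ip,
             "offset_min": round((ts - t0).total_seconds() / 60)}
            for ts, result, user, ip in events
            if abs(ts - t0) <= window
        ]
    return report


# Constructed sample data: names from the post, everything else made up.
SAMPLE_CONTAINERS = {
    "strange_jepsen":   "2022-06-19T21:05:44.108347221Z",
    "wonderful_cannon": "2022-06-19T20:10:00.000000000Z",
}
SAMPLE_AUTH_LOG = [
    "Jun 19 20:58:03 devserver sshd[606302]: Accepted publickey for user from 203.0.113.10 port 62203 ssh2: RSA SHA256:blob",
    "Jun 19 21:02:10 devserver sshd[606410]: Failed password for invalid user admin from 198.51.100.23 port 40122 ssh2",
    "Jun 19 21:03:55 devserver sshd[606417]: Failed password for root from 198.51.100.23 port 40130 ssh2",
    "Jun 20 08:00:00 devserver sshd[607001]: Accepted publickey for user from 203.0.113.10 port 62210 ssh2: RSA SHA256:blob",
    "Jun 19 21:04:00 devserver CRON[606500]: pam_unix(cron:session): session opened for user root by (uid=0)",
]

if __name__ == "__main__":
    for name, hits in correlate(SAMPLE_CONTAINERS, SAMPLE_AUTH_LOG).items():
        print(name, hits or "no sshd events in window")
```

On the sample data strange_jepsen has a successful key login eight minutes before creation and two failed guesses from another address just before it, while wonderful_cannon has nothing within half an hour. An empty window is itself a finding: if no SSH event lines up with any creation time, the containers were started through some path other than an interactive login, and that is where the investigation should move (the Docker daemon's own logs and its listening sockets, which journalctl -u docker and the same netstat/ss listing the poster already knows how to read will show).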

How to check whether either variable exists in GitLab rules?

Posted: 20 Jun 2022 08:17 AM PDT

I have a GitLab rule condition like the one below.

'$ACTION && $REGION && $ROLE_ARN && $PACKAGEURL && $ACTION == "new" && $CLOUD_PLATFORM == "aws" && $ROLE_ARN != "" && $PACKAGEURL != "" && $REGION != ""'  

I want to modify it a bit so that it checks for the existence of either PACKAGEURL or BUILDRPMREQUIRED above.

I tried keeping it as below.

'$ACTION && $REGION && $ROLE_ARN && ($PACKAGEURL || $BUILDRPMREQUIRED) && $ACTION == "new" && $CLOUD_PLATFORM == "aws" && $ROLE_ARN != "" && ($PACKAGEURL != "" || $BUILDRPMREQUIRED @= "") && $REGION != ""'  

but the logic is not correct, because it also works if neither of the two variables ($PACKAGEURL, $BUILDRPMREQUIRED) is passed.

PAM module configuration, ssh failure in Debian

Posted: 20 Jun 2022 08:01 AM PDT

I want to set password policies for users on a Debian VM, like minlen and a special character required for the password.

In my Debian VM I get an error and can't log in again via SSH to that machine.

OS Version: Debian Bullseye 11

Kernel Version: Linux 5.10.0-9-amd64 x86_64

I modified the config file /etc/pam.d/common-password, starting at the line:

# here are the per-package modules (the "Primary" block)
password        [success=1 default=ignore]      pam_unix.so obscure yescrypt

and inserted something like what is shown in (https://www.networkworld.com/article/2726217/how-to-enforce-password-complexity-on-linux.html):

minlen=8 dcredit=1 ucredit=1 lcredit=1 ocredit=1  

Without any changes to that file I can enter the machine without any problems, e.g. the public key is uploaded correctly, the SSH port is open, and the SSH and SSHD services are active.

Again, when I try to connect remotely via SSH:

ssh -v USER@IP  

I get this error in the last lines:

debug1: Next authentication method: password
USER@IP's password:
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.
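The string from the article is a set of module options, not a PAM entry: every line in /etc/pam.d/common-password needs the type, control and module fields, and Linux-PAM treats a line it cannot parse as a configuration error for the whole service stack, which is consistent with the lockout seen here. The following is an added example of the same policy written as a valid entry; it is not the poster's file. The options are attached to pam_pwquality.so (package libpam-pwquality; the article's pam_cracklib.so takes the same option names), placed ahead of pam_unix.so, and the credit values are negative because that is what makes a character class mandatory: dcredit=1 as in the article only lets a digit earn credit toward minlen.

```text
# /etc/pam.d/common-password   (added example, not from the post)
#
# here are the per-package modules (the "Primary" block)
password        requisite                       pam_pwquality.so retry=3 minlen=8 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1
password        [success=1 default=ignore]      pam_unix.so obscure use_authtok try_first_pass yescrypt
```

use_authtok makes pam_unix take the password that pam_pwquality has already checked instead of prompting a second time. Two practical checks before trusting a PAM edit: keep a second SSH session open until a fresh login has succeeded, and remember that on Debian this file is generated by pam-auth-update, which overwrites hand edits unless its header is removed.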

How Is Executable Found Without Leading Path Despite Its Location Not in Search Path?

Posted: 20 Jun 2022 09:27 AM PDT

This is a question to help me understand the reason for a perceived inconsistency between documented and actual behaviors when calling an executable through sudo. When the secure_path option is enabled (the default on my system), the search path behaves as expected. But when it is disabled, something strange happens: an executable in /usr/local/bin can be reached without a fully qualified path name despite its location not being in the search path.

System Information

The following software is currently installed on my system:

## Yeah... still haven't migrated to Alma
[me@localhost ~]$ cat /etc/centos-release
CentOS Linux release 8.5.2111

[me@localhost ~]$ bash --version | head -1
GNU bash, version 4.4.20(1)-release (x86_64-redhat-linux-gnu)

[me@localhost ~]$ sudo --version
Sudo version 1.8.29
Sudoers policy plugin version 1.8.29
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.29

PAM does not set or update the value of the PATH variable on my system:

[me@localhost ~]$ grep --recursive 'pam_env\.so' /etc/pam.d
/etc/pam.d/fingerprint-auth:auth        required      pam_env.so
/etc/pam.d/smartcard-auth:auth        required      pam_env.so
/etc/pam.d/su:auth        required    pam_env.so
/etc/pam.d/password-auth:auth        required      pam_env.so
/etc/pam.d/system-auth:auth        required      pam_env.so

[me@localhost ~]$ sudo cat /etc/security/pam_env.conf ~/.pam_environment | grep PATH
cat: /home/me/.pam_environment: No such file or directory
# be useful to be set: NNTPSERVER, LESS, PATH, PAGER, MANPAGER .....
#PATH       DEFAULT=${HOME}/bin:/usr/local/bin:/bin\

My /etc/sudoers file sets a secure_path value for all sudoers:

[me@localhost ~]$ sudo grep secure_path /etc/sudoers
Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin

Replication Procedure

To replicate, I first create a dummy script and install it in /usr/local/bin:

[me@localhost ~]$ cat > dummy <<EOF
#!/usr/bin/bash
echo 'Found!'
EOF

[me@localhost ~]$ sudo install --owner=root --group=root --mode=755 dummy /usr/local/bin

I verify that the search path works as expected when not using sudo:

## The /usr/local/bin location is part of my search path
[me@localhost ~]$ echo $PATH
/home/me/.local/bin:/home/me/bin:/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin

## This is expected
[me@localhost ~]$ dummy
Found!

And using sudo, no surprise here either:

## Sudo's secure_path value
[me@localhost ~]$ sudo --user=other env | grep PATH
PATH=/usr/bin:/bin:/usr/sbin:/sbin

## This is expected
[me@localhost ~]$ sudo --user=other which dummy
which: no dummy in (/sbin:/bin:/usr/sbin:/usr/bin)

## This too, of course
[me@localhost ~]$ sudo --user=other dummy
sudo: dummy: command not found

## Indeed, a fully qualified path name is required
[me@localhost ~]$ sudo --user=other /usr/local/bin/dummy
Found!

Then, I disable secure_path (careful here! use of visudo is advised), either by commenting the line out in /etc/sudoers or by creating a file /etc/sudoers.d/local with the following lines:

# Disable secure_path if set
Defaults !secure_path

This should prevent sudo, when called with the --preserve-env switch, from overriding the PATH environment variable with the value of secure_path. And it works as expected.

However, when not using the --preserve-env switch, and not prompting a full login sequence with the --login switch (thereby not sourcing any of Bash's startup files), and with no assignment to PATH in any of PAM environment files, something strange happens:

## Not sure where this PATH is from
[me@localhost ~]$ sudo --user=other env | grep PATH
PATH=/usr/bin:/bin:/usr/sbin:/sbin

## Regardless, this is expected
[me@localhost ~]$ sudo --user=other which dummy
which: no dummy in (/usr/bin:/bin:/usr/sbin:/sbin)

## But wait! What?!?
[me@localhost ~]$ sudo --user=other dummy
Found!

So, how is it that which dummy complains of dummy not in search path while a straight call to dummy finds it?

Relevant Documentation

The following are references to various bits of information that I found relevant while researching this question.

Sudo documentation says this about the secure_path option:

Path used for every command run from sudo. If you don't trust the people running sudo to have a sane PATH environment variable you may want to use this. Another use is if you want to have the "root path" be separate from the "user path". Users in the group specified by the exempt_group option are not affected by secure_path. This option is not set by default.

This page of Bash documentation on gnu.org (https://www.gnu.org/software/bash/manual/html_node/Bash-Startup-Files.html) explains when the various startup files are sourced. In my demonstration above, none of these files should be sourced since I'm neither spawning new shells nor calling sudo with the --login switch.

As per the pam_env documentation in the man pages, only /etc/environment, /etc/security/pam_env.conf and ~/.pam_environment should be processed by the pam_env module by default, unless non-default file names are specified. This is not the case on my system, and none of these files set or update the value of PATH.

This ServerFault answer (Where does the bash PATH on CentOS 7 get /usr/local/bin from?) explains Bash's default values for the PATH variable. Even though it was answered for Bash on CentOS 7, the answer is still relevant to the Bash version packaged with CentOS 8. As per the accepted answer, the bash source config-top.h has this:

/* The default value of the PATH variable. */
#ifndef DEFAULT_PATH_VALUE
#define DEFAULT_PATH_VALUE \
  "/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin:."
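The two observations in the replication are not contradictory if the command name is resolved before the child's environment is built: the parent process looks the bare name up in the invoking user's PATH (which does contain /usr/local/bin), and the resolved absolute path is then executed in a child whose PATH has been reset, so which run inside that child reports nothing. The following is an added example that reproduces exactly that pattern in user space; it is a model of the sequence the transcript is consistent with, not sudo's source code, and the /usr/local/bin stand-in is a constructed temporary directory.

```python
"""Model of "resolve the name with the caller's PATH, then run it with a
reset PATH". Added example, not sudo's code; paths are constructed.
"""
import os
import shutil
import subprocess
import tempfile
from typing import Optional, Tuple

RESET_PATH = "/usr/bin:/bin"  # the value the child reported in the post's transcript


def install_dummy(bindir: str) -> str:
    """Create the post's dummy script under bindir and make it executable."""
    os.makedirs(bindir, exist_ok=True)
    path = os.path.join(bindir, "dummy")
    with open(path, "w") as fh:
        fh.write('#!/bin/sh\necho "Found! PATH=$PATH"\n')
    os.chmod(path, 0o755)
    return path


def run_like_wrapper(name: str, caller_path: str) -> Tuple[int, str]:
    """Resolve `name` with the caller's PATH, then exec it with RESET_PATH.

    The lookup happens in the parent, before the environment handed to the
    child is rebuilt, which is the ordering the transcript is consistent with.
    """
    resolved = shutil.which(name, path=caller_path)
    if resolved is None:
        return 127, f"{name}: command not found"
    proc = subprocess.run([resolved], env={"PATH": RESET_PATH},
                          capture_output=True, text=True, check=False)
    return proc.returncode, proc.stdout.strip()


def which_inside_child(name: str) -> Optional[str]:
    """What `which name` sees when it runs inside the child's environment."""
    return shutil.which(name, path=RESET_PATH)


def demo() -> dict:
    """Replay the post's checks against a constructed /usr/local/bin."""
    with tempfile.TemporaryDirectory() as tmp:
        bindir = os.path.join(tmp, "local", "bin")
        install_dummy(bindir)
        caller_path = f"{bindir}:{RESET_PATH}"  # caller has the extra dir, child will not
        rc, out = run_like_wrapper("dummy", caller_path)
        missing_rc, _ = run_like_wrapper("no-such-command-xyz", caller_path)
        return {
            "child_which_finds_dummy": which_inside_child("dummy") is not None,
            "bare_name_exit_code": rc,
            "bare_name_output": out,
            "unknown_name_exit_code": missing_rc,
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The reset PATH never sees dummy, yet the bare name runs and prints the reset PATH from inside the child, which is the pair of results the post reports. The security reading is the one the sudoers text quoted above gives for secure_path: without it, a directory the invoking user controls in their own PATH decides which file a bare command name resolves to, even though the child's own PATH looks clean.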
