Date: Sat, 19 May 2012 23:36:21 GMT
From: evgeni <es131245@ya.ru>
To: freebsd-gnats-submit@FreeBSD.org
Subject: i386/168155: authorization error
Message-ID: <201205192336.q4JNaLbP058413@red.freebsd.org>
Resent-Message-ID: <201205192340.q4JNe1aO072430@freefall.freebsd.org>
>Number:         168155
>Category:       i386
>Synopsis:       authorization error
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-i386
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat May 19 23:40:00 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator:     evgeni
>Release:        9.0
>Organization:
home gateway + server
>Environment:
FreeBSD es-server 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan 3 07:15:25 UTC 2012 root@obrian.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
>Description:
Installed FreeBSD 9.0 i386.
Configured the system as written in the "attached instruction notes".
Installed mariadb-server, mariadb-client, nginx, php5 + extensions from ports.
Reboot.
Then I couldn't log in over ssh with the user account:

Password:
Last login: Sun May 20 03:10:06 2012 from 192.168.2.2
Welcome to Y-eS Server!
Cannot open "/lib/libedit.so.7"Connection to 192.168.2.1 closed.

Can't start the maria mysql server either:

# /usr/local/etc/rc.d/mysql-server start
Starting mysql.
Cannot open "/lib/libncurses.so.8"/usr/local/etc/rc.d/mysql-server: WARNING: failed to start mysq
>How-To-Repeat:
My instructions are in the attached files.
>Fix:
Patch attached with submission follows:

<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>FreeBSD Server Installation Guide</title>
<style type="text/css">
pre {background-color:gray; #border-radius:5px; box-shadow:inset 0 0 5px black; border:thin solid black; font-family:monotype; padding:5px;}
</style>
</head>
<body>
Root setup
<pre>
setenv PAGER more
alias ll ls -lhAoG
set prompt = "%{\033[31m%}%B%n%b%{\033[37m%}%B@%b%{\033[34m%}%B%M%b%{\033[37m%}%B:%b%{\033[32m%}%B%/%b%{\033[37m%}%B%#%b "
</pre>
/etc/hosts setup
<pre>
::1 localhost localhost.my.domain
127.0.0.1 localhost localhost.my.domain
10.192.34.5 localhost localhost.my.domain
192.168.1.1 localhost localhost.my.domain
192.168.2.1 localhost localhost.my.domain
</pre>
<h1>FreeBSD Server Installation Guide</h1>
<h3>1. Backing up data</h3>
<ol>
<li>File system and configuration files.</li>
<li>HTTP</li>
<li>File share</li>
<li>SQL</li>
</ol>
<h3>2. System installation</h3>
<p>Install the minimal system</p>
<h3>3. System configuration</h3>
<ol>
<li>Remove the boot pause <b>/boot/default/loader.conf</b>
<pre>
autoboot_delay="2"
beastie_disable="YES"
</pre></li>
<li>Add a user (must be in wheel). <b>adduser</b></li>
<li>Restrict logins <b>/etc/ttys</b>
<pre>
console none                            unknown off secure
ttyv0   "/usr/libexec/getty Pc"         xterm   on  insecure
ttyv1   "/usr/libexec/getty Pc"         xterm   off secure
ttyv2   "/usr/libexec/getty Pc"         xterm   off secure
ttyv3   "/usr/libexec/getty Pc"         xterm   off secure
ttyv4   "/usr/libexec/getty Pc"         xterm   off secure
ttyv5   "/usr/libexec/getty Pc"         xterm   off secure
ttyv6   "/usr/libexec/getty Pc"         xterm   off secure
ttyv7   "/usr/libexec/getty Pc"         xterm   off secure
ttyv8   "/usr/local/bin/xdm -nodaemon"  xterm   off secure
ttyu0   "/usr/libexec/getty std.9600"   dialup  off secure
ttyu1   "/usr/libexec/getty std.9600"   dialup  off secure
ttyu2   "/usr/libexec/getty std.9600"   dialup  off secure
ttyu3   "/usr/libexec/getty std.9600"   dialup  off secure
dcons   "/usr/libexec/getty std.9600"   vt100   off secure
</pre></li>
<li>Set the date and time <b>date</b></li>
<li>Adjust the greeting <b>/etc/motd</b>
<pre>
Welcome to Y-eS!
</pre>
</li>
<li><b>/etc/fstab</b> Mounts; create the mount points as well
<pre>
/dev/ada0p2 / ufs rw 1 1
/dev/ada0p3 none swap sw 0 0
/dev/ad5s1a /mnt ufs rw 1 2
/dev/ad6s1a /usr/local/http/sites/source.y-es.ru ufs rw 1 2
</pre>
</li>
<li><b>/etc/resolv.conf</b> Local network DNS
<pre>
nameserver 192.168.248.21
</pre>
</li>
<li><b>ipfw</b> Firewall & NAT
<pre>
ipfw -q -f flush
ipfw -q add pass all from any to any via lo0
ipfw -q nat 1 config if ale0
ipfw -q nat 2 config if re0
ipfw -q add pass icmp from 10.192.34.5 to 10.192.32.1 icmptype 0,8 out xmit ale0
ipfw -q add pass icmp from 10.192.34.5 to not 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 icmptype 0,8 out xmit ale0
ipfw -q add pass icmp from 192.168.2.1 to 192.168.2.2 icmptype 0,8 out xmit rl0
ipfw -q add pass icmp from not 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 to 192.168.2.2 icmptype 0 xmit rl0
ipfw -q add pass icmp from 192.168.1.1 to 192.168.1.0/24 icmptype 0,8 out xmit re0
ipfw -q add pass icmp from 10.192.32.1 to 10.192.34.5 icmptype 0,8 in recv ale0
ipfw -q add pass icmp from not 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 to 10.192.34.5 icmptype 8 in recv ale0
ipfw -q add nat 1 icmp from not 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 to 10.192.34.5 icmptype 0 in recv ale0
ipfw -q add nat 1 icmp from 192.168.2.2 to not 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 icmptype 8 recv rl0
ipfw -q add pass icmp from 192.168.2.2 to 192.168.2.1 icmptype 0,8 in recv rl0
ipfw -q add pass icmp from 192.168.1.0/24 to 192.168.1.1 icmptype 0,8 in recv re0
ipfw -q add pass udp from 10.192.34.5 to 192.168.248.21 53 out xmit ale0
ipfw -q add pass udp from 192.168.248.21 53 to 192.168.2.2 xmit rl0
ipfw -q add pass udp from 192.168.248.21 53 to 192.168.1.0/24 xmit re0
ipfw -q add nat 1 udp from 192.168.248.21 53 to 10.192.34.5 in recv ale0
ipfw -q add nat 1 udp from 192.168.2.2 to 192.168.248.21 53 recv rl0
ipfw -q add nat 1 udp from 192.168.1.0/24 to 192.168.248.21 53 recv re0
ipfw -q add pass tcp from 10.192.34.5 80,443,1024 to not 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 out xmit ale0
ipfw -q add pass tcp from 10.192.34.5 to 192.168.100.2,192.168.100.18,192.168.103.218 80,443 out xmit ale0
ipfw -q add pass tcp from 10.192.34.5 to not 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 80,443,5190 out xmit ale0
ipfw -q add pass tcp from 10.192.34.5 to 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 411,1025-32000 out xmit ale0
ipfw -q add pass tcp from 192.168.2.1 1024 to 192.168.2.2 out xmit rl0
ipfw -q add pass tcp from 192.168.100.2,192.168.100.18,192.168.103.218 80,443 to 192.168.2.2 out xmit rl0
ipfw -q add pass tcp from not 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 80,443,5190 to 192.168.2.2 xmit rl0
ipfw -q add pass tcp from 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 411,1025-32000 to 192.168.2.2 xmit rl0
ipfw -q add pass tcp from not 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 80,443,5190 to 192.168.1.0/24 xmit re0
ipfw -q add pass tcp from 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 411,1025-32000 to 192.168.1.0/24 xmit re0
ipfw -q add pass tcp from not 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 to 10.192.34.5 80,443,1024 in recv ale0
ipfw -q add pass tcp from 192.168.2.2 to 192.168.2.1 1024 in recv rl0
ipfw -q add nat 1 tcp from not 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 80,443,5190 to 10.192.34.5 in recv ale0
ipfw -q add nat 1 tcp from 192.168.100.2,192.168.100.18,192.168.103.218 80,443 to 10.192.34.5 in recv ale0
ipfw -q add nat 1 tcp from 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 411,1025-32000 to 10.192.34.5 in recv ale0
ipfw -q add nat 1 tcp from 192.168.2.2 to 192.168.100.2,192.168.100.18,192.168.103.218 80,443 recv rl0
ipfw -q add nat 1 tcp from 192.168.2.2 to not 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 80,443,5190 recv rl0
ipfw -q add nat 1 tcp from 192.168.2.2 to 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 411,1025-32000 recv rl0
ipfw -q add nat 1 tcp from 192.168.1.0/24 to not 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 80,443,5190 recv re0
ipfw -q add nat 1 tcp from 192.168.1.0/24 to 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 411,1025-32000 recv re0
ipfw -q add deny all from any to any
</pre>
</li>
<li><b>cron</b> Install the scripts and configure cron<br />
<b>/etc/scripts/Daily.sh</b>
<pre>
#!/bin/sh
# Daily job: rotate the passwords of user "es" and of root.
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/sbin:/usr/local/bin
export PATH
HOME=/root
export HOME
StartTime=`date +%s`
echo -e `date`"\n"`id`
# New password for "es": the string "es" followed by the day of the month.
echo es`date +"%d"` | pw mod user es -h 0
if [ $? -eq 0 ];then echo 'User Password: Changed'; else echo 'User Password: Error';fi
# New root password: "root", then $Symbol, then the day of the month.
# As posted this line had an unbalanced single quote (root'"$Symbol"...);
# fixed here. $Symbol is never assigned in this script, so it expands to
# nothing unless it is set before this line.
echo root"$Symbol"`date +"%d"` | pw mod user root -h 0
if [ $? -eq 0 ];then echo 'Root Password: Changed'; else echo 'Root Password: Error';fi
# Note that both passwords are derived from the calendar date alone.
echo -e 'Done in '$((`date +"%s"` - $StartTime))' seconds'"\n"
exit
</pre>
<b>/etc/scripts/Weekly.sh</b>
<pre>
#!/bin/sh
# Weekly job: mount the backup disk, dump the MBR, the file systems and all
# databases onto it, then unmount it again.
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/sbin:/usr/local/bin
export PATH
HOME=/root
export HOME
StartTime=`date +"%s"`
echo -e `date`"\n"`id`
# Mount the backup disk, retrying up to 5 times 3 seconds apart.
# NOTE: /etc/fstab above maps /dev/ad5s1a to /mnt and /dev/ad6s1a to the web
# root; the device names used in this script are the other way round, so
# check with df which disk is which before relying on it.
if [ "`df | grep /mnt`" ]; then
    echo 'Mount: Was Mounted'
else
    count=1
    while [ $count -le 5 ]
    do
        mount /dev/ad6s1a /mnt
        if [ $? -eq 0 ]
        then
            echo "Mount: Done in $count try"
            break
        else
            count=$(($count+1))
            sleep 3
            # Give up with a non-zero status so cron's log shows the failure.
            if [ $count -eq 6 ]; then echo 'Mount: Time Out, Aborting!'; exit 1; fi
        fi
    done
fi
# Boot sector, then level-0 dumps of each file system (-L snapshots a live FS).
dd if=/dev/ad4 of=/mnt/mbr.`date +"%Y-%m-%d"` bs=512 count=1
dump -0aLf - / | gzip -9 > /mnt/dump.root.`date +"%Y-%m-%d"`.gz
dump -0aLf - /usr | gzip -9 > /mnt/dump.usr.`date +"%Y-%m-%d"`.gz
dump -0aLf - /var | gzip -9 > /mnt/dump.var.`date +"%Y-%m-%d"`.gz
if [ "`df | grep /dev/ad5s1a`" ]; then dump -0aLf - /usr/local/http/source.y-es.ru | gzip -9 > /mnt/dump.source.`date +"%Y-%m-%d"`.gz; fi
# The password is passed on the command line, so it is visible in the process
# list while the dump runs; a mode-600 option file given with
# --defaults-extra-file avoids that.
mysqldump --user='MySQL-Dump' --password='Es1312456131!MySQL-Dump' --all-databases | gzip -9 > /mnt/dump.sql.`date +"%Y-%m-%d"`.gz
chmod 600 /mnt/dump.*.`date +"%Y-%m-%d"`.gz /mnt/mbr.`date +"%Y-%m-%d"`
ls -lhAoG /mnt/mbr.`date +"%Y-%m-%d"` /mnt/dump.*.`date +"%Y-%m-%d"`.gz
# Unmount with the same retry loop.
count=1
while [ $count -le 5 ]
do
    umount /mnt
    if [ $? -eq 0 ]
    then
        echo "Umount: Done in $count try"
        break
    else
        count=$(($count+1))
        sleep 3
        if [ $count -eq 6 ];then echo 'Umount: Time Out';fi
    fi
done
echo -e 'Done in '$((`date +"%s"` - $StartTime))' seconds'"\n"
exit
</pre>
<b>Logs</b>
<pre>
es@y-es:/usr/home/es# touch /var/log/log.Daily.sh /var/log/log.Weekly.sh
es@y-es:/usr/home/es# chmod 600 /var/log/log.Daily.sh /var/log/log.Weekly.sh
</pre>
<b>crontab</b>
<pre>
1,31 * * * * /bin/sh /root/cron/reqular.sh >> /var/log/log.cron.reqular 2>&1
0 0 * * * /bin/sh /root/cron/daily.sh >> /var/log/log.cron.daily 2>&1
10 0 * * 1 /bin/sh /root/cron/weekly.sh >> /var/log/log.cron.weekly 2>&1
30 1 28 * * /bin/sh /root/cron/monthly.sh >> /var/log/log.cron.monthly 2>&1
</pre>
</li>
<li><b>/etc/ssh/sshd_config</b> Remote access
<pre>
VersionAddendum v1.0
Port 1024
Protocol 2
PermitRootLogin no
MaxAuthTries 3
MaxSessions 3
PasswordAuthentication yes
PermitEmptyPasswords no
AllowUsers es
</pre></li>
<li><b>/etc/rc.conf</b> Main settings
<pre>
hostname="es-server"
dumpdev="NO"
update_motd="NO"
defaultrouter="10.192.32.1"
ifconfig_ale0="inet 10.192.34.5 netmask 255.255.252.0"
ifconfig_rl0="inet 192.168.2.1 netmask 255.255.255.252"
ifconfig_re0="inet 192.168.1.1 netmask 255.255.255.0"
gateway_enable="YES"
sshd_enable="YES"
firewall_enable="YES"
firewall_nat_enable="YES"
firewall_script="/root/firewall"
#kern_securelevel_enable="YES"
#kern_securelevel="3"
mysql_enable="YES"
nginx_enable="YES"
php_fpm_enable="YES"
</pre>
</li>
<li><b>/etc/sysctl.conf</b> Restrict users
<pre>
security.bsd.see_other_uids=0
</pre>
</li>
<li><b>permissions</b> Restrict access to important system files
<pre>
es@y-es:/usr/home/es# chmod -R 700 /root
es@y-es:/usr/home/es# chmod 600 /etc/rc.conf \
    /etc/sysctl.conf \
    /etc/ttys \
    /etc/motd \
    /etc/resolv.conf \
    /etc/fstab \
    /etc/hosts \
    /etc/crontab
</pre>
</li>
<li><b>reboot</b> Reboot</li>
</ol>
<h3>4. Server installation</h3>
<ol>
<li>MySQL
<pre>
es@y-es:/usr/home/es# cd /usr/ports/databases/mysql55-server/ && make && make install
</pre>
</li>
<li>PHP
<pre>
es@y-es:/usr/home/es# cd /usr/ports/www/spawn-fcgi/ && make && make install
es@y-es:/usr/home/es# cd /usr/ports/www/php5/ && make && make install (+fpm)
es@y-es:/usr/home/es# cd /usr/ports/www/php5-extensions/ && make && make install (+fileinfo,mysql,mbstring,iconv-sqlite3)
</pre>
</li>
<li>NGINX
<pre>
es@y-es:/usr/home/es# cd /usr/ports/www/nginx/ && make && make install
</pre>
</li>
</ol>
<h3>5. Server configuration</h3>
<h4>1. NGINX</h4>
<ol>
<li>Logs
<pre>
es@y-es:/usr/home/es# touch /var/log/log.nginx.access=localhost \
    /var/log/log.nginx.access=www.y-es.ru \
    /var/log/log.nginx.access=wgm.y-es.ru \
    /var/log/log.nginx.error \
    /var/log/log.nginx.error=localhost \
    /var/log/log.nginx.error=www.y-es.ru \
    /var/log/log.nginx.error=wgm.y-es.ru
es@y-es:/usr/home/es# chmod 600 /var/log/log.nginx.access=localhost \
    /var/log/log.nginx.access=www.y-es.ru \
    /var/log/log.nginx.access=wgm.y-es.ru \
    /var/log/log.nginx.error \
    /var/log/log.nginx.error=localhost \
    /var/log/log.nginx.error=www.y-es.ru \
    /var/log/log.nginx.error=wgm.y-es.ru
</pre>
</li>
<li><b>/usr/local/etc/nginx/nginx.conf</b>
<pre>
user www www;
worker_processes 1;
error_log /var/log/log.nginx.error;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/log.nginx.access main;
    sendfile on;
    keepalive_timeout 0;
    server {
        listen 10.192.34.5:80;
        server_name localhost 192.168.1.1 192.168.2.1 10.192.34.5 188.134.16.64;
        charset utf-8;
        access_log /var/log/log.nginx.access=localhost main;
        error_log /var/log/log.nginx.error=localhost;
        error_page 403 404 500 502 503 504 /index.html;
        if ($host = 'y-es.ru') {
            rewrite ^/(.*)$ http://www.y-es.ru/ permanent;
        }
        location / {
            root /usr/local/http/localhost;
            index index.html;
        }
    }
    server {
        listen 10.192.34.5:80;
        server_name www.y-es.ru;
        access_log /var/log/log.nginx.access=www.y-es.ru main;
        error_log /var/log/log.nginx.error=www.y-es.ru;
        error_page 403 404 500 502 503 504 /error.html;
        location / {
            root /usr/local/http/www.y-es.ru;
            index index.html;
        }
        location ~ \.php$ {
            deny all;
        }
        location ~ \.html$ {
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_param SCRIPT_FILENAME /usr/local/http/www.y-es.ru/index.php;
            include fastcgi_params;
        }
    }
    server {
        listen 10.192.34.5:80;
        server_name wgm.y-es.ru;
        access_log /var/log/log.nginx.access=wgm.y-es.ru main;
        error_log /var/log/log.nginx.error=wgm.y-es.ru;
        error_page 404 500 502 503 504 /index.html;
        location / {
            root /usr/local/http/wgm.y-es.ru;
            index index.html;
        }
        location ~ \.php$ {
            deny all;
        }
        location ~ \.html$ {
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_param SCRIPT_FILENAME /usr/local/http/wgm.y-es.ru/data/data.php;
            include fastcgi_params;
        }
    }
}
</pre>
</li>
<li>php-fpm</li>
</ol>
<b>php-fpm</b>
<pre>
security.limit_extensions =
</pre>
<b>php.ini</b>
<pre>
date.timezone = "Europe/Moscow"
date.default_latitude = 59.57
date.default_longitude = 30.19
</pre>
</body>
</html>
>Release-Note:
>Audit-Trail:
>Unformatted:
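The permissions step of the attached guide sets several files under /etc to mode 600, and the report's own symptom is a dynamic loader that cannot open a library under /lib. A practitioner would follow a hardening pass like that with a check that the files unprivileged processes still have to read (the resolver file, the hosts file, shared libraries) kept their other-read bit. The script below is an added example, not code from the PR or from the guide; it builds a constructed miniature of the layout in a temporary directory so it runs offline, and the names `demo_dir`, `other_bits`, `check_world_readable` and `demo_check` are this example's own.

```shell
#!/bin/sh
# Added example, not part of the PR or of the attached guide.
# After a chmod 600 hardening pass, confirm that files which unprivileged
# processes still need to read have kept their other-read bit.

# other_bits PATH: print the "other" permission triplet (e.g. "r--" or "---")
# taken from ls -l, which has the same layout on FreeBSD and Linux.
other_bits() {
    ls -ld "$1" | cut -c8-10
}

# check_world_readable PATH...: print one line per path that is missing or not
# world-readable; return 0 when every path passed, 1 otherwise.
check_world_readable() {
    rc=0
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            echo "MISSING             $f"
            rc=1
        elif [ "$(other_bits "$f" | cut -c1)" != "r" ]; then
            echo "NOT WORLD-READABLE  $f  (mode $(ls -ld "$f" | cut -c1-10))"
            rc=1
        fi
    done
    return $rc
}

# Constructed miniature of the guide's layout (hypothetical copies, not the
# real /etc or /lib): a resolver file locked to 600 as the guide does, and a
# shared library left at the default 444.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
mkdir -p "$demo_dir/etc" "$demo_dir/lib"
echo "nameserver 192.168.248.21" > "$demo_dir/etc/resolv.conf"
: > "$demo_dir/lib/libedit.so.7"
chmod 600 "$demo_dir/etc/resolv.conf"
chmod 444 "$demo_dir/lib/libedit.so.7"

# demo_check: run the check over the miniature; it reports resolv.conf and
# returns 1 because one of the two paths is not world-readable.
demo_check() {
    check_world_readable "$demo_dir/etc/resolv.conf" "$demo_dir/lib/libedit.so.7"
}

demo_check || echo "permission check failed with status $?"
```

The check reads the mode bits from `ls -ld` rather than testing `[ -r ]`, because a script run from root's crontab can read everything and would never notice that the resolver's own unprivileged caller cannot.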
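The sshd_config step in the guide is the one service the gateway exposes to remote logins, so its settings are worth auditing mechanically rather than by eye. The script below is an added example, not part of the PR or of the guide: it embeds the guide's sshd_config lines as a constructed sample, reads them the way sshd does (first occurrence of a keyword wins, keywords are case-insensitive, comments are skipped), prints a finding for each setting a defender would want tightened, and shows the same audit passing on a corrected sample that turns password logins off in favour of public keys. The function names `sshd_value` and `audit_sshd` and the two temporary files are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the PR or of the attached guide: audit an
# sshd_config for the settings the guide's remote-access step touches.

# Constructed sample: the guide's sshd_config lines, written to a temp file.
WEAK=$(mktemp)
cat > "$WEAK" <<'EOF'
VersionAddendum v1.0
Port 1024
Protocol 2
PermitRootLogin no
MaxAuthTries 3
MaxSessions 3
PasswordAuthentication yes
PermitEmptyPasswords no
AllowUsers es
EOF

# Constructed corrected sample: the same file with password logins turned
# off and public-key authentication turned on.
HARDENED=$(mktemp)
{
    grep -v '^PasswordAuthentication' "$WEAK"
    echo "PasswordAuthentication no"
    echo "PubkeyAuthentication yes"
} > "$HARDENED"
trap 'rm -f "$WEAK" "$HARDENED"' EXIT

# sshd_value FILE KEYWORD: print the effective value of KEYWORD. sshd uses the
# first occurrence and matches keywords case-insensitively; comment and blank
# lines are skipped. Prints nothing when the keyword is absent.
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# audit_sshd FILE: print one FINDING line per weak or missing setting and
# return the number of findings (0 means the file passed).
audit_sshd() {
    f=$1
    n=0
    [ "$(sshd_value "$f" PermitRootLogin)" = "no" ] ||
        { echo "FINDING PermitRootLogin is not 'no'"; n=$((n + 1)); }
    [ "$(sshd_value "$f" PermitEmptyPasswords)" = "no" ] ||
        { echo "FINDING PermitEmptyPasswords is not 'no'"; n=$((n + 1)); }
    [ "$(sshd_value "$f" PasswordAuthentication)" = "no" ] ||
        { echo "FINDING PasswordAuthentication is on; use PubkeyAuthentication and set it to no"; n=$((n + 1)); }
    [ -n "$(sshd_value "$f" AllowUsers)" ] ||
        { echo "FINDING AllowUsers is unset; restrict logins to named accounts"; n=$((n + 1)); }
    tries=$(sshd_value "$f" MaxAuthTries)
    { [ -n "$tries" ] && [ "$tries" -le 3 ]; } ||
        { echo "FINDING MaxAuthTries is unset or above 3"; n=$((n + 1)); }
    return $n
}

echo "guide's config:";   audit_sshd "$WEAK"     || echo "  findings: $?"
echo "corrected config:"; audit_sshd "$HARDENED" && echo "  findings: 0"
```

Against the guide's file the audit reports exactly one finding, the `PasswordAuthentication yes` line; moving the listening port to 1024 is not treated as a control either way, since it only changes where the same password prompt is offered.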