From: "Mr. Daniel Browne" <dbrowne@(email suppressed)>
Subject: Login/Logout hook scripts on Linux
   Date: Wed, 20 Mar 2013 16:19:57 -0400
Msg# 2316
View Complete Thread (9 articles) | All Threads
Hi Greg,

No matter what I try I simply cannot get any of the rush -online/-offline commands to execute when included in the linux /etc/gdm/PostLogin/Default or /etc/gdm/PostSession/Default scripts. They will work fine if the script is executed manually from the shell but when the scripts are run behind the scenes by the gnome login window. My other commands in the scripts seem to work fine. Is there an environment variable or some other element needed that /usr/local/rush/bin/rush might not be getting?

-Dan


----------
Dan "Doc" Browne
System Administrator
Evil Eye Pictures

dbrowne@(email suppressed)
Office: (415) 777-0666 x105


   From: Greg Ercolano <erco@(email suppressed)>
Subject: Re: Login/Logout hook scripts on Linux
   Date: Wed, 20 Mar 2013 16:35:14 -0400
Msg# 2317
On 03/20/13 13:19, Mr. Daniel Browne wrote:
> [posted to rush.general]
> 
> Hi Greg,
> 
> No matter what I try I simply cannot get any of the rush
> -online/-offline commands to execute when included in the linux
> /etc/gdm/PostLogin/Default or /etc/gdm/PostSession/Default scripts.

	What's the error output say from the command?
	Paste the output here.

	If you're not sure where the error output goes when the scripts run,
	redirect the output to a log file, e.g.

rush -offline >> /tmp/test.log 2>&1

	..then logout/in to inspect the log to see what the errors are.


> They
> will work fine if the script is executed manually from the shell but
> when the scripts are run behind the scenes by the gnome login window. My
> other commands in the scripts seem to work fine. Is there an environment
> variable or some other element needed that /usr/local/rush/bin/rush
> might not be getting?

	Other than the PATH, no, can't think of any.
	And you can avoid that with an absolute path to the command..

-- 
Greg Ercolano, erco@(email suppressed)
Seriss Corporation
Rush Render Queue, http://seriss.com/rush/

Tel: (Tel# suppressed)ext.23
Fax: (Tel# suppressed)
Cel: (Tel# suppressed)


   From: "Mr. Daniel Browne" <dbrowne@(email suppressed)>
Subject: Re: Login/Logout hook scripts on Linux
   Date: Wed, 20 Mar 2013 16:50:55 -0400
Msg# 2318
ah ha; the error is rush: 'rush -offline': bing: can't open port lock file '/usr/local/rush/var/nextport': Permission denied

On Mar 20, 2013, at 1:35 PM, Greg Ercolano wrote:

[posted to rush.general]

On 03/20/13 13:19, Mr. Daniel Browne wrote:
> [posted to rush.general]
> 
> Hi Greg,
> 
> No matter what I try I simply cannot get any of the rush
> -online/-offline commands to execute when included in the linux
> /etc/gdm/PostLogin/Default or /etc/gdm/PostSession/Default scripts.

	What's the error output say from the command?
	Paste the output here.

	If you're not sure where the error output goes when the scripts run,
	redirect the output to a log file, e.g.

rush -offline >> /tmp/test.log 2>&1

	..then logout/in to inspect the log to see what the errors are.


> They
> will work fine if the script is executed manually from the shell but
> when the scripts are run behind the scenes by the gnome login window. My
> other commands in the scripts seem to work fine. Is there an environment
> variable or some other element needed that /usr/local/rush/bin/rush
> might not be getting?

	Other than the PATH, no, can't think of any.
	And you can avoid that with an absolute path to the command..

-- 
Greg Ercolano, erco@(email suppressed)
Seriss Corporation
Rush Render Queue, http://seriss.com/rush/

Tel: (Tel# suppressed)ext.23
Fax: (Tel# suppressed)
Cel: (Tel# suppressed)


----------
Dan "Doc" Browne
System Administrator
Evil Eye Pictures

dbrowne@(email suppressed)
Office: (415) 777-0666 x105


   From: Greg Ercolano <erco@(email suppressed)>
Subject: Re: Login/Logout hook scripts on Linux
   Date: Wed, 20 Mar 2013 17:28:47 -0400
Msg# 2319
On 03/20/13 13:50, Mr. Daniel Browne wrote:
> [posted to rush.general]
> 
> ah ha; the error is rush: 'rush -offline': bing: can't open port lock
> file '/usr/local/rush/var/nextport': Permission denied

    Hmm, that would mean /usr/local/rush/bin/rush has lost its setuid permissions.
    To fix that, run this as root on that machine:

chown 0.0 /usr/local/rush/bin/{rush,rushd}
chmod 4755 /usr/local/rush/bin/{rush,rushd}

    ..and on any other machine where the perms aren't rwsr-xr-x for the rush + rushd
    binaries.



-- 
Greg Ercolano, erco@(email suppressed)
Seriss Corporation
Rush Render Queue, http://seriss.com/rush/

Tel: (Tel# suppressed)ext.23
Fax: (Tel# suppressed)
Cel: (Tel# suppressed)


   From: Greg Ercolano <erco@(email suppressed)>
Subject: Re: Login/Logout hook scripts on Linux
   Date: Wed, 20 Mar 2013 17:42:51 -0400
Msg# 2320
On 03/20/13 14:28, Greg Ercolano wrote:
> [posted to rush.general]
> 
> On 03/20/13 13:50, Mr. Daniel Browne wrote:
>> [posted to rush.general]
>>
>> ah ha; the error is rush: 'rush -offline': bing: can't open port lock
>> file '/usr/local/rush/var/nextport': Permission denied
> 
>     Hmm, that would mean /usr/local/rush/bin/rush has lost its setuid permissions.
>     To fix that, run this as root on that machine:
> 
> chown 0.0 /usr/local/rush/bin/{rush,rushd}
> chmod 4755 /usr/local/rush/bin/{rush,rushd}

    I'm concerned if those perms were changed, others might be broken as well.

    Is it possible someone might have executed a runaway chown/chmod command
    that hit the entire /usr/local/rush directory?

    Under unix, many of the rush files and dirs need very specific permissions
    to operate securely, and a few /must/ be set to operate at all.

    To operate at all, the rush + rushd binaries /must/ be 4755 root/root
    or root/wheel:

$ ls -la /usr/local/rush/bin/{rush,rushd}
-rwsr-xr-x 1 root root 1234568 Feb  6 21:00 /usr/local/rush/bin/rush
-rwsr-xr-x 1 root root 1618864 Feb  6 21:00 /usr/local/rush/bin/rushd
^^^^^^^^^^   ^^^^^^^^^
  |           |
  |           Should root/root (linux) or root/wheel (mac)
  |
  The 's' is important

    For these setuid programs to be secure, the parent dirs should really
    be 755 and root/root as well, eg:

$ ls -lad /usr/local/rush /usr/local/rush/bin
drwxr-xr-x 11 root root 4096 Feb  6 21:00 /usr/local/rush
drwxr-xr-x  3 root root 4096 Feb  6 21:00 /usr/local/rush/bin
^^^^^^^^^^    ^^^^^^^^^

    For security, the entire rush/etc and rush/var directory hierarchy
    should be owned by root and either 755 (for scripts and the dir itself)
    or 644 (for non-executable files).

    Under normal circumstances, no files in rush/etc or rush/var
    should be writable to anyone other than root.

    When you extract the tar file with the 'p' flag, the perms should
    be correct, and the install script enforces the above perms on the
    rush binaries.


-- 
Greg Ercolano, erco@(email suppressed)
Seriss Corporation
Rush Render Queue, http://seriss.com/rush/

Tel: (Tel# suppressed)ext.23
Fax: (Tel# suppressed)
Cel: (Tel# suppressed)
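
The permission requirements listed in the message above, turned into an audit script. This is an added example, not part of the original thread and not Seriss code; it assumes GNU `stat`, and the function names and the optional second argument (expected owner uid, default 0) are hypothetical.

```sh
#!/bin/sh
# Added example: audit the rush permissions described in the thread.
# Usage: audit_rush_perms [RUSH_DIR] [OWNER_UID]
#   defaults: /usr/local/rush and uid 0 (root). Group ownership is not checked.

# Hypothetical helper: compare "octal-mode uid" of a path against the expected value.
expect_perm() {
    got=$(stat -c '%a %u' "$1" 2>/dev/null) || got="missing"
    [ "$got" = "$2" ] && return 0
    echo "FAIL: $1 is '$got', expected '$2'"
    return 1
}

audit_rush_perms() {
    rush_dir=${1:-/usr/local/rush}
    owner_uid=${2:-0}
    bad=0

    # The setuid binaries: 4755 (rwsr-xr-x), owned by root.
    for f in "$rush_dir/bin/rush" "$rush_dir/bin/rushd"; do
        expect_perm "$f" "4755 $owner_uid" || bad=1
    done

    # Their parent directories: 755, owned by root.
    for d in "$rush_dir" "$rush_dir/bin"; do
        expect_perm "$d" "755 $owner_uid" || bad=1
    done

    # etc/ and var/: nothing owned by another user, nothing group- or
    # world-writable (symlinks skipped, their mode bits are not meaningful).
    for sub in etc var; do
        [ -d "$rush_dir/$sub" ] || continue
        offenders=$(find "$rush_dir/$sub" ! -type l \
            \( ! -user "$owner_uid" -o -perm -020 -o -perm -002 \) -print)
        if [ -n "$offenders" ]; then
            echo "FAIL: under $rush_dir/$sub, wrong owner or writable by non-root:"
            echo "$offenders"
            bad=1
        fi
    done

    # Exit status 0 only when every check passed.
    [ "$bad" -eq 0 ]
}
```

Running `audit_rush_perms` with no arguments checks the default install path from the thread; a non-zero exit status means at least one FAIL line was printed.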


   From: "Mr. Daniel Browne" <dbrowne@(email suppressed)>
Subject: Re: Login/Logout hook scripts on Linux
   Date: Wed, 20 Mar 2013 18:01:25 -0400
Msg# 2321
The SUID bits are set on the file, but I think that something is overriding/blocking the behavior when it runs from GDM.


On Mar 20, 2013, at 2:28 PM, Greg Ercolano wrote:

[posted to rush.general]

On 03/20/13 13:50, Mr. Daniel Browne wrote:
> [posted to rush.general]
> 
> ah ha; the error is rush: 'rush -offline': bing: can't open port lock
> file '/usr/local/rush/var/nextport': Permission denied

   Hmm, that would mean /usr/local/rush/bin/rush has lost its setuid permissions.
   To fix that, run this as root on that machine:

chown 0.0 /usr/local/rush/bin/{rush,rushd}
chmod 4755 /usr/local/rush/bin/{rush,rushd}

   ..and on any other machine where the perms aren't rwsr-xr-x for the rush + rushd
   binaries.



-- 
Greg Ercolano, erco@(email suppressed)
Seriss Corporation
Rush Render Queue, http://seriss.com/rush/

Tel: (Tel# suppressed)ext.23
Fax: (Tel# suppressed)
Cel: (Tel# suppressed)


----------
Dan "Doc" Browne
System Administrator
Evil Eye Pictures

dbrowne@(email suppressed)
Office: (415) 777-0666 x105


   From: Greg Ercolano <erco@(email suppressed)>
Subject: Re: Login/Logout hook scripts on Linux
   Date: Wed, 20 Mar 2013 18:11:16 -0400
Msg# 2322
On 03/20/13 15:01, Mr. Daniel Browne wrote:
> The SUID bits are set on the file, but I think that something is
> overriding/blocking the behavior when it runs from GDM.

	Hmm, shouldn't be.
	I'm assuming the commands work from the terminal as the user, right?

	Is there anything in the /var/log/messages or dmesg
	indicating a problem from the kernel?

	Otherwise, paste the output of:

ls -lad /usr /usr/local /usr/local/rush
ls -lad /usr/local/rush/bin /usr/local/rush/bin/{rush,rushd}

	We need to make sure all the parent dirs are 755 root/root,
	as the OS might not like setuid binaries lying around in dirs
	that are writable to other than root.

-- 
Greg Ercolano, erco@(email suppressed)
Seriss Corporation
Rush Render Queue, http://seriss.com/rush/

Tel: (Tel# suppressed)ext.23
Fax: (Tel# suppressed)
Cel: (Tel# suppressed)


   From: "Mr. Daniel Browne" <dbrowne@(email suppressed)>
Subject: Re: Login/Logout hook scripts on Linux
   Date: Wed, 20 Mar 2013 18:30:48 -0400
Msg# 2323
Yes, the commands work in the user's terminal. There are no errors recorded in either log. Here's the LS output:

dbrowne[bing] ~ (43)% ls -lad /usr /usr/local /usr/local/rush
drwxr-xr-x. 15 root root 4096 Oct  9  2011 /usr
drwxr-xr-x. 21 root root 4096 Mar 13 16:00 /usr/local
drwxr-xr-x. 11 root root 4096 Nov 23  2009 /usr/local/rush

dbrowne[bing] ~ (44)% ls -lad /usr/local/rush/bin /usr/local/rush/bin/{rush,rushd}
drwxr-xr-x. 2 root root    4096 Nov 23  2009 /usr/local/rush/bin
-rwsr-xr-x. 1 root root  949384 Nov 23  2009 /usr/local/rush/bin/rush
-rwsr-xr-x. 1 root root 1272168 Nov 23  2009 /usr/local/rush/bin/rushd



On Mar 20, 2013, at 3:11 PM, Greg Ercolano wrote:

ls -lad /usr/local/rush/bin /usr/local/rush/bin/{rush,rushd}

----------
Dan "Doc" Browne
System Administrator
Evil Eye Pictures

dbrowne@(email suppressed)
Office: (415) 777-0666 x105


   From: Greg Ercolano <erco@(email suppressed)>
Subject: Re: Login/Logout hook scripts on Linux
   Date: Wed, 20 Mar 2013 19:15:14 -0400
Msg# 2324
On 03/20/13 15:30, Mr. Daniel Browne wrote:
> Yes, the commands work in the user's terminal. There are no errors
> recorded in either log. Here's the LS output:

	The 'ls' output looked fine.

	We talked by phone and found the problem:  selinux was "on".

	Turning it off solved the problem.


-- 
Greg Ercolano, erco@(email suppressed)
Seriss Corporation
Rush Render Queue, http://seriss.com/rush/

Tel: (Tel# suppressed)ext.23
Fax: (Tel# suppressed)
Cel: (Tel# suppressed)