Topic: Re: SME Sever-Manager fails login with Can't exec "/usr/bin/pwauth": Permission denied

[Jean-Philippe Pialasse]

please give the result of

Code: [Select]

ll /usr/bin/pwauth

rpm -q pwauth
rpm -V pwauth

then do

Code: [Select]

rpm —setugids pwauth
rpm —setperms pwauth

[waldviertler]

Code: [Select]

[root@www ~]# ll /usr/bin/pwauth
-rwsr-x---. 1 root apache 11272 12. Apr 2016  /usr/bin/pwauth
[root@www ~]#
[root@www ~]# rpm -q pwauth
pwauth-2.3.10-10.el7.sme.x86_64
[root@www ~]# rpm -V pwauth
SM5....T.    /etc/pam.d/pwauth
And after that I have done:

Code: [Select]

rpm -setugids pwauth
rpm -setperms pwauth

[waldviertler]

Still the same thing.
Have to change from root apache to root www -> then I have access.

[Jean-Philippe Pialasse]

there is an issue in your install. www and apache should be the same user
chown root:www is not the solution even if you got access back. you will have a lot more hidden issues

grep apache /etc/passwd
grep www /etc/passwd

[waldviertler]

[root@www ~]# grep apache /etc/passwd

Code: [Select]

apache:x:102:102:Apache:/var/www:/sbin/nologin[root@www ~]# grep www /etc/passwd

Code: [Select]

apache:x:102:102:Apache:/var/www:/sbin/nologin
www:x:102:102:SME Server web server:/home/e-smith:/bin/false

[Jean-Philippe Pialasse]

grep apache /etc/group

[waldviertler]

grep apache /etc/group

Code: [Select]

apache:x:102:

[Jean-Philippe Pialasse]

ok,
first thing I managed to split the two topics correctly, so we will be at ease now to focus on your issue : pwauth

this one should give the full picture:

Code: [Select]

grep 102 /etc/passwd /etc/group

[waldviertler]

Thanks!

grep 102 /etc/passwd /etc/group

Code: [Select]

/etc/passwd:apache:x:102:102:Apache:/var/www:/sbin/nologin
/etc/passwd:www:x:102:102:SME Server web server:/home/e-smith:/bin/false
/etc/group:apache:x:102:

[Jean-Philippe Pialasse]

• you are missing a group, or www group has an incorrect gid
• expected order in passwd is reversed

Code: [Select]

# grep 102 /etc/passwd /etc/shadow /etc/group
/etc/passwd:www:x:102:102:SME Server web server:/home/e-smith:/bin/false
/etc/passwd:apache:x:102:102:Apache:/var/www:/sbin/nologin
/etc/group:www:x:102:admin
/etc/group:apache:x:102:

first thing first :

Code: [Select]

grep www /etc/group

[waldviertler]

grep www /etc/group

(I changed here the real user names to user1 and so on, and the real ibay names to ibay1 and so on.)

Code: [Select]

shared:x:500:admin,ibay1,user1,user2,user3,user4,user5,ibay2,ibay3,ibay4,user6,user7,ibay5,public,user8,ibay6,ibay7,user8,sysinfo,user9,uucp,ibay8,user10,www
www:x:104:admin
test:x:5009:admin,user1,user2,user3,user4,www
faxmaster:x:5016:admin,user1,user2,www

[Jean-Philippe Pialasse]

ok quite unexpected.

www gid is defined upon installation of base rpm and is set to 102.

are you able to check files from your backup you restored to see what in the /etc/group for www?


also check if this command (which can take a while to run depending on the amount of data you have)

Code: [Select]

find / -group 104
the fix will be to restore the correct gid to www group but first need to see if any files have been incorrectly set.  this could maybe help find the issue and discover if we only need a temp fix for you or need to implement something.

please send the list to security at koozali dot org.



also this command could help see the process of restore if you used console restore

grep ^www -r /var/cache/e-smith/restore/etc/

[waldviertler]

I mailed the list.
I have problems with major updates since SME7...
I will check the /etc/group in backup as soon as possible -

grep ^www -r /var/cache/e-smith/restore/etc/

Code: [Select]

/var/cache/e-smith/restore/etc/passwd.1624659034:www:x:102:102:SME Server web server:/home/e-smith:/bin/false
/var/cache/e-smith/restore/etc/shadow.1624659034:www:!!:18803:0:99999:7:::
/var/cache/e-smith/restore/etc/group.1624659034:www:x:102:admin
/var/cache/e-smith/restore/etc/gshadow.1624659034:www:!::admin

[Jean-Philippe Pialasse]

this last grep tell me you were correct before migration. this is a copy of the migration process.

the fix

Code: [Select]


groupmod -g 102 www



a last check, you do not want to do the next step if 104 is also in use for something else than www so

Code: [Select]

grep :104: /etc/group

then to fix existing files, i saw in your sent file

Code: [Select]

find / -group 104 -not -path "/proc*" -exec chgrp -h www {} \;
just to be safe i would restart httpd-e-smith first and try to acces horde webmail.  then do a post-upgrade reboot

[waldviertler]

This is the result from check:

grep :104: /etc/group

Code: [Select]

www:x:104:admin
Is it save to apply the fix?