rsh works for root, not testuser

mathog
Posts: 109
Joined: 2008/07/09 23:52:06

rsh works for root, not testuser

Post by mathog » 2019/11/22 22:08:23

Cluster of machines with the master NFS serving a user's home directory to the compute nodes. Both root and testuser have ~/.rhosts files.
For root that is a separate copy on each machine in /root/.rhosts while for testuser it is ~testuser/.rhosts which is local on the master machine but NFS mounted on all the other nodes. From everything I can see rsh should work exactly the same for root and testuser. Yet it does not.

Both can do this successfully:

Code: Select all

#from master
rsh node1 'hostname'
However, when run like this:

Code: Select all

#from node1
rsh node2 'hostname'
it only works for root. For testuser it emits

Code: Select all

rcmd: socket: Permission denied
selinux is disabled, so it cannot be the problem. Nothing relevant shows up in /var/log/messages or /var/log/secure.

One difference, on the nodes where rsh does NOT work for testuser:

Code: Select all

rpm -V $(rpm -q -f /bin/rsh)
........P    /usr/bin/rcp
........P    /usr/bin/rlogin
........P    /usr/bin/rsh
on the master:

Code: Select all

rpm -V $(rpm -q -f /usr/bin/rsh)
#nothing
but (everywhere)

Code: Select all

ls -al /bin/rsh 
-rwxr-xr-x. 1 root root 15656 Oct 30  2018 /bin/rsh
Finally:

Code: Select all

getcap /bin/rsh #on master
/bin/rsh = cap_net_bind_service+ep

getcap /bin/rsh #on node1
#nothing
Which suggests some sort of install or permission problem. (Never seen getcap before.)
So as root on all nodes did:

Code: Select all

setcap cap_net_bind_service+ep /bin/rsh
setcap cap_net_bind_service+ep /bin/rcp
setcap cap_net_bind_service+ep /bin/rlogin
And everything was working again.

Any idea what could cause this problem to have appeared in the first place?
Some way to check all the installed packages for similar issues (rather than waiting around for them to bite me at some later date)?
Thanks.

mathog
Posts: 109
Joined: 2008/07/09 23:52:06

Re: rsh works for root, not testuser

Post by mathog » 2019/11/22 22:36:41

Code: Select all

#on master
getcap -r / 2>/dev/null
/usr/bin/rlogin = cap_net_bind_service+ep
/usr/bin/ping = cap_net_admin,cap_net_raw+p
/usr/bin/rcp = cap_net_bind_service+ep
/usr/bin/rsh = cap_net_bind_service+ep
/usr/bin/newuidmap = cap_setuid+ep
/usr/bin/newgidmap = cap_setgid+ep
/usr/sbin/arping = cap_net_raw+p
/usr/sbin/clockdiff = cap_net_raw+p

#on a node
getcap /usr/bin/rlogin
/usr/bin/rlogin = cap_net_bind_service+ep
getcap /usr/bin/ping
getcap /usr/bin/rcp
/usr/bin/rcp = cap_net_bind_service+ep
getcap /usr/bin/rsh
/usr/bin/rsh = cap_net_bind_service+ep
getcap /usr/bin/newuidmap
/usr/bin/newuidmap = cap_setuid+ep
getcap /usr/bin/newgidmap
/usr/bin/newgidmap = cap_setgid+ep
getcap /usr/sbin/arping
getcap /usr/sbin/clockdiff
So it seems ping/arping/clockdiff (from iputils), and rcp/rsh/rlogin (from rsh) were all somehow messed up.
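
An added example, not part of the posts above: one way to look for this kind of drift across a whole system, using the `P` (capabilities differ) flag that `rpm -V` prints and a comparison of two `getcap -r` listings. The function names and the sample listings are constructed for illustration from the outputs quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Sample data below is constructed
# from the outputs quoted in the posts.

# Read `rpm -Va` output on stdin; print paths whose 9th verify flag is
# "P" (file capabilities differ from what the package recorded).
caps_flagged() {
    awk 'length($1) == 9 && substr($1, 9, 1) == "P" {
             print substr($0, index($0, "/"))
         }'
}

# caps_drift REFERENCE ACTUAL: both files hold `getcap -r` output,
# one "path = caps" entry per line. Print each REFERENCE path whose
# capabilities are absent or different in ACTUAL.
caps_drift() {
    awk -v actual="$2" '
        BEGIN { while ((getline line < actual) > 0) {
                    split(line, f, " "); have[f[1]] = line } }
        have[$1] != $0 { print $1 }' "$1"
}

# Constructed demo: a reference listing versus a node that lost the
# iputils capabilities.
demo() {
    ref=$(mktemp) && node=$(mktemp) || return 1
    cat > "$ref" <<'EOF'
/usr/bin/ping = cap_net_admin,cap_net_raw+p
/usr/bin/rsh = cap_net_bind_service+ep
/usr/sbin/arping = cap_net_raw+p
EOF
    cat > "$node" <<'EOF'
/usr/bin/rsh = cap_net_bind_service+ep
EOF
    caps_drift "$ref" "$node"
    rm -f "$ref" "$node"
}

# Real use, as root on a node:
#   rpm -Va 2>/dev/null | caps_flagged
#   getcap -r / 2>/dev/null > node.caps; caps_drift master.caps node.caps
demo
```

The same comparison can be run against `getcap -r` output taken inside the image directory to check the image before it is deployed.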

chemal
Posts: 613
Joined: 2013/12/08 19:44:49

Re: rsh works for root, not testuser

Post by chemal » 2019/11/22 22:38:22

mathog wrote:
2019/11/22 22:08:23
Any idea what could cause this problem to have appeared in the first place?
You didn't say how the nodes were installed, but I guess not with the CentOS installer.

mathog
Posts: 109
Joined: 2008/07/09 23:52:06

Re: rsh works for root, not testuser

Post by mathog » 2019/11/22 22:58:19

chemal wrote:
2019/11/22 22:38:22
You didn't say how the nodes were installed, but I guess not with the CentOS installer.
Complicated. One machine was attached to the campus net and CentOS 7 installed on it. Then it was updated.
Then a copy was made to be distributed with systemimager/PXE boot etc. Copy to that image was (effectively)

Code: Select all

(cd /; tar -cf - . ) | rsh master 'cd /var/lib/systemimager/CentOS7-image; tar -xf -'
Then all the nodes were imaged by doing that in reverse after PXE boot of an installer.

Subsequently packages which got out of sync between the master and the compute nodes would be updated.
That was done by downloading them to $HOLDDIR and then on the master:

Code: Select all

HOLDDIR=/usr/common/tmp/yum_rpms
INSTALLSTRING="--disablerepo=\\* -y install $HOLDDIR/*"
#modified rsh, runs command on each node named in file specified by -f
/usr/common/bin/rsh  -f /usr/common/etc/machines.LINUX_INTEL64_PLAIN \
  "hostname; yum $INSTALLSTRING; echo ''"
The image is also updated in a similar manner but in a chroot bash shell.

Anyway, the capabilities which were mucked up were all broken on the image too. So it either happened on the initial install, when the image was copied to the master machine, or subsequently on upgrades for those packages. Checking all the yum log files. Nope, neither rsh nor iputils was updated since then. One of the first two then.

chemal
Posts: 613
Joined: 2013/12/08 19:44:49

Re: rsh works for root, not testuser

Post by chemal » 2019/11/22 23:04:25

By default, tar doesn't save extended attributes. That's why you lost them. Option --xattrs may be worth a try. I remember having used star once because of this.

mathog
Posts: 109
Joined: 2008/07/09 23:52:06

Re: rsh works for root, not testuser

Post by mathog » 2019/11/22 23:46:16

chemal wrote:
2019/11/22 23:04:25
By default, tar doesn't save extended attributes. That's why you lost them. Option --xattrs may be worth a try. I remember having used star once because of this.
I think you are right. Searching turned up people complaining about ping not working on imaged machines for the same reason. Why on earth would a current version of tar not enable xattrs? Anyway, apparently it does not, and here

https://stackoverflow.com/questions/424 ... -namespace

they say that what is actually needed is

Code: Select all

  --xattrs --xattrs-include=*
both on creation and extraction.

(edit)

Oh crud. The tar in the PXE environment is provided by busybox and that apparently cannot do xattr.

jlehtone
Posts: 2432
Joined: 2007/12/11 08:17:33
Location: Finland

Re: rsh works for root, not testuser

Post by jlehtone » 2019/11/24 16:12:44

mathog wrote:
2019/11/22 22:58:19
Complicated. One machine was attached to the campus net and CentOS 7 installed on it. Then it was updated.
Then a copy was made to be distributed with systemimager/PXE boot etc.

Then all the nodes were imaged by doing that in reverse after PXE boot of an installer.
Interesting. I would (and do) use kickstart config in PXE install in order to get identical base systems.
Then use 'ansible' to set/keep configs up to date.

Not a "blind copy of everything", but a "this is what these machines must have".

Code: Select all

rsh
I can't recall the last time I've used that. 'ssh' is ubiquitous and more secure.
