qpid-users mailing list archives

From Andreas Welchlin <andreas.welch...@comyno.com>
Subject Re: qpid broker ssl plugin - start using systemctl fails
Date Tue, 10 Jun 2014 12:16:58 GMT
Gordon, you are right with your initial assumption: the rights are not 
sufficient.

I let qpidd run with strace and it shows that the permissions are not 
sufficient when it runs as user qpidd:

stat("/home/noname/tests/x509_test/server_db/secmod.db", 0x7fff38d28e00) = -1 EACCES (Permission denied)
open("/home/noname/tests/x509_test/server_db/secmod.db", O_RDONLY) = -1 EACCES (Permission denied)

Under root:

stat("/home/noname/tests/x509_test/server_db/secmod.db", {st_mode=S_IFREG|0644, st_size=16384, ...}) = 0
open("/home/noname/tests/x509_test/server_db/secmod.db", O_RDONLY) = 11


My fault was that the upper directory /home/noname had no read 
permission for "group" and "other".

Now it runs with systemctl as user qpidd.

Thank you very much, Gordon!




On 10.06.2014 13:38, Andreas Welchlin wrote:
>
> On 10.06.2014 11:49, Gordon Sim wrote:
>> On 06/10/2014 10:38 AM, Andreas Welchlin wrote:
>>>
>>> On 10.06.2014 11:37, Gordon Sim wrote:
>>>> On 06/10/2014 10:13 AM, Andreas Welchlin wrote:
>>>>> On 10.06.2014 10:51, Gordon Sim wrote:
>>>>>> On 06/10/2014 09:28 AM, Andreas Welchlin wrote:
>>>>>>>
>>>>>>> On 09.06.2014 10:38, Gordon Sim wrote:
>>>>>>>> On 06/07/2014 09:22 PM, Andreas Welchlin wrote:
>>>>>>>>> Hi All,
>>>>>>>>>
>>>>>>>>> I started the qpidd broker on a fedora 9 using "systemctl start
>>>>>>>>> qpidd.service". But the initialisation of the SSL plugin failed:
>>>>>>>>>
>>>>>>>>> [Security] error Failed to initialise SSL plugin: Failed: NSS error [-8015] (/builddir/build/BUILD/qpid-0.24/cpp/src/qpid/sys/ssl/util.cpp:100)
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> When I start it as root from the commandline with "# /usr/sbin/qpidd
>>>>>>>>> --config /etc/qpid/qpidd.conf", then it works fine:
>>>>>>>>>
>>>>>>>>> [Security] notice Listening for SSL connections on TCP/TCP6 port 5674
>>>>>>>>>
>>>>
>>>> When you changed the permissions, did you do that recursively? I.e.
>>>> did you change *all* the files within the directory also?
>>>
>>> Yes, I did.
>>
>> Does `sudo -u qpidd /usr/sbin/qpidd --config /etc/qpid/qpidd.conf` 
>> work? (The only things I can think of that could be different between 
>> the case that works and the case that fails are (a) the user and (b) 
>> the actual executable run and libraries loaded).
>>
>
> It raises the same error:
>
> sudo -u qpidd /usr/local/sbin/qpidd --config /etc/qpid/qpidd.conf
> 2014-06-10 13:28:32 [Security] error Failed to initialise SSL plugin: Failed: NSS error [-8015] (/home/noname/install/qpid-0.28/qpid-0.28/cpp/src/qpid/sys/ssl/util.cpp:100)
>
>
>> What versions of nss-devel and nss-tools do you have? Did you build 
>> any other version of NSS?
>
> Apper says that I have nss and nss-devel 3.16.1-1.fc19.
>
> Looking into /usr/lib and /usr/lib64 shows the following:
>
> [root@localhost usr]# ls -ltr lib/*nss*
> -rwxr-xr-x 1 root root 31680 17. Nov 2013  lib/libnss_db-2.17.so
> -rwxr-xr-x 1 root root 40000 17. Nov 2013 lib/libnss_compat-2.17.so
> -rwxr-xr-x 1 root root 22196 17. Nov 2013 lib/libnss_hesiod-2.17.so
> -rwxr-xr-x 1 root root 55080 17. Nov 2013 lib/libnss_files-2.17.so
> -rwxr-xr-x 1 root root 62816 17. Nov 2013 lib/libnss_nisplus-2.17.so
> -rwxr-xr-x 1 root root 49792 17. Nov 2013  lib/libnss_nis-2.17.so
> -rwxr-xr-x 1 root root 25704 17. Nov 2013  lib/libnss_dns-2.17.so
> lrwxrwxrwx 1 root root    21  4. Jun 16:00 lib/libnss_compat.so.2 -> libnss_compat-2.17.so
> lrwxrwxrwx 1 root root    17  4. Jun 16:00 lib/libnss_db.so.2 -> libnss_db-2.17.so
> lrwxrwxrwx 1 root root    18  4. Jun 16:00 lib/libnss_dns.so.2 -> libnss_dns-2.17.so
> lrwxrwxrwx 1 root root    20  4. Jun 16:00 lib/libnss_files.so.2 -> libnss_files-2.17.so
> lrwxrwxrwx 1 root root    21  4. Jun 16:00 lib/libnss_hesiod.so.2 -> libnss_hesiod-2.17.so
> lrwxrwxrwx 1 root root    18  4. Jun 16:00 lib/libnss_nis.so.2 -> libnss_nis-2.17.so
> lrwxrwxrwx 1 root root    22  4. Jun 16:00 lib/libnss_nisplus.so.2 -> libnss_nisplus-2.17.so
>
>
> [root@localhost usr]# ls -ltr lib64/*nss*
> -rwxr-xr-x. 1 root root   24480 16. Feb 2013 lib64/libevent_openssl-2.0.so.5.1.6
> lrwxrwxrwx. 1 root root      29 27. Jun 2013 lib64/libevent_openssl-2.0.so.5 -> libevent_openssl-2.0.so.5.1.6
> -rwxr-xr-x  1 root root   27512 17. Nov 2013 lib64/libnss_dns-2.17.so
> -rwxr-xr-x  1 root root   65744 17. Nov 2013 lib64/libnss_nisplus-2.17.so
> -rwxr-xr-x  1 root root   56776 17. Nov 2013 lib64/libnss_nis-2.17.so
> -rwxr-xr-x  1 root root   38160 17. Nov 2013 lib64/libnss_db-2.17.so
> -rwxr-xr-x  1 root root   28264 17. Nov 2013 lib64/libnss_hesiod-2.17.so
> -rwxr-xr-x  1 root root   46552 17. Nov 2013 lib64/libnss_compat-2.17.so
> -rwxr-xr-x  1 root root   62368 17. Nov 2013 lib64/libnss_files-2.17.so
> -rwxr-xr-x  1 root root   15096  9. Dez 2013 lib64/libnss_myhostname.so.2
> lrwxrwxrwx  1 root root      21 17. Jan 15:28 lib64/libnss_compat.so.2 -> libnss_compat-2.17.so
> lrwxrwxrwx  1 root root      17 17. Jan 15:28 lib64/libnss_db.so.2 -> libnss_db-2.17.so
> lrwxrwxrwx  1 root root      18 17. Jan 15:28 lib64/libnss_dns.so.2 -> libnss_dns-2.17.so
> lrwxrwxrwx  1 root root      20 17. Jan 15:28 lib64/libnss_files.so.2 -> libnss_files-2.17.so
> lrwxrwxrwx  1 root root      21 17. Jan 15:28 lib64/libnss_hesiod.so.2 -> libnss_hesiod-2.17.so
> lrwxrwxrwx  1 root root      18 17. Jan 15:28 lib64/libnss_nis.so.2 -> libnss_nis-2.17.so
> lrwxrwxrwx  1 root root      22 17. Jan 15:28 lib64/libnss_nisplus.so.2 -> libnss_nisplus-2.17.so
> lrwxrwxrwx  1 root root      27 17. Jan 15:29 lib64/libnss_nis.so -> ../../lib64/libnss_nis.so.2
> lrwxrwxrwx  1 root root      31 17. Jan 15:29 lib64/libnss_nisplus.so -> ../../lib64/libnss_nisplus.so.2
> lrwxrwxrwx  1 root root      30 17. Jan 15:29 lib64/libnss_hesiod.so -> ../../lib64/libnss_hesiod.so.2
> lrwxrwxrwx  1 root root      29 17. Jan 15:29 lib64/libnss_files.so -> ../../lib64/libnss_files.so.2
> lrwxrwxrwx  1 root root      27 17. Jan 15:29 lib64/libnss_dns.so -> ../../lib64/libnss_dns.so.2
> lrwxrwxrwx  1 root root      26 17. Jan 15:29 lib64/libnss_db.so -> ../../lib64/libnss_db.so.2
> lrwxrwxrwx  1 root root      30 17. Jan 15:29 lib64/libnss_compat.so -> ../../lib64/libnss_compat.so.2
> -rwxr-xr-x  1 root root  175752 16. Feb 19:23 lib64/libkdnssd.so.4.11.5
> -rwxr-xr-x  1 root root   10976 12. Mär 11:29 lib64/libnss_wins.so.2
> -rwxr-xr-x  1 root root   19224 12. Mär 11:29 lib64/libnss_winbind.so.2
> lrwxrwxrwx  1 root root      19 24. Mär 09:35 lib64/libkdnssd.so.4 -> libkdnssd.so.4.11.5
> -rwxr-xr-x  1 root root   32936 11. Apr 20:06 lib64/libnss_sss.so.2
> lrwxrwxrwx  1 root root      19 14. Apr 09:02 lib64/libnss_winbind.so -> libnss_winbind.so.2
> lrwxrwxrwx  1 root root      16 14. Apr 09:02 lib64/libnss_wins.so -> libnss_wins.so.2
> -rwxr-xr-x  1 root root  184312  8. Mai 17:44 lib64/libnssutil3.so
> -rwxr-xr-x  1 root root  181328  8. Mai 18:05 lib64/libnssdbm3.so
> -rw-r--r--  1 root root     899  8. Mai 18:05 lib64/libnssdbm3.chk
> -rwxr-xr-x  1 root root   11256  8. Mai 18:26 lib64/libnsssysinit.so
> -rwxr-xr-x  1 root root  171296  8. Mai 18:26 lib64/libnsspem.so
> -rwxr-xr-x  1 root root 1318904  8. Mai 18:26 lib64/libnss3.so
> lrwxrwxrwx  1 root root      38 26. Mai 16:48 lib64/libnssckbi.so -> /etc/alternatives/libnssckbi.so.x86_64
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
> For additional commands, e-mail: users-help@qpid.apache.org
>
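
The check that strace surfaced in this thread, as an added example that is not part of the original messages: every directory on the way to secmod.db must grant the service user search (x) permission, so a restrictive parent directory blocks qpidd even though the file itself is 0644. The function name first_blocked and its output format are made up for this example; it assumes GNU stat and evaluates only the classic owner/group/other mode bits.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes Linux with GNU stat.
# first_blocked USER PATH [BASE]
#   Walks PATH one component at a time, starting below BASE (default /),
#   and prints the first component whose mode bits stop USER: a directory
#   on the way without search (x), or the final entry without read (r).
#   Returns 0 if nothing blocks, 1 if blocked, 2 if stat fails.
#   ACLs, SELinux and root's permission override are not evaluated.
first_blocked() {
    user=$1 path=$2 base=${3:-/}
    # Groups of USER; stays empty when the account does not exist.
    ugroups=" $(id -Gn "$user" 2>/dev/null || true) "
    cur=${base%/}
    rest=${path#"$base"}
    rest=${rest#/}
    while [ -n "$rest" ]; do
        part=${rest%%/*}
        case $rest in */*) rest=${rest#*/} ;; *) rest= ;; esac
        if [ -z "$part" ]; then continue; fi      # skip doubled slashes
        cur="$cur/$part"
        info=$(stat -c '%a %U %G' "$cur") || return 2
        set -- $info
        mode=$(printf '%04o' "0$1") owner=$2 group=$3
        bits=${mode#?}               # drop the setuid/setgid/sticky digit
        # Pick the permission triad that applies to USER.
        class=other
        case $ugroups in *" $group "*) class=group ;; esac
        if [ "$user" = "$owner" ]; then class=owner; fi
        case $class in
            owner) digit=${bits%??} ;;
            group) digit=${bits#?}; digit=${digit%?} ;;
            other) digit=${bits#??} ;;
        esac
        # Intermediate components need x (1); the last one needs r (4).
        if [ -n "$rest" ]; then need=1 name=x; else need=4 name=r; fi
        if [ $(( digit & need )) -eq 0 ]; then
            printf '%s %s %s\n' "$cur" "$class" "$name"
            return 1
        fi
    done
    return 0
}
```

Called as `first_blocked qpidd /home/noname/tests/x509_test/server_db/secmod.db`, it prints the blocking component, the permission class that applies and the missing bit. util-linux's `namei -l PATH` shows the same per-component modes for manual inspection.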

