i386/168155: authorization error
evgeni
es131245 at ya.ru
Sat May 19 23:40:02 UTC 2012
>Number: 168155
>Category: i386
>Synopsis: authorization error
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-i386
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sat May 19 23:40:00 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator: evgeni
>Release: 9.0
>Organization:
home gateway + server
>Environment:
FreeBSD es-server 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan 3 07:15:25 UTC 2012 root at obrian.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
>Description:
Installed FreeBSD 9.0 i386
Configured the system as written in the "attached instruction notes"
Installed mariadb-server mariadb-client nginx php5 + extensions from ports
reboot
Then I couldn't log in via ssh with the user account:
Password:
Last login: Sun May 20 03:10:06 2012 from 192.168.2.2
Welcome to Y-eS Server!
Cannot open "/lib/libedit.so.7"Connection to 192.168.2.1 closed.
Can't start the MariaDB (MySQL) server either:
# /usr/local/etc/rc.d/mysql-server start
Starting mysql.
Cannot open "/lib/libncurses.so.8"/usr/local/etc/rc.d/mysql-server: WARNING: failed to start mysq
>How-To-Repeat:
My instructions are in the attached files.
>Fix:
Patch attached with submission follows:
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>FreeBSD Server Installation Instructions</title>
<style type="text/css">
pre
{background-color:gray;
#border-radius:5px;
box-shadow:inset 0 0 5px black;
border:thin solid black;
font-family:monospace;
padding:5px;}
</style>
</head>
<body>
Configuring tcsh
<pre>
setenv PAGER more
alias ll ls -lhAoG
set prompt = "%{\033[31m%}%B%n%b%{\033[37m%}%B@%b%{\033[34m%}%B%M%b%{\033[37m%}%B:%b%{\033[32m%}%B%/%b%{\033[37m%}%B%#%b "
</pre>
Configuring hosts (<b>/etc/hosts</b>)
<pre>
::1 localhost localhost.my.domain
127.0.0.1 localhost localhost.my.domain
10.192.34.5 localhost localhost.my.domain
192.168.1.1 localhost localhost.my.domain
192.168.2.1 localhost localhost.my.domain
</pre>
<h1>FreeBSD Server Installation Instructions</h1>
<h2>1. Backing up data</h2>
<ol>
<li>File system and configuration files.</li>
<li>HTTP</li>
<li>File share</li>
<li>SQL</li>
</ol>
<h3>2. System installation</h3>
<p>Install the minimal system.</p>
<h3>3. System configuration</h3>
<ol>
<li>Remove the boot pause <b>/boot/default/loader.conf</b>
<pre>
autoboot_delay="2"
beastie_disable="YES"
</pre></li>
<li>Add a user (must be in wheel). <b>adduser</b></li>
<li>Restrict logins <b>/etc/ttys</b>
<pre>
console none unknown off secure
ttyv0 "/usr/libexec/getty Pc" xterm on insecure
ttyv1 "/usr/libexec/getty Pc" xterm off secure
ttyv2 "/usr/libexec/getty Pc" xterm off secure
ttyv3 "/usr/libexec/getty Pc" xterm off secure
ttyv4 "/usr/libexec/getty Pc" xterm off secure
ttyv5 "/usr/libexec/getty Pc" xterm off secure
ttyv6 "/usr/libexec/getty Pc" xterm off secure
ttyv7 "/usr/libexec/getty Pc" xterm off secure
ttyv8 "/usr/local/bin/xdm -nodaemon" xterm off secure
ttyu0 "/usr/libexec/getty std.9600" dialup off secure
ttyu1 "/usr/libexec/getty std.9600" dialup off secure
ttyu2 "/usr/libexec/getty std.9600" dialup off secure
ttyu3 "/usr/libexec/getty std.9600" dialup off secure
dcons "/usr/libexec/getty std.9600" vt100 off secure
</pre></li>
<li>Set the date and time <b>date</b></li>
<li>Edit the greeting <b>/etc/motd</b>
<pre>
Welcome to Y-eS!
</pre>
</li>
<li><b>/etc/fstab</b> Mounting; create the mount points
<pre>
/dev/ada0p2 / ufs rw 1 1
/dev/ada0p3 none swap sw 0 0
/dev/ad5s1a /mnt ufs rw 1 2
/dev/ad6s1a /usr/local/http/sites/source.y-es.ru ufs rw 1 2
</pre>
</li>
<li><b>/etc/resolv.conf</b> Local network DNS
<pre>
nameserver 192.168.248.21
</pre>
</li>
<li><b>ipfw</b> Firewall &amp; NAT
<pre>
ipfw -q -f flush
ipfw -q add pass all from any to any via lo0
ipfw -q nat 1 config if ale0
ipfw -q nat 2 config if re0
ipfw -q add pass icmp from 10.192.34.5 to 10.192.32.1 icmptype 0,8 out xmit ale0
ipfw -q add pass icmp from 10.192.34.5 to not 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 icmptype 0,8 out xmit ale0
ipfw -q add pass icmp from 192.168.2.1 to 192.168.2.2 icmptype 0,8 out xmit rl0
ipfw -q add pass icmp from not 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 to 192.168.2.2 icmptype 0 xmit rl0
ipfw -q add pass icmp from 192.168.1.1 to 192.168.1.0/24 icmptype 0,8 out xmit re0
ipfw -q add pass icmp from 10.192.32.1 to 10.192.34.5 icmptype 0,8 in recv ale0
ipfw -q add pass icmp from not 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 to 10.192.34.5 icmptype 8 in recv ale0
ipfw -q add nat 1 icmp from not 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 to 10.192.34.5 icmptype 0 in recv ale0
ipfw -q add nat 1 icmp from 192.168.2.2 to not 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 icmptype 8 recv rl0
ipfw -q add pass icmp from 192.168.2.2 to 192.168.2.1 icmptype 0,8 in recv rl0
ipfw -q add pass icmp from 192.168.1.0/24 to 192.168.1.1 icmptype 0,8 in recv re0
ipfw -q add pass udp from 10.192.34.5 to 192.168.248.21 53 out xmit ale0
ipfw -q add pass udp from 192.168.248.21 53 to 192.168.2.2 xmit rl0
ipfw -q add pass udp from 192.168.248.21 53 to 192.168.1.0/24 xmit re0
ipfw -q add nat 1 udp from 192.168.248.21 53 to 10.192.34.5 in recv ale0
ipfw -q add nat 1 udp from 192.168.2.2 to 192.168.248.21 53 recv rl0
ipfw -q add nat 1 udp from 192.168.1.0/24 to 192.168.248.21 53 recv re0
ipfw -q add pass tcp from 10.192.34.5 80,443,1024 to not 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 out xmit ale0
ipfw -q add pass tcp from 10.192.34.5 to 192.168.100.2,192.168.100.18,192.168.103.218 80,443 out xmit ale0
ipfw -q add pass tcp from 10.192.34.5 to not 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 80,443,5190 out xmit ale0
ipfw -q add pass tcp from 10.192.34.5 to 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 411,1025-32000 out xmit ale0
ipfw -q add pass tcp from 192.168.2.1 1024 to 192.168.2.2 out xmit rl0
ipfw -q add pass tcp from 192.168.100.2,192.168.100.18,192.168.103.218 80,443 to 192.168.2.2 out xmit rl0
ipfw -q add pass tcp from not 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 80,443,5190 to 192.168.2.2 xmit rl0
ipfw -q add pass tcp from 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 411,1025-32000 to 192.168.2.2 xmit rl0
ipfw -q add pass tcp from not 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 80,443,5190 to 192.168.1.0/24 xmit re0
ipfw -q add pass tcp from 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 411,1025-32000 to 192.168.1.0/24 xmit re0
ipfw -q add pass tcp from not 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 to 10.192.34.5 80,443,1024 in recv ale0
ipfw -q add pass tcp from 192.168.2.2 to 192.168.2.1 1024 in recv rl0
ipfw -q add nat 1 tcp from not 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 80,443,5190 to 10.192.34.5 in recv ale0
ipfw -q add nat 1 tcp from 192.168.100.2,192.168.100.18,192.168.103.218 80,443 to 10.192.34.5 in recv ale0
ipfw -q add nat 1 tcp from 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 411,1025-32000 to 10.192.34.5 in recv ale0
ipfw -q add nat 1 tcp from 192.168.2.2 to 192.168.100.2,192.168.100.18,192.168.103.218 80,443 recv rl0
ipfw -q add nat 1 tcp from 192.168.2.2 to not 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 80,443,5190 recv rl0
ipfw -q add nat 1 tcp from 192.168.2.2 to 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 411,1025-32000 recv rl0
ipfw -q add nat 1 tcp from 192.168.1.0/24 to not 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 80,443,5190 recv re0
ipfw -q add nat 1 tcp from 192.168.1.0/24 to 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 411,1025-32000 recv re0
ipfw -q add deny all from any to any
</pre>
</li>
<li><b>cron</b> Install the scripts and configure cron<br />
<b>/etc/scripts/Daily.sh</b>
<pre>
#!/bin/sh
# Daily.sh: set the es and root passwords to a value built from the login
# name and today's day of month (so the password follows the date).
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/sbin:/usr/local/bin
export PATH
HOME=/root
export HOME
# $Symbol (a separator inserted into the root password) is never defined in
# the script as posted; it is left as a placeholder here, defaulting to empty.
Symbol="${Symbol:-}"
StartTime=`date +%s`
echo -e `date`"\n"`id`
# pw -h 0 reads the new password from standard input
echo "es`date +%d`" | pw mod user es -h 0
if [ $? -eq 0 ]; then echo 'User Password: Changed'; else echo 'User Password: Error'; fi
echo "root${Symbol}`date +%d`" | pw mod user root -h 0
if [ $? -eq 0 ]; then echo 'Root Password: Changed'; else echo 'Root Password: Error'; fi
echo -e 'Done in '$((`date +%s` - $StartTime))' seconds'"\n"
exit
</pre>
<b>/etc/scripts/Weekly.sh</b>
<pre>
#!/bin/sh
# Weekly.sh: mount the backup disk, write the boot sector, level-0 dumps of
# each file system and a full SQL dump onto it, lock the files down, unmount.
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/sbin:/usr/local/bin
export PATH
HOME=/root
export HOME
StartTime=`date +"%s"`
echo -e `date`"\n"`id`
# Mount the backup volume on /mnt unless it is already there; up to 5 attempts.
if [ "`df | grep /mnt`" ]; then echo 'Mount: Was Mounted';
else
  count=1
  while [ $count -le 5 ]
  do
    mount /dev/ad6s1a /mnt
    if [ $? -eq 0 ]
    then
      echo "Mount: Done in $count try"
      break
    else
      count=$(($count+1))
      sleep 3
      if [ $count -eq 6 ]; then echo 'Mount: Time Out, Aborting!'; exit; fi
    fi
  done
fi
# Compute the date stamp once so every file of this run carries the same name.
Today=`date +"%Y-%m-%d"`
# Boot sector first, then the dumps (-L snapshots a mounted file system).
dd if=/dev/ad4 of=/mnt/mbr.$Today bs=512 count=1
dump -0aLf - / | gzip -9 > /mnt/dump.root.$Today.gz
dump -0aLf - /usr | gzip -9 > /mnt/dump.usr.$Today.gz
dump -0aLf - /var | gzip -9 > /mnt/dump.var.$Today.gz
if [ "`df | grep /dev/ad5s1a`" ]; then dump -0aLf - /usr/local/http/source.y-es.ru | gzip -9 > /mnt/dump.source.$Today.gz; fi
# Full dump of every database as the dedicated MySQL-Dump user.
mysqldump --user='MySQL-Dump' --password='Es1312456131!MySQL-Dump' --all-databases | gzip -9 > /mnt/dump.sql.$Today.gz
# Backups are readable by root only.
chmod 600 /mnt/dump.*.$Today.gz /mnt/mbr.$Today
ls -lhAoG /mnt/mbr.$Today /mnt/dump.*.$Today.gz
# Unmount, again with up to 5 attempts.
count=1
while [ $count -le 5 ]
do
  umount /mnt
  if [ $? -eq 0 ]
  then
    echo "Umount: Done in $count try"
    break
  else
    count=$(($count+1))
    sleep 3
    if [ $count -eq 6 ]; then echo 'Umount: Time Out'; fi
  fi
done
echo -e 'Done in '$((`date +"%s"` - $StartTime))' seconds'"\n"
exit
</pre>
<b>Logs</b>
<pre>
es@y-es:/usr/home/es# touch /var/log/log.Daily.sh /var/log/log.Weekly.sh
es@y-es:/usr/home/es# chmod 600 /var/log/log.Daily.sh /var/log/log.Weekly.sh
</pre>
<b>crontab</b>
<pre>
1,31 * * * * /bin/sh /root/cron/reqular.sh >> /var/log/log.cron.reqular 2>&1
0 0 * * * /bin/sh /root/cron/daily.sh >> /var/log/log.cron.daily 2>&1
10 0 * * 1 /bin/sh /root/cron/weekly.sh >> /var/log/log.cron.weekly 2>&1
30 1 28 * * /bin/sh /root/cron/monthly.sh >> /var/log/log.cron.monthly 2>&1
</pre>
</li>
<li><b>/etc/ssh/sshd</b> Remote access
<pre>
VersionAddendum v1.0
Port 1024
Protocol 2
PermitRootLogin no
MaxAuthTries 3
MaxSessions 3
PasswordAuthentication yes
PermitEmptyPasswords no
AllowUsers es
</pre></li>
<li><b>/etc/rc.conf</b> Main settings
<pre>
hostname="es-server"
dumpdev="NO"
update_motd="NO"
defaultrouter="10.192.32.1"
ifconfig_ale0="inet 10.192.34.5 netmask 255.255.252.0"
ifconfig_rl0="inet 192.168.2.1 netmask 255.255.255.252"
ifconfig_re0="inet 192.168.1.1 netmask 255.255.255.0"
gateway_enable="YES"
sshd_enable="YES"
firewall_enable="YES"
firewall_nat_enable="YES"
firewall_script="/root/firewall"
#kern_securelevel_enable="YES"
#kern_securelevel="3"
mysql_enable="YES"
nginx_enable="YES"
php_fpm_enable="YES"
</pre>
</li>
<li><b>/etc/sysctl.conf</b> Restrict users
<pre>
security.bsd.see_other_uids=0
</pre>
</li>
<li><b>permissions</b> Restrict access to important system files
<pre>
es@y-es:/usr/home/es# chmod -R 700 /root
es@y-es:/usr/home/es# chmod 600 /etc/rc.conf \
/etc/sysctl.conf \
/etc/ttys \
/etc/motd \
/etc/resolv.conf \
/etc/fstab \
/etc/hosts \
/etc/crontab
</pre>
</li>
<li><b>reboot</b> Reboot</li>
</ol>
<h3>4. Installing the servers</h3>
<ol>
<li>MySQL
<pre>
es@y-es:/usr/home/es# cd /usr/ports/databases/mysql55-server/ && make && make install
</pre>
</li>
<li>PHP
<pre>
es@y-es:/usr/home/es# cd /usr/ports/www/spawn-fcgi/ && make && make install
es@y-es:/usr/home/es# cd /usr/ports/www/php5/ && make && make install (+fpm)
es@y-es:/usr/home/es# cd /usr/ports/www/php5-extensions/ && make && make install (+fileinfo,mysql,mbstring,iconv-sqlite3)
</pre>
</li>
<li>
NGINX
<pre>
es@y-es:/usr/home/es# cd /usr/ports/www/nginx/ && make && make install
</pre>
</li>
</ol>
<h3>5. Configuring the servers</h3>
<h4>1. NGINX</h4>
<ol>
<li>Logs
<pre>
es@y-es:/usr/home/es# touch /var/log/log.nginx.access=localhost \
/var/log/log.nginx.access=www.y-es.ru \
/var/log/log.nginx.access=wgm.y-es.ru \
/var/log/log.nginx.error \
/var/log/log.nginx.error=localhost \
/var/log/log.nginx.error=www.y-es.ru \
/var/log/log.nginx.error=wgm.y-es.ru
es@y-es:/usr/home/es# chmod 600 /var/log/log.nginx.access=localhost \
/var/log/log.nginx.access=www.y-es.ru \
/var/log/log.nginx.access=wgm.y-es.ru \
/var/log/log.nginx.error \
/var/log/log.nginx.error=localhost \
/var/log/log.nginx.error=www.y-es.ru \
/var/log/log.nginx.error=wgm.y-es.ru
</pre>
</li>
<li><b>/usr/local/etc/nginx/nginx.conf</b>
<pre>
user www www;
worker_processes 1;
error_log /var/log/log.nginx.error;
events { worker_connections 1024; }
http {
    include mime.types;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/log.nginx.access main;
    sendfile on;
    keepalive_timeout 0;
    server {
        listen 10.192.34.5:80;
        server_name localhost 192.168.1.1 192.168.2.1 10.192.34.5 188.134.16.64;
        charset utf-8;
        access_log /var/log/log.nginx.access=localhost main;
        error_log /var/log/log.nginx.error=localhost;
        error_page 403 404 500 502 503 504 /index.html;
        if ($host = 'y-es.ru') { rewrite ^/(.*)$ http://www.y-es.ru/ permanent; }
        location / {
            root /usr/local/http/localhost;
            index index.html;
        }
    }
    server {
        listen 10.192.34.5:80;
        server_name www.y-es.ru;
        access_log /var/log/log.nginx.access=www.y-es.ru main;
        error_log /var/log/log.nginx.error=www.y-es.ru;
        error_page 403 404 500 502 503 504 /error.html;
        location / {
            root /usr/local/http/www.y-es.ru;
            index index.html;
        }
        location ~ \.php$ { deny all; }
        location ~ \.html$ {
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_param SCRIPT_FILENAME /usr/local/http/www.y-es.ru/index.php;
            include fastcgi_params;
        }
    }
    server {
        listen 10.192.34.5:80;
        server_name wgm.y-es.ru;
        access_log /var/log/log.nginx.access=wgm.y-es.ru main;
        error_log /var/log/log.nginx.error=wgm.y-es.ru;
        error_page 404 500 502 503 504 /index.html;
        location / {
            root /usr/local/http/wgm.y-es.ru;
            index index.html;
        }
        location ~ \.php$ { deny all; }
        location ~ \.html$ {
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_param SCRIPT_FILENAME /usr/local/http/wgm.y-es.ru/data/data.php;
            include fastcgi_params;
        }
    }
}
</pre>
</li>
<li>php-fpm
<pre>
security.limit_extensions =
</pre>
<b>php.ini</b>
<pre>
date.timezone = "Europe/Moscow"
date.default_latitude = 59.57
date.default_longitude = 30.19
</pre>
</li>
</ol>
</body>
</html>
>Release-Note:
>Audit-Trail:
>Unformatted: