we can
groupadd somegroup
useradd -g somegroup user1
after useradd, we can find related /etc/subuid and /etc/subgid both with following format:
user1:165536:65536
The question is that for those subgid, those ids not include somegroup id (maybe 1001, it is far less than 165536).
Does anyone know what's that means? I googled a lot. still not quite understand.
Related
Given the following sample/simple snmpd.conf (Net-SNMP 5.7.2 on RHEL 7.4)
rwcommunity private 192.168.56.101
trapsess -Ci --clientaddr=192.168.56.128 -v 2c -c private 192.168.56.101:162
when starting a SNMP Daemon
snmpd -f -Lo -D -C -c data/snmpd_test.conf udp:192.168.56.128:161
We obtain ''Start Up'' InformRequest with IP source 192.56.168.1 instead of ...128 (WireShark snapshot below)
It is not surprising as the -D option allows us to output the debug information saying that
trace: netsnmp_config_process_memory_list(): read_config.c, 696:
read_config:mem: processing memory: clientaddr 192.168.56.128
trace: run_config_handler(): read_config.c, 562:
9:read_config:parser: clientaddr handler not registered for this time
Web sources however say:
snmp.conf
...This value is also used by snmpd when generating notifications.
snmpd.conf
trapsess [SNMPCMD_ARGS] HOST
provides a more generic mechanism for defining notification destinations.
SNMPCMD_ARGS should be the command-line options required for an equivalent
snmptrap (or snmpinform) command to send the desired notification
I read also some old threads like this one
However this option is working well with snmptrap
snmptrap -D -Lo -Ci --clientaddr=192.168.56.128 -M+path_to_my_mibs -v 2c -c private 192.168.56.101:162 "" .1.3.6.1.4.1.a.b.c.d.e.f.0 i 0
This option is also working when placed in snmp.conf ( mind there is no 'd' here ) and then it applies to snmpset and snmpget (and maybe other)
So my question is: Is it a documentation error, a bug, a misuse of the Net-SNMP stack ?
After a long struggle I may have an answer and I write a short note as I just found a trick
It seems that clientaddr is not parsed correctly wherever in the snmpd.conf
(I tried not also inside the trapsess line)
But it seems to be a valid option in the command line of snmpd
like it was a valid option in the snmptrap command line. So I assumed it could be the same parsing mechanism for both.
a condition also is that the IP addres must be valid one
which means that
snmpd -f -Lo -D -C -c data/snmpd_test.conf --clientaddr=192.168.56.128 udp:192.168.56.128:161
seems to fully solve my problem.
I will perform more tests and if accurate format this answer a little bit better but it seems a good hint.
Here I have a file called uid_demo.c, which displays the real userid and the effective userid.
#include <stdio.h>
int main() {
printf("real uid: %d\n", getuid());
printf("effective uid: %d\n", geteuid());
}
And I ran the following commands:
gcc -o uid_demo uid_demo.c
sudo chown root:root ./uid_demo
sudo chmod u+s ./uid_demo
ls -l uid_demo
Output:
-rwsrwxr-x 1 root root 8712 Jun 29 15:09 uid_demo
When I run the program, it should display my real userid (1000) and the effective userid of 0 (root), as the owner of the file is root and the setuid permission is turned on. However, it displays the following:
real uid: 1000
effective uid: 1000
Any help? Thanks in advance.
You are probably running the program on a filesystem that is mounted wit the nosuid flag, thus your setuid bit is not respected.
Move your code to another location on the filesystem that does not have this, or disable the nosuid flag in the mount options for the current filesystem.
The nosuid flag is a security feature.
Okay, hopefully I can explain this correctly as I have no idea what's causing this or how to resolve this.
For some reason bash commands (on a CentOS 6.x server) are displaying more information than "normally" and that causes issues with certain scripts. I have no clue if there is a name for this, but hopefully someone knows a solution for this.
First example.
Correct / good server:
[root#goodserver ~]# vzctl enter 3567
entered into CT 3567
[root#example /]#
(this is the correct behaviour)
Incorrect / bad server:
[root#badserver /]# vzctl enter 3127
Entering CT
entered into CT 3127
Open /dev/pts/0
[root#example /]#
With the "bad" server it will display more information as usual, like:
Entering CT
Open /dev/pts/0
It's like it parsing extra information on what it's doing.
Ofcourse the above is purely something cosmetic, however with several bash scripts we use, these issues are really issues.
A part of the script we use, uses the following command (there are more, but this is mainly a example of what's wrong):
DOMAIN=`vzctl exec $VEID 'hostname -d'`
The result of the above information is parsed in /etc/named.conf.
On the GOOD server it would be added in the named.conf like this:
zone "example.com" {
type master;
file "example.com";
allow-transfer {
200.190.100.10;
200.190.101.10;
common-allow-transfer;
};
};
The above is correct.
On the BAD server it would be added in the named.conf like this:
zone "Executing command: hostname -d
example.com" {
type master;
file "Executing command: hostname -d
example.com";
allow-transfer {
200.190.100.10;
200.190.101.10;
common-allow-transfer;
};
};
So it's add stuff of the action it does, in this example "Executing command: hostname -d"
Another example here when I run the command on a good server and on the bad server.
Bad server:
[root#bad-server /]# DOMAIN=`vzctl exec 3333 'hostname -d'`
[root#bad-server /]# echo $DOMAIN
Executing command: hostname -d example.com
Good server:
[root#good-server ~]# DOMAIN=`vzctl exec 4444 'hostname -d'`
[root#good-server ~]# echo $DOMAIN
example.com
My knowledge is limited, but I have tried several things checking rsyslog and the grub.conf, but nothing seems out of the ordinary.
I have no clue why it's displaying the extra information.
Probably it's something simple / stupid, but I have been trying to solve this for hours now and I really have no clue...
So any help is really appreciated.
Added information:
Both servers use: kernel.printk = 7 4 1 7
(I don't know if that's useful)
Well (thanks to Aaron for pointing me in the right direction) I finally found the little culprit which was causing all the issues I experienced with this script (which worked for every other server, so no need to change that obviously).
The issues were caused by the VERBOSE leven set in vz.conf (located in /etc/vz/ directory). There is an option in there called "VERBOSE" and in my case it was set to 3.
According to OpenVZ's website it does the following:
Increments logging level up from the default. Can be used multiple times.
Default value is set to the value of VERBOSE parameter in the global
configuration file vz.conf(5), or to 0 if not set by VERBOSE parameter.
After I changed VERBOSE=3 to VERBOSE=0 my script worked fine once again (as it did for every other server). :-)
So a big shoutout to Aaron for pointing me in the right direction. The answer is easy when you know where to look!
Sorry to say, but I am kinda disappointed by ndim's reaction. This is the 2nd time he was very unhelpful and rude in his response after that. He clearly didn't read the issue I posted correctly. Oh well.
I would make sure to properly parse the output of the command. In this case, we are only interested in lines of the form
entered into CT 12345
One way of doing this would be to pipe everything through sed and having sed print only the number when the line looks as above (untested, and I always forget which braces/brackets/parens need a backslash in front of them):
whateverthecommand | sed -n 's/^entered into CT ([0-9]{1,})$/\1/p'
I want to search Active Directory for inactive users that have no login for x days/months. I've got such a ldapsearch query:
ldapsearch -h domain.test -p 389 -D "cn=login,ou=test,dc=domain,dc=test" -w "passwd" -s sub -b "ou=Test,dc=domain,dc=test" "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))"
It gives me the list of all inactive users in domain.test with all attributes.
I would like to add a filter for searching users that have no login for x days/months, and it would be great if the result was the list of sAMAccountNames (inactive user and lastLogonTimestamp >e.g. 3months).
I'm aware that LastLogonTimestamp is not the real time of last user logon, but in this case it's not so important.
EDIT: now I only need to know if there is a way to show attribute like "lastLogonTimestamp" in the output of above ldapsearch query?
ANSWER: Attribute lastLogonTimestamp was not set for each object in the output of above ldapsearch query. I haven't noticed that. So grep displayed it:
ldapsearch -h domain.test -p 389 -D "cn=login,ou=test,dc=domain,dc=test" -w "passwd" -s sub -b "ou=Test,dc=domain,dc=test" "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))" | grep -i lastlogontimestamp
EDIT:
I though that it will be ok to compare lastlogontimestamps - it isn't because lastlogontimestamp values are not comparable. The only way is to convert to date format first, and then compare to get users that lastlogon was eg. before 01/06/2017. And here's the question: how to convert windows lastlogontimestamp to date in bash?
Please let me know if it's the correct way to do it.
Any advice very appreciated.
My apache user generate one file :
# ls -lsa /tmp/reference_file.csv
76 -rwxrwxrwx 1 apache apache 69921 Aug 16 14:14 /tmp/reference_file.csv
the user and the group belong to apache, but when i am trying to change it :
su -l apache -s /bin/bash
-bash-3.00$ whoami
apache
-bash-3.00$ chown explorer:btunix /tmp/reference_file.csv
chown: changing ownership of `/tmp/reference_file.csv': Operation not permitted
I tried to another folder, but the result was the same, I ve also checked attribut :
# lsattr /tmp/reference_file.csv
------------- /tmp/reference_file.csv
there is no immutable attribut
How can I do ?
Thanks
There are criteria associated with chown. Only super-user can chown files willy-nilly. Whether you can give away a file that you own depends on your UNIX flavor and how associated kernel configuration parameters (like K_CHOWN_MAY_GIVE_AWAY, for argument's sake) may have been, well, configured. This is the most GENERALLY correct answer.