Last modified: 2014-06-20 14:48:49 UTC
When a user X is a member of the tool tools.X and he calls "webservice start" as his /user/ account, a lighttpd process is started that doesn't work, but clogs the tools' directories with files not (over-) writable by the /tool/ account on subsequent, correct invocations.

Symptoms:

| root@tools-login:~# for TOOL in $(getent passwd | sed -ne 's/^tools\.\([^:]\+\):.*/\1/p;'); do sudo -u tools.$TOOL find /data/project/$TOOL -maxdepth 1 -type f \( -name access.log -or -name error.log \) -not -writable -ls; done
| 180028436 0 -rw-r--r-- 1 rluts tools.rluts 0 Apr 6 07:42 /data/project/rluts/error.log
| 180093321 32 -rw-r--r-- 1 hexacore tools.hexacore 27254 Apr 16 15:59 /data/project/hexacore/access.log
| 180093318 4 -rw-r--r-- 1 hexacore tools.hexacore 403 Apr 20 14:53 /data/project/hexacore/error.log
| 180126284 0 -rw-r--r-- 1 ireas tools.ireas 0 Mär 5 16:28 /data/project/ireas/access.log
| 180126283 4 -rw-r--r-- 1 ireas tools.ireas 49 Mär 5 16:28 /data/project/ireas/error.log
| 180126720 0 -rw-r--r-- 1 yellowcard tools.yellowcard 0 Apr 19 13:16 /data/project/yellowcard/access.log
| 180126719 4 -rw-r--r-- 1 yellowcard tools.yellowcard 49 Apr 19 13:16 /data/project/yellowcard/error.log
| root@tools-login:~# qstat -u \* | fgrep lighttpd | fgrep -v tools.
| 426120 0.27599 lighttpd-y yellowcard r 04/19/2014 13:16:11 webgrid-lighttpd@tools-webgrid 1
| 442640 0.26494 lighttpd-h hexacore r 04/20/2014 14:53:02 webgrid-lighttpd@tools-webgrid 1
| root@tools-login:~#

I rectified the existing cases by:

- Stopping the lighttpd jobs mentioned above,
- take'ing the log files as the tool accounts,
- removing /tmp/php.socket.$TOOL-0 on tools-webgrid-*,
- removing /var/run/lighttpd/$TOOL.* on tools-webgrid-*, and
- "webservice start" as the tool accounts for the stopped jobs.

The underlying problem lies in line 4f.:

| tool=$(/usr/bin/id -nu|sed -e "s/^$prefix.//")
| user="$prefix.$tool"

This prepends the prefix unconditionally, and in cases where there is a user account X and a tool account tools.X, subsequently webservice thinks the calling user is a tool.

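The derivation quoted in the report, next to a variant that refuses callers whose name does not carry the prefix. This is an added example, not the webservice script's own code: the function names and the accounts `alice` / `tools.alice` are hypothetical, and the caller name is passed as an argument instead of being read from /usr/bin/id.

```shell
#!/bin/sh
# Added example; function names and sample accounts are hypothetical.
prefix="tools"

# The two lines quoted in the report, with the caller name passed in as $1
# instead of taken from /usr/bin/id -nu so both cases can be exercised.
derive_unchecked() {
    tool=$(printf '%s\n' "$1" | sed -e "s/^$prefix.//")
    # The prefix is prepended whether or not sed removed anything.
    printf '%s\n' "$prefix.$tool"
}

# Checked variant: accept only callers whose name really starts with
# "<prefix>." followed by at least one character; refuse everyone else.
derive_checked() {
    case "$1" in
        "$prefix".?*)
            printf '%s\n' "$1"
            ;;
        *)
            echo "webservice: $1 is not a $prefix.* tool account" >&2
            return 1
            ;;
    esac
}

# Constructed callers: a tool account and a user account of the same name.
for caller in tools.alice alice; do
    printf '%-12s unchecked=%-12s ' "$caller" "$(derive_unchecked "$caller")"
    if checked=$(derive_checked "$caller" 2>/dev/null); then
        printf 'checked=%s\n' "$checked"
    else
        printf 'checked=<refused>\n'
    fi
done
```

With the unchecked derivation both callers resolve to `tools.alice`; the checked variant returns non-zero for the user account, so a calling script can stop before starting anything.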
This happened again for mono whose webservice I just restarted.