[Fusionforge-general] GForge/FusionForge developer access to SVN - WebDAV or ssh/svnserve better?

Christian BAYLE christian at bayle.eu
Mon Mar 9 21:59:57 CET 2009


Matt Kleffner wrote:
> Thanks, this is quite useful. Here's the result of the above usage (I
> see /etc/nsswitch.conf and /etc/nss-pgsql.conf being opened, among
> other nss files):
> open("/etc/ld.so.cache", O_RDONLY)      = 3
> open("/lib/libc.so.6", O_RDONLY)        = 3
> open("/usr/lib/locale/locale-archive", O_RDONLY) = 3
> open("/etc/nsswitch.conf", O_RDONLY)    = 3
> open("/etc/ld.so.cache", O_RDONLY)      = 3
> open("/lib/libnss_compat.so.2", O_RDONLY) = 3
> open("/lib/libnsl.so.1", O_RDONLY)      = 3
> open("/etc/ld.so.cache", O_RDONLY)      = 3
> open("/lib/libnss_nis.so.2", O_RDONLY)  = 3
> open("/lib/libnss_files.so.2", O_RDONLY) = 3
> open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
> open("/etc/ld.so.cache", O_RDONLY)      = 3
> open("/lib/libnss_pgsql.so.2", O_RDONLY) = 3
> open("/lib/libpthread.so.0", O_RDONLY)  = 3
> open("/usr/lib/libpq.so.5", O_RDONLY)   = 3
> open("/usr/lib/libssl.so.0.9.8", O_RDONLY) = 3
> open("/usr/lib/libcrypto.so.0.9.8", O_RDONLY) = 3
> open("/usr/lib/libkrb5.so.3", O_RDONLY) = 3
> open("/lib/libcom_err.so.2", O_RDONLY)  = 3
> open("/usr/lib/libgssapi_krb5.so.2", O_RDONLY) = 3
> open("/lib/libcrypt.so.1", O_RDONLY)    = 3
> open("/usr/lib/libldap_r-2.4.so.2", O_RDONLY) = 3
> open("/lib/libdl.so.2", O_RDONLY)       = 3
> open("/usr/lib/libz.so.1", O_RDONLY)    = 3
> open("/usr/lib/libk5crypto.so.3", O_RDONLY) = 3
> open("/usr/lib/libkrb5support.so.0", O_RDONLY) = 3
> open("/lib/libkeyutils.so.1", O_RDONLY) = 3
> open("/lib/libresolv.so.2", O_RDONLY)   = 3
> open("/usr/lib/liblber-2.4.so.2", O_RDONLY) = 3
> open("/usr/lib/libsasl2.so.2", O_RDONLY) = 3
> open("/usr/lib/libgnutls.so.26", O_RDONLY) = 3
> open("/usr/lib/libtasn1.so.3", O_RDONLY) = 3
> open("/usr/lib/libgpg-error.so.0", O_RDONLY) = 3
> open("/usr/lib/libgcrypt.so.11", O_RDONLY) = 3
> open("/etc/nss-pgsql.conf", O_RDONLY)   = 3
> open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
> open("/etc/ld.so.cache", O_RDONLY)      = 3
> open("/lib/libnss_winbind.so.2", O_RDONLY) = 3
>
> The problem is probably more related to the empty nss_* tables in the
> database or no database connection... the only error-like messages
> I've seen in /var/log/postgresql/postgresql-8.3-main.log are messages
> like
>
> could not receive data from client: Connection reset by peer
> incomplete startup packet
>
> If I try an ssh login with the admin account no new lines show up in
> the postgresql log, only an invalid user in auth.log ..
>
>   
>> It means you can have in a first phase of login a try thru pam_pgsql
>> and a second thru pam_unix and nss libs.
>> pam has the ability to let you choose the mechanism depending on the
>> program;
>> sshd in particular uses the /etc/pam.d/sshd config file
>>
>>     
>
> I have removed the sshd entries so that only pam_unix and nss is used.
>
>   
>> Sure this can't work as far as nss_passwd is not correctly filled.
>> This is done by
>> gforge/common/include/system/<$sys_account_manager_type>.class.php
>> sys_account_manager_type is defined in gforge.conf, the default being UNIX;
>> it should be pgsql if you use gforge-shell-postgresql.
>> nss_shadow is a view
>>     
>
> My gforge.conf already has sys_account_manager_type=pgsql.
>
> ls /usr/share/gforge/common/include/system/ shows
> LDAP.class.php  NSSPGSQL.class.php  pgsql.class.php  UNIX.class.php
>
> What is the difference in purpose between the NSSPGSQL class and the
> pgsql class with respect to shell authentication? In other words, is
> there a related usage where sys_account_manager_type is set to
> NSSPGSQL?
>
>   
NSSPGSQL was used when you make views instead of tables for nss_groups
and nss_usergroups, but this is CPU consuming.
A better solution would probably be to use triggers instead of coding
user/group like it's done in pgsql.
> What calls (for example) psql.class.php? Is this done regularly via
> cron job, or does the admin explicitly run it via the gforge
> interface? Based on the settings I am aware of, it seems the nss_*
> tables should be filled on my installation.
>
>   
It's called when you add/remove a user to a project, add a user, or create a
project, not in cron as far as I remember.
> In the gforge interface, the user settings for admin shows "No Unix
> account (N)" without an edit box to enable such an account. Does an
> enable/disable edit box  show up if shell access is properly
> configured?
>
>   
This is probably old stuff from the SourceForge code; the original code was
done to work with different servers, for CVS and shell accounts.
When you put CVS and ssh on the same box, no shell account means
restricted shell for CVS. This is still quite confusing, if you add the
fact that some implementations use different groups for CVS and ssh, others
the same; we should look at this to make it a bit cleaner.
>> take care that only users member of a project get unix account
>>     
>
> Are you saying that if a gforge user isn't a member of a project, it
> is a security hazard to give them shell access?
>
>   
I mean that a user that is not a member of a project hasn't got an account.
>> It seems it's a problem in some cases because the
>> connectionstring = hostaddr=127.0.0.1 user=$db_user_nss
>> password=$db_password dbname=$db_name
>> desyncs the passwd.
>> You can just remove host and pass:
>> connectionstring = user=$db_user_nss dbname=$db_name
>>
>> I don't know exactly why this happens, maybe some usual problem with
>> postgresql not listening by default on socket
>>     
>
> I currently have:
> connectionstring = port=5432 user=gforge_nss dbname=gforge
>
> The port argument was already there. Port 5432 is open according to
> nmap - can problems occur if the (correct) port number is placed in
> the connection string?
>
>   
I think that when you use port the connection isn't considered local
and that pg_hba.conf has to use an IP. You may just get a permission
denied because of this.

You may have a look at http://www.postgresql.org/docs/8.1/static/libpq.html

Without either a host name or host address, libpq will connect using a
local Unix-domain socket; or on machines without Unix-domain sockets, it
will attempt to connect to localhost.

Really, the first thing is to try to make a PostgreSQL connection using
psql -U gforge_nss gforge; if you get any query about a password, here is
your problem and you may dig in pg_hba.conf.

See
http://www.postgresql.org/docs/8.1/interactive/client-authentication.html
local isn't the same thing as host with localhost.

>> You may try the lenny install CD in a virtual machine; that should
>> properly config a gforge
>> as far as you have a properly configured dhcp server, without doing anything
>>     
>
> Hmmm... I fired up a virtual machine, installed Lenny with only the
> "standard system" (or whatever it is called) task. After this I
> installed gforge (and the svn plugin), which depends on
> gforge-shell-postgresql . I let gforge overwrite all configuration
> files of other packages. The variable sys_account_manager_type was set
> to pgsql by default, and nsswitch.conf and nss-pgsql.conf were set up
> properly, except for the presence of the password argument in the
> connectionstring. As before, nss_passwd is empty and strace getent
> passwd admin 2>&1| grep open does not show any nss files being opened
> (this is a "regression" compared to my first install):
>
>   
As far as I remember, until you make a user a member of a project you
will get
> open("/etc/ld.so.cache", O_RDONLY)      = 3
> open("/lib/i686/cmov/libc.so.6", O_RDONLY)        = 3
> open("/usr/lib/locale/locale-archive", O_RDONLY) = 3
>
> I'm clearly missing something elementary about enabling shell
> accounts/svn access from a fresh lenny installation. Any
> comments/insight about creating a functional lenny gforge install with
> svn, shell access, and a web interface (this part is already
> functional by default) is appreciated. I am not interested in
> getting/configuring subdomains for each project. Thank you for the
> help and information that has already been provided.
>
>  - Matt
>
>   
I tested again on a fresh install CD install and there is something
wrong in the pgsql connection setup.
You've got two solutions:

1)
in /etc/nss-pgsql.conf and nss-pgsql-root.conf
use the simplest connection string
user=gforge_nss dbname=gforge
psql -U gforge_nss gforge should give you the prompt

2)
be sure PostgreSQL listens on the socket by having in
/etc/postgresql/8.3/main/postgresql.conf
listen_addresses = 'localhost'
and in /etc/postgresql/8.3/main/pg_hba.conf
host gforge gforge_nss 127.0.0.1/24 trust
psql -U gforge_nss -h localhost gforge should give you the prompt
if you replace trust by password, the default password is gforge_nss;
the password in the connection string is not valid

Sorry for the inconvenience, I'll commit a fix (1)

Can you get one of these 2 solutions to work?

Cheers

Christian











