Installation on hardened server falls at first hurdle
#521
Installation on hardened server falls at first hurdle 13 Years ago Karma: 0
When I try to install GG I get a message:

GO-Global UX v2.1.2 Installer, (C) 2000-2003 GraphOn Corporation, All Rights Reserved.

This software includes portions of the freely available:
UnZipSFX 5.40 of 28 November 1998, by Info-ZIP (Zip-Bugs@lists.wku.edu).
/bin/sh: line 1: /tmp/unzip10946.0/setup: Permission denied
Install script failed.

That's as far as I get.

The system is a hardened Fedora Core 2 but that is essentially the same as RH9 so I downloaded the RH9 package. The compiler is gcc-3.3.3-7.

Needless to say I am in root/.

It is not the permissions on /tmp since earlier on I was installing VMware which makes extensive use of /tmp. The permissions on tmp are:
drwxrwxrwt 19 root root 608 Nov 18 19:18 tmp

and on files and directories created today are:
drwxr-xr-x 3 root root 80 Nov 18 16:49 vmware-config0
drwxr-xr-x 3 root root 104 Nov 18 16:53 vmware-config1

... and from the /tmp/vmware-config0:

/tmp/vmware-config0:
total 1
drwxr-xr-x 7 201 201 304 Nov 18 16:49 vmmon-only

/tmp/vmware-config0/vmmon-only:
total 20
drwxr-xr-x 2 201 201 184 Jun 11 01:31 autoconf
.. etc

/tmp/vmware-config0/vmmon-only/autoconf:
total 20
-rw-r--r-- 1 201 201 178 Jun 11 01:31 epoll.c
.. etc

which shows that VMware is able to write to the /tmp directory satisfactorily.

Any ideas what I should do?

TIA
Loggy
 
#530
Supported platforms 13 Years ago Karma: 0
Given the 0 replies to my post the other day, I thought I should add a comment. I noticed on another thread the following comment from Graphon Salesperson Erikt, although since my problem relates to a permissions issue, I don't think it is because of Fedora:

> From a GraphOn standpoint, Fedora is not a supported platform nor am I aware of anyone using GO-Global on Fedora. While the installation may work on certain other "flavors" of Linux, we simply can't support every Linux OS. Perhaps somebody on this Forum has had success and can share their experience.
>
> At this time, GO-Global is supported on Red Hat 7-9 (x86), Red Hat Enterprise 3 (x86), Sun Solaris 2.6+, HP-UX 11.x and IBM AIX 4.3.x. A forthcoming release (December '04) will also provide support for Red Hat Enterprise 3 on AMD64 and SUSE 9.x (x86).

From which I see that it is unlikely that Fedora Core anything will be included. However I would humbly suggest that offering support to the legacy RH 7-9 systems which are themselves not being supported by RedHat places the potential GG user in a quandary: do you have a supported operating system and risk problems with GG or do you regress to an unsupported operating system? I know which way most people would go - get the basics supported so that updates can be yummed in and try to hack GG.

Apart from my permissions problem, (and a definition of the flags to the binary installation would be useful), is there any prospect of getting Fedora support soonest? After all this is a commercial product not being hacked on SourceForge!

Pip pip
Loggy
 
#531
Naughty naughty 12 Years, 12 Months ago Karma: 0
I have found out (at least in theory) why I can't install GG on my FC2 hardened server. You are executing something from /tmp using suid. This is very much not a good procedure and therefore most sensible people mount /tmp nosuid and noexec for safety. :!:

I will have to re-edit my /etc/fstab and reboot the server to install GG, change the /etc/fstab back and reboot again - rather a pain. I will let the list know how I get on then with FC2 aspects.

Please find a better way of installing GG.
Loggy
 
#533
Re: Naughty naughty 12 Years, 11 Months ago Karma: 2
> I have found out (at least in theory) why I can't install GG on my FC2 hardened server. You are executing something from /tmp using suid. This is very much not a good procedure and therefore most sensible people mount /tmp nosuid and noexec for safety. :!:
>
> I will have to re-edit my /etc/fstab and reboot the server to install GG, change the /etc/fstab back and reboot again - rather a pain. I will let the list know how I get on then with FC2 aspects.
>
> Please find a better way of installing GG.

This is incorrect. Our installer is not shipped as a setuid binary. It checks at runtime to ensure that it is being run as a superuser, but any user should be able to start the installer.

I suspect that the problem is that you have mounted /tmp as 'noexec'. The binary file you download self-extracts into a subdirectory of /tmp, and then tries to execute the "setup" binary that it just extracted. On your system, this fails, I assume as a result of the "hardened" nature of your system.

In your case, you could either change the mount flags for /tmp, or specify an alternate directory for the self-extraction with the '-d' option:

Code:

$ ./GOGlobaL_RHL9.bin -d /home/user/


(the self-extractor is a version of the Info-Zip "unzip" program and accepts the same command-line arguments.)

May I ask what procedure you followed to 'harden' your system? With more details, we may be able to make our installer automatically detect this condition in the future.

Thanks,
Troy
troy
Administrator
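
Added example, not part of the thread and not GraphOn's installer code: a pre-flight check for the failure described in the reply above, which reads a mount table, detects whether a directory sits on a `noexec` filesystem, and picks the first usable extraction directory for the `-d` option. The function names and the sample mount table are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide where a self-extracting installer can unpack and run.
# All function names are hypothetical; the mount table below is constructed.

# Print the mount options of the filesystem that holds DIR: the longest
# mount point in MOUNTS_FILE (format of /proc/mounts) that is a path prefix.
mount_opts_for() {
    awk -v d="$1" '
        $2 == "/" || d == $2 || index(d, $2 "/") == 1 {
            if (length($2) >= best) { best = length($2); opts = $4 }
        }
        END { print opts }
    ' "${2:-/proc/mounts}"
}

# Succeed when DIR sits on a filesystem mounted noexec.
has_noexec() {
    case ",$(mount_opts_for "$1" "$2")," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the first candidate directory that is not on a noexec mount.
# Usage: pick_exdir MOUNTS_FILE DIR...
pick_exdir() {
    mtab=$1; shift
    for cand in "$@"; do
        if ! has_noexec "$cand" "$mtab"; then
            echo "$cand"; return 0
        fi
    done
    return 1
}

# Constructed mount table resembling the hardened host in the thread.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
/dev/hda2 / ext3 rw 0 0
/dev/hda5 /tmp ext3 rw,nosuid,nodev,noexec 0 0
/dev/hda6 /home ext3 rw,nosuid 0 0
EOF

# /tmp is rejected, so the second candidate is what would be passed to -d.
EXDIR=$(pick_exdir "$SAMPLE" /tmp /home/user)
echo "extract with: -d $EXDIR"
```

On a live host, pass `/proc/mounts` as the first argument to `pick_exdir`; mount points containing spaces appear octal-escaped in that file and are not handled here.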
 
#537
Re: Installation on hardened server falls at first hurdle 12 Years, 11 Months ago Karma: 0
Thanks for the explanation, Troy. /tmp is also mounted noexec as well as nosuid, which are fairly standard procedures.

May I suggest that you at least put a better help explanation in your installation binary? Using flag --help gives no explanation of the options although there is a -d <exdir> which is a very vague hint it might be something to do with a directory, it doesn't say anything in particular. In addition, it may be useful to add to some FAQs or installation guide. The line

/bin/sh: line 1: /tmp/unzip10946.0/setup: Permission denied
Install script failed.


could be caused by a multitude of things!

As far as the hardening system is concerned, it is quite bespoke and manually done so there is no set procedure but it would be worth testing the installation on something like a Bastilled box. My hardening is actually better than Bastille but quite similar.
Loggy