Thread: real and effective user ids must match
My postgres can not start up, I get this error message:
postmaster successfully started
/usr/bin/postmaster: real and effective user ids must match
/usr/bin/postmaster: real and effective user ids must match
and
Sep 12 14:18:26 TWeb su(pam_unix)[6683]: session opened for user postgres by (uid=0)
Sep 12 14:18:26 TWeb su(pam_unix)[6683]: session closed for user postgres
Sep 12 14:18:29 TWeb su(pam_unix)[6702]: session opened for user postgres by (uid=0)
Sep 12 14:18:29 TWeb su(pam_unix)[6702]: session closed for user postgres
Sep 12 14:18:30 TWeb postgresql: Starting postgresql service: failed
What is happening and how to fix it?
regards
David

On Tue, Sep 12, 2006 at 02:26:11PM +0800, Liustech wrote:
> My postgres can not start up, I get this error message:
>
> postmaster successfully started
> /usr/bin/postmaster: real and effective user ids must match

How are you starting the postmaster? The error suggests that the
postmaster or the program that runs the postmaster is setuid. For
security reasons PostgreSQL refuses to run that way.

--
Michael Fuhr

Michael Fuhr <mike@fuhr.org> writes:
> On Tue, Sep 12, 2006 at 02:26:11PM +0800, Liustech wrote:
>> My postgres can not start up, I get this error message:
>>
>> postmaster successfully started
>> /usr/bin/postmaster: real and effective user ids must match

> How are you starting the postmaster? The error suggests that the
> postmaster or the program that runs the postmaster is setuid.

Another possibility is that he's doing
    su postgres -c "postmaster ..."
where it should be
    su - postgres -c "postmaster ..."
I'm not certain this would produce exactly the described failure,
but it's something to check.

regards, tom lane

On Thu, Sep 14, 2006 at 11:13:43PM +0800, david.lao@sharpasia.com.mo wrote:
> I starting my postgres with standard startup script /etc/rc.d/init.d/postgressql

I didn't notice anything wrong with the script you posted. What
happens if you run the "su" command that starts the postmaster
directly from the command line? That is, the "su" on line 151
(you'll have to set the PGDATA environment variable or replace it
with the path to your data directory):

    su -l postgres -s /bin/sh -c "/usr/bin/pg_ctl -D $PGDATA -p /usr/bin/postmaster start"

What's the output of the following command?

    ls -l /bin/sh /usr/bin/pg_ctl /usr/bin/postmaster /usr/bin/postgres

--
Michael Fuhr

On Fri, Sep 15, 2006 at 09:20:28AM +0800, david.lao@sharpasia.com.mo wrote:
> this is the command output
>
> lrwxrwxrwx 1 root root 4 Apr 3 2003 /bin/sh -> bash
> -rwxr-xr-x 1 root root 9468 Sep 5 2002 /usr/bin/pg_ctl
> -rwxr-xr-x 1 root root 3074760 Sep 5 2002 /usr/bin/postgres
> lrwxrwxrwx 1 root root 8 Oct 29 2005 /usr/bin/postmaster -> postgres

What version of PostgreSQL are you running? If those dates are
correct then I'd guess 7.2.x or earlier.

What about the output of the su command?

--
Michael Fuhr

On Fri, Sep 15, 2006 at 09:49:42AM +0800, david.lao@sharpasia.com.mo wrote:
> I am running postgresql 7.2.2-1.

If you're going to run 7.2 then you should run the latest version,
7.2.8, because earlier versions have serious data-loss bugs. But
since 7.2 is no longer supported, I'd recommend upgrading to a
modern version like 8.1.4 as soon as possible.

As for getting the postmaster running, what's the output of the su
command that I've requested a couple of times? When did this
problem start? What has changed since the last time the postmaster
started successfully?

--
Michael Fuhr

On Fri, Sep 15, 2006 at 11:13:06AM +0800, david.lao@sharpasia.com.mo wrote:
> Thanks, I will try to upgrade new version, the output of <su -l postgres -s /bin/sh -c "/usr/bin/pg_ctl -D $PGDATA -p /usr/bin/postmaster start"> is
> <
> postmaster successfully started
> /usr/bin/postmaster: real and effective user ids must match

The postmaster still thinks it's running setuid; this error appears
to be coming from backend/main/main.c (excerpt from the 7.2.2 source
code):

    if (getuid() != geteuid())
    {
        fprintf(stderr, gettext("%s: real and effective user ids must match\n"),
                argv[0]);
        exit(1);
    }

Can you start the postmaster without using pg_ctl? Please post the
output of the following commands (make sure PGDATA is set for the
second one):

    su -l postgres -s /bin/sh -c id
    su -l postgres -s /bin/sh -c "/usr/bin/postmaster -D $PGDATA"

What OS are you running?

> the problem start after I restart the postgres service, there are nothing
> change in postmaster since last time.

When was the last time you successfully started the postmaster the
same way you're trying now? How long had you been running PostgreSQL
without any problems? If it used to work then something has changed.

--
Michael Fuhr

On Fri, Sep 15, 2006 at 11:56:18AM +0800, david.lao@sharpasia.com.mo wrote:
> su -l postgres -s /bin/sh -c id output:
> uid=0(root) gid=26 euid=26(postgres) groups=26

I don't have a Linux box to test but that output isn't what I'd
expect, and it's not what I get with the equivalent commands on
Solaris and FreeBSD. The above output shows that the real uid and
effective uid are different, which is what the postmaster is
complaining about. I'd expect them to be the same: both postgres.
Can anybody else with a Linux box test the above command?

Do you have sudo? If so then what does "sudo -u postgres id" show?
If uid and euid are the same (both postgres) then you might be able
to start the postmaster with sudo instead of su.

> >When was the last time you successfully started the postmaster the
> >same way you're trying now? How long had you been running PostgreSQL
> >without any problems? If it used to work then something has changed.
>
> I am running Redhat 8, it is same way to start the postgres
> "/etc/rc.d/init.d/postgresql start", I running postgre about
> 2 years ago, maybe it is the hacker do it, because before I
> found one unknown user and delete it, and then I restart the
> service with error.

What do you mean by "the hacker"? Do you know or suspect that
you've been hacked? If so then I'd recommend that you reinstall
your system from trustworthy media, make sure you have current
security patches, and close any configuration holes that might have
let an intruder in.

--
Michael Fuhr

On Thu, 14 Sep 2006, Michael Fuhr wrote:

> On Fri, Sep 15, 2006 at 11:56:18AM +0800, david.lao@sharpasia.com.mo wrote:
>
> I don't have a Linux box to test but that output isn't what I'd
> expect, and it's not what I get with the equivalent commands on
> Solaris and FreeBSD. The above output shows that the real uid and
> effective uid are different, which is what the postmaster is
> complaining about. I'd expect them to be the same: both postgres.
> Can anybody else with a Linux box test the above command?

On my FC4 machine running 2.6.16-1.2111_FC4:

uid=26(postgres) gid=26(postgres) groups=26(postgres) context=user_u:system_r:unconfined_t

--
Jeff Frost, Owner <jeff@frostconsultingllc.com>
Frost Consulting, LLC http://www.frostconsultingllc.com/
Phone: 650-780-7908 FAX: 650-649-1954

On Thu, Sep 14, 2006 at 10:24:29PM -0700, Jeff Frost wrote:
> On Thu, 14 Sep 2006, Michael Fuhr wrote:
> >Can anybody else with a Linux box test the above command?
>
> On my FC4 machine running 2.6.16-1.2111_FC4:
>
> uid=26(postgres) gid=26(postgres) groups=26(postgres)
> context=user_u:system_r:unconfined_t

That's what I'd expect. David's box appears to be behaving oddly,
which could be signs of tampering if he has indeed been hacked. If
that's happened then commands like "ls" and "ps" can't be trusted.

Can anybody think of a way for David to be seeing the behavior he's
seeing that doesn't involve a tampered-with system?

--
Michael Fuhr

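Added example, not part of any message in this thread: a POSIX shell check that parses a line of `id` output and reports whether the real and effective uids differ, which is the condition the postmaster rejects. The function names are hypothetical, the two sample lines are the outputs quoted above, and the check assumes `id` prints an `euid=` field only when the effective uid differs from the real one.

```sh
#!/bin/sh
# Added example: flag a real/effective uid mismatch in a line of id(1) output.
# Assumption: id prints an euid= field only when effective differs from real.

# uid_field LINE NAME: print the numeric value of the NAME= field, if present.
# Hypothetical helper name. Splitting on spaces keeps "uid" from matching "euid".
uid_field() {
    printf '%s\n' "$1" | tr ' ' '\n' |
        sed -n "s/^$2=\([0-9][0-9]*\).*/\1/p" | head -n 1
}

# check_id_line LINE: print the verdict and return
#   0 = real and effective uid match, 1 = mismatch, 2 = no uid= field found.
check_id_line() {
    real=$(uid_field "$1" uid)
    if [ -z "$real" ]; then
        echo "unparseable"
        return 2
    fi
    eff=$(uid_field "$1" euid)
    [ -n "$eff" ] || eff=$real    # no euid= field: effective equals real
    if [ "$real" = "$eff" ]; then
        echo "match $real"
        return 0
    fi
    echo "mismatch real=$real effective=$eff"
    return 1
}

# The two id outputs quoted in the thread.
for line in \
    'uid=0(root) gid=26 euid=26(postgres) groups=26' \
    'uid=26(postgres) gid=26(postgres) groups=26(postgres)'
do
    check_id_line "$line" || true
done
```

On a live host, `check_id_line "$(id)"` applies the same check to the current session; on a host suspected of tampering, the `id` binary is itself among the commands that cannot be trusted.
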
On Fri, 15 Sep 2006, Michael Fuhr wrote:

> On Thu, Sep 14, 2006 at 10:24:29PM -0700, Jeff Frost wrote:
>> On Thu, 14 Sep 2006, Michael Fuhr wrote:
>>> Can anybody else with a Linux box test the above command?
>>
>> On my FC4 machine running 2.6.16-1.2111_FC4:
>>
>> uid=26(postgres) gid=26(postgres) groups=26(postgres)
>> context=user_u:system_r:unconfined_t
>
> That's what I'd expect. David's box appears to be behaving oddly,
> which could be signs of tampering if he has indeed been hacked. If
> that's happened then commands like "ls" and "ps" can't be trusted.
>
> Can anybody think of a way for David to be seeing the behavior he's
> seeing that doesn't involve a tampered-with system?

It's probably worthwhile to get a copy of chkrootkit and/or rkhunter and run
them to see if there is a problem. Might also be worthwhile to run the ps and
ls from the install CD to see if there are any surprising results.

--
Jeff Frost, Owner <jeff@frostconsultingllc.com>
Frost Consulting, LLC http://www.frostconsultingllc.com/
Phone: 650-780-7908 FAX: 650-649-1954

Did you get a copy of chkrootkit and/or rkhunter and run them on this machine?
If so, let us know if it finds a rootkit. If so, that's your problem.

I think you may have to ask on one of the linux system administration lists.
Which linux distribution and version did you indicate this is again?

On Sat, 16 Sep 2006, david.lao@sharpasia.com.mo wrote:

>
> is there any way to correct this problem? please help.
>
> On Fri, 15 Sep 2006, Michael Fuhr wrote:
>
>> On Thu, Sep 14, 2006 at 10:24:29PM -0700, Jeff Frost wrote:
>>> On Thu, 14 Sep 2006, Michael Fuhr wrote:
>>>> Can anybody else with a Linux box test the above command?
>>>
>>> On my FC4 machine running 2.6.16-1.2111_FC4:
>>>
>>> uid=26(postgres) gid=26(postgres) groups=26(postgres)
>>> context=user_u:system_r:unconfined_t
>>
>> That's what I'd expect. David's box appears to be behaving oddly,
>> which could be signs of tampering if he has indeed been hacked. If
>> that's happened then commands like "ls" and "ps" can't be trusted.
>>
>> Can anybody think of a way for David to be seeing the behavior he's
>> seeing that doesn't involve a tampered-with system?
>
> It's probably worthwhile to get a copy of chkrootkit and/or rkhunter and run
> them to see if there is a problem. Might also be worthwhile to run the ps and
> ls from the install CD to see if there are any surprising results.
>
>

--
Jeff Frost, Owner <jeff@frostconsultingllc.com>
Frost Consulting, LLC http://www.frostconsultingllc.com/
Phone: 650-780-7908 FAX: 650-649-1954

this is the command output

lrwxrwxrwx 1 root root 4 Apr 3 2003 /bin/sh -> bash
-rwxr-xr-x 1 root root 9468 Sep 5 2002 /usr/bin/pg_ctl
-rwxr-xr-x 1 root root 3074760 Sep 5 2002 /usr/bin/postgres
lrwxrwxrwx 1 root root 8 Oct 29 2005 /usr/bin/postmaster -> postgres

Best,
David

------------------------------------------------------------------------

On Thu, Sep 14, 2006 at 11:13:43PM +0800, david.lao@sharpasia.com.mo wrote:
> I starting my postgres with standard startup script /etc/rc.d/init.d/postgressql

I didn't notice anything wrong with the script you posted. What
happens if you run the "su" command that starts the postmaster
directly from the command line? That is, the "su" on line 151
(you'll have to set the PGDATA environment variable or replace it
with the path to your data directory):

    su -l postgres -s /bin/sh -c "/usr/bin/pg_ctl -D $PGDATA -p /usr/bin/postmaster start"

What's the output of the following command?

    ls -l /bin/sh /usr/bin/pg_ctl /usr/bin/postmaster /usr/bin/postgres

--
Michael Fuhr

Hi,

I am running postgresql 7.2.2-1.

Best,
David

On Fri, Sep 15, 2006 at 09:20:28AM +0800, david.lao@sharpasia.com.mo wrote:
> this is the command output
>
> lrwxrwxrwx 1 root root 4 Apr 3 2003 /bin/sh -> bash
> -rwxr-xr-x 1 root root 9468 Sep 5 2002 /usr/bin/pg_ctl
> -rwxr-xr-x 1 root root 3074760 Sep 5 2002 /usr/bin/postgres
> lrwxrwxrwx 1 root root 8 Oct 29 2005 /usr/bin/postmaster -> postgres

What version of PostgreSQL are you running? If those dates are
correct then I'd guess 7.2.x or earlier.

What about the output of the su command?

--
Michael Fuhr

Hi,

Thanks, I will try to upgrade new version, the output of <su -l postgres -s /bin/sh -c "/usr/bin/pg_ctl -D $PGDATA -p /usr/bin/postmaster start"> is
<
postmaster successfully started
/usr/bin/postmaster: real and effective user ids must match
>

the problem start after I restart the postgres service, there are nothing change in postmaster since last time.

Best,
David

On Fri, Sep 15, 2006 at 09:49:42AM +0800, david.lao@sharpasia.com.mo wrote:
> I am running postgresql 7.2.2-1.

If you're going to run 7.2 then you should run the latest version,
7.2.8, because earlier versions have serious data-loss bugs. But
since 7.2 is no longer supported, I'd recommend upgrading to a
modern version like 8.1.4 as soon as possible.

As for getting the postmaster running, what's the output of the su
command that I've requested a couple of times? When did this
problem start? What has changed since the last time the postmaster
started successfully?

--
Michael Fuhr

Hi,

su -l postgres -s /bin/sh -c id output:
uid=0(root) gid=26 euid=26(postgres) groups=26

su -l postgres -s /bin/sh -c "/usr/bin/postmaster -D $PGDATA" output
/usr/bin/postmaster: real and effective user ids must match

I am running Redhat 8, it is same way to start the postgres "/etc/rc.d/init.d/postgresql start",

>When was the last time you successfully started the postmaster the
>same way you're trying now? How long had you been running PostgreSQL
>without any problems? If it used to work then something has changed.

I am running Redhat 8, it is same way to start the postgres "/etc/rc.d/init.d/postgresql start", I running postgre about 2 years ago, maybe it is the hacker do it, because before I found one unknown user and delete it, and then I restart the service with error.

David

>Do you have sudo? If so then what does "sudo -u postgres id" show?
>If uid and euid are the same (both postgres) then you might be able
>to start the postmaster with sudo instead of su.

"sudo -u postgres id" show
uid=0(root) gid=26 euid=26(postgres) groups=26

>What do you mean by "the hacker"? Do you know or suspect that
>you've been hacked? If so then I'd recommend that you reinstall
>your system from trustworthy media, make sure you have current
>security patches, and close any configuration holes that might have
>let an intruder in.

Yes, I have been hacked, because I found a new unknown a/c in my system. and in log file get this message:

Sep 3 22:55:00 TWeb su(pam_unix)[24299]: session opened for user root by (uid=0)
Sep 3 22:55:17 TWeb su(pam_unix)[24299]: session closed for user root

David

is there any way to correct this problem? please help.

On Fri, 15 Sep 2006, Michael Fuhr wrote:

> On Thu, Sep 14, 2006 at 10:24:29PM -0700, Jeff Frost wrote:
>> On Thu, 14 Sep 2006, Michael Fuhr wrote:
>>> Can anybody else with a Linux box test the above command?
>>
>> On my FC4 machine running 2.6.16-1.2111_FC4:
>>
>> uid=26(postgres) gid=26(postgres) groups=26(postgres)
>> context=user_u:system_r:unconfined_t
>
> That's what I'd expect. David's box appears to be behaving oddly,
> which could be signs of tampering if he has indeed been hacked. If
> that's happened then commands like "ls" and "ps" can't be trusted.
>
> Can anybody think of a way for David to be seeing the behavior he's
> seeing that doesn't involve a tampered-with system?

It's probably worthwhile to get a copy of chkrootkit and/or rkhunter and run
them to see if there is a problem. Might also be worthwhile to run the ps and
ls from the install CD to see if there are any surprising results.

--
Jeff Frost, Owner <jeff@frostconsultingllc.com>
Frost Consulting, LLC http://www.frostconsultingllc.com/
Phone: 650-780-7908 FAX: 650-649-1954

On Mon, Sep 18, 2006 at 02:09:34AM +0800, david.lao@sharpasia.com.mo wrote:
> it find SHV4 and SHV5 rootkit, is there any way to easy and fast move
> db to new system, I am using Redhat 8.0

If the new system has the same major release of PostgreSQL as the
infected system then you could copy the $PGDATA directory from the
infected system to the new one. Be careful how you communicate
between the two systems or you could end up infecting the new system.

--
Michael Fuhr