Thread: real and effective user ids must match

real and effective user ids must match

From
"Liustech"
Date:
My postgres can not start up,  I get this error message:
 
postmaster successfully started
/usr/bin/postmaster: real and effective user ids must match
 
and
 
Sep 12 14:18:26 TWeb su(pam_unix)[6683]: session opened for user postgres by (uid=0)
Sep 12 14:18:26 TWeb su(pam_unix)[6683]: session closed for user postgres
Sep 12 14:18:29 TWeb su(pam_unix)[6702]: session opened for user postgres by (uid=0)
Sep 12 14:18:29 TWeb su(pam_unix)[6702]: session closed for user postgres
Sep 12 14:18:30 TWeb postgresql: Starting postgresql service:  failed
What is happening and how can I fix it?
 
regards
David

Re: real and effective user ids must match

From
Michael Fuhr
Date:
On Tue, Sep 12, 2006 at 02:26:11PM +0800, Liustech wrote:
> My postgres can not start up,  I get this error message:
>
> postmaster successfully started
> /usr/bin/postmaster: real and effective user ids must match

How are you starting the postmaster?  The error suggests that the
postmaster or the program that runs the postmaster is setuid.  For
security reasons PostgreSQL refuses to run that way.

--
Michael Fuhr

Re: real and effective user ids must match

From
Tom Lane
Date:
Michael Fuhr <mike@fuhr.org> writes:
> On Tue, Sep 12, 2006 at 02:26:11PM +0800, Liustech wrote:
>> My postgres can not start up,  I get this error message:
>>
>> postmaster successfully started
>> /usr/bin/postmaster: real and effective user ids must match

> How are you starting the postmaster?  The error suggests that the
> postmaster or the program that runs the postmaster is setuid.

Another possibility is that he's doing

    su postgres -c "postmaster ..."

where it should be

    su - postgres -c "postmaster ..."

I'm not certain this would produce exactly the described failure,
but it's something to check.

            regards, tom lane

Re: real and effective user ids must match

From
Michael Fuhr
Date:
On Thu, Sep 14, 2006 at 11:13:43PM +0800, david.lao@sharpasia.com.mo wrote:
> I am starting my postgres with the standard startup script /etc/rc.d/init.d/postgressql

I didn't notice anything wrong with the script you posted.  What
happens if you run the "su" command that starts the postmaster
directly from the command line?  That is, the "su" on line 151
(you'll have to set the PGDATA environment variable or replace it
with the path to your data directory):

su -l postgres -s /bin/sh -c "/usr/bin/pg_ctl -D $PGDATA -p /usr/bin/postmaster start"

What's the output of the following command?

ls -l /bin/sh /usr/bin/pg_ctl /usr/bin/postmaster /usr/bin/postgres

--
Michael Fuhr

Re: real and effective user ids must match

From
Michael Fuhr
Date:
On Fri, Sep 15, 2006 at 09:20:28AM +0800, david.lao@sharpasia.com.mo wrote:
> this is the command output
>
> lrwxrwxrwx   1 root     root            4 Apr  3  2003 /bin/sh -> bash
> -rwxr-xr-x   1 root     root         9468 Sep  5  2002 /usr/bin/pg_ctl
> -rwxr-xr-x   1 root     root      3074760 Sep  5  2002 /usr/bin/postgres
> lrwxrwxrwx   1 root     root            8 Oct 29  2005 /usr/bin/postmaster -> postgres

What version of PostgreSQL are you running?  If those dates are
correct then I'd guess 7.2.x or earlier.

What about the output of the su command?

--
Michael Fuhr

Re: real and effective user ids must match

From
Michael Fuhr
Date:
On Fri, Sep 15, 2006 at 09:49:42AM +0800, david.lao@sharpasia.com.mo wrote:
> I am running postgresql 7.2.2-1.

If you're going to run 7.2 then you should run the latest version,
7.2.8, because earlier versions have serious data-loss bugs.  But
since 7.2 is no longer supported, I'd recommend upgrading to a
modern version like 8.1.4 as soon as possible.

As for getting the postmaster running, what's the output of the su
command that I've requested a couple of times?  When did this problem
start?  What has changed since the last time the postmaster started
successfully?

--
Michael Fuhr

Re: real and effective user ids must match

From
Michael Fuhr
Date:
On Fri, Sep 15, 2006 at 11:13:06AM +0800, david.lao@sharpasia.com.mo wrote:
> Thanks, I will try to upgrade to a new version, the output of <su -l postgres -s /bin/sh -c "/usr/bin/pg_ctl -D $PGDATA -p /usr/bin/postmaster start> is
> <
> postmaster successfully started
> /usr/bin/postmaster: real and effective user ids must match

The postmaster still thinks it's running setuid; this error appears
to be coming from backend/main/main.c (excerpt from the 7.2.2 source
code):

  if (getuid() != geteuid())
  {
      fprintf(stderr, gettext("%s: real and effective user ids must match\n"),
              argv[0]);
      exit(1);
  }

Can you start the postmaster without using pg_ctl?  Please post the
output of the following commands (make sure PGDATA is set for the
second one):

su -l postgres -s /bin/sh -c id
su -l postgres -s /bin/sh -c "/usr/bin/postmaster -D $PGDATA"

What OS are you running?

> The problem started after I restarted the postgres service; nothing has
> changed in postmaster since last time.

When was the last time you successfully started the postmaster the
same way you're trying now?  How long had you been running PostgreSQL
without any problems?  If it used to work then something has changed.

--
Michael Fuhr

Re: real and effective user ids must match

From
Michael Fuhr
Date:
On Fri, Sep 15, 2006 at 11:56:18AM +0800, david.lao@sharpasia.com.mo wrote:
> su -l postgres -s /bin/sh -c id output:
> uid=0(root) gid=26 euid=26(postgres) groups=26

I don't have a Linux box to test but that output isn't what I'd
expect, and it's not what I get with the equivalent commands on
Solaris and FreeBSD.  The above output shows that the real uid and
effective uid are different, which is what the postmaster is
complaining about.  I'd expect them to be the same: both postgres.
Can anybody else with a Linux box test the above command?

Do you have sudo?  If so then what does "sudo -u postgres id" show?
If uid and euid are the same (both postgres) then you might be able
to start the postmaster with sudo instead of su.

> >When was the last time you successfully started the postmaster the
> >same way you're trying now?  How long had you been running PostgreSQL
> >without any problems?  If it used to work then something has changed.
>
> I am running Redhat 8, it is same way to start the postgres
> "/etc/rc.d/init.d/postgresql start", I running postgre about
> 2 years ago, maybe it is the hacker do it, because before I
> found one unknown user and deleted it, and then I restarted the
> service with error.

What do you mean by "the hacker"?  Do you know or suspect that
you've been hacked?  If so then I'd recommend that you reinstall
your system from trustworthy media, make sure you have current
security patches, and close any configuration holes that might have
let an intruder in.

--
Michael Fuhr

Re: real and effective user ids must match

From
Jeff Frost
Date:
On Thu, 14 Sep 2006, Michael Fuhr wrote:

> On Fri, Sep 15, 2006 at 11:56:18AM +0800, david.lao@sharpasia.com.mo wrote:
>
> I don't have a Linux box to test but that output isn't what I'd
> expect, and it's not what I get with the equivalent commands on
> Solaris and FreeBSD.  The above output shows that the real uid and
> effective uid are different, which is what the postmaster is
> complaining about.  I'd expect them to be the same: both postgres.
> Can anybody else with a Linux box test the above command?

On my FC4 machine running 2.6.16-1.2111_FC4:

uid=26(postgres) gid=26(postgres) groups=26(postgres) context=user_u:system_r:unconfined_t

--
Jeff Frost, Owner     <jeff@frostconsultingllc.com>
Frost Consulting, LLC     http://www.frostconsultingllc.com/
Phone: 650-780-7908    FAX: 650-649-1954
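
Added example, not part of any post in this thread: a small shell check that classifies `id` output the way the posters do by eye. It relies on the fact that id(1) prints an `euid=` field only when the effective uid differs from the real uid; the two sample lines are the outputs quoted in the thread, and the function names are hypothetical.

```shell
#!/bin/sh
# The two `id` outputs quoted in the thread.
DAVID='uid=0(root) gid=26 euid=26(postgres) groups=26'
JEFF='uid=26(postgres) gid=26(postgres) groups=26(postgres) context=user_u:system_r:unconfined_t'

# id_field NAME LINE -> numeric value of the NAME= field, empty if absent.
# Splitting on spaces first keeps "uid" from matching inside "euid".
id_field() {
    printf '%s\n' "$2" | tr ' ' '\n' |
        sed -n "s/^$1=\([0-9][0-9]*\).*/\1/p" | head -n 1
}

# check_id_line LINE -> prints a verdict.
# Returns 0 if real and effective uid match, 1 on mismatch, 2 if unparsable.
check_id_line() {
    ruid=$(id_field uid "$1")
    euid=$(id_field euid "$1")
    [ -n "$ruid" ] || { echo "unparsable"; return 2; }
    # No euid= field means id saw effective == real.
    [ -n "$euid" ] || euid=$ruid
    if [ "$ruid" = "$euid" ]; then
        echo "match uid=$ruid"
        return 0
    fi
    echo "MISMATCH real=$ruid effective=$euid"
    return 1
}

# check_current -> same verdict for the calling process:
# `id -ru` is the real uid, `id -u` the effective uid.
check_current() {
    check_id_line "uid=$(id -ru) euid=$(id -u)"
}

for line in "$DAVID" "$JEFF"; do
    check_id_line "$line" || :
done
check_current || :
```

A mismatch here is exactly the condition that makes the postmaster refuse to start. As with `ls` and `ps` in the thread, `id` on a suspect host may itself have been altered, so run the check with binaries from trusted media.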

Re: real and effective user ids must match

From
Michael Fuhr
Date:
On Thu, Sep 14, 2006 at 10:24:29PM -0700, Jeff Frost wrote:
> On Thu, 14 Sep 2006, Michael Fuhr wrote:
> >Can anybody else with a Linux box test the above command?
>
> On my FC4 machine running 2.6.16-1.2111_FC4:
>
> uid=26(postgres) gid=26(postgres) groups=26(postgres)
> context=user_u:system_r:unconfined_t

That's what I'd expect.  David's box appears to be behaving oddly,
which could be signs of tampering if he has indeed been hacked.  If
that's happened then commands like "ls" and "ps" can't be trusted.

Can anybody think of a way for David to be seeing the behavior he's
seeing that doesn't involve a tampered-with system?

--
Michael Fuhr

Re: real and effective user ids must match

From
Jeff Frost
Date:
On Fri, 15 Sep 2006, Michael Fuhr wrote:

> On Thu, Sep 14, 2006 at 10:24:29PM -0700, Jeff Frost wrote:
>> On Thu, 14 Sep 2006, Michael Fuhr wrote:
>>> Can anybody else with a Linux box test the above command?
>>
>> On my FC4 machine running 2.6.16-1.2111_FC4:
>>
>> uid=26(postgres) gid=26(postgres) groups=26(postgres)
>> context=user_u:system_r:unconfined_t
>
> That's what I'd expect.  David's box appears to be behaving oddly,
> which could be signs of tampering if he has indeed been hacked.  If
> that's happened then commands like "ls" and "ps" can't be trusted.
>
> Can anybody think of a way for David to be seeing the behavior he's
> seeing that doesn't involve a tampered-with system?

It's probably worthwhile to get a copy of chkrootkit and/or rkhunter and run
them to see if there is a problem.  Might also be worthwhile to run the ps and
ls from the install CD to see if there are any surprising results.

--
Jeff Frost, Owner     <jeff@frostconsultingllc.com>
Frost Consulting, LLC     http://www.frostconsultingllc.com/
Phone: 650-780-7908    FAX: 650-649-1954

Re: real and effective user ids must match

From
Jeff Frost
Date:
Did you get a copy of chkrootkit and/or rkhunter and run them on this machine?
If so, let us know if it finds a rootkit.  If so, that's your problem.  I think
you may have to ask on one of the linux system administration lists.

Which linux distribution and version did you indicate this is again?

On Sat, 16 Sep 2006, david.lao@sharpasia.com.mo wrote:

>
> is there any way to correct this problem? please help.
>
> On Fri, 15 Sep 2006, Michael Fuhr wrote:
>
>> On Thu, Sep 14, 2006 at 10:24:29PM -0700, Jeff Frost wrote:
>>> On Thu, 14 Sep 2006, Michael Fuhr wrote:
>>>> Can anybody else with a Linux box test the above command?
>>>
>>> On my FC4 machine running 2.6.16-1.2111_FC4:
>>>
>>> uid=26(postgres) gid=26(postgres) groups=26(postgres)
>>> context=user_u:system_r:unconfined_t
>>
>> That's what I'd expect.  David's box appears to be behaving oddly,
>> which could be signs of tampering if he has indeed been hacked.  If
>> that's happened then commands like "ls" and "ps" can't be trusted.
>>
>> Can anybody think of a way for David to be seeing the behavior he's
>> seeing that doesn't involve a tampered-with system?
>
> It's probably worthwhile to get a copy of chkrootkit and/or rkhunter and run
> them to see if there is a problem.  Might also be worthwhile to run the ps and
> ls from the install CD to see if there are any surprising results.
>
>

--
Jeff Frost, Owner     <jeff@frostconsultingllc.com>
Frost Consulting, LLC     http://www.frostconsultingllc.com/
Phone: 650-780-7908    FAX: 650-649-1954

Re: real and effective user ids must match

From
david.lao@sharpasia.com.mo
Date:
this is the command output

lrwxrwxrwx   1 root     root            4 Apr  3  2003 /bin/sh -> bash
-rwxr-xr-x   1 root     root         9468 Sep  5  2002 /usr/bin/pg_ctl
-rwxr-xr-x   1 root     root      3074760 Sep  5  2002 /usr/bin/postgres
lrwxrwxrwx   1 root     root            8 Oct 29  2005 /usr/bin/postmaster -> postgres

Best,
David


------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

On Thu, Sep 14, 2006 at 11:13:43PM +0800, david.lao@sharpasia.com.mo wrote:
> I am starting my postgres with the standard startup script /etc/rc.d/init.d/postgressql

I didn't notice anything wrong with the script you posted.  What
happens if you run the "su" command that starts the postmaster
directly from the command line?  That is, the "su" on line 151
(you'll have to set the PGDATA environment variable or replace it
with the path to your data directory):

su -l postgres -s /bin/sh -c "/usr/bin/pg_ctl -D $PGDATA -p /usr/bin/postmaster start"

What's the output of the following command?

ls -l /bin/sh /usr/bin/pg_ctl /usr/bin/postmaster /usr/bin/postgres

--
Michael Fuhr



Re: real and effective user ids must match

From
david.lao@sharpasia.com.mo
Date:
Hi,

I am running postgresql 7.2.2-1.

Best,
David

On Fri, Sep 15, 2006 at 09:20:28AM +0800, david.lao@sharpasia.com.mo wrote:
> this is the command output
>
> lrwxrwxrwx   1 root     root            4 Apr  3  2003 /bin/sh -> bash
> -rwxr-xr-x   1 root     root         9468 Sep  5  2002 /usr/bin/pg_ctl
> -rwxr-xr-x   1 root     root      3074760 Sep  5  2002 /usr/bin/postgres
> lrwxrwxrwx   1 root     root            8 Oct 29  2005 /usr/bin/postmaster -> postgres

What version of PostgreSQL are you running?  If those dates are
correct then I'd guess 7.2.x or earlier.

What about the output of the su command?

--
Michael Fuhr



Re: real and effective user ids must match

From
david.lao@sharpasia.com.mo
Date:
Hi,

Thanks, I will try to upgrade to a new version, the output of <su -l postgres -s /bin/sh -c "/usr/bin/pg_ctl -D $PGDATA -p /usr/bin/postmaster start> is
<
postmaster successfully started
/usr/bin/postmaster: real and effective user ids must match
>

The problem started after I restarted the postgres service; nothing has changed in postmaster since last time.

Best,
David

On Fri, Sep 15, 2006 at 09:49:42AM +0800, david.lao@sharpasia.com.mo wrote:
> I am running postgresql 7.2.2-1.

If you're going to run 7.2 then you should run the latest version,
7.2.8, because earlier versions have serious data-loss bugs.  But
since 7.2 is no longer supported, I'd recommend upgrading to a
modern version like 8.1.4 as soon as possible.

As for getting the postmaster running, what's the output of the su
command that I've requested a couple of times?  When did this problem
start?  What has changed since the last time the postmaster started
successfully?

--
Michael Fuhr



Re: real and effective user ids must match

From
david.lao@sharpasia.com.mo
Date:
Hi,

su -l postgres -s /bin/sh -c id output:
uid=0(root) gid=26 euid=26(postgres) groups=26

su -l postgres -s /bin/sh -c "/usr/bin/postmaster -D $PGDATA" output
/usr/bin/postmaster: real and effective user ids must match

I am running Redhat 8, it is same way to start the postgres "/etc/rc.d/init.d/postgresql start",


>When was the last time you successfully started the postmaster the
>same way you're trying now?  How long had you been running PostgreSQL
>without any problems?  If it used to work then something has changed.

I am running Redhat 8, it is same way to start the postgres "/etc/rc.d/init.d/postgresql start", I running postgre
about 2 years ago, maybe it is the hacker do it, because before I found one unknown user and deleted it, and then I
restarted the service with error.

David



Re: real and effective user ids must match

From
david.lao@sharpasia.com.mo
Date:
>Do you have sudo?  If so then what does "sudo -u postgres id" show?
>If uid and euid are the same (both postgres) then you might be able
>to start the postmaster with sudo instead of su.

"sudo -u postgres id" show
uid=0(root) gid=26 euid=26(postgres) groups=26


>What do you mean by "the hacker"?  Do you know or suspect that
>you've been hacked?  If so then I'd recommend that you reinstall
>your system from trustworthy media, make sure you have current
>security patches, and close any configuration holes that might have
>let an intruder in.

Yes, I have been hacked, because I found a new unknown a/c in my system. and in log file get this message:
Sep  3 22:55:00 TWeb su(pam_unix)[24299]: session opened for user root by (uid=0)
Sep  3 22:55:17 TWeb su(pam_unix)[24299]: session closed for user root

David


Re: real and effective user ids must match

From
david.lao@sharpasia.com.mo
Date:
is there any way to correct this problem? please help.

On Fri, 15 Sep 2006, Michael Fuhr wrote:

> On Thu, Sep 14, 2006 at 10:24:29PM -0700, Jeff Frost wrote:
>> On Thu, 14 Sep 2006, Michael Fuhr wrote:
>>> Can anybody else with a Linux box test the above command?
>>
>> On my FC4 machine running 2.6.16-1.2111_FC4:
>>
>> uid=26(postgres) gid=26(postgres) groups=26(postgres)
>> context=user_u:system_r:unconfined_t
>
> That's what I'd expect.  David's box appears to be behaving oddly,
> which could be signs of tampering if he has indeed been hacked.  If
> that's happened then commands like "ls" and "ps" can't be trusted.
>
> Can anybody think of a way for David to be seeing the behavior he's
> seeing that doesn't involve a tampered-with system?

It's probably worthwhile to get a copy of chkrootkit and/or rkhunter and run
them to see if there is a problem.  Might also be worthwhile to run the ps and
ls from the install CD to see if there are any surprising results.

--
Jeff Frost, Owner     <jeff@frostconsultingllc.com>
Frost Consulting, LLC     http://www.frostconsultingllc.com/
Phone: 650-780-7908    FAX: 650-649-1954



Re: real and effective user ids must match

From
Michael Fuhr
Date:
On Mon, Sep 18, 2006 at 02:09:34AM +0800, david.lao@sharpasia.com.mo wrote:
> it found the SHV4 and SHV5 rootkits, is there any easy and fast way to move
> the db to a new system? I am using Redhat 8.0

If the new system has the same major release of PostgreSQL as the
infected system then you could copy the $PGDATA directory from the
infected system to the new one.  Be careful how you communicate
between the two systems or you could end up infecting the new system.

--
Michael Fuhr