ownership change on /dev & more -- seems fishy

I saw this exact same issue as reported in the forum at: http://www.virtualmin.com/node/18519 occur on my VPS. It is a Solus VPS running CentOS 5.6 x64.

I have recently switched Apache config to Worker MPM, and the issue is: /dev ownership changed to root:domainuser where domainuser is the first user in httpd.conf's virtual servers list, and also the first account created on the box.

apachectl graceful returned error:

apachectl: Configuration syntax error, will not run "graceful":
Warning: DocumentRoot [/home/domainuser/public_html] does not exist
Syntax error on line 1015 of /etc/httpd/conf/httpd.conf:
can't get fastcgi file info: /home/domainuser/fcgi-bin/php5.fcgi(/home/domainuser/fcgi-bin/php5.fcgi), errno: 13

That user now also shows in these hidden diskcheck files and quota symlinks:

lrwxrwxrwx 1 root domainuser 39 Jul 1 11:38 aquota.group -> /proc/vz/vzaquota/000000d5/aquota.group
lrwxrwxrwx 1 root domainuser 38 Jul 1 11:38 aquota.user -> /proc/vz/vzaquota/000000d5/aquota.user
-rw-r--r-- 1 root domainuser 0 Jul 1 11:38 .autofsck
-rw-r--r-- 1 root domainuser 0 Jun 29 22:40 .autorelabel

Looking in /dev:

drwxr-xr-x 7 root root 1900 Jul 1 11:38 .
drwxr-xr-x 22 root root 4096 Jul 11 20:18 ..
crw------- 1 root root 5, 1 Jul 1 11:38 console
lrwxrwxrwx 1 root domainuser 11 Jul 1 11:38 core -> /proc/kcore
lrwxrwxrwx 1 root root 13 Jul 1 11:38 fd -> /proc/self/fd
crw-rw-rw- 1 root root 1, 7 Apr 13 2006 full
prw------- 1 root domainuser 0 Jul 1 11:38 initctl
crw-r----- 1 root kmem 1, 2 Apr 13 2006 kmem
crw------- 1 root root 1, 11 Apr 13 2006 kmsg
srw-rw-rw- 1 root domainuser 0 Jul 1 11:38 log
brw-r----- 1 root disk 7, 0 Jul 1 11:38 loop0
brw-r----- 1 root disk 7, 1 Jul 1 11:38 loop1
brw-r----- 1 root disk 7, 2 Jul 1 11:38 loop2
brw-r----- 1 root disk 7, 3 Jul 1 11:38 loop3
brw-r----- 1 root disk 7, 4 Jul 1 11:38 loop4
brw-r----- 1 root disk 7, 5 Jul 1 11:38 loop5
brw-r----- 1 root disk 7, 6 Jul 1 11:38 loop6
brw-r----- 1 root disk 7, 7 Jul 1 11:38 loop7
lrwxrwxrwx 1 root domainuser 13 Jul 1 11:38 MAKEDEV -> /sbin/MAKEDEV
drwxr-xr-x 2 root domainuser 40 Jul 1 11:38 mapper
brw------- 1 root domainuser 9, 0 Jul 1 11:38 md0
crw-r----- 1 root kmem 1, 1 Apr 13 2006 mem
drwxr-xr-x 2 root root 60 Jul 1 11:38 net
crw-rw-rw- 1 root root 1, 3 Jul 1 11:38 null
crw-rw---- 1 root lp 99, 0 Jul 1 11:38 parport0
crw-rw---- 1 root lp 99, 1 Jul 1 11:38 parport1
crw-rw---- 1 root lp 99, 2 Jul 1 11:38 parport2
crw-rw---- 1 root lp 99, 3 Jul 1 11:38 parport3
crw-r----- 1 root kmem 1, 4 Apr 13 2006 port
crw------- 1 root root 108, 0 Jul 1 11:38 ppp
crw-rw-rw- 1 root root 5, 2 Jul 12 20:28 ptmx
drwxr-xr-x 2 root root 0 Jul 1 11:38 pts
crw-rw-rw- 1 root tty 2, 176 Apr 13 2006 ptya0
crw-rw-rw- 1 root tty 2, 177 Apr 13 2006 ptya1
crw-rw-rw- 1 root tty 2, 178 Apr 13 2006 ptya2
crw-rw-rw- 1 root tty 2, 179 Apr 13 2006 ptya3
crw-rw-rw- 1 root tty 2, 180 Apr 13 2006 ptya4
crw-rw-rw- 1 root tty 2, 181 Apr 13 2006 ptya5
crw-rw-rw- 1 root tty 2, 182 Apr 13 2006 ptya6
crw-rw-rw- 1 root tty 2, 183 Apr 13 2006 ptya7
crw-rw-rw- 1 root tty 2, 184 Apr 13 2006 ptya8
crw-rw-rw- 1 root tty 2, 185 Apr 13 2006 ptya9
crw-rw-rw- 1 root tty 2, 186 Apr 13 2006 ptyaa
crw-rw-rw- 1 root tty 2, 187 Apr 13 2006 ptyab
crw-rw-rw- 1 root tty 2, 188 Apr 13 2006 ptyac
crw-rw-rw- 1 root tty 2, 189 Apr 13 2006 ptyad
crw-rw-rw- 1 root tty 2, 190 Apr 13 2006 ptyae
crw-rw-rw- 1 root tty 2, 191 Apr 13 2006 ptyaf
crw-rw-rw- 1 root tty 2, 0 Apr 13 2006 ptyp0
crw-rw-rw- 1 root tty 2, 1 Apr 13 2006 ptyp1
crw-rw-rw- 1 root tty 2, 2 Apr 13 2006 ptyp2
crw-rw-rw- 1 root tty 2, 3 Apr 13 2006 ptyp3
crw-rw-rw- 1 root tty 2, 4 Apr 13 2006 ptyp4
crw-rw-rw- 1 root tty 2, 5 Apr 13 2006 ptyp5
crw-rw-rw- 1 root tty 2, 6 Apr 13 2006 ptyp6
crw-rw-rw- 1 root tty 2, 7 Apr 13 2006 ptyp7
lrwxrwxrwx 1 root root 4 Jul 1 11:38 ram -> ram1
brw-r----- 1 root disk 1, 0 Apr 13 2006 ram0
brw-r----- 1 root disk 1, 1 Apr 13 2006 ram1
lrwxrwxrwx 1 root root 4 Jul 1 11:38 ramdisk -> ram0
crw-r--r-- 1 root root 1, 8 Apr 13 2006 random
drwxr-xr-x 2 root domainuser 40 Jul 3 09:18 shm
brw-r--r-- 1 root domainuser 0, 213 Jul 1 11:38 simfs
lrwxrwxrwx 1 root root 15 Jul 1 11:38 stderr -> /proc/self/fd/2
lrwxrwxrwx 1 root root 15 Jul 1 11:38 stdin -> /proc/self/fd/0
lrwxrwxrwx 1 root root 15 Jul 1 11:38 stdout -> /proc/self/fd/1
crw-rw-rw- 1 root root 5, 0 Jul 10 20:19 tty
crw-rw-rw- 1 root tty 3, 176 Apr 13 2006 ttya0
crw-rw-rw- 1 root tty 3, 177 Apr 13 2006 ttya1
crw-rw-rw- 1 root tty 3, 178 Apr 13 2006 ttya2
crw-rw-rw- 1 root tty 3, 179 Apr 13 2006 ttya3
crw-rw-rw- 1 root tty 3, 180 Apr 13 2006 ttya4
crw-rw-rw- 1 root tty 3, 181 Apr 13 2006 ttya5
crw-rw-rw- 1 root tty 3, 182 Apr 13 2006 ttya6
crw-rw-rw- 1 root tty 3, 183 Apr 13 2006 ttya7
crw-rw-rw- 1 root tty 3, 184 Apr 13 2006 ttya8
crw-rw-rw- 1 root tty 3, 185 Apr 13 2006 ttya9
crw-rw-rw- 1 root tty 3, 186 Apr 13 2006 ttyaa
crw-rw-rw- 1 root tty 3, 187 Apr 13 2006 ttyab
crw-rw-rw- 1 root tty 3, 188 Apr 13 2006 ttyac
crw-rw-rw- 1 root tty 3, 189 Apr 13 2006 ttyad
crw-rw-rw- 1 root tty 3, 190 Apr 13 2006 ttyae
crw-rw-rw- 1 root tty 3, 191 Apr 13 2006 ttyaf
crw-rw-rw- 1 root tty 3, 0 Apr 13 2006 ttyp0
crw-rw-rw- 1 root tty 3, 1 Apr 13 2006 ttyp1
crw-rw-rw- 1 root tty 3, 2 Apr 13 2006 ttyp2
crw-rw-rw- 1 root tty 3, 3 Apr 13 2006 ttyp3
crw-rw-rw- 1 root tty 3, 4 Apr 13 2006 ttyp4
crw-rw-rw- 1 root tty 3, 5 Apr 13 2006 ttyp5
crw-rw-rw- 1 root tty 3, 6 Apr 13 2006 ttyp6
crw-rw-rw- 1 root tty 3, 7 Apr 13 2006 ttyp7
drwxr-xr-x 2 root domainuser 60 Jul 1 11:38 .udev
crw-r--r-- 1 root root 1, 9 Apr 13 2006 urandom
lrwxrwxrwx 1 root domainuser 4 Jul 1 11:38 X0R -> null
crw-rw-rw- 1 root root 1, 5 Jul 1 11:38 zero

This must have occurred some time today, as I used apachectl graceful to restart apache a few times yesterday.

This may be a bug; I will sit on it for a while and see if it occurs again. Could be a bug in Worker MPM? Or an issue with Solus OpenVZ? I don't know...

Status: Active

Comments

One possible cause is a UID clash between domainuser and the proper owner of those files in /dev.

Try running the command id -a domainuser to get the UID of the user, and then looking in /etc/passwd in the 3rd field to see if there is some other user with the same UID.

Hm, I may be mistaken, but should the second name in the ownership data not be the group that owns the file? So, "domainuser" would be a group in this case and not a username?

For comparison: in Ubuntu, the files in /dev are all owned by user "root", but by different groups like "root" (root exists both as a user and group in Ubuntu), "tty", "dialout", "disk", "cdrom", "video", "floppy", ...

So to find out what this "domainuser"'s ID is, one would have to check /etc/group.

Of course it could be the same name as a Virtualmin domain user, since by default a group with the same name as the administration user is created for them.

Another hint regarding that: to get the numerical IDs of the file owners, you can use ls -ln /dev. Might make it easier to check for dupes in the groups file.

uid=500(domainuser) gid=500(domainuser) groups=500(domainuser)

/etc/group:
domainuser::500:apache

no other groups share that group id

/etc/passwd:
domainuser:x:500:500:Domain User Full Name:/home/domainuser:/bin/sh

(500)domainuser is the first user in apache group

no other users or groups share 500 uid or gid

Here are other /dev with group domainuser

root domainuser log

root domainuser core -> /proc/kcore

root domainuser MAKEDEV -> /sbin/MAKEDEV

root domainuser mapper

root domainuser md0

root domainuser shm

root domainuser simfs

root domainuser X0R -> null

root domainuser .udev

so it looks like there's confusion and the group for /dev/shm etc. should be apache, not domainuser

do you think Apache Worker MPM is causing that?

I will delete that virtual host (it's not a live site) and see if the next group in line starts showing up in /dev

fyi

after deleting account domainuser, the uid & gid still exist, so now group ownership of all of the above has changed to 500

Still not sure if this is proper, but I don't want /dev to get owned by group 500 again or it may cause issues.

stability of the server has been good, no issues... but this is still puzzling me.

Hmm, can you try rebooting the server? The /dev directory usually gets auto-populated on boot and as far as I know it's not "real" files, maybe doing so fixes the ownership issue.

I will reboot early AM so that I only upset the users on the other side of the world.

the VPS reboots quicker than my old dedicated 2U.

On reboot, gid 500 gets ownership of /dev & many of /dev's underlings.

in /

drwxr-xr-x 7 root 500 1900 Jul 14 14:38 dev

-rw-r--r-- 1 root 500 0 Jul 14 14:38 .autofsck

-rw-r--r-- 1 root 500 0 Jun 29 22:40 .autorelabel

in /dev

lrwxrwxrwx 1 root 500 11 Jul 14 14:38 core -> /proc/kcore

prw------- 1 root 500 0 Jul 14 14:38 initctl

srw-rw-rw- 1 root 500 0 Jul 14 14:38 log

lrwxrwxrwx 1 root 500 13 Jul 14 14:38 MAKEDEV -> /sbin/MAKEDEV

drwxr-xr-x 2 root 500 40 Jul 14 14:38 mapper

brw------- 1 root 500 9, 0 Jul 14 14:38 md0

drwxr-xr-x 2 root 500 40 Jul 14 14:38 shm

brw-r--r-- 1 root 500 0, 60 Jul 14 14:38 simfs

drwxr-xr-x 2 root 500 60 Jul 14 14:38 .udev

lrwxrwxrwx 1 root 500 4 Jul 14 14:38 X0R -> null

This looks somewhat odd indeed, though it might even be normal for the virtualization software in use. I'm afraid my experience with SolusVM and CentOS is limited (i.e. non-existent :) ).

My only further hint at the moment would be, if you by chance have access to a "fresh" Solus VPS with CentOS, to check out the ownership of /dev as it should be, and compare it to yours.
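
The two checks suggested in the comments above (looking for duplicate IDs in the groups file, and comparing numeric `ls -ln /dev` ownership against a fresh VPS) can be scripted as below. This is an added example, not part of the original thread; the function names, file names and sample data are hypothetical, and the baseline assumes a fresh container shows gid 0 on these entries.

```shell
#!/bin/sh
# Added example, not from the thread.

# dup_gids FILE: print "gid name1,name2" for each GID used by more than one group.
dup_gids() {
    awk -F: '$3 != "" { n[$3]++; names[$3] = names[$3] (names[$3] ? "," : "") $1 }
             END { for (g in n) if (n[g] > 1) print g, names[g] }' "$1" | sort -n
}

# owner_drift BASELINE CURRENT: compare two saved `ls -ln` listings and print
# "name base_uid:gid -> cur_uid:gid" for every entry whose numeric owner changed.
owner_drift() {
    awk '
        function entry_name(   i, start, s) {
            start = ($1 ~ /^[bc]/) ? 10 : 9   # device nodes show "major, minor"
            s = $start
            for (i = start + 1; i <= NF && $i != "->"; i++) s = s " " $i
            return s
        }
        NF < 9 || $1 == "total" { next }
        FNR == NR { base[entry_name()] = $3 ":" $4; next }
        { n = entry_name()
          if ((n in base) && base[n] != $3 ":" $4) print n, base[n], "->", $3 ":" $4 }
    ' "$1" "$2"
}
# Constructed samples: the baseline assumes a fresh container with gid 0 everywhere.
tmp=$(mktemp -d)
cat > "$tmp/baseline.txt" <<'EOF'
drwxr-xr-x 2 0 0 40 Jul 1 11:38 shm
srw-rw-rw- 1 0 0 0 Jul 1 11:38 log
lrwxrwxrwx 1 0 0 11 Jul 1 11:38 core -> /proc/kcore
crw-rw-rw- 1 0 0 1, 3 Jul 1 11:38 null
brw------- 1 0 0 9, 0 Jul 1 11:38 md0
EOF
cat > "$tmp/current.txt" <<'EOF'
drwxr-xr-x 2 0 500 40 Jul 14 14:38 shm
srw-rw-rw- 1 0 500 0 Jul 14 14:38 log
lrwxrwxrwx 1 0 500 11 Jul 14 14:38 core -> /proc/kcore
crw-rw-rw- 1 0 0 1, 3 Jul 14 14:38 null
brw------- 1 0 500 9, 0 Jul 14 14:38 md0
EOF
cat > "$tmp/group" <<'EOF'
root:x:0:
apache:x:48:
domainuser::500:apache
webadmin:x:500:
EOF
echo "Duplicate GIDs:";  dup_gids "$tmp/group"
echo "Ownership drift:"; owner_drift "$tmp/baseline.txt" "$tmp/current.txt"
```

On a real system the inputs would be `/etc/group` and the saved output of `ls -ln /dev` from each machine.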