OCTADE |
mail  files  register  groups  login |
Pages:12 |
<v0gsqn$3r63q$1@dont-email.me>
copy midhttps://news.octade.net/rocksolid/article-flat.php?id=446&group=rocksolid.nodes.help#446
copy link Newsgroups: rocksolid.nodes.helpHello!
I've used
select msgid from articles;
to get the msgids and issued nocems.
That worked according to the log.
Although, the amount of message-IDs in the DB was smaller than the
amount of messages on the web.
From where do those articles come?
--
kind regards
Marco
Send spam to 1714156711muell@cartoonies.org
<e89c9f6680c1371e55c2b69ce767ce71$1@invalid.invalid>
copy midhttps://news.octade.net/rocksolid/article-flat.php?id=447&group=rocksolid.nodes.help#447
copy link Newsgroups: rocksolid.nodes.helpOn Fri, 26 Apr 2024 20:46:46 +0200, Marco Moock wrote:
> Hello!
>
> I've used
> select msgid from articles;
> to get the msgids and issued nocems.
> That worked according to the log.
>
> Although, the amount of message-IDs in the DB was smaller than the
> amount of messages on the web.
>
> From where do those articles come?
Do you mean that the count of articles you get by searching by msgid using
sqlite3 from command line is smaller than the count of articles you get by
searching using RSLight interface?
If you take a msgid you find using RSLight and search for it using sqlite3,
does it find it?
I sent the suggestion to your email request about searching the db for
articles, but I'm not a developer of sqlite3, so I can't say if it has any
issues. Are you saying the issue is with RSLight? If so, we can try to work
on that.
<v0ipub$bo9k$1@dont-email.me>
copy midhttps://news.octade.net/rocksolid/article-flat.php?id=448&group=rocksolid.nodes.help#448
copy link Newsgroups: rocksolid.nodes.helpOn 26.04.2024 um 13:32 Uhr Retro Guy wrote:
> Do you mean that the count of articles you get by searching by msgid
> using sqlite3 from command line is smaller than the count of articles
> you get by searching using RSLight interface?
Those articles are shown in the overview, but don't exist anymore if I
try to open them.
https://pi-dach.dorfdsl.de/rocksolid/thread.php?group=de.rec.sport.misc
> If you take a msgid you find using RSLight and search for it using
> sqlite3, does it find it?
If I select all (select * from articles;), I don't get any datasets in
the sqlite DB after issuing Nocems for the articles listed in that db.
That would be reasonable because that group was only used for spam in
the last months and I canceled that.
> I sent the suggestion to your email request about searching the db for
> articles, but I'm not a developer of sqlite3, so I can't say if it
> has any issues. Are you saying the issue is with RSLight? If so, we
> can try to work on that.
I don't think it is an sqlite bug.
For me it looks like the group message listing in rsl isn't updating in
that situation.
--
kind regards
Marco
Send spam to 1714131135muell@cartoonies.org
<320ce2e09ac1cc3cfcb5477b8b3210fb@www.rocksolidbbs.com>
copy midhttps://news.octade.net/rocksolid/article-flat.php?id=449&group=rocksolid.nodes.help#449
copy link Newsgroups: rocksolid.nodes.helpMarco Moock wrote:
> On 26.04.2024 um 13:32 Uhr Retro Guy wrote:
>> Do you mean that the count of articles you get by searching by msgid
>> using sqlite3 from command line is smaller than the count of articles
>> you get by searching using RSLight interface?
> Those articles are shown in the overview, but don't exist anymore if I
> try to open them.
> https://pi-dach.dorfdsl.de/rocksolid/thread.php?group=de.rec.sport.misc
>> If you take a msgid you find using RSLight and search for it using
>> sqlite3, does it find it?
> If I select all (select * from articles;), I don't get any datasets in
> the sqlite DB after issuing Nocems for the articles listed in that db.
> That would be reasonable because that group was only used for spam in
> the last months and I canceled that.
>> I sent the suggestion to your email request about searching the db for
>> articles, but I'm not a developer of sqlite3, so I can't say if it
>> has any issues. Are you saying the issue is with RSLight? If so, we
>> can try to work on that.
> I don't think it is an sqlite bug.
> For me it looks like the group message listing in rsl isn't updating in
> that situation.
You're probably correct. If you run the same sqlite3 search on 'articles-overview.db3', do you see the articles there?
--
Retro Guy
<e0574b7cffc0202d6f672dd7dd4e5f05@www.novabbs.org>
copy midhttps://news.octade.net/rocksolid/article-flat.php?id=450&group=rocksolid.nodes.help#450
copy link Newsgroups: rocksolid.nodes.helpRetro Guy wrote:
> Marco Moock wrote:
>> On 26.04.2024 um 13:32 Uhr Retro Guy wrote:
>>> Do you mean that the count of articles you get by searching by msgid
>>> using sqlite3 from command line is smaller than the count of articles
>>> you get by searching using RSLight interface?
>> Those articles are shown in the overview, but don't exist anymore if I
>> try to open them.
>> https://pi-dach.dorfdsl.de/rocksolid/thread.php?group=de.rec.sport.misc
>>> If you take a msgid you find using RSLight and search for it using
>>> sqlite3, does it find it?
>> If I select all (select * from articles;), I don't get any datasets in
>> the sqlite DB after issuing Nocems for the articles listed in that db.
>> That would be reasonable because that group was only used for spam in
>> the last months and I canceled that.
>>> I sent the suggestion to your email request about searching the db for
>>> articles, but I'm not a developer of sqlite3, so I can't say if it
>>> has any issues. Are you saying the issue is with RSLight? If so, we
>>> can try to work on that.
>> I don't think it is an sqlite bug.
>> For me it looks like the group message listing in rsl isn't updating in
>> that situation.
> You're probably correct. If you run the same sqlite3 search on 'articles-overview.db3', do you see the articles there?
I assume it was NoCeM that was used to delete the articles. I have not seen this result (articles still appear).
Btw, there is a tool to fix this, but of course we don't want it to happen in the first place.
To fix:
cd /var/www/html/spoolnews
php /etc/rslight/scripts/maintenance.php -import de.rec.sport.misc
--
Retro Guy
<v0j00u$bo9k$2@dont-email.me>
copy midhttps://news.octade.net/rocksolid/article-flat.php?id=451&group=rocksolid.nodes.help#451
copy link Newsgroups: rocksolid.nodes.helpOn 27.04.2024 um 12:47 Uhr Retro Guy wrote:
> To fix:
> cd /var/www/html/spoolnews
> php /etc/rslight/scripts/maintenance.php -import de.rec.sport.misc
That worked.
Although, the article counter is still wrong.
--
kind regards
Marco
Send spam to 1714214878muell@cartoonies.org
<74d4203f6468fdcdddb37044fb07e51b@www.novabbs.org>
copy midhttps://news.octade.net/rocksolid/article-flat.php?id=452&group=rocksolid.nodes.help#452
copy link Newsgroups: rocksolid.nodes.helpMarco Moock wrote:
> On 27.04.2024 um 12:47 Uhr Retro Guy wrote:
>> To fix:
>> cd /var/www/html/spoolnews
>> php /etc/rslight/scripts/maintenance.php -import de.rec.sport.misc
> That worked.
> Although, the article counter is still wrong.
That should clear up after a couple of runs of cron.php
--
Retro Guy
<v0tmmo$35326$2@dont-email.me>
copy midhttps://news.octade.net/rocksolid/article-flat.php?id=453&group=rocksolid.nodes.help#453
copy link Newsgroups: rocksolid.nodes.helpOn 27.04.2024 um 15:53 Uhr Marco Moock wrote:
> On 27.04.2024 um 12:47 Uhr Retro Guy wrote:
>
> > To fix:
> > cd /var/www/html/spoolnews
> > php /etc/rslight/scripts/maintenance.php -import de.rec.sport.misc
>
> That worked.
> Although, the article counter is still wrong.
Now the overview shows the old articles again, but the articles itself
don't exist.
How can that happen?
--
kind regards
Marco
Send spam to 1714226014muell@cartoonies.org
<9e7551182924bf0aca4ab9fa7e1a1da0$1@invalid.invalid>
copy midhttps://news.octade.net/rocksolid/article-flat.php?id=454&group=rocksolid.nodes.help#454
copy link Newsgroups: rocksolid.nodes.helpOn Wed, 1 May 2024 17:21:59 +0200, Marco Moock wrote:
> On 27.04.2024 um 15:53 Uhr Marco Moock wrote:
>
>> On 27.04.2024 um 12:47 Uhr Retro Guy wrote:
>>
>>> To fix:
>>> cd /var/www/html/spoolnews
>>> php /etc/rslight/scripts/maintenance.php -import de.rec.sport.misc
>>
>> That worked.
>> Although, the article counter is still wrong.
>
> Now the overview shows the old articles again, but the articles itself
> don't exist.
> How can that happen?
Can you check the permissions on all your .db3 files in your spool
directory? Everything should be writable by your web server user.
I have not seen this issue myself, but I do see it on your site. We may
need to add some debugging logging to spoolnews.php to see what's happening
if your permissions are ok.
<0c683433b1ea1c0516e0c21e9e68dc95$1@invalid.invalid>
copy midhttps://news.octade.net/rocksolid/article-flat.php?id=455&group=rocksolid.nodes.help#455
copy link Newsgroups: rocksolid.nodes.helpOn Wed, 1 May 2024 08:32:11 -0700, Retro Guy wrote:
> On Wed, 1 May 2024 17:21:59 +0200, Marco Moock wrote:
>
>> On 27.04.2024 um 15:53 Uhr Marco Moock wrote:
>>
>>> On 27.04.2024 um 12:47 Uhr Retro Guy wrote:
>>>
>>>> To fix:
>>>> cd /var/www/html/spoolnews
>>>> php /etc/rslight/scripts/maintenance.php -import de.rec.sport.misc
>>>
>>> That worked.
>>> Although, the article counter is still wrong.
>>
>> Now the overview shows the old articles again, but the articles itself
>> don't exist.
>> How can that happen?
>
> Can you check the permissions on all your .db3 files in your spool
> directory? Everything should be writable by your web server user.
>
> I have not seen this issue myself, but I do see it on your site. We may
> need to add some debugging logging to spoolnews.php to see what's happening
> if your permissions are ok.
If permissions are ok, could you check the databases directly with sqlite3?
I'm just using a group and number here as an example:
cd /var/spool/rslight
$ sqlite3
sqlite> .open articles-overview.db3
sqlite> select msgid from overview where newsgroup="alt.fan.usenet" and
number=542;
<pPmcnW9gJrkyVUr4nZ2dnZfqn_idnZ2d@earthlink.com>
sqlite> .open alt.fan.usenet-articles.db3
sqlite> select msgid from articles where number=542;
<pPmcnW9gJrkyVUr4nZ2dnZfqn_idnZ2d@earthlink.com>
sqlite> .quit
The same message-id should appear for both queries.
<v0tv4t$39sdv$1@dont-email.me>
copy midhttps://news.octade.net/rocksolid/article-flat.php?id=456&group=rocksolid.nodes.help#456
copy link Newsgroups: rocksolid.nodes.helpOn 01.05.2024 um 08:32 Uhr Retro Guy wrote:
> On Wed, 1 May 2024 17:21:59 +0200, Marco Moock wrote:
>
> > On 27.04.2024 um 15:53 Uhr Marco Moock wrote:
> >
> >> On 27.04.2024 um 12:47 Uhr Retro Guy wrote:
> >>
> >>> To fix:
> >>> cd /var/www/html/spoolnews
> >>> php /etc/rslight/scripts/maintenance.php -import
> >>> de.rec.sport.misc
> >>
> >> That worked.
> >> Although, the article counter is still wrong.
> >
> > Now the overview shows the old articles again, but the articles
> > itself don't exist.
> > How can that happen?
>
> Can you check the permissions on all your .db3 files in your spool
> directory? Everything should be writable by your web server user.
I think the issue is that I ran the php script to fix it as root.
-rw-r--r-- 1 root root 53248 30. Apr 21:01 de.rec.sport.misc-articles.db3
-rw-r--r-- 1 root root 53248 30. Apr 21:03 de.soc.wirtschaft-articles.db3
I've now changed that.
> I have not seen this issue myself, but I do see it on your site. We
> may need to add some debugging logging to spoolnews.php to see what's
> happening if your permissions are ok.
Another thing I noticed:
-rw-r--r-- 1 www-data www-data 12288 29. Mär 18:32 '(SELECT (CASE WHEN (9995=7959) THEN '\''de.etc.fahrzeug.auto'\'' ELSE (SELECT 7959 UNION SELECT 8193) END))-data.db3'
Is that ok?
--
kind regards
Marco
Send spam to 1714545131muell@cartoonies.org
<9d885566ed21da3a88197f6d84ae7d64$1@invalid.invalid>
copy midhttps://news.octade.net/rocksolid/article-flat.php?id=457&group=rocksolid.nodes.help#457
copy link Newsgroups: rocksolid.nodes.helpOn Wed, 1 May 2024 19:46:04 +0200, Marco Moock wrote:
> On 01.05.2024 um 08:32 Uhr Retro Guy wrote:
>
>> On Wed, 1 May 2024 17:21:59 +0200, Marco Moock wrote:
>>
>>> On 27.04.2024 um 15:53 Uhr Marco Moock wrote:
>>>
>>>> On 27.04.2024 um 12:47 Uhr Retro Guy wrote:
>>>>
>>>>> To fix:
>>>>> cd /var/www/html/spoolnews
>>>>> php /etc/rslight/scripts/maintenance.php -import
>>>>> de.rec.sport.misc
>>>>
>>>> That worked.
>>>> Although, the article counter is still wrong.
>>>
>>> Now the overview shows the old articles again, but the articles
>>> itself don't exist.
>>> How can that happen?
>>
>> Can you check the permissions on all your .db3 files in your spool
>> directory? Everything should be writable by your web server user.
>
> I think the issue is that I ran the php script to fix it as root.
> -rw-r--r-- 1 root root 53248 30. Apr 21:01 de.rec.sport.misc-articles.db3
> -rw-r--r-- 1 root root 53248 30. Apr 21:03 de.soc.wirtschaft-articles.db3
>
> I've now changed that.
Ok, I was hoping it might be as simple as that. Let's hope that fixes it.
I did just add some additional logging to catch that in the future (haven't
pushed a commit yet)
>
>> I have not seen this issue myself, but I do see it on your site. We
>> may need to add some debugging logging to spoolnews.php to see what's
>> happening if your permissions are ok.
>
> Another thing I noticed:
>
> -rw-r--r-- 1 www-data www-data 12288 29. Mär 18:32 '(SELECT (CASE WHEN (9995=7959) THEN '\''de.etc.fahrzeug.auto'\'' ELSE (SELECT 7959 UNION SELECT 8193) END))-data.db3'
>
> Is that ok?
It's harmless, but not good. I get that also, but much much less than in
earlier versions. It's a matter of me (the code) checking that the group is
real before creating the file.
It is caused by someone trying to hack your site, but their sql statements
can not be processed by sqlite as everything is cleaned first, but still
need to fix it writing the filename.
You can expect to see plenty of hack attempts as your site becomes more
well known. No sql injection attempt has ever been successful on my sites,
but we still see some of the attempts with these filenames. I will continue
to try to reduce this further.
<4464da8bef610dac30dbbfc4feb8f654$1@invalid.invalid>
copy midhttps://news.octade.net/rocksolid/article-flat.php?id=458&group=rocksolid.nodes.help#458
copy link Newsgroups: rocksolid.nodes.helpOn Wed, 1 May 2024 11:17:21 -0700, Retro Guy wrote:
> On Wed, 1 May 2024 19:46:04 +0200, Marco Moock wrote:
>
>> On 01.05.2024 um 08:32 Uhr Retro Guy wrote:
>>
>>> On Wed, 1 May 2024 17:21:59 +0200, Marco Moock wrote:
>>>
>>>> On 27.04.2024 um 15:53 Uhr Marco Moock wrote:
>>>>
>>>>> On 27.04.2024 um 12:47 Uhr Retro Guy wrote:
>>>>>
>>>>>> To fix:
>>>>>> cd /var/www/html/spoolnews
>>>>>> php /etc/rslight/scripts/maintenance.php -import
>>>>>> de.rec.sport.misc
>>>>>
>>>>> That worked.
>>>>> Although, the article counter is still wrong.
>>>>
>>>> Now the overview shows the old articles again, but the articles
>>>> itself don't exist.
>>>> How can that happen?
>>>
>>> Can you check the permissions on all your .db3 files in your spool
>>> directory? Everything should be writable by your web server user.
>>
>> I think the issue is that I ran the php script to fix it as root.
>> -rw-r--r-- 1 root root 53248 30. Apr 21:01 de.rec.sport.misc-articles.db3
>> -rw-r--r-- 1 root root 53248 30. Apr 21:03 de.soc.wirtschaft-articles.db3
>>
>> I've now changed that.
>
> Ok, I was hoping it might be as simple as that. Let's hope that fixes it.
>
> I did just add some additional logging to catch that in the future (haven't
> pushed a commit yet)
Also, any articles spooled while the files were not writable will still
have their data in the overview, but the article won't exist.
You will need to run maintenance -import again for any group affected.
What that command does is removes every article for the group from overview
and history, then rewrites all articles that actually do exist in your
<group>-artlces.db3 file back into overview and history.
This can also be used to copy a <group>-articles.db3 database from another
site, or a backup.
<v0u2rr$3ai6i$1@dont-email.me>
copy midhttps://news.octade.net/rocksolid/article-flat.php?id=459&group=rocksolid.nodes.help#459
copy link Newsgroups: rocksolid.nodes.helpOn 01.05.2024 um 11:21 Uhr Retro Guy wrote:
> Also, any articles spooled while the files were not writable will
> still have their data in the overview, but the article won't exist.
>
> You will need to run maintenance -import again for any group affected.
As which user?
--
kind regards
Marco
Send spam to 1714555297muell@cartoonies.org
<v0u31i$3ai6i$2@dont-email.me>
copy midhttps://news.octade.net/rocksolid/article-flat.php?id=460&group=rocksolid.nodes.help#460
copy link Newsgroups: rocksolid.nodes.helpOn 01.05.2024 um 11:17 Uhr Retro Guy wrote:
> On Wed, 1 May 2024 19:46:04 +0200, Marco Moock wrote:
>
> > On 01.05.2024 um 08:32 Uhr Retro Guy wrote:
> >
> >> On Wed, 1 May 2024 17:21:59 +0200, Marco Moock wrote:
> >>
> >>> On 27.04.2024 um 15:53 Uhr Marco Moock wrote:
> >>>
> >>>> On 27.04.2024 um 12:47 Uhr Retro Guy wrote:
> >>>>
> >>>>> To fix:
> >>>>> cd /var/www/html/spoolnews
> >>>>> php /etc/rslight/scripts/maintenance.php -import
> >>>>> de.rec.sport.misc
> >>>>
> >>>> That worked.
> >>>> Although, the article counter is still wrong.
> >>>
> >>> Now the overview shows the old articles again, but the articles
> >>> itself don't exist.
> >>> How can that happen?
> >>
> >> Can you check the permissions on all your .db3 files in your spool
> >> directory? Everything should be writable by your web server user.
> >
> > I think the issue is that I ran the php script to fix it as root.
> > -rw-r--r-- 1 root root 53248 30. Apr 21:01
> > de.rec.sport.misc-articles.db3 -rw-r--r-- 1 root root
> > 53248 30. Apr 21:03 de.soc.wirtschaft-articles.db3
> >
> > I've now changed that.
>
> Ok, I was hoping it might be as simple as that. Let's hope that fixes
> it.
Currently, the articles are still listed.
> >> I have not seen this issue myself, but I do see it on your site. We
> >> may need to add some debugging logging to spoolnews.php to see
> >> what's happening if your permissions are ok.
> >
> > Another thing I noticed:
> >
> > -rw-r--r-- 1 www-data www-data 12288 29. Mär 18:32 '(SELECT
> > (CASE WHEN (9995=7959) THEN '\''de.etc.fahrzeug.auto'\'' ELSE
> > (SELECT 7959 UNION SELECT 8193) END))-data.db3'
> >
> > Is that ok?
>
> It's harmless, but not good. I get that also, but much much less than
> in earlier versions. It's a matter of me (the code) checking that the
> group is real before creating the file.
Why should website visitors be able to create that in any way?
The allowed groups are listed in a static file.
That can also be used to flood the disk/file system.
> It is caused by someone trying to hack your site, but their sql
> statements can not be processed by sqlite as everything is cleaned
> first, but still need to fix it writing the filename.
Can you give more details why a file has to be written there with input
from a website visitor?
That sounds very dangerous to me.
> You can expect to see plenty of hack attempts as your site becomes
> more well known. No sql injection attempt has ever been successful on
> my sites, but we still see some of the attempts with these filenames.
> I will continue to try to reduce this further.
Thanks for doing so.
I think it must be designed as "security by design".
--
kind regards
Marco
Send spam to 1714555041muell@cartoonies.org
<fdeb712097f93a743f7756ab699f3cba$1@invalid.invalid>
copy midhttps://news.octade.net/rocksolid/article-flat.php?id=461&group=rocksolid.nodes.help#461
copy link Newsgroups: rocksolid.nodes.helpOn Wed, 1 May 2024 20:49:29 +0200, Marco Moock wrote:
> On 01.05.2024 um 11:21 Uhr Retro Guy wrote:
>
>> Also, any articles spooled while the files were not writable will
>> still have their data in the overview, but the article won't exist.
>>
>> You will need to run maintenance -import again for any group affected.
>
> As which user?
Run as your web server user. I'm guessing www-data
cd /var/www/html/spoolnews
php /etc/rslight/scripts/maintenance.php -help
<v0u4kq$3ai6i$3@dont-email.me>
copy midhttps://news.octade.net/rocksolid/article-flat.php?id=462&group=rocksolid.nodes.help#462
copy link Newsgroups: rocksolid.nodes.helpOn 01.05.2024 um 11:56 Uhr Retro Guy wrote:
> On Wed, 1 May 2024 20:49:29 +0200, Marco Moock wrote:
>
> > On 01.05.2024 um 11:21 Uhr Retro Guy wrote:
> >
> >> Also, any articles spooled while the files were not writable will
> >> still have their data in the overview, but the article won't exist.
> >>
> >> You will need to run maintenance -import again for any group
> >> affected.
> >
> > As which user?
>
> Run as your web server user. I'm guessing www-data
>
> cd /var/www/html/spoolnews
> php /etc/rslight/scripts/maintenance.php -help
That tries to call config.inc.php and doesn't have the right to read
that. Should I change the permission?
root@pi-dach:~# sudo -u www-data php /etc/rslight/scripts/maintenance.php -import de.soc.wirtschaft
PHP Warning: include(config.inc.php): Failed to open stream: Permission denied in /etc/rslight/scripts/maintenance.php on line 20
PHP Warning: include(): Failed opening 'config.inc.php' for inclusion (include_path='.:/usr/share/php') in /etc/rslight/scripts/maintenance.php on line 20
PHP Warning: Undefined variable $file_newsportal in /etc/rslight/scripts/maintenance.php on line 21
PHP Fatal error: Uncaught ValueError: Path cannot be empty in /etc/rslight/scripts/maintenance.php:21
Stack trace:
#0 {main}
thrown in /etc/rslight/scripts/maintenance.php on line 21
--
kind regards
Marco
Send spam to 1714557376muell@cartoonies.org
<v0u4oc$3ai6i$4@dont-email.me>
copy midhttps://news.octade.net/rocksolid/article-flat.php?id=463&group=rocksolid.nodes.help#463
copy link Newsgroups: rocksolid.nodes.helpOn 01.05.2024 um 20:52 Uhr Marco Moock wrote:
> Why should website visitors be able to create that in any way?
> The allowed groups are listed in a static file.
> That can also be used to flood the disk/file system.
I've now used find to delete most of the junk, but not all.
If that is finally fixed, I would like to start with a new spooldir to
be sure all junk is gone.
--
kind regards
Marco
Send spam to 1714589553muell@cartoonies.org
<78d766a8bf88741b5f16b0babbdfda82$1@invalid.invalid>
copy midhttps://news.octade.net/rocksolid/article-flat.php?id=464&group=rocksolid.nodes.help#464
copy link Newsgroups: rocksolid.nodes.helpOn Wed, 1 May 2024 21:19:54 +0200, Marco Moock wrote:
> On 01.05.2024 um 11:56 Uhr Retro Guy wrote:
>
>> On Wed, 1 May 2024 20:49:29 +0200, Marco Moock wrote:
>>
>>> On 01.05.2024 um 11:21 Uhr Retro Guy wrote:
>>>
>>>> Also, any articles spooled while the files were not writable will
>>>> still have their data in the overview, but the article won't exist.
>>>>
>>>> You will need to run maintenance -import again for any group
>>>> affected.
>>>
>>> As which user?
>>
>> Run as your web server user. I'm guessing www-data
>>
>> cd /var/www/html/spoolnews
>> php /etc/rslight/scripts/maintenance.php -help
>
> That tries to call config.inc.php and doesn't have the right to read
> that. Should I change the permission?
>
> root@pi-dach:~# sudo -u www-data php /etc/rslight/scripts/maintenance.php -import de.soc.wirtschaft
> PHP Warning: include(config.inc.php): Failed to open stream: Permission denied in /etc/rslight/scripts/maintenance.php on line 20
> PHP Warning: include(): Failed opening 'config.inc.php' for inclusion (include_path='.:/usr/share/php') in /etc/rslight/scripts/maintenance.php on line 20
> PHP Warning: Undefined variable $file_newsportal in /etc/rslight/scripts/maintenance.php on line 21
> PHP Fatal error: Uncaught ValueError: Path cannot be empty in /etc/rslight/scripts/maintenance.php:21
> Stack trace:
> #0 {main}
> thrown in /etc/rslight/scripts/maintenance.php on line 21
Everything in the spooldir recursively should be read/write by web server
user.
<b1cb2c7a8b6b8c5d191adb750bcd140b$1@invalid.invalid>
copy midhttps://news.octade.net/rocksolid/article-flat.php?id=465&group=rocksolid.nodes.help#465
copy link Newsgroups: rocksolid.nodes.helpOn Wed, 1 May 2024 20:52:33 +0200, Marco Moock wrote:
> On 01.05.2024 um 11:17 Uhr Retro Guy wrote:
>
>> On Wed, 1 May 2024 19:46:04 +0200, Marco Moock wrote:
>>
>>> On 01.05.2024 um 08:32 Uhr Retro Guy wrote:
>>>
>>>> On Wed, 1 May 2024 17:21:59 +0200, Marco Moock wrote:
>>>>
>>>>> On 27.04.2024 um 15:53 Uhr Marco Moock wrote:
>>>>>
>>>>>> On 27.04.2024 um 12:47 Uhr Retro Guy wrote:
>>>>>>
>>>>>>> To fix:
>>>>>>> cd /var/www/html/spoolnews
>>>>>>> php /etc/rslight/scripts/maintenance.php -import
>>>>>>> de.rec.sport.misc
>>>>>>
>>>>>> That worked.
>>>>>> Although, the article counter is still wrong.
>>>>>
>>>>> Now the overview shows the old articles again, but the articles
>>>>> itself don't exist.
>>>>> How can that happen?
>>>>
>>>> Can you check the permissions on all your .db3 files in your spool
>>>> directory? Everything should be writable by your web server user.
>>>
>>> I think the issue is that I ran the php script to fix it as root.
>>> -rw-r--r-- 1 root root 53248 30. Apr 21:01
>>> de.rec.sport.misc-articles.db3 -rw-r--r-- 1 root root
>>> 53248 30. Apr 21:03 de.soc.wirtschaft-articles.db3
>>>
>>> I've now changed that.
>>
>> Ok, I was hoping it might be as simple as that. Let's hope that fixes
>> it.
>
> Currently, the articles are still listed.
>
>>>> I have not seen this issue myself, but I do see it on your site. We
>>>> may need to add some debugging logging to spoolnews.php to see
>>>> what's happening if your permissions are ok.
>>>
>>> Another thing I noticed:
>>>
>>> -rw-r--r-- 1 www-data www-data 12288 29. Mär 18:32 '(SELECT
>>> (CASE WHEN (9995=7959) THEN '\''de.etc.fahrzeug.auto'\'' ELSE
>>> (SELECT 7959 UNION SELECT 8193) END))-data.db3'
>>>
>>> Is that ok?
>>
>> It's harmless, but not good. I get that also, but much much less than
>> in earlier versions. It's a matter of me (the code) checking that the
>> group is real before creating the file.
>
> Why should website visitors be able to create that in any way?
> The allowed groups are listed in a static file.
> That can also be used to flood the disk/file system.
Yes, I agree with you. This is a known bug that is not completely handled
yet. I've addressed this bug in the past, and reduced it probably 90%, but
it still exists.
>
>> It is caused by someone trying to hack your site, but their sql
>> statements can not be processed by sqlite as everything is cleaned
>> first, but still need to fix it writing the filename.
>
> Can you give more details why a file has to be written there with input
> from a website visitor?
> That sounds very dangerous to me.
It's a matter of searching for an article using a feature to display and
article, search for content, etc. A modified url can set a GET request that
then goes looking for data, and when trying to read an article database
that does not exist, it gets created.
There are times we might want that to happen, but not in this circumstance.
I will address this bug more heavily very soon.
One thing to note also is that there is no data at all in the sqlite
databases that can't be requested to be shown on screen via visiting with a
browser. No user data is stored in these databases.
<v0vnc5$3ovd3$1@dont-email.me>
copy midhttps://news.octade.net/rocksolid/article-flat.php?id=466&group=rocksolid.nodes.help#466
copy link Newsgroups: rocksolid.nodes.helpAm 02.05.2024 schrieb Retro Guy <retroguy@novabbs.com>:
> On Wed, 1 May 2024 21:19:54 +0200, Marco Moock wrote:
> > root@pi-dach:~# sudo -u www-data php
> > /etc/rslight/scripts/maintenance.php -import de.soc.wirtschaft PHP
> > Warning: include(config.inc.php): Failed to open stream:
> > Permission denied in /etc/rslight/scripts/maintenance.php on line
> > 20 PHP Warning: include(): Failed opening 'config.inc.php' for
> > inclusion (include_path='.:/usr/share/php') in
> > /etc/rslight/scripts/maintenance.php on line 20 PHP Warning:
> > Undefined variable $file_newsportal in
> > /etc/rslight/scripts/maintenance.php on line 21 PHP Fatal error:
> > Uncaught ValueError: Path cannot be empty in
> > /etc/rslight/scripts/maintenance.php:21 Stack trace: #0 {main}
> > thrown in /etc/rslight/scripts/maintenance.php on line 21
>
> Everything in the spooldir recursively should be read/write by web
> server user.
Where should that file be?
Are the permissions properly set by the install/upgrade script?
<43649357df70ab0edf0feca5dbdc0231@www.novabbs.org>
copy midhttps://news.octade.net/rocksolid/article-flat.php?id=467&group=rocksolid.nodes.help#467
copy link Newsgroups: rocksolid.nodes.helpMarco Moock wrote:
> Am 02.05.2024 schrieb Retro Guy <retroguy@novabbs.com>:
>> On Wed, 1 May 2024 21:19:54 +0200, Marco Moock wrote:
>> > root@pi-dach:~# sudo -u www-data php
>> > /etc/rslight/scripts/maintenance.php -import de.soc.wirtschaft PHP
>> > Warning: include(config.inc.php): Failed to open stream:
>> > Permission denied in /etc/rslight/scripts/maintenance.php on line
>> > 20 PHP Warning: include(): Failed opening 'config.inc.php' for
>> > inclusion (include_path='.:/usr/share/php') in
>> > /etc/rslight/scripts/maintenance.php on line 20 PHP Warning:
>> > Undefined variable $file_newsportal in
>> > /etc/rslight/scripts/maintenance.php on line 21 PHP Fatal error:
>> > Uncaught ValueError: Path cannot be empty in
>> > /etc/rslight/scripts/maintenance.php:21 Stack trace: #0 {main}
>> > thrown in /etc/rslight/scripts/maintenance.php on line 21
>>
>> Everything in the spooldir recursively should be read/write by web
>> server user.
> Where should that file be?
> Are the permissions properly set by the install/upgrade script?
Oh, sorry, config.inc.php is in /var/www/html/(rocksolid|spoolnews|etc.)
Everything in /var/www/html recursively should be readable by the web server user.
I just did an install yesterday to a clean VM and all permissions were fine using debian-install.sh
--
Retro Guy
<fe214ff559977e32bab02a0edf22df9a$1@invalid.invalid>
copy midhttps://news.octade.net/rocksolid/article-flat.php?id=468&group=rocksolid.nodes.help#468
copy link Newsgroups: rocksolid.nodes.helpOn Thu, 2 May 2024 02:01:41 -0700, Retro Guy wrote:
> On Wed, 1 May 2024 20:52:33 +0200, Marco Moock wrote:
>
>> On 01.05.2024 um 11:17 Uhr Retro Guy wrote:
>>
>>> On Wed, 1 May 2024 19:46:04 +0200, Marco Moock wrote:
>>>
>>>> On 01.05.2024 um 08:32 Uhr Retro Guy wrote:
>>>>
>>>>> On Wed, 1 May 2024 17:21:59 +0200, Marco Moock wrote:
>>>>>
>>>>>> On 27.04.2024 um 15:53 Uhr Marco Moock wrote:
>>>>>>
>>>>>>> On 27.04.2024 um 12:47 Uhr Retro Guy wrote:
>>>>>>>
>>>>>>>> To fix:
>>>>>>>> cd /var/www/html/spoolnews
>>>>>>>> php /etc/rslight/scripts/maintenance.php -import
>>>>>>>> de.rec.sport.misc
>>>>>>>
>>>>>>> That worked.
>>>>>>> Although, the article counter is still wrong.
>>>>>>
>>>>>> Now the overview shows the old articles again, but the articles
>>>>>> itself don't exist.
>>>>>> How can that happen?
>>>>>
>>>>> Can you check the permissions on all your .db3 files in your spool
>>>>> directory? Everything should be writable by your web server user.
>>>>
>>>> I think the issue is that I ran the php script to fix it as root.
>>>> -rw-r--r-- 1 root root 53248 30. Apr 21:01
>>>> de.rec.sport.misc-articles.db3 -rw-r--r-- 1 root root
>>>> 53248 30. Apr 21:03 de.soc.wirtschaft-articles.db3
>>>>
>>>> I've now changed that.
>>>
>>> Ok, I was hoping it might be as simple as that. Let's hope that fixes
>>> it.
>>
>> Currently, the articles are still listed.
>>
>>>>> I have not seen this issue myself, but I do see it on your site. We
>>>>> may need to add some debugging logging to spoolnews.php to see
>>>>> what's happening if your permissions are ok.
>>>>
>>>> Another thing I noticed:
>>>>
>>>> -rw-r--r-- 1 www-data www-data 12288 29. Mär 18:32 '(SELECT
>>>> (CASE WHEN (9995=7959) THEN '\''de.etc.fahrzeug.auto'\'' ELSE
>>>> (SELECT 7959 UNION SELECT 8193) END))-data.db3'
>>>>
>>>> Is that ok?
>>>
>>> It's harmless, but not good. I get that also, but much much less than
>>> in earlier versions. It's a matter of me (the code) checking that the
>>> group is real before creating the file.
>>
>> Why should website visitors be able to create that in any way?
>> The allowed groups are listed in a static file.
>> That can also be used to flood the disk/file system.
>
> Yes, I agree with you. This is a known bug that is not completely handled
> yet. I've addressed this bug in the past, and reduced it probably 90%, but
> it still exists.
>
>>
>>> It is caused by someone trying to hack your site, but their sql
>>> statements can not be processed by sqlite as everything is cleaned
>>> first, but still need to fix it writing the filename.
>>
>> Can you give more details why a file has to be written there with input
>> from a website visitor?
>> That sounds very dangerous to me.
>
> It's a matter of searching for an article using a feature to display and
> article, search for content, etc. A modified url can set a GET request that
> then goes looking for data, and when trying to read an article database
> that does not exist, it gets created.
>
> There are times we might want that to happen, but not in this circumstance.
> I will address this bug more heavily very soon.
>
> One thing to note also is that there is no data at all in the sqlite
> databases that can't be requested to be shown on screen via visiting with a
> browser. No user data is stored in these databases.
Latest commit (2612ebe5e9fc1124c271a4e422d9a2a8aa56d1cc) has a fix for this
hopefully. I'm running it now on my sites and logging the tests.
<v10o9d$10ft$1@dont-email.me>
copy midhttps://news.octade.net/rocksolid/article-flat.php?id=469&group=rocksolid.nodes.help#469
copy link Newsgroups: rocksolid.nodes.helpOn 02.05.2024 um 10:07 Uhr Retro Guy wrote:
> Everything in /var/www/html recursively should be readable by the web
> server user.
That is now the case.
root@pi-dach:~# find /var/www/html -name "config.inc.php"
/var/www/html/rocksolid/config.inc.php
/var/www/html/common/config.inc.php
/var/www/html/spoolnews/config.inc.php
root@pi-dach:~# find /var/www/html -name "config.inc.php" -exec ls -la {} \;
-rw-r--r-- 1 www-data www-data 7044 18. Apr 12:45 /var/www/html/rocksolid/config.inc.php
-rw-r--r-- 1 www-data www-data 545 18. Apr 12:46 /var/www/html/common/config.inc.php
lrwxrwxrwx 1 www-data www-data 27 18. Apr 12:45 /var/www/html/spoolnews/config.inc.php -> ../rocksolid/config.inc.php
root@pi-dach:~#
Although, the script won't run.
root@pi-dach:~# sudo -u www-data php /etc/rslight/scripts/maintenance.php -import de.soc.wirtschaft
PHP Warning: include(config.inc.php): Failed to open stream: Permission denied in /etc/rslight/scripts/maintenance.php on line 20
PHP Warning: include(): Failed opening 'config.inc.php' for inclusion (include_path='.:/usr/share/php') in /etc/rslight/scripts/maintenance.php on line 20
PHP Warning: Undefined variable $file_newsportal in /etc/rslight/scripts/maintenance.php on line 21
PHP Fatal error: Uncaught ValueError: Path cannot be empty in /etc/rslight/scripts/maintenance.php:21
Stack trace:
#0 {main}
thrown in /etc/rslight/scripts/maintenance.php on line 21
root@pi-dach:~#
Running cat as www-data works fine.
--
kind regards
Marco
Send spam to 1714637228muell@cartoonies.org
<da693d979729d39da607649e72ad2cf6$1@invalid.invalid>
copy midhttps://news.octade.net/rocksolid/article-flat.php?id=470&group=rocksolid.nodes.help#470
copy link Newsgroups: rocksolid.nodes.helpOn Thu, 2 May 2024 21:07:24 +0200, Marco Moock wrote:
> On 02.05.2024 um 10:07 Uhr Retro Guy wrote:
>
>> Everything in /var/www/html recursively should be readable by the web
>> server user.
>
> That is now the case.
>
> root@pi-dach:~# find /var/www/html -name "config.inc.php"
> /var/www/html/rocksolid/config.inc.php
> /var/www/html/common/config.inc.php
> /var/www/html/spoolnews/config.inc.php
> root@pi-dach:~# find /var/www/html -name "config.inc.php" -exec ls -la {} \;
> -rw-r--r-- 1 www-data www-data 7044 18. Apr 12:45 /var/www/html/rocksolid/config.inc.php
> -rw-r--r-- 1 www-data www-data 545 18. Apr 12:46 /var/www/html/common/config.inc.php
> lrwxrwxrwx 1 www-data www-data 27 18. Apr 12:45 /var/www/html/spoolnews/config.inc.php -> ../rocksolid/config.inc.php
> root@pi-dach:~#
>
> Although, the script won't run.
>
> root@pi-dach:~# sudo -u www-data php /etc/rslight/scripts/maintenance.php -import de.soc.wirtschaft
> PHP Warning: include(config.inc.php): Failed to open stream: Permission denied in /etc/rslight/scripts/maintenance.php on line 20
> PHP Warning: include(): Failed opening 'config.inc.php' for inclusion (include_path='.:/usr/share/php') in /etc/rslight/scripts/maintenance.php on line 20
> PHP Warning: Undefined variable $file_newsportal in /etc/rslight/scripts/maintenance.php on line 21
> PHP Fatal error: Uncaught ValueError: Path cannot be empty in /etc/rslight/scripts/maintenance.php:21
> Stack trace:
> #0 {main}
> thrown in /etc/rslight/scripts/maintenance.php on line 21
> root@pi-dach:~#
>
> Running cat as www-data works fine.
Are you running from the spoolnews dir?
>> Run as your web server user. I'm guessing www-data
>>
>> cd /var/www/html/spoolnews
>> php /etc/rslight/scripts/maintenance.php -help
If you are, make sure there is a config.inc.php in that dir that is a
symlink to the one in /var/www/html/rocksolid
Pages:12 |