Cannot resolve hosts as a non-root user

I recently set up a VPS server running CentOS 6.5 together with Web Host Manager. My current problem is that I cannot resolve hostnames from the command line with nslookup or ping. But when I log in as root, I can ping, do nslookups, and so on.

When logged in as a non-root user, I run the following commands and get no results:

    user@server [~]# ping google.com
    ping: unknown host google.com
    user@server [~]# nslookup google.com
    ;; connection timed out; trying next origin
    user@server [~]# ping 74.125.230.226
    ping: icmp open socket: Operation not permitted
    user@server [~]# nslookup 74.125.230.226
    ;; connection timed out; trying next origin
    ;; connection timed out; no servers could be reached

But when I log in as root, all of the above commands work as expected:

    root@server [~]# ping google.com
    PING google.com (74.125.230.224) 56(84) bytes of data.
    64 bytes from lhr08s06-in-f0.1e100.net (74.125.230.224): icmp_seq=1 ttl=52 time=198 ms
    64 bytes from lhr08s06-in-f0.1e100.net (74.125.230.224): icmp_seq=2 ttl=52 time=196 ms
    64 bytes from lhr08s06-in-f0.1e100.net (74.125.230.224): icmp_seq=3 ttl=52 time=196 ms
    64 bytes from lhr08s06-in-f0.1e100.net (74.125.230.224): icmp_seq=4 ttl=52 time=196 ms
    64 bytes from lhr08s06-in-f0.1e100.net (74.125.230.224): icmp_seq=5 ttl=52 time=198 ms

    nslookup google.com
    Server:         196.7.7.7
    Address:        196.7.7.7#53

    Non-authoritative answer:
    Name:   google.com
    Address: 74.125.230.233
    Name:   google.com
    Address: 74.125.230.238
    Name:   google.com
    Address: 74.125.230.227
    Name:   google.com
    Address: 74.125.230.229
    Name:   google.com
    Address: 74.125.230.225
    Name:   google.com
    Address: 74.125.230.228
    Name:   google.com
    Address: 74.125.230.232
    Name:   google.com
    Address: 74.125.230.224
    Name:   google.com
    Address: 74.125.230.226
    Name:   google.com
    Address: 74.125.230.231
    Name:   google.com
    Address: 74.125.230.230

I can read the /etc/resolv.conf and /etc/nsswitch.conf files as the non-root user.

I am running Apache with suExec and mod_security, and SELinux is set to permissive.

When running certain commands from the website, I get messages like the following:

curl / fopen in PHP give the following messages:

    * , referer: http://www.domain
    Hostname was NOT found in DNS cache, referer: http://www.domain
    getaddrinfo(3) failed

I set up the server a long time ago, and for the life of me I cannot figure out what the problem is.

Update:

Contents of /etc/resolv.conf:

    nameserver 196.7.7.7
    nameserver 196.7.8.9

IPTABLES OUTPUT – iptables -nvL -t filter:

    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
     1546  201K cP-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
     1533  200K acctboth   all  --  *      *       0.0.0.0/0            0.0.0.0/0
      561 94135 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
        2   120 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 1:1023,2082:2083,3306,2086:2087,2095:2096,30000:32760
      689 59006 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 1:1023
        0     0 ACCEPT     tcp  --  *      *       41.76.213.0/24       0.0.0.0/0           multiport dports 5666
        0     0 ACCEPT     tcp  --  *      *       41.86.112.0/24       0.0.0.0/0           multiport dports 5666
        0     0 ACCEPT     tcp  --  *      *       197.242.159.6        0.0.0.0/0           multiport dports 1167
        0     0 ACCEPT     tcp  --  *      *       197.242.150.150      0.0.0.0/0           multiport dports 1167
        0     0 ACCEPT     tcp  --  *      *       196.33.227.219       0.0.0.0/0           multiport dports 1167
        0     0 ACCEPT     tcp  --  *      *       197.242.144.0/21     0.0.0.0/0           multiport dports 9999
        0     0 ACCEPT     tcp  --  *      *       196.33.227.0/24      0.0.0.0/0           multiport dports 9999
        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
      278 46670 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           ADDRTYPE match dst-type BROADCAST
        0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp flags:0x17/0x02 limit: avg 3/hour burst 5 LOG flags 8 level 4 prefix `in-new:'
        2    72 LOG        !tcp --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW limit: avg 3/hour burst 5 LOG flags 8 level 4 prefix `in-new:'
        3   116 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 cP-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

    Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
      588  112K acctboth   all  --  *      *       0.0.0.0/0            0.0.0.0/0
      569  111K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
        7   604 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           owner UID match 0
        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           owner GID match 12
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:20
        3   180 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
        9   640 out-bad    all  --  *      *       0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 110,143,995,80,443,21
        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            197.242.155.155
        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            197.242.144.144
        0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp flags:0x17/0x02 LOG flags 8 level 4 prefix `out-new:'
        8   568 LOG        !tcp --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW LOG flags 8 level 4 prefix `out-new:'
        9   640 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable

    Chain acctboth (2 references)
     pkts bytes target     prot opt in     out     source               destination

    Chain cP-Firewall-1-INPUT (2 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:993
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:2078
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:53
        1    60 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:21
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:2082
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:2077
        9   492 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:26
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:8080
        1    60 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:143
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:995
        1    52 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:110
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25
        1    60 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:2086
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:2087
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:2095
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:465
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:2096
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:3306
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:2083
        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:53

    Chain out-bad (1 references)
     pkts bytes target     prot opt in     out     source               destination

That is a lot of rules, and quite restrictive. Find whatever creates this rule:

    Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           owner UID match 0

Also match your "normal" user ID and/or the apache user ID, and adapt it to accept outgoing UDP traffic on port 53.

For example, for the user "apache", add after the previous rule:

    /sbin/iptables -A OUTPUT -p udp -m owner --uid-owner apache --dport 53 -j ACCEPT
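To see why the OUTPUT chain above lets root's DNS queries through but rejects everyone else's, here is an added Python model of that chain (not code from the question or the answer). It transcribes the relevant OUTPUT rules, walks a new UDP/53 packet through them, and then adds the answer's owner rule; the apache UID of 48 is an assumption, and the added rule is placed right after the `owner UID match 0` rule, ahead of the LOG and REJECT rules, because iptables stops at the first terminating match.

```python
# Added model of the question's OUTPUT chain: why root can resolve names while
# an unprivileged user cannot. Not code from the original post; UID 48 is assumed.

# A rule is a dict of match conditions plus a target; a set means "one of these",
# a missing key matches anything. Rules transcribed from `iptables -nvL -t filter`.
OUTPUT_CHAIN = [
    {"state": {"RELATED", "ESTABLISHED"}, "target": "ACCEPT"},
    {"uid": 0, "target": "ACCEPT"},                      # owner UID match 0 (root)
    {"gid": 12, "target": "ACCEPT"},                     # owner GID match 12
    {"out": "lo", "target": "ACCEPT"},                   # loopback only
    {"proto": "tcp", "dport": {110, 143, 995, 80, 443, 21}, "target": "ACCEPT"},
    {"state": {"NEW"}, "not_proto": "tcp", "target": "LOG", "prefix": "out-new:"},
    {"target": "REJECT"},                                # reject-with icmp-port-unreachable
]
APACHE_UID = 48  # assumed; check with `id -u apache`
DNS_FIX = {"proto": "udp", "uid": APACHE_UID, "dport": 53, "target": "ACCEPT"}

def rule_matches(rule, pkt):
    for key, want in rule.items():
        if key in ("target", "prefix"):
            continue
        if key == "not_proto":                           # iptables "!tcp"
            if pkt.get("proto") == want:
                return False
        elif isinstance(want, set):
            if pkt.get(key) not in want:
                return False
        elif pkt.get(key) != want:
            return False
    return True

def evaluate(chain, pkt):
    """Return (verdict, log prefixes). LOG does not stop traversal, as in iptables."""
    logged = []
    for rule in chain:
        if not rule_matches(rule, pkt):
            continue
        if rule["target"] == "LOG":
            logged.append(rule["prefix"])                # lands in the kernel log
            continue
        return rule["target"], logged
    return "ACCEPT", logged                              # chain policy is ACCEPT

def dns_query(uid, gid):
    """A fresh UDP/53 query from a process owned by uid/gid (constructed packet)."""
    return {"proto": "udp", "dport": 53, "state": "NEW", "uid": uid, "gid": gid, "out": "eth0"}

def with_fix(chain):
    """Insert the answer's rule right after 'owner UID match 0', before LOG/REJECT."""
    i = next(n for n, r in enumerate(chain) if r.get("uid") == 0) + 1
    return chain[:i] + [DNS_FIX] + chain[i:]
```

The `out-new:` prefix on the LOG rule is the string to look for in the kernel log when checking whether a user's DNS packets are being rejected this way.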

Hmm... I suspect bad permissions on the /etc/resolv.conf file.