DR Web Licence Key Updater not working (Parallels bug)

[webfeatus]

Plesk attempts to update Dr. Web license.
denied untrusted exec of /etc/sw/keys/restart/plesk-key-handler by /usr/bin/sw-engine-cgi[sw-engine-cgi:958] uid/euid:2523/2523 gid/egid:2526/2526, parent /usr/bin/sw-engine-cgi[sw-engine-cgi:937] uid/euid:2523/2523 gid/egid:2526/2526

Review:
https://www.atomicorp.com/wiki/index.ph ... pplication
Option 1 seems to break both Plesk Standard License plus the existing issue with Dr.Web Additional Key - both return errors to Plesk.

Has anyone else experienced this problem?

UPDATE:
Maybe, just maybe, something that has been completed regarding this task over the past weeks - has been successful.
If I attempt to update Dr. Web via Plesk Additional Keys license, I receive the failure above.
But now it seems that Plesk main Licence Key update is covering the Dr. Web component.
See this output:
License key has been updated to the most recent version. Current license key number is PLSK.00899198.0009.
Additional license key for the Parallels Premium Anti-Virus (Lease) application with number PLSK.01237232.0008 has been provisioned.
Still, update Dr. Web via Additional Keys output is:
Unable to update . An error occured while processing your key. You can try to update it later.

However I fear that I am living in false hope.
(After restart antivirus service via Plesk)

Log File (/var/drweb/log/drwebd.log)
Sat Sep 4 09:21:59 2010 License key expires: 2010-09-07

BUT Plesk says:
Key number PLSK.01237232.0008
Key name drweb-unix
Next license key update Oct 2, 2010
Expiration date Oct 7, 2010

[mneese77]

Interesting info...I have been getting this error message everyday from aug 5 through sept 1....

Unable to update . An error occured while processing your key. You can try to update it later.

Didn't seem to change or discontinue any services, so I ignored this...

Then on Wed 9/1, I received this notice

License key has been updated to the most recent version. Current license key number is PLSK.0*******.0009.

Additional license key for the Parallels Plesk(TM) Gameserver (Lease) application with number PLSK.01*******.0006 has been provisioned.

I have never requested the gameserver, nor updated to include this service whatever...yet this "(lease) application" has been "provisioned"....

I don't have any idea what this is about...is it possible that your DrWeb is also unrequested, yet is showing up as "provsisioned"?

[webfeatus]

Dr.Web has definately been purchased as an addon.

The license will fail even though Plesk states that it has been updated.

This is because the ASL kernel (grsec) will not allow the addon Dr.Web license to update.

This is a Plesk Licensing validation issue. Surely there is someone else out there who has experienced this problem?

Maybe someone can explain to me why I am using security software which breaks a basic and important Plesk License Update Function because I do not understand this.

[mikeshinn]

Option 1 seems to break both Plesk Standard License plus the existing issue with Dr.Web Additional Key - both return errors to Plesk.

Have you tried re-configuring ASL to allow this software to run unprotected, as per options 2-4 of the same article you referenced:

https://www.atomicorp.com/wiki/index.ph ... pplication

[webfeatus]

Option 2: Change ASLs behavior so that this restriction only applies to untrusted users. You can do that by turning off this feature, called Trusted PAth Exectuion (TPE) so that it only applies to users in the "untrusted" group:

Code: Select all

echo 0 > /proc/sys/kernel/grsecurity/tpe_restrict_all

Keep in mind that this is considerably less secure than option 1. This means all the users on your system will be trusted unless you specifically tell ASL not to trust them. This is extremely dangerous on hosting system as its not easy to produce this listing before you add a new user or domain.

its not easy to produce this listing before you add a new user or domain

What does this mean?

NOTE: You can only do this on boot. Once the boot process reaches S99 the kernel is locked and you can not change the security settings. So you will need to set this on boot via a custom init script.

You can only do this on boot

Set "what" on boot?
Via a custom init script?

I have not tried Option 2 because I do not understand the above questions in red.

[mikeshinn]

Yes, you need to set that proc option on boot. You may also want to look the other options, its entirely possible that your Plesk application is running as an untrusted user, such as psaadm, in which case you can just remove that user from the untrusted group making that user trusted by the system.

[webfeatus]

Removed psaadmin from untrusted list in etc/group file.
restarted several services - no change
rebooted the server - no change
denied untrusted exec of /etc/sw/keys/restart/plesk-key-handler by /usr/bin/sw-engine-cgi[sw-engine-cgi:20100] uid/euid:2523/2523 gid/egid:2526/2526, parent /usr/bin/sw-engine-cgi[sw-engine-cgi:19671] uid/euid:2523/2523 gid/egid:2526/2526

I suspect that Plesk Antivirus is actually running even though /var/drweb/log/drwebd.log states:
License key expires: 2010-09-07

The issue is that if the license is updated via Plesk Additional License > Retrieve Additional Key...
Status of additional key update
Product "drweb-unix" not installed
Plus corresponding system message:
denied untrusted exec of /etc/sw/keys/restart/plesk-key-handler by /usr/bin/sw-engine-cgi[sw-engine-cgi:32270] uid/euid:2523/2523 gid/egid:2526/2526, parent /usr/bin/sw-engine-cgi[sw-engine-cgi:31738] uid/euid:2523/2523 gid/egid:2526/2526

I have no idea of how to write a "custom init script to set proc option on boot"
I have spent 2 months on this issue.
Server admin have used Parallels support to investigate.
Parallels say "we do not support grsec" and will not work on the issue any further.
My client is paying for Plesk Antivirus addon but the license has expired and cannot be updated due to this issue.
The bottom line is that I do not know if I have operational antivirus and if it will auto-update the license every month.

[mikeshinn]

I'm sorry to hear that Parallels isn't willing to help you. As it sounds like you can't configure their software to work securely, you'll need to make your system less secure so their software can run.

Thats easy enough to do, so, lets start with option 2, again from the wiki article (https://www.atomicorp.com/wiki/index.ph ... pplication)

If you want to set an ASL kernel setting, such as /proc/sys/kernel/grsecurity/tpe_restrict_all (or any other), you will need to create a custom init script such as:

/etc/init.d/asl-custom

A simple script to turn off TPE for all users:

#!/bin/bash
echo 0 > /proc/sys/kernel/grsecurity/tpe_restrict_all

Then you will need to link it depending on the runlevel your system is set as. Most systems are set to run at run level 3, you can tell by running this command as root:

grep initdefault /etc/inittab | grep -v \#

You should see something like this:

id:3:initdefault:

The second variable "3" is the run level.

Then link the init script based on your run level:

ln -s /etc/init.d/asl-custom /etc/rc3.d/S98asl-custom

Then reboot. Option 2 complete.

If that doesnt work, then just turn off TPE on the entire system. Go back to your custom script:

/etc/init.d/asl-custom

Remove this line:

echo 0 > /proc/sys/kernel/grsecurity/tpe_restrict_all

Replace it with this line:

echo 0 > /proc/sys/kernel/grsecurity/tpe

Reboot. TPE is now off.

If you still can't get their antivirus to work, then I recommend you go with another vendor that is willing to work with you. ASL, for example, comes with antivirus built in and works just fine with ASL configured in the most secure way. So if Parallels won't help you, dump their antivirus and use ours (which you already paid for), or buy from another vendor that wants your business.

[webfeatus]

RE: https://www.atomicorp.com/wiki/index.ph ... pplication
all options have failed.

To revert...

Do I simply remove this file?
/etc/init.d/asl-custom

Do I need to remove or reset anythiung as a result of this?
ln -s /etc/init.d/asl-custom /etc/rc3.d/S98asl-custom

Do I leave this?
[root@loft2234 ~]# cd rc3.d
[root@loft2234 rc3.d]# cat 'S98asl-custom' | less
#!/bin/bash
echo 0 > /proc/sys/kernel/grsecurity/tpe
[root@loft2234 rc3.d]

Then can you please tell me why this is happening and what I should do?
Because I simply do not understand.
1. Install ASL kernel
2. My Plesk antivirus stops auto-updating the licencse.
3. I spend 2 months trying to work this out.
4. ASL wiki solutions do not solve the issue.

Then you tell me that the solution is to remove existing antivirus that was working OK prior to ASL kernel install, then source and set up an alternative. I have wasted a huge amount of time and energy on this issue. I actually have a business to run and all I want is security and A/V. I am tired and frustrated by this problem. This is a basic Plesk license update scenario and I cannot believe that I am alone with this issue.

[mikeshinn]

all options have failed.

Now I'm confused, you disabled TPE and you still get the untrusted message? If you still get the untrusted message, that means you didn't disable TPE. Are you sure you setup the script to be executable? Can you please show us the output of the following command runs as root:

ls -al /etc/init.d/asl-custom
ls -al /etc/rc3.d/S98asl-custom
uname -a
cat /proc/sys/kernel/grsecurity/tpe

Then can you run whatever is unable to run securely and post the output of the startup of that program

And finally, can you post the kernel log message that shows TPE is still enabled?

Previously we asked if you wanted our professional services team to configure your system for you regarding this, but you declined. Would you like us to do this for you? If so, please let us know we'd be happy to help you, and we can have our professional services team get you all setup.

If you prefer to go it yourself, please let us know what the output of those commands are.

[webfeatus]

I have successfully followed the Wiki instructions. Thank you for updating them. Option 2 (+3) seems to be working. I no longer receive the folowing error:

denied untrusted exec of /etc/sw/keys/restart/plesk-key-handler by /usr/bin/sw-engine-cgi[sw-engine-cgi:20100] uid/euid:2523/2523 gid/egid:2526/2526, parent /usr/bin/sw-engine-cgi[sw-engine-cgi:19671] uid/euid:2523/2523 gid/egid:2526/2526

The unfortunate news is that, after all this, it appears that this is not the only reason why Dr.Web license is not updating. This is quite infuriating - especially after being told by Parallels that this was the reason. The part that is particularly infuriating is that I (yes, me) offerred the error message to Parallels in an attempt to assist with their support. They seem to have simply used my information to absolve themselves under the "we do not support grsec clause."

The above-mentioned support incident was organised by my server admin - so I was the "third party" and not directly involved in communication with Parallels.

I believe that I have an "axe to grind" with Parallels support regarding this issue. Unfortunately the only option is to personally pay for a Parallels support ticket regarding this so I (yes, me - watch out!) can get on their personal little case!

I will try this option unless you advise otherwise.

[mikeshinn]

What error does Dr web give you now?

[webfeatus]

That is the problem. I cannot actually find any errors except that the license is noted as invalid in drweb logs and Plesk update license function fails "drweb-unix is not installed" I don't know where else to look for errors.

[mikeshinn]

Nothing in /var/log/messages? I know there are folks running Dr Web on here, anyone have any experience with it?

[webfeatus]

No errors anywhere that I can find.
Except the errors that tell me I have no vaild key.
Your Dr.Web license key file /opt/drweb/drweb32.key expired -23 days ago!

I have no idea how to fix this.