Unable to resolve hosts as a non-root user

I recently set up a VPS running CentOS 6.5 together with Web Host Manager. My current problem is that I cannot resolve hostnames with nslookup or ping on the command line. When I log in as root, however, I can ping and do nslookups etc.

When logged in as a non-root user, I run the following commands and get no results:

user@server [~]# ping google.com
ping: unknown host google.com

user@server [~]# nslookup google.com 
;; connection timed out; trying next origin

user@server [~]# ping 74.125.230.226
ping: icmp open socket: Operation not permitted

user@server [~]# nslookup 74.125.230.226
;; connection timed out; trying next origin
;; connection timed out; no servers could be reached

However, when I log in as root, all of the above commands work as expected:

root@server [~]# ping google.com
PING google.com (74.125.230.224) 56(84) bytes of data.
64 bytes from lhr08s06-in-f0.1e100.net (74.125.230.224): icmp_seq=1 ttl=52 time=198 ms
64 bytes from lhr08s06-in-f0.1e100.net (74.125.230.224): icmp_seq=2 ttl=52 time=196 ms
64 bytes from lhr08s06-in-f0.1e100.net (74.125.230.224): icmp_seq=3 ttl=52 time=196 ms
64 bytes from lhr08s06-in-f0.1e100.net (74.125.230.224): icmp_seq=4 ttl=52 time=196 ms
64 bytes from lhr08s06-in-f0.1e100.net (74.125.230.224): icmp_seq=5 ttl=52 time=198 ms

nslookup google.com
Server:         196.7.7.7
Address:        196.7.7.7#53

Non-authoritative answer:
Name:   google.com
Address: 74.125.230.233
Name:   google.com
Address: 74.125.230.238
Name:   google.com
Address: 74.125.230.227
Name:   google.com
Address: 74.125.230.229
Name:   google.com
Address: 74.125.230.225
Name:   google.com
Address: 74.125.230.228
Name:   google.com
Address: 74.125.230.232
Name:   google.com
Address: 74.125.230.224
Name:   google.com
Address: 74.125.230.226
Name:   google.com
Address: 74.125.230.231
Name:   google.com
Address: 74.125.230.230

I can read the files /etc/resolv.conf and /etc/nsswitch.conf as the non-root user.

I run Apache with suExec and mod_security, and SELinux is set to permissive.

When I run certain commands from the website, I get messages like the following:

Curl/fopen in PHP gives these messages:

* , referer: http://www.domain
Hostname was NOT found in DNS cache, referer: http://www.domain
getaddrinfo(3) failed 

I'm still quite new to server setup and I can't for the life of me work out where the problem is.

Update:

Contents of /etc/resolv.conf

nameserver 196.7.7.7
nameserver 196.7.8.9

iptables output - iptables -nvL -t filter

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1546  201K cP-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 1533  200K acctboth   all  --  *      *       0.0.0.0/0            0.0.0.0/0
  561 94135 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    2   120 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 1:1023,2082:2083,3306,2086:2087,2095:2096,30000:32760
  689 59006 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 1:1023
    0     0 ACCEPT     tcp  --  *      *       41.76.213.0/24       0.0.0.0/0           multiport dports 5666
    0     0 ACCEPT     tcp  --  *      *       41.86.112.0/24       0.0.0.0/0           multiport dports 5666
    0     0 ACCEPT     tcp  --  *      *       197.242.159.6        0.0.0.0/0           multiport dports 1167
    0     0 ACCEPT     tcp  --  *      *       197.242.150.150      0.0.0.0/0           multiport dports 1167
    0     0 ACCEPT     tcp  --  *      *       196.33.227.219       0.0.0.0/0           multiport dports 1167
    0     0 ACCEPT     tcp  --  *      *       197.242.144.0/21     0.0.0.0/0           multiport dports 9999
    0     0 ACCEPT     tcp  --  *      *       196.33.227.0/24      0.0.0.0/0           multiport dports 9999
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
  278 46670 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           ADDRTYPE match dst-type BROADCAST
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp flags:0x17/0x02 limit: avg 3/hour burst 5 LOG flags 8 level 4 prefix `in-new:'
    2    72 LOG       !tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW limit: avg 3/hour burst 5 LOG flags 8 level 4 prefix `in-new:'
    3   116 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 cP-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  588  112K acctboth   all  --  *      *       0.0.0.0/0            0.0.0.0/0
  569  111K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    7   604 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           owner UID match 0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           owner GID match 12
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:20
    3   180 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    9   640 out-bad    all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 110,143,995,80,443,21
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            197.242.155.155
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            197.242.144.144
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp flags:0x17/0x02 LOG flags 8 level 4 prefix `out-new:'
    8   568 LOG       !tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW LOG flags 8 level 4 prefix `out-new:'
    9   640 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable

Chain acctboth (2 references)
 pkts bytes target     prot opt in     out     source               destination

Chain cP-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:993
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:2078
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:53
    1    60 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:21
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:2082
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:2077
    9   492 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:26
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:8080
    1    60 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:143
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:995
    1    52 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:110
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25
    1    60 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:2086
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:2087
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:2095
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:465
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:2096
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:3306
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:2083
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:53

Chain out-bad (1 references)
 pkts bytes target     prot opt in     out     source               destination

Answer 1

There are a lot of rules and they are quite restrictive. Find the rule that produces this:

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           owner UID match 0

Also match your "normal" user ID and/or the apache user ID, and adapt it to accept outgoing UDP traffic to port 53.

For example, for the user "apache", add immediately after the previous rule:

/sbin/iptables -A OUTPUT -p udp -m owner --uid-owner apache --dport 53 -j ACCEPT
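An added example, not part of the answer above: a POSIX sh script that locates the "owner UID match 0" rule in a line-numbered OUTPUT listing and prints per-user DNS egress rules positioned directly after it, because -A would append behind the chain's final REJECT and never be reached. It generalises the answer by emitting TCP 53 alongside UDP 53; the listing is a constructed sample and the output is printed, not applied.

```shell
#!/bin/sh
# Added example (not from the original answer). Emits iptables commands that
# insert per-user DNS egress rules right after the "owner UID match 0" rule
# in the OUTPUT chain. Input is the text of
#   iptables -L OUTPUT -n --line-numbers
# A constructed sample listing stands in for the live one; nothing is applied.

# Constructed sample, shaped like the OUTPUT chain in the question.
SAMPLE_LISTING='Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
1    acctboth   all  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           owner UID match 0
4    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           owner GID match 12
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable'

# Print the rule number of the "owner UID match 0" rule, or nothing if absent.
uid0_rule_num() {
    printf '%s\n' "$1" | awk '/owner UID match 0( |$)/ { print $1; exit }'
}

# Print the insert commands for one user at an explicit position.
# -I with a position keeps the rule ahead of the chain's final REJECT.
dns_egress_cmds() {
    user=$1; pos=$2
    # UDP 53 as in the answer; TCP 53 added for truncated/large responses (generalisation).
    printf '/sbin/iptables -I OUTPUT %s -p tcp -m owner --uid-owner %s --dport 53 -j ACCEPT\n' "$pos" "$user"
    printf '/sbin/iptables -I OUTPUT %s -p udp -m owner --uid-owner %s --dport 53 -j ACCEPT\n' "$pos" "$user"
}

# Compute the position (one after the UID 0 rule) and print commands for each user.
plan_dns_rules() {
    listing=$1; shift
    n=$(uid0_rule_num "$listing")
    [ -n "$n" ] || { echo "no 'owner UID match 0' rule found in OUTPUT" >&2; return 1; }
    pos=$((n + 1))
    for u in "$@"; do
        dns_egress_cmds "$u" "$pos"
    done
}

# Review the printed commands before running them as root.
plan_dns_rules "$SAMPLE_LISTING" apache user
```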

Answer 2

Hmm... I suspect the permissions on the /etc/resolv.conf file are incorrect.
