Category Archives: Red Hat/CentOS

SUDO CVE-2021-3156 and how to upgrade CentOS 6

Sudo is a powerful utility built into almost all Linux distributions, and we have bad news for you: a recent privilege escalation vulnerability (CVE-2021-3156) has been discovered in it.

The vulnerability affects all the following sudo versions:

All legacy versions from 1.8.2 to 1.8.31p2
All stable versions from 1.9.0 to 1.9.5p1

Successful exploitation allows any unprivileged user to escalate their privileges to root on the vulnerable host. Since it is a local privilege escalation vulnerability, exploiting it requires access to a local user account on the vulnerable host.

To test your host for this vulnerability, run the following command:

sudoedit -s /

If you receive the following response

usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-D directory] [-g group] [-h host] [-p prompt] [-R directory] [-T timeout] [-u user] file ...

your host is safe, but if you receive something like

sudoedit: /: not a regular file

please upgrade
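The two signals above (the affected version ranges and the sudoedit response) can be combined in one triage script. This is an added example, not part of the original post; the function names and the --check switch are made up for illustration.

```shell
#!/bin/sh
# Added example: triage a host for CVE-2021-3156 from the two signals above.

# Turn an upstream version such as "1.8.31p2" into one comparable integer.
sudo_ver_key() {
    v=$1; p=0
    case $v in *p*) p=${v##*p}; v=${v%%p*} ;; esac
    maj=${v%%.*}; rest=${v#*.}; min=${rest%%.*}
    case $rest in *.*) pat=${rest#*.} ;; *) pat=0 ;; esac
    pat=${pat%%[!0-9]*}                      # drop suffixes such as "b1"
    echo $(( maj * 1000000000 + min * 1000000 + ${pat:-0} * 1000 + p ))
}

# Exit 0 when the version lies in 1.8.2..1.8.31p2 or 1.9.0..1.9.5p1.
sudo_version_affected() {
    k=$(sudo_ver_key "$1")
    { [ "$k" -ge "$(sudo_ver_key 1.8.2)" ] && [ "$k" -le "$(sudo_ver_key 1.8.31p2)" ]; } ||
    { [ "$k" -ge "$(sudo_ver_key 1.9.0)" ] && [ "$k" -le "$(sudo_ver_key 1.9.5p1)" ]; }
}

# Classify what `sudoedit -s /` printed: usage text or a sudoedit: error.
classify_sudoedit_output() {
    case $1 in
        usage:*)    echo patched ;;
        sudoedit:*) echo vulnerable ;;
        *)          echo unknown ;;
    esac
}

# Report both signals. Vendor packages can carry a backported fix under an
# old version number, so the behaviour check decides when the two disagree.
check_host() {
    ver=$(sudo -V 2>/dev/null | sed -n '1s/^Sudo version //p')
    out=$(sudoedit -s / 2>&1 </dev/null || true)
    if sudo_version_affected "${ver:-0.0.0}"; then range=inside; else range=outside; fi
    echo "sudo ${ver:-unknown}: version $range listed ranges;" \
         "sudoedit test: $(classify_sudoedit_output "$out")"
}

# Run the live check only on request: sh sudo_check.sh --check
if [ "${1:-}" = "--check" ]; then check_host; fi
```

Run it as an unprivileged user, the same way as the manual test.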

For CentOS 7 and CentOS 8 this is not a problem (yum -y update sudo), but if you’re using CentOS 6 there is no way to upgrade from the official mirrors, since CentOS 6 is EOL.

You can download the rpm files from HERE (

Or directly

Then install the rpms with

rpm -U sudo-1.9.5-3.el6.x86_64.rpm
rpm -U sudo-logsrvd-1.9.5-3.el6.x86_64.rpm

Time and date on CentOS 7 Howto

NTP stands for Network Time Protocol. It keeps the clocks on your servers in sync with each other by taking the time from a common, reliable source.

The example below is for a basic NTP client/server setup.

NTP client

Install NTP with

yum install ntp

Then check timezone with


If you’re not satisfied with your timezone and you wish to change, first list available zones with

timedatectl list-timezones

and set your time zone with command below: (e.g. Berlin)

timedatectl set-timezone Europe/Berlin

Activate the NTPD service at boot:

systemctl enable ntpd
systemctl start ntpd

To get a basic report you can use commands ntpstat or date

And to get some information about the time synchronization process

ntpq -p

All of your NTP configuration is in the /etc/ntp.conf file.

To be able to use your server as an NTP server for the local network, make sure you have a line

restrict mask nomodify notrap

where is a local network you want to sync with your NTP server.

You can get the public NTP servers specific to your region from

PostgreSQL on CentOS 7 – Howto

In this post I’ll show you how to install PostgreSQL 9.6 on CentOS 7.3, which are the current versions of PostgreSQL and CentOS.

The default PostgreSQL version on CentOS 7.3 is PostgreSQL 9.2 which is still maintained, but in case you’re more for a “cutting edge” technology, try to follow the next steps

First, remove the already installed version (in case you installed the default version)

yum remove postgresql-server postgresql-contrib

Install official PostgreSQL Yum repo with

yum -y install

which will create a new repo file /etc/yum.repos.d/pgdg-96-centos.repo with the next content

name=PostgreSQL 9.6 $releasever - $basearch
name=PostgreSQL 9.6 $releasever - $basearch - Source
name=PostgreSQL 9.6 $releasever - $basearch
name=PostgreSQL 9.6 $releasever - $basearch - Source

Now install PostgreSQL with

yum -y groupinstall "PostgreSQL Database Server 9.6 PGDG"

and initialize it with

/usr/pgsql-9.6/bin/postgresql96-setup initdb

Start and enable service with

systemctl start postgresql-9.6.service
systemctl enable postgresql-9.6.service

Switch to the postgres user with

su postgres -

and connect to the server (currently running only on localhost)


Check the installed version with

SELECT version();

You should get something like

 PostgreSQL 9.6.1 on x86_64-pc-linux-gnu, compiled by gcc (GCC) 4.8.5 20150623 (Red Hat 4.8.5-4), 64-bit
(1 row)

The default PostgreSQL installation listens only on localhost, so if you want to connect from a remote host you’ll need to change a few things.

Open /var/lib/pgsql/9.6/data/postgresql.conf, find the line #listen_addresses = 'localhost'… and replace it with listen_addresses = '*'


# - Connection Settings -
#listen_addresses = 'localhost'         # what IP address(es) to listen on;
                                        # comma-separated list of addresses;
                                        # defaults to 'localhost'; use '*' for all
                                        # (change requires restart)
#port = 5432                            # (change requires restart)
max_connections = 100                   # (change requires restart)


# - Connection Settings -
#listen_addresses = 'localhost'         # what IP address(es) to listen on;
listen_addresses = '*'
                                        # comma-separated list of addresses;
                                        # defaults to 'localhost'; use '*' for all
                                        # (change requires restart)
#port = 5432                            # (change requires restart)
max_connections = 100                   # (change requires restart)

Now open /var/lib/pgsql/9.6/data/pg_hba.conf and add at the end

host    all             all             YOUR_CLIENT_IP_ADDRESS/32            md5

save the file and restart service with

systemctl restart postgresql-9.6.service

The last step before you test it is to change the password for postgres user with

su postgres -
bash-4.2$ psql
psql (9.6.1)
Type "help" for help.
postgres=# \password
Enter new password:
Enter it again:
postgres=# \q

Now add new server in pgAdmin and test it
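Because listen_addresses = '*' opens the port on every interface, pg_hba.conf becomes the only filter on who may connect, so it is worth checking that every host rule is as narrow as the /32 md5 line above. The following check is an added example, not part of the original post; the function names and the sample rules are constructed for illustration.

```shell
#!/bin/sh
# Added example: review pg_hba.conf host rules once listen_addresses = '*'
# has made the port reachable on every interface.

# Reads pg_hba.conf text on stdin, prints one finding per problem and
# exits 1 when anything was flagged.
audit_pg_hba() {
    awk '
    function flag(why) { printf "line %d: %s: %s\n", NR, why, $0; n++ }
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
    $1 !~ /^host(ssl|nossl)?$/ { next }        # only TCP/IP rules matter here
    {
        addr = $4; method = $5; mask = ""
        # "address netmask method" form puts the method in field 6
        if ($5 ~ /^[0-9]+\./ || $5 ~ /:/) { mask = $5; method = $6 }
        if (addr == "all" || addr == "0.0.0.0/0" || addr == "::/0")
            flag("any client address")
        else if (split(addr, a, "/") == 2 && a[2] + 0 < (addr ~ /:/ ? 128 : 32))
            flag("range wider than one host")
        else if (mask != "" && mask != "255.255.255.255")
            flag("range wider than one host")
        if (method == "trust")    flag("no password required")
        if (method == "password") flag("password sent in cleartext")
    }
    END { exit (n > 0) }'
}

# Constructed sample file, not taken from a real server.
sample_pg_hba() {
    cat <<'EOF'
# TYPE  DATABASE  USER  ADDRESS                  METHOD
local   all       all                            peer
host    all       all   127.0.0.1/32             ident
host    all       all   203.0.113.10/32          md5
host    all       all   0.0.0.0/0                md5
host    all       all   10.0.0.0/8               trust
host    all       all   192.0.2.0 255.255.255.0  password
EOF
}

sample_pg_hba | audit_pg_hba || echo "review the rules listed above"
```

On a real server, feed it the live file: audit_pg_hba < /var/lib/pgsql/9.6/data/pg_hba.conf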

CentOS PPTP client Howto

The Point-to-Point Tunneling Protocol (PPTP) is a method for implementing virtual private networks. Since it is marked as non secure and vulnerable, I don’t recommend it as a “final” VPN solution. The main reason for its popularity is probably the native MS Windows support (since win 95). Also, it can be easily implemented with Mikrotik RouterOS (like I said, use it for internal VPNs only).

To set up your CentOS box as a PPTP client you’ll need the pptp package.

yum -y install pptp

Open /etc/ppp/chap-secrets and add the next line (at the end). Also, replace the userName and password with the correct details:

userName PPTP password *

Create profile file

nano /etc/ppp/peers/myVPN

and paste the next content (replace IP_OR_HOSTNAME with PPTP server IP or hostname)

pty "pptp IP_OR_HOSTNAME --nolaunchpppd"
name userName
remotename PPTP
file /etc/ppp/options.pptp
ipparam myVPN

save the file and test the connection with

pppd call myVPN

ifconfig should return something like

ppp0      Link encap:Point-to-Point Protocol  
          inet addr:  P-t-P:  Mask:
          RX packets:14 errors:0 dropped:0 overruns:0 frame:0
          TX packets:15 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3 
          RX bytes:2192 (2.1 KiB)  TX bytes:631 (631.0 b)

also in /var/log/messages you should see something like

Jul 20 10:58:50 mysrv pppd[9352]: pppd 2.4.5 started by root, uid 0
Jul 20 10:58:50 mysrv pppd[9352]: Using interface ppp0
Jul 20 10:58:50 mysrv pppd[9352]: Connect: ppp0 <--> /dev/pts/1
Jul 20 10:58:50 mysrv pptp[9353]: anon log[main:pptp.c:314]: The synchronous pptp option is NOT activated
Jul 20 10:58:50 mysrv pptp[9361]: anon log[ctrlp_rep:pptp_ctrl.c:251]: Sent control packet type is 1 'Start-Control-Connection-Request'
Jul 20 10:58:50 mysrv pptp[9361]: anon log[ctrlp_disp:pptp_ctrl.c:739]: Received Start Control Connection Reply
Jul 20 10:58:50 mysrv pptp[9361]: anon log[ctrlp_disp:pptp_ctrl.c:773]: Client connection established.
Jul 20 10:58:51 mysrv pptp[9361]: anon log[ctrlp_rep:pptp_ctrl.c:251]: Sent control packet type is 7 'Outgoing-Call-Request'
Jul 20 10:58:51 mysrv pptp[9361]: anon log[ctrlp_disp:pptp_ctrl.c:858]: Received Outgoing Call Reply.
Jul 20 10:58:51 mysrv pptp[9361]: anon log[ctrlp_disp:pptp_ctrl.c:897]: Outgoing call established (call ID 0, peer's call ID 716).
Jul 20 10:58:51 mysrv pppd[9352]: CHAP authentication succeeded
Jul 20 10:58:51 mysrv pppd[9352]: MPPE 128-bit stateless compression enabled
Jul 20 10:58:51 mysrv pppd[9352]: local  IP address
Jul 20 10:58:51 mysrv pppd[9352]: remote IP address
Jul 20 10:59:51 mysrv pptp[9361]: anon log[logecho:pptp_ctrl.c:677]: Echo Reply received.

If you check your routes, you’ll probably notice that ppp0 connection is not used by any route(s). This is default behavior and you can easily switch/add default route with:

route add default dev ppp0

In my case, I don’t want to route the complete traffic (this VPN is just for management) so I’ll add only one static route

route add -net dev ppp0

To start this connection on boot, add “pppd call myVPN” in rc.local.

Kernel ACPI Error SMBus/IPMI/GenericSerialBus

I found the next error message in the log

May 8 10:48:57 srv kernel: ACPI Error: SMBus/IPMI/GenericSerialBus write requires Buffer of length 66, found length 32 (20130517/exfield-299)
May 8 10:48:57 srv kernel: ACPI Error: Method parse/execution failed [\_SB_.PMI0._PMM] (Node ffff88042949d960), AE_AML_BUFFER_LIMIT (20130517/psparse-536)
May 8 10:48:57 srv kernel: ACPI Exception: AE_AML_BUFFER_LIMIT, Evaluating _PMM (20130517/power_meter-339)

The message is generated every 5 minutes when lm-sensors tries to read the values from the power meter sensor(s). HP has ignored the spec for this method and the result is the error shown above.
The problem can be solved in two ways:
– you can ignore this message (it is safe to ignore)
– you can skip the power meter sensors (at least until someone fixes this)

Since I already have the latest firmware, I can’t suggest the firmware update (at least for 310 gen8 server).

To reproduce the problem just find the file power1_average and try to read it

find /sys/devices/LNXSYSTM\:00/ |grep ACPI000D

In my case the file is located in /sys/devices/LNXSYSTM:00/device:00/ACPI000D:00/

Read the file

cat /sys/devices/LNXSYSTM:00/device:00/ACPI000D:00/power1_average

The result will probably be 0 and the error will be written to the log.

To solve the problem check the exact sensor which is affected with:

[root@srv log]# sensors
Adapter: ACPI interface
power1:        0.00 W  (interval = 300.00 s)

As you can see above, the sensor is power_meter-acpi-0. Now disable the sensor by adding

chip "power_meter-acpi-0"
        ignore power1

at the end of the /etc/sensors3.conf file.

The reboot is recommended but it is not necessary.

Check the sensor again with

[root@srv log]# sensors
Adapter: ACPI interface

As you can see, the line “power1….” is missing and the log is empty.

More info

Firmware Bug – The BIOS Has Corrupted Hw-PMU Resources

If you’re trying to install CentOS 7 on an HP server and you receive the error from the title, don’t worry – you’re not alone. According to Google, there are about 48400 results related to this topic.

The fix is still not available and according to HP, the problem is related to “Processor Power and Utilization Monitoring” function which should be disabled to fix this mess.

Affected servers:
– All ProLiant Gen8 Servers
– ProLiant DL580 G7
– ProLiant BL620 G7
– ProLiant BL680 G7

How to disable “Processor Power and Utilization Monitoring”:
– enter BIOS (press F9 during boot)
– press CTRL+A (Service Option is hidden by default)
– select “Service Options” -> Processor Power and Utilization Monitoring -> Disable

Press F10 to save and exit and reboot the server.

More information can be found on the next links:

DL380 Gen9 is also affected with this problem. The solution remains the same (disable Processor Power and Utilization Monitoring)

Edit: 2016-03-31 (comment by Jimmy)

There really isn’t any fix needed. It is just an informational message. The system is reserving performance counters for system management and the kernel wants to own all the performance counters regardless. You can disable the ProLiant management features if you really want to stop the message. Other than printing the message during boot, there isn’t any negative impact on the system or performance.

Huawei E1552/E1800/E173 on CentOS 6

Today I had a chance to test Huawei E173 USB dongle and it works perfectly on my Mint Linux. All I had to do was to plug it in and turn on via network manager applet.

I wanted to test this dongle with CentOS 6 and the main idea was to use this device for SMS monitoring. Using online SMS providers is much cheaper and easier (a bunch of APIs) but the online services are useless when your network is disconnected.

There are a lot of differences between RH based server distros and new/cutting edge distros like Mint. To be honest, I expected problems with CentOS.

The first thing was to check the USB dongle

[root@server ~]# dmesg |grep usb
usb 2-4: new high speed USB device number 2 using ehci_hcd
usb 2-4: New USB device found, idVendor=12d1, idProduct=1446
usb 2-4: New USB device strings: Mfr=3, Product=2, SerialNumber=0
usb 2-4: Product: HUAWEI Mobile
usb 2-4: Manufacturer: HUAWEI Technology
usb 2-4: configuration #1 chosen from 1 choice
usb-storage: device found at 2
usb-storage: waiting for device to settle before scanning
usb-storage: device found at 2
usb-storage: waiting for device to settle before scanning
usbcore: registered new interface driver usb-storage
usb-storage: device scan complete
usb-storage: device scan complete

Oops… the device is detected as USB storage, which I didn’t expect (and don’t want).

[root@server ~]# lsusb
Bus 002 Device 002: ID 12d1:1446 Huawei Technologies Co., Ltd. E1552/E1800/E173 (HSPA modem)

After some googling I discovered that the first thing I need to do is to install usb_modeswitch and smstools packages. The first package will be used to switch USB dongle from usb storage into modem mode. The second one will be used for SMS operations.

At the moment I tested this, I was far away from the server and I couldn’t try the simple plug/unplug method. The solution was to invoke the next command

[root@server ~]# usb_modeswitch -c /etc/usb_modeswitch.d/12d1\:1446 -v 0x12d1 -p 0x1446
Looking for target devices ...
 No devices in target mode or class found
Looking for default devices ...
   found matching product ID
   adding device
 Found device in default mode, class or configuration (1)
Accessing device 002 on bus 002 ...
Getting the current device configuration ...
 OK, got current device configuration (1)
Using first interface: 0x00
Using endpoints 0x01 (out) and 0x81 (in)
Inquiring device details; driver will be detached ...
Looking for active driver ...
 No driver found. Either detached before or never attached
SCSI inquiry data (for identification)
  Vendor String: HUAWEI  
   Model String: Mass Storage    
Revision String: 2.31
USB description data (for identification)
Manufacturer: HUAWEI Technology
     Product: HUAWEI Mobile
  Serial No.: not provided
Setting up communication with interface 0
Using endpoint 0x01 for message sending ...
Trying to send message 1 to endpoint 0x01 ...
 OK, message successfully sent
Resetting response endpoint 0x81
 Could not reset endpoint (probably harmless): -71
Resetting message endpoint 0x01
 Could not reset endpoint (probably harmless): -19
 Device is gone, skipping any further commands
-> Run lsusb to note any changes. Bye.

As the output recommended, I tried again with lsusb

[root@server ~]# lsusb
Bus 002 Device 003: ID 12d1:1001 Huawei Technologies Co., Ltd. E169/E620/E800 HSDPA Modem

Also, after this step, you should have

[root@server smsd]# ls /dev/ttyUSB*
/dev/ttyUSB0  /dev/ttyUSB1  /dev/ttyUSB2

I found that the settings file /etc/smsd.conf (for SMSTools) should be something like this:

devices = GSM1
logfile = /var/log/smsd/smsd.log
loglevel = 7
user = smstools
infofile = /var/run/smsd/smsd.working
pidfile = /var/run/smsd/
# 3.1.5 introduced smart logging
# once your configuration is OK, set log level lower (5 is good in most cases)
smart_logging = yes
init = AT+CPMS="ME","ME","ME"
device = /dev/ttyUSB0
incoming = yes

You can find more information about the configuration parameters on the next link

Start smsd service with service smsd start

To send SMS message go into /var/spool/sms/outgoing/ dir and create the file testSMS (for example) and add the next content inside

To: 38765655849

The other option is to use smssend command.

In case that something doesn’t work, check the logs inside /var/log/smsd/ dir.

HP B110i, B120i and B320i RAID controller – howto

The RAID functionality for the B120i and B320i controllers in the “e” series ProLiant servers is provided by a software driver (FakeRAID). The driver for these RAID controllers is available in binary form on HP site (Currently only for RHEL and SLES). CentOS users (of course) should download RHEL driver but in this case, do not expect support from HP.

Without the drivers, the disks won’t be seen as part of a RAID array.

Option 1 – disable controller / don’t use it

For systems with the B320i SAS controller

  • Boot the server into System Options
  • Navigate to HP Smart Array B320i Raid Configuration
  • Change to DISABLED

For systems with the B120i SATA controller

  • Boot the server into System Options
  • Navigate to SATA Controller Options -> Embedded SATA Configuration

Option 2 – install drivers

  1. Click here to download RHEL 6.x driver
  2. In the “Software – Driver Update” section you’ll see the latest update (hpvsa-1.2.12-110.rhel6u6.x86_64.dd.gz). Download the file and extract it onto a FAT32 formatted USB drive
  3. Boot CentOS 6 from DVD (or however you want)
  4. On the main installation menu, plug in the USB drive. Press “ESC” to manually boot
  5. At that “boot” prompt enter the following command: linux dd blacklist=ahci
  6. Hit ENTER and select Yes for driver option. Select the USB drive, select the driver disk image and select OK.
  7. Continue with the OS installation


CentOS – setup utility

For RH based distros, the “setup” utility is a must. With this tool you can easily maintain basic system settings (firewall settings, network, start-up services, etc).

If you choose to install a minimal system, this tool won’t be available and you’ll need to add it manually.

yum -y install setuptool system-config-network* system-config-firewall* system-config-securitylevel-tui system-config-keyboard ntsysv

SSH2 extension for PHP on CentOS 6

Before we can build and install ssh2 extension, we’ll need a few packages

yum install gcc php-devel php-pear libssh2 libssh2-devel make

Install the extension via pecl

pecl install -f ssh2

On CentOS, PHP will not load extension automatically. To “fix” this, create ssh2.ini file inside /etc/php.d/ and add


Restart apache (service httpd restart) and test PHP with

php -m | grep ssh2

In response, you should get ssh2.