Chris_Chaloux_1
Nov 05, 2008

Class file permission issue

All -

Does anyone know what the permissions need to be for class files that live under /var/class?

I am hosting a class file in a sub off of this location and get the following error during a b load:

BIGpipe class operation error:

01070644:3: The requested class file (/var/class/oos/**com/oos.**com.index.html.class) exists, but does not have read/write privilege.

The structure starting from class all the way down has 775 so I can't see where the issue is. Anyone else run into this?

8 Replies

  • I'd guess the issue is with the subdirectory within the /var/class directory. If you move the class file to /var/class does it work?

    Aaron
  • Colin_Walker_12
    Historic F5 Account
    I'm with Aaron on this one. I'm thinking there's an issue with reading a class file outside of that specific directory. I seem to recall hearing something about this being hard-set somewhere in the system for security. I can't seem to find any notes on that though, so at the moment it's just a hunch.

    Colin
  • Can you give an example of your i-rule that you use to call on the class? I just tried a few levels of subdirectories and it worked for me!
  • The error is caused by subdomain blocking access to the subdirectory. You can work around the issue by not using classes in subdirectories under /var/class. Else, here are steps to allow MCPD access to the /var/class subdirectory:

    GUI error:

    01070644:3: The requested class file (/var/class/subdir/subdir.test.class) exists, but does not have read/write privilege.

    /var/log/kern.log:

    Nov 10 10:41:12 test SubDomain: REJECTING rw access to /var/class/subdir/subdir.test.class (mcpd(24866) profile /bin/mcpd active /bin/mcpd)

    There are two related files which you'd need to modify to allow access from the GUI and via iControl to subdirectories under /var/class:

    /etc/subdomain.d/bin.mcpd
    /etc/subdomain.d/usr.local.www.iControl.iControlPortal.cgi

    grep -R class /etc/subdomain.d/*

    bin.mcpd: /var/class/* lrw,
    usr.local.www.iControl.iControlPortal.cgi: /var/class/* lrw,

    I wasn't able to find documentation on this, but it looks like you can give recursive access by changing the /var/class/* entries to /var/class/**.

    I tested this by:

    - creating an external class file under /var/class/subdomain/subdir.test.class
    - modifying the /etc/subdomain.d/bin.mcpd file entry from /var/class/* lrw, to /var/class/** lrw
    - restarting subdomain (bigstart restart subdomain)

    I could then create an external class in the GUI which referenced the /var/class/subdir/subdir.test.class file.

    Note that you should also modify the usr.local.www.iControl.iControlPortal.cgi entry for /var/class to allow iControl apps to access this class.

    Aaron
  • Note that future upgrades/hotfixes may blow those changes away, so you'll want to have a detailed documentation process for making changes to system files.
  • That's a very good point, citizen_elah.

    It would be cleaner to just put the external file in the /var/class directory. If you do need to use a subdirectory for some reason, it would make sense to open a case with F5 Support and ask them to support subdirectory access for iControl and MCPD to /var/class/.

    Aaron
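
As an added illustration (not part of the original thread and not F5 code), the Python sketch below checks the kern.log rejection quoted in the thread against the original and the modified profile rule. It assumes SubDomain follows AppArmor-style globbing, where `*` stops at `/` and `**` does not; the function names are hypothetical and the glob translation is simplified.

```python
import re

# Rule text as shown in the thread's grep output, and the proposed recursive form.
ORIGINAL_RULE = "/var/class/* lrw,"
RECURSIVE_RULE = "/var/class/** lrw,"

# The kern.log line quoted in the thread.
KERN_LOG = ("Nov 10 10:41:12 test SubDomain: REJECTING rw access to "
            "/var/class/subdir/subdir.test.class "
            "(mcpd(24866) profile /bin/mcpd active /bin/mcpd)")

REJECT_RE = re.compile(
    r"SubDomain: REJECTING (\S+) access to (\S+) \(\w+\(\d+\) profile (\S+)")


def glob_to_regex(glob):
    """Translate a path glob (assumed semantics): '**' crosses '/', '*' does not."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
        elif glob[i] == "*":
            out.append("[^/]*")
            i += 1
        else:
            out.append(re.escape(glob[i]))
            i += 1
    return re.compile("".join(out) + r"\Z")


def parse_rule(line):
    """Split '/path/glob perms,' into (compiled glob, set of permission letters)."""
    path, perms = line.strip().rstrip(",").split()
    return glob_to_regex(path), set(perms)


def parse_rejection(line):
    """Return (requested permissions, path, profile) from a REJECTING line, else None."""
    m = REJECT_RE.search(line)
    return (set(m.group(1)), m.group(2), m.group(3)) if m else None


def rule_allows(rule_line, path, wanted):
    """True when the rule's glob matches the path and grants every wanted permission."""
    pattern, granted = parse_rule(rule_line)
    return bool(pattern.match(path)) and wanted <= granted
```

Under the same assumption, the `**` rule grants mcpd link, read and write access at any depth below /var/class, not only to the one subdirectory that triggered the rejection.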