subject:"\[Touch\-packages\] \[Bug 1408589\] Comment bridged from LTC Bugzilla"

[Touch-packages] [Bug 1408589] Comment bridged from LTC Bugzilla

2015-01-27 Thread bugproxy

--- Comment From mauri...@br.ibm.com 2015-01-27 12:55 EDT---
The error actually happened because the chroot was mounted over NFSv4, and the 
NFSv4 server had incorrect domain name configuration.

Then, the NFSv4 idmapd didn't match 'localdomain' (server) with
cluster.com (client), resulting in the chfn binary (and others) being
owned by nobody/nogroup, this combined with the suid bit of that binary,
resulted in kernel denying it during PAM/audit check (failure occurs
right after the socket/sendto/recvfrom syscalls from PAM to kernel
audit).

Solution was to configure the domain name correctly on the server.
Possible workarounds were:
- Use NFSv3 (which has no Name-ID Mapping / idmapd)
- Clear the suid bit

More detailed description from e-mail..


The problem happened because the 'chfn' binary had the suid bit set and was not 
owned by root
(actually, nobody/nogroup), so the kernel audit refused it during the PAM/auth 
step
(the PAM error follows right after the socket/sendto/recvfrom syscalls for 
kernel audit)

That ownership mistake only exists on the NFS mount/client (on tulgpu002). It 
is correct
(root/root) on the NFS server (bgxcat).

That happened due to a misconfiguration in the NFSv4 rpc.idmapd on the bgxcat 
server;
bgxcat had no FQDN/fully-qualified domain name configured, so the NFSv4 idmapd 
didn't
allow bgxcat user 'root' to be 'root' on tulgpu002, because of a mismatch 
between their
domains ('localdomain' on bgxcat, 'cluster.com' in tulgpu002).

For a solution, either fixing the network/domain configuration in bgxcat, or 
using NFSv3,
works.  I have already performed the former for you, and validated the latter.

[root@bgxcat mauricfo]# cat /etc/sysconfig/network
NETWORKING=yes
#HOSTNAME=bgxcat
HOSTNAME=bgxcat.cluster.com

For those interested, more technical details / demonstration are
provided below.

I'm happy to extend the discussion if anyone has questions/comments.

Demonstrating problem/workaround w/ NFSv4 ID Mapping (misconfiguration on 
bgxcat server)


Trying in tulgpu002 (/install mounted over NFSv4)

root@tulgpu002:~/mauricio# mount | grep /install
bgxcat:/install on /install type nfs 
(rw,vers=4,addr=10.0.0.1,clientaddr=10.0.0.7)

root@tulgpu002:~/mauricio# chroot 
/install/netboot/ubuntu14.10/ppc64el/tulgpu-0001-netboot-compute/rootimg 
/usr/bin/chfn -f 'games user' games
chfn: PAM: System error

The chfn binary has the suid bit set, but uid/gid are NOT root
(nobody/nogroup). This leads to the problem.

root@tulgpu002:~/mauricio# ls -lh 
/install/netboot/ubuntu14.10/ppc64el/tulgpu-0001-netboot-compute/rootimg/usr/bin/chfn
-rwsr-sr-x 1 nobody nogroup 53K Jul 18  2014 
/install/netboot/ubuntu14.10/ppc64el/tulgpu-0001-netboot-compute/rootimg/usr/bin/chfn

On bgxcat (the source of /install), all is fine: suid is set, and the
uid/gid are root. No problems there.

[root@bgxcat mauricfo]# ls -lh 
/install/netboot/ubuntu14.10/ppc64el/tulgpu-0001-netboot-compute/rootimg/usr/bin/chfn
-rwsr-sr-x 1 root root 53K Jul 18  2014 
/install/netboot/ubuntu14.10/ppc64el/tulgpu-0001-netboot-compute/rootimg/usr/bin/chfn

The owner/group permissions changes because of NFSv4 ID Mapping
(rpc.idmapd).

root@tulgpu002:~/mauricio# grep ^No /etc/idmapd.conf
Nobody-User = nobody
Nobody-Group = nogroup

# mount | grep /install
bgxcat:/install on /install type nfs 
(rw,vers=4,addr=10.0.0.1,clientaddr=10.0.0.7)

If you retry with NFSv3, which has no ID Mapping, it works.

root@tulgpu002:~/mauricio# umount /install
root@tulgpu002:~/mauricio# mount -t nfs -o vers=3 bgxcat:/install /install
root@tulgpu002:~/mauricio# mount | grep /install
bgxcat:/install on /install type nfs (rw,vers=3,addr=10.0.0.1)

The user/group show up as root.

root@tulgpu002:~/mauricio# ls -lh 
/install/netboot/ubuntu14.10/ppc64el/tulgpu-0001-netboot-compute/rootimg/usr/bin/chfn
-rwsr-sr-x 1 root root 53K Jul 18  2014 
/install/netboot/ubuntu14.10/ppc64el/tulgpu-0001-netboot-compute/rootimg/usr/bin/chfn

And chroot chfn passes.

root@tulgpu002:~/mauricio# chroot 
/install/netboot/ubuntu14.10/ppc64el/tulgpu-0001-netboot-compute/rootimg 
/usr/bin/chfn -f 'games user' games
root@tulgpu002:~/mauricio#

Go back to NFSv4, and you'll see the problem.

root@tulgpu002:~/mauricio# umount /install
root@tulgpu002:~/mauricio# mount -t nfs -o vers=4 bgxcat:/install /install
root@tulgpu002:~/mauricio# mount | grep /install
bgxcat:/install on /install type nfs 
(rw,vers=4,addr=10.0.0.1,clientaddr=10.0.0.7)

User/group are not root anymore.

root@tulgpu002:~/mauricio# ls -lh 
/install/netboot/ubuntu14.10/ppc64el/tulgpu-0001-netboot-compute/rootimg/usr/bin/chfn
-rwsr-sr-x 1 nobody nogroup 53K Jul 18  2014 
/install/netboot/ubuntu14.10/ppc64el/tulgpu-0001-netboot-compute/rootimg/usr/bin/chfn

root@tulgpu002:~/mauricio# chroot 
/install/netboot/ubuntu14.10/ppc64el/tulgpu-0001-netboot-compute/rootimg 
/usr/bin/ch

[Touch-packages] [Bug 1408589] Comment bridged from LTC Bugzilla

2015-01-19 Thread bugproxy

--- Comment From mainam...@in.ibm.com 2015-01-19 10:36 EDT---
Hello Ubuntu,

Any update on this?

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to shadow in Ubuntu.
https://bugs.launchpad.net/bugs/1408589

Title:
  chfn does not work in chroot environment

Status in shadow package in Ubuntu:
  New

Bug description:
  == Comment: #0 - Guang Cheng Li  - 2015-01-07 01:51:51 ==
  ---Problem Description---
  chfn does not work in a chroot environment.

  In a chroot environment, the chroot exits with error "chfn: PAM:
  System error" and does not do anything.

  This might be related to 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=763391 and 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=745082
   
  Contact Information = Guang Cheng Li ligua...@cn.ibm.com, Ralph Bellofatto 
ralph...@us.ibm.com 
   
  ---uname output---
  Linux tulgpu002 3.16.0-23-generic #31-Ubuntu SMP Tue Oct 21 17:55:08 UTC 2014 
ppc64le ppc64le ppc64le GNU/Linux
   
  Machine Type = N/A 
   
  ---Debugger---
  A debugger is not configured
   
  ---Steps to Reproduce---
   Create a Ubuntu chroot environment, chroot into the directory, then run chfn.

  root@tulgpu002:~# ls
  chfn-error-rootimg
  root@tulgpu002:~# chroot chfn-error-rootimg
  root@tulgpu002:/# ls
  bin   dev  homelibmedia  opt   root  sbin  sys  usr  vmlinux
  boot  etc  initrd.img  lib64  mntproc  run   srv   tmp  var  xcatpost
  root@tulgpu002:/# 
  root@tulgpu002:/# chfn -f 'games user id' games
  chfn: PAM: System error
  root@tulgpu002:/# 

   
  *Additional Instructions for Guang Cheng Li ligua...@cn.ibm.com, Ralph 
Bellofatto ralph...@us.ibm.com: 
  -Post a private note with access information to the machine that the bug is 
occuring on.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1408589/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

[Touch-packages] [Bug 1408589] Comment bridged from LTC Bugzilla

[Touch-packages] [Bug 1408589] Comment bridged from LTC Bugzilla

2 matches

Site Navigation

Mail list logo

Footer information