[linux-lvm] dmsetup says "Device does not exist", though it exists
Hello,

I have a volume group with 20 logical volumes. Only the last one of these volumes has a strange problem with dmsetup, shown by these commands and output on the command line:

root@host:/home/linux# /sbin/dmsetup info -c -o name --noheadings /dev/vg/lv20
Device does not exist.
Command failed
root@host:/home/linux# lvdisplay -c /dev/vg/lv20
/dev/vg/lv20:vg:3:1:-1:0:4194304:512:-1:0:-1:253:19
root@host:/home/linux# mount /dev/vg/lv20 /mnt
root@host:/home/linux# ls /mnt
lost+found data1 data2

That is, dmsetup says "Device does not exist" about a logical volume, though the volume exists and is operating normally. What is the possible problem here?

Regards
Christoph

___
linux-lvm mailing list
linux-lvm@redhat.com
https://www.redhat.com/mailman/listinfo/linux-lvm
read the LVM HOW-TO at http://tldp.org/HOWTO/LVM-HOWTO/
Re: [linux-lvm] dmsetup says "Device does not exist", though it exists
Hello,

>> I have a volume group with 20 logical volumes. Only the last one of these volumes has a strange problem with dmsetup, shown by these commands and output on the command line:
>>
>> root@host:/home/linux# /sbin/dmsetup info -c -o name --noheadings /dev/vg/lv20
>> Device does not exist.
>> Command failed
>> root@host:/home/linux# lvdisplay -c /dev/vg/lv20
>> /dev/vg/lv20:vg:3:1:-1:0:4194304:512:-1:0:-1:253:19
>> root@host:/home/linux# mount /dev/vg/lv20 /mnt
>> root@host:/home/linux# ls /mnt
>> lost+found data1 data2
>>
>> That is, dmsetup says "Device does not exist" about a logical volume, though the volume exists and is operating normally. What is the possible problem here?
>
> Have you tried strace ?

I attached the relevant lines of the strace output. I am really wondering what is happening there:

1. A stat() on /dev/mapper/lv20 is performed, though I requested /dev/mapper/vg-lv20
2. A stat() on /dev/mapper/vg-lv15-real is performed. What does this have to do with lv20 (after I wrote what is at number 3, I know)
3. I do not even know where /dev/mapper/vg-lv15-real is coming from. I created a logical volume named lv15, but none named lv15-real. And really, 'ls -l /dev/vg/' does not list lv15-real, but 'ls -l /dev/mapper' lists vg-lv15-real and shows that it has the same link target /dev/dm-18 as lv20.
4. Though stat() found /dev/mapper/vg-lv15-real, ioctl() says that this device does not exist.

> Kernel version, lvm version, distribution... ?

Kernel Debian amd64 4.9.168-1+deb9u2, LVM version 2.03.02(2), Debian 9 (stretch)

Regards
Christoph

ioctl(3, DM_VERSION, {version=4.0.0, data_size=16384, flags=DM_EXISTS_FLAG} => {version=4.35.0, data_size=16384, flags=DM_EXISTS_FLAG}) = 0
stat("/dev/vg/lv20", {st_mode=S_IFBLK|0660, st_rdev=makedev(253, 18), ...}) = 0
stat("/dev/mapper/lv20", 0x7ffd1b0ce0d0) = -1 ENOENT (No such file or directory)
open("/dev/mapper", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 4
fstat(4, {st_mode=S_IFDIR|0755, st_size=460, ...}) = 0
getdents(4, /* 23 entries */, 32768)= 992
stat("/dev/mapper/vg-lv15-real", {st_mode=S_IFBLK|0660, st_rdev=makedev(253, 18), ...}) = 0
close(4)= 0
ioctl(3, DM_DEV_STATUS, {version=4.0.0, data_size=16384, name="vg-lv15-real", flags=DM_EXISTS_FLAG} => {version=4.35.0, data_size=16384, name="vg-lv15-real", flags=DM_EXISTS_FLAG}) = -1 ENXIO (No such device or address)
write(2, "Device does not exist.", 22Device does not exist.) = 22
write(2, "\n", 1 ) = 1
write(2, "Command failed.", 15Command failed.) = 15
write(2, "\n", 1 ) = 1
close(3)= 0
exit_group(1) = ?
+++ exited with 1 +++
Re: [linux-lvm] dmsetup says "Device does not exist", though it exists
Hello,

> So are you actually trying to access not a 'normal' LV - but an LV under snapshot ?

No, /dev/vg/lv20 is a normal logical volume. But /dev/vg/lv15 has been under snapshot before.

Now, I created a snapshot manually (before, it was created by an automatic backup mechanism) and saw what happened:

1. I created the snapshot with 'lvcreate -s -L 2G /dev/vg/lv15'
2. Afterwards, a symbolic link /dev/vg/lvol0 existed and pointed to /dev/dm-21. Additionally, a link /dev/mapper/vg-lv15-real existed, pointing to /dev/dm-19
3. I deleted the snapshot with lvremove
4. Afterwards, /dev/vg/lvol0 had disappeared. /dev/mapper/vg-lv15-real was still present, and it did not point to /dev/dm-19 any more, but to /dev/dm-18, the same as /dev/vg/lv20

Regards
Christoph
Re: [linux-lvm] dmsetup says "Device does not exist", though it exists
Hello,

> and you can enable verification of udev rule processing with lvm.conf option:
>
> verify_udev_operations = 1

After setting this, I got the following message from lvremove:

Node /dev/mapper/vg-lv15-real was not removed by udev. Falling back to direct node removal.

Regards
Christoph
[linux-lvm] Programming interface
Hello,

Some time ago, we wrote an application that uses the lvm2app interface to manage volume groups and logical volumes. Of course, the application does not work anymore, now that lvm2app has been skipped.

So, is there anywhere something like a guide how to rewrite code that used the lvm2app interface?

Regards
Christoph
Re: [linux-lvm] Programming interface
Hello,

> The 'new' idea was to use/provide 'DBus' API - however it's also not a lot of 'traction' :( and it's also missing lot of features and design...

Surely you are not saying that the dbus interface will also disappear - because I am using that in another, less complicated application, though not directly, but with libblockdev.

Regards
Christoph
Re: [linux-lvm] Programming interface
Hello,

>> Some time ago, we wrote an application that uses the lvm2app interface to manage volume groups and logical volumes. Of course, the application does not work anymore, now that lvm2app has been skipped.
>>
>> So, is there anywhere something like a guide how to rewrite code that used the lvm2app interface?
>
> Unfortunately there is no API library anymore - we were simply not able to provide such interface - it's complex task and very low number of developers...

When, as a quick solution, I install a binary package containing one of the last lvm2app versions that was still included in the same lvm2 upstream version, will that still work, in combination with newer lvm programs and libraries?

Regards
Christoph
[linux-lvm] lvcreate from a setuid-root binary
Hello,

I am calling lvcreate from a setuid-binary, which internally calls setreuid(), so that not only effective and saved UIDs, but also the real UID is set to 0. From _nonroot_warning() in lvmcmdline.c I see that LVM command line tools expect that.

Unfortunately - though these UIDs are all set to 0 - lvcreate still does not work for me. That is, it does work when I call my setuid-binary as a non-root user from the command line, but it does not work when I call my setuid-binary from PAM module pam_exec - and that is what I need my program for.

I let my program send lvcreate output to a file and that file has the following content:

device-mapper: version ioctl on failed: Permission denied
Incompatible libdevmapper 1.02.137 (2016-11-30) and kernel driver (unknown version).
striped: Required device-mapper target(s) not detected in your kernel.
Run `lvcreate --help' for more information.

What might be the problem here so that lvcreate gives these errors though all UIDs are 0?

Regards
Christoph
Re: [linux-lvm] lvcreate from a setuid-root binary
Hello,

> Let's stop there. The fact you're asking a question about setuid suggests you don't understand enough to be able to use it safely.

I get security by checking the real user id at the beginning of the program and aborting the program if that uid does not belong to the only user who is allowed to run the program. That user is me and I guess that it is much more insecure to run the whole service that wants to authenticate users through PAM as root.

> Go back to the beginning and describe the original problem you are trying to solve and the constraints you have and ask for advice about ways to achieve it.

The beginning is that I want to create a user-specific logical volume when a user logs in to a service that authenticates its users through pam and that does not run as root.

Regards
Christoph
Re: [linux-lvm] lvcreate from a setuid-root binary
Hello,

> How do you plan to 'authorize' passed command line options ??

My program has no command line options. It just takes PAM_USER from PAM environment and creates a logical volume /dev/vg1/$PAM_USER, creates a filesystem and changes directory permissions of the top directory of the new filesystem.

> lvm2 is designed to be always executed with root privileges - so it's believed admin knows how he can destroy his own system.
>
> It is NOT designed/supposed to be used as suid binary - this would give user a way too big power to very easily destroy your filesystem and gain root privileges (i.e. by overwriting /etc/passwd file)

Either you misunderstood what I mean, or I am misunderstanding what you mean - I do not set lvcreate suid root, but a program that has only a small and well defined set of instructions (described above) and that restricts its execution to only one user (by checking the real uid before setuid(0)).

Regards
Christoph
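
The message above describes a helper that turns PAM_USER into the LV name /dev/vg1/$PAM_USER. As an added example (not the poster's program and not LVM code), this C sketch shows one way to validate that value before it reaches lvcreate and to build a fixed argument vector; the name policy, the size "1G" and the path /sbin/lvcreate are assumptions made for the example.

```c
/* Added example: validate PAM_USER before it is used as an LV name, and
 * build a fixed lvcreate argument vector in which only the name varies. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define VG_NAME  "vg1"             /* volume group named in the message */
#define LV_SIZE  "1G"              /* assumed size; the thread gives none */
#define LVCREATE "/sbin/lvcreate"  /* assumed absolute path, no PATH lookup */

/* Policy chosen for this example, stricter than LVM's own naming rules:
 * 1..32 characters from [a-z0-9-], first character a letter. Excluding '_'
 * keeps LVM's reserved internal suffixes (such as _mlog or _tdata) out. */
int lv_name_ok(const char *name)
{
    size_t i, len;
    if (!name) return 0;
    len = strlen(name);
    if (len < 1 || len > 32) return 0;
    if (name[0] < 'a' || name[0] > 'z') return 0;
    for (i = 0; i < len; i++) {
        char c = name[i];
        if (!((c >= 'a' && c <= 'z') || (c >= '0' && c <= '9') || c == '-'))
            return 0;
    }
    /* Prefixes LVM reserves for its own volumes. */
    if (!strncmp(name, "snapshot", 8) || !strncmp(name, "pvmove", 6))
        return 0;
    return 1;
}

/* Fill argv (7 slots) for execve(); returns 0 on success, -1 if rejected. */
int build_lvcreate_argv(const char *user, const char *argv[7])
{
    if (!lv_name_ok(user)) return -1;
    const char *fixed[7] = { LVCREATE, "-n", user, "-L", LV_SIZE, VG_NAME, NULL };
    memcpy(argv, fixed, sizeof fixed);
    return 0;
}

int main(void)
{
    const char *argv[7];
    const char *user = getenv("PAM_USER");   /* exported by pam_exec */
    if (build_lvcreate_argv(user, argv) != 0) {
        fprintf(stderr, "refusing PAM_USER value\n");
        return 1;
    }
    for (int i = 0; argv[i]; i++)
        printf("%s%s", i ? " " : "", argv[i]);
    putchar('\n');
    return 0;
}
```

The example only prints the command line; a real helper would pass the same vector to execve() together with a minimal, fixed environment.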
Re: [linux-lvm] lvcreate from a setuid-root binary
Hello,

On 2018-11-17 01:24, Alasdair G Kergon wrote:
> On Fri, Nov 16, 2018 at 02:43:10PM +0100, Christoph Pleger wrote:
>> I get security by checking the real user id at the beginning of the program and aborting the program if that uid does not belong to the only user who is allowed to run the program.
>
> Sounds familiar. Shall I tell you one of those stories? ... ... ...

My program calls getpwuid() with the real user id of the calling user and then compares this user's name with the name of the one and only user who is allowed to continue program execution. Do you think that this can be circumvented?

Regards
Christoph
Re: [linux-lvm] lvcreate from a setuid-root binary
Hello,

On 2018-11-19 15:04, matthew patton wrote:
>> program calls getpwuid() with the real user id of the calling user
>
> maybe I missed a critical post explaining why it has to be, but that's a job for a trivial sudo specification line. I can't think of any reason why sudo is not the answer to your problem, or frankly isn't always the answer.

I have already tried sudo before writing my own setuid-root-program, by calling it directly from pam_exec and by letting pam_exec call another program first that calls sudo. Either case failed, even with simple tests like letting sudo run /bin/ls (and of course I checked before that the same user could use sudo from the command line).

Regards
Christoph
Re: [linux-lvm] lvcreate from a setuid-root binary
Hello,

On 2018-11-19 14:19, Bryn M. Reeves wrote:
> On Fri, Nov 16, 2018 at 02:43:10PM +0100, Christoph Pleger wrote:
>> The beginning is that I want to create a user-specific logical volume when a user logs in to a service that authenticates its users through pam and that does not run as root.
>
> Couldn't you use a pam_scripts ses_open/ses_close hook to do this?
>
> That way you can get rid of any suid binary and rely on the well tested PAM stack to carry out the set up (and optionally clean up) for the users at login/out time.

Hm, I do not see how the scripts called by pam_scripts can be executed with another user id than the process that called pam_authenticate()?

Regards
Christoph
Re: [linux-lvm] lvcreate from a setuid-root binary
Hello,

On 2018-11-15 17:39, Christoph Pleger wrote:
> Unfortunately - though these UIDs are all set to 0 - lvcreate still does not work for me. That is, it does work when I call my setuid-binary as a non-root user from the command line, but it does not work when I call my setuid-binary from PAM module pam_exec - and that is what I need my program for.
>
> I let my program send lvcreate output to a file and that file has the following content:
>
> device-mapper: version ioctl on failed: Permission denied
> Incompatible libdevmapper 1.02.137 (2016-11-30) and kernel driver (unknown version).
> striped: Required device-mapper target(s) not detected in your kernel.
> Run `lvcreate --help' for more information.
>
> What might be the problem here so that lvcreate gives these errors though all UIDs are 0?

No matter if I use that setuid-mechanism in the end or not, I would still like to know why it does not work as-is with lvcreate. :-)

I guess that the error message "device-mapper: version ioctl on failed: Permission denied" comes from the following lines in LVM's libdm/ioctl/libdm-iface.c:

    if (_log_suppress || dmt->ioctl_errno == EINTR)
        log_verbose("device-mapper: %s ioctl on %s%s%s%.0d%s%.0d%s%s "
                    "failed: %s",
                    _cmd_data_v4[dmt->type].name,
                    dmi->name, dmi->uuid,
                    dmt->major > 0 ? "(" : "",
                    dmt->major > 0 ? dmt->major : 0,
                    dmt->major > 0 ? ":" : "",
                    dmt->minor > 0 ? dmt->minor : 0,
                    dmt->major > 0 && dmt->minor == 0 ? "0" : "",
                    dmt->major > 0 ? ")" : "",
                    strerror(dmt->ioctl_errno));
    else
        log_error("device-mapper: %s ioctl on %s%s%s%.0d%s%.0d%s%s "
                  "failed: %s",
                  _cmd_data_v4[dmt->type].name,
                  dmi->name, dmi->uuid,
                  dmt->major > 0 ? "(" : "",
                  dmt->major > 0 ? dmt->major : 0,
                  dmt->major > 0 ? ":" : "",
                  dmt->minor > 0 ? dmt->minor : 0,
                  dmt->major > 0 && dmt->minor == 0 ? "0" : "",
                  dmt->major > 0 ? ")" : "",
                  strerror(dmt->ioctl_errno));

But somehow, the values are empty ...

Regards
Christoph
Re: [linux-lvm] lvcreate from a setuid-root binary
Hello,

On 2018-11-16 16:41, Stuart D. Gathman wrote:
> It's not very elegant, but the quick and dirty solution is to use sudo

Probably you had not yet read that far in this thread, but I already wrote that sudo does not work when called from pam_exec. To get the stderr and stdout results of sudo, I wrote a shell script wrapper around it, and the results are (maybe because sudo itself uses PAM?):

sudo: unable to change to root gid: Operation not permitted
sudo: unable to initialize policy plugin

Someone wrote that he assumes that pam_exec ignores the setuid-bit in the file permissions, but that is obviously wrong, as this whole thread is about why lvcreate, when being called from my setuid-root-binary, has permission problems though all three (real, effective and saved) UIDs are 0 (and of course I checked that they really are 0).

Regards
Christoph
Re: [linux-lvm] lvcreate from a setuid-root binary
Hello,

> May be silly question: Do you have selinux or equivalent enabled?

I HAD apparmor enabled, but after the first failures (like described here) had occurred, I also suspected apparmor as a possible reason and disabled it. Unfortunately, that did not help.

Regards
Christoph
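
The thread leaves open why lvcreate gets "Permission denied" although real, effective and saved UID are all 0. As an added example (not code from the thread or from LVM): on Linux the device-mapper control ioctls require the CAP_SYS_ADMIN capability rather than UID 0, so this C diagnostic reads the UIDs and capability sets from /proc/self/status and reports when a process is UID 0 without that capability; the sample text and the process name mkuserlv are constructed.

```c
/* Added example: decide from /proc/<pid>/status text whether a process whose
 * UIDs are all 0 still lacks the capability device-mapper ioctls require. */
#include <stdio.h>
#include <string.h>

#define CAP_SETGID_BIT     6   /* needed to change GID, as sudo does */
#define CAP_SYS_ADMIN_BIT 21   /* checked by the device-mapper control device */

struct priv_state {
    long uid_real, uid_eff, uid_saved;
    unsigned long long cap_eff, cap_bnd;
    int no_new_privs;              /* -1 when the field is absent */
};

/* Constructed sample: every UID is 0, but only CAP_SETUID (bit 7) is left. */
static const char SAMPLE[] =
    "Name:\tmkuserlv\nUid:\t0\t0\t0\t0\nGid:\t1000\t1000\t1000\t1000\n"
    "CapEff:\t0000000000000080\nCapBnd:\t0000000000000080\nNoNewPrivs:\t0\n";

/* Extract the fields above from status text; returns 0 on success. */
int parse_status(const char *text, struct priv_state *ps)
{
    const char *p;
    memset(ps, 0, sizeof *ps);
    ps->no_new_privs = -1;
    if (!(p = strstr(text, "\nUid:")) || sscanf(p, "\nUid: %ld %ld %ld",
            &ps->uid_real, &ps->uid_eff, &ps->uid_saved) != 3)
        return -1;
    if (!(p = strstr(text, "\nCapEff:")) || sscanf(p, "\nCapEff: %llx", &ps->cap_eff) != 1)
        return -1;
    if (!(p = strstr(text, "\nCapBnd:")) || sscanf(p, "\nCapBnd: %llx", &ps->cap_bnd) != 1)
        return -1;
    if ((p = strstr(text, "\nNoNewPrivs:")))
        sscanf(p, "\nNoNewPrivs: %d", &ps->no_new_privs);
    return 0;
}

int has_cap(unsigned long long mask, int bit) { return (int)((mask >> bit) & 1ULL); }

/* 1 when real, effective and saved UID are 0 but CAP_SYS_ADMIN is not effective. */
int root_without_sys_admin(const struct priv_state *ps)
{
    return ps->uid_real == 0 && ps->uid_eff == 0 && ps->uid_saved == 0 &&
           !has_cap(ps->cap_eff, CAP_SYS_ADMIN_BIT);
}

int main(void)
{
    static char buf[8192];
    struct priv_state ps;
    FILE *f = fopen("/proc/self/status", "r");
    size_t n = f ? fread(buf, 1, sizeof buf - 1, f) : 0;
    if (f) fclose(f);
    buf[n] = '\0';
    if (parse_status(n ? buf : SAMPLE, &ps) != 0) return 1;
    printf("uid r/e/s=%ld/%ld/%ld CapEff=%016llx CapBnd=%016llx NoNewPrivs=%d\n",
           ps.uid_real, ps.uid_eff, ps.uid_saved, ps.cap_eff, ps.cap_bnd, ps.no_new_privs);
    printf("CAP_SYS_ADMIN=%d CAP_SETGID=%d\n", has_cap(ps.cap_eff, CAP_SYS_ADMIN_BIT),
           has_cap(ps.cap_eff, CAP_SETGID_BIT));
    return root_without_sys_admin(&ps) ? 2 : 0;
}
```

Run from the same context as the failing helper (for instance started by pam_exec after the UID switch), an exit status of 2 means the UIDs are 0 but CAP_SYS_ADMIN is not in the effective set.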
[linux-lvm] lvm_vg_create_lv_linear() returns error though device was created
Hello,

I am now trying to not call external LVM commands, but to use LVM library calls instead. Now I have another problem:

lvm_vg_create_lv_linear(vg, pam_user, LVSIZE) returns NULL, which means an error. Normally I would think that I made a mistake, but when I manually call lvdisplay, I can see the LV and I can activate it with lvchange.

How can it happen that lvm_vg_create_lv_linear() returns NULL though the LV was created?

And a minor problem: The LVM library logs with syslog(), but I use my own syslog() calls in my program and as soon as lvm_init() has been called, both the identifier and the log facility change, so that logs go to another file. Can I somehow disable that?

Regards
Christoph