Re: [linux-lvm] Programming interface

2019-08-21 Thread Christoph Pleger

Hello,


The 'new' idea was to use/provide 'DBus' API - however it's also not a
lot of 'traction' :( and it's also missing lot of features and
design...


Surely you are not saying that the dbus interface will also disappear - 
because I am using that in another, less complicated application, though 
not directly, but with libblockdev.


Regards
  Christoph

___
linux-lvm mailing list
linux-lvm@redhat.com
https://www.redhat.com/mailman/listinfo/linux-lvm
read the LVM HOW-TO at http://tldp.org/HOWTO/LVM-HOWTO/


[linux-lvm] Programming interface

2019-08-21 Thread Christoph Pleger

Hello,

Some time ago, we wrote an application that uses the lvm2app interface 
to manage volume groups and logical volumes. Of course, the application 
does not work anymore, now that lvm2app has been skipped. So, is there 
anywhere something like a guide how to rewrite code that used the 
lvm2app interface?


Regards
  Christoph



Re: [linux-lvm] dmsetup says "Device does not exist", though it exists

2019-08-14 Thread Christoph Pleger

Hello,


So are you actually trying to access not a 'normal' LV - but an LV
under snapshot ?


No, /dev/vg/lv20 is a normal logical volume. But /dev/vg/lv15 has been 
under snapshot before.


Now, I created a snapshot manually (before, it was created by an 
automatic backup mechanism) and saw what happened:


1. I created the snapshot with 'lvcreate -s -L 2G /dev/vg/lv15'
2. Afterwards, a symbolic link /dev/vg/lvol0 existed and pointed to 
/dev/dm-21. Additionally, a link /dev/mapper/vg-lv15-real existed, 
pointing to /dev/dm-19

3. I deleted the snapshot with lvremove
4. Afterwards, /dev/vg/lvol0 had disappeared. /dev/mapper/vg-lv15-real 
was still present, and it did not point to /dev/dm-19 any more, but to 
/dev/dm-18, the same as /dev/vg/lv20


Regards
  Christoph



Re: [linux-lvm] dmsetup says "Device does not exist", though it exists

2019-08-14 Thread Christoph Pleger

Hello,

I have a volume group with 20 logical volumes. Only the last one of 
these volumes has a strange problem with dmsetup, shown by these 
commands and output on the command line:


root@host:/home/linux# /sbin/dmsetup info -c -o name --noheadings 
/dev/vg/lv20

Device does not exist.
Command failed

root@host:/home/linux# lvdisplay -c /dev/vg/lv20
   /dev/vg/lv20:vg:3:1:-1:0:4194304:512:-1:0:-1:253:19

root@host:/home/linux# mount /dev/vg/lv20 /mnt
root@host:/home/linux# ls /mnt
lost+found data1 data2

That is, dmsetup says "Device does not exist" about a logical volume, 
though the volume exists and is operating normally. What is the 
possible problem here?






Have you tried  strace ?


I attached the relevant lines of the strace output. I am really 
wondering what is happening there:


1. A stat() on /dev/mapper/lv20 is performed, though I requested 
/dev/mapper/vg-lv20
2. A stat() on /dev/mapper/vg-lv15-real is performed. What does this have 
to do with lv20 (after I wrote what is at number 3, I know)?
3. I do not even know where /dev/mapper/vg-lv15-real is coming from. I 
created a logical volume named lv15, but none named lv15-real. And 
really, 'ls -l /dev/vg/' does not list lv15-real, but 'ls -l 
/dev/mapper' lists vg-lv15-real and shows that it has the same link 
target /dev/dm-18 as lv20.
4. Though stat() found /dev/mapper/vg-lv15-real, ioctl() says that this 
device does not exist.




Kernel version, lvm version,  distribution... ?


Kernel Debian amd64 4.9.168-1+deb9u2, LVM version 2.03.02(2), Debian 9 
(stretch)


Regards
  Christoph

[attached strace excerpt]
ioctl(3, DM_VERSION, {version=4.0.0, data_size=16384, flags=DM_EXISTS_FLAG} => {version=4.35.0, data_size=16384, flags=DM_EXISTS_FLAG}) = 0
stat("/dev/vg/lv20", {st_mode=S_IFBLK|0660, st_rdev=makedev(253, 18), ...}) = 0
stat("/dev/mapper/lv20", 0x7ffd1b0ce0d0) = -1 ENOENT (No such file or directory)
open("/dev/mapper", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 4
fstat(4, {st_mode=S_IFDIR|0755, st_size=460, ...}) = 0
getdents(4, /* 23 entries */, 32768)= 992
stat("/dev/mapper/vg-lv15-real", {st_mode=S_IFBLK|0660, st_rdev=makedev(253, 18), ...}) = 0
close(4)= 0
ioctl(3, DM_DEV_STATUS, {version=4.0.0, data_size=16384, name="vg-lv15-real", flags=DM_EXISTS_FLAG} => {version=4.35.0, data_size=16384, name="vg-lv15-real", flags=DM_EXISTS_FLAG}) = -1 ENXIO (No such device or address)
write(2, "Device does not exist.", 22Device does not exist.)  = 22
write(2, "\n", 1
)   = 1
write(2, "Command failed.", 15Command failed.) = 15
write(2, "\n", 1
)   = 1
close(3)= 0
exit_group(1)   = ?
+++ exited with 1 +++
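
The lookup visible in the strace above, reproduced as a stale-link checker. This is an added example, not code from the thread or from lvm2: libdevmapper turns a path such as /dev/vg/lv20 into a device-mapper name by stat()ing it and walking /dev/mapper for the first entry with the same device number, so a leftover symlink (vg-lv15-real) that now resolves to /dev/dm-18 as well is picked up first and DM_DEV_STATUS is sent for a name the kernel no longer has. The script cross-checks every /dev/mapper entry against the name the kernel reports in /sys/dev/block/MAJ:MIN/dm/name. The function names and the sample directory contents are constructed for the example; the device numbers in the sample model the state the thread describes.

```python
"""Find stale /dev/mapper entries of the kind that broke 'dmsetup info' above.

Added example, not code from the thread or from lvm2. libdevmapper maps a
path like /dev/vg/lv20 to a device-mapper *name* by stat()ing the path and
walking /dev/mapper for the first entry with the same device number. A
leftover link such as vg-lv15-real that now also resolves to /dev/dm-18 is
found first, and DM_DEV_STATUS is then issued for a name the kernel does not
have any more, hence ENXIO. The kernel's own name for every dm device can be
read from /sys/dev/block/MAJ:MIN/dm/name, which lets us audit the directory.
"""
import os
import stat
from typing import Dict, List, Optional, Tuple

Rdev = str  # "MAJ:MIN"


def first_match_name(rdev: Rdev, mapper: Dict[str, Rdev]) -> Optional[str]:
    """Emulate the lookup: the first /dev/mapper entry whose device number
    equals that of the path the caller asked for. readdir() order is
    arbitrary; sorting only makes the result reproducible here."""
    for entry, entry_rdev in sorted(mapper.items()):
        if entry != "control" and entry_rdev == rdev:
            return entry
    return None


def stale_entries(mapper: Dict[str, Rdev],
                  kernel_names: Dict[Rdev, str]) -> List[Tuple[str, Rdev, str]]:
    """Entries whose name is not what the kernel calls the device they point
    at, or whose device number belongs to no dm device at all."""
    stale = []
    for entry, entry_rdev in sorted(mapper.items()):
        if entry == "control":
            continue  # /dev/mapper/control is the ioctl node, not a mapping
        real = kernel_names.get(entry_rdev)
        if real != entry:
            stale.append((entry, entry_rdev, real or "<no such dm device>"))
    return stale


def scan_system(mapper_dir: str = "/dev/mapper",
                sys_dev_block: str = "/sys/dev/block"
                ) -> Tuple[Dict[str, Rdev], Dict[Rdev, str]]:
    """Build both maps from a live host (needs read access to /dev and /sys)."""
    mapper: Dict[str, Rdev] = {}
    kernel_names: Dict[Rdev, str] = {}
    for entry in os.listdir(mapper_dir):
        try:
            st = os.stat(os.path.join(mapper_dir, entry))  # follows symlinks, as libdm does
        except FileNotFoundError:
            continue  # dangling symlink
        if not stat.S_ISBLK(st.st_mode):
            continue
        rdev = f"{os.major(st.st_rdev)}:{os.minor(st.st_rdev)}"
        mapper[entry] = rdev
        try:
            with open(os.path.join(sys_dev_block, rdev, "dm", "name")) as fh:
                kernel_names[rdev] = fh.read().strip()
        except OSError:
            pass  # device number is not a live dm device
    return mapper, kernel_names


# Constructed data modelling the state described in the thread: after the
# snapshot of lv15 was removed, minor 18 went to lv20, but the -real link stayed.
EXAMPLE_MAPPER: Dict[str, Rdev] = {
    "control": "10:236",
    "vg-lv15": "253:14",
    "vg-lv15-real": "253:18",  # stale leftover of the removed snapshot
    "vg-lv20": "253:18",
}
EXAMPLE_KERNEL_NAMES: Dict[Rdev, str] = {"253:14": "vg-lv15", "253:18": "vg-lv20"}

if __name__ == "__main__":
    print("lookup for 253:18 resolves to:", first_match_name("253:18", EXAMPLE_MAPPER))
    for entry, rdev, real in stale_entries(EXAMPLE_MAPPER, EXAMPLE_KERNEL_NAMES):
        print(f"stale: /dev/mapper/{entry} -> {rdev}, kernel calls that device {real}")
```

On a live host call scan_system() and feed both maps to stale_entries(). An entry it reports is the kind of node that `dmsetup mknodes` (without arguments) re-syncs against the devices the kernel currently has loaded, according to its man page; and addressing the device by number, `dmsetup info -c -o name -j 253 -m 18`, bypasses the name walk entirely and is a quick way to confirm the diagnosis.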

[linux-lvm] dmsetup says "Device does not exist", though it exists

2019-08-13 Thread Christoph Pleger

Hello,

I have a volume group with 20 logical volumes. Only the last one of 
these volumes has a strange problem with dmsetup, shown by these 
commands and output on the command line:


root@host:/home/linux# /sbin/dmsetup info -c -o name --noheadings 
/dev/vg/lv20

Device does not exist.
Command failed

root@host:/home/linux# lvdisplay -c /dev/vg/lv20
  /dev/vg/lv20:vg:3:1:-1:0:4194304:512:-1:0:-1:253:19

root@host:/home/linux# mount /dev/vg/lv20 /mnt
root@host:/home/linux# ls /mnt
lost+found data1 data2

That is, dmsetup says "Device does not exist" about a logical volume, 
though the volume exists and is operating normally. What is the possible 
problem here?


Regards
  Christoph



Re: [linux-lvm] lvcreate from a setuid-root binary

2018-11-21 Thread Christoph Pleger

Hello,


May be silly question: Do you have selinux or equivalent enabled?


I HAD apparmor enabled, but after the first failures (like described 
here) had occurred, I also suspected apparmor as a possible reason and 
disabled it. Unfortunately, that did not help.


Regards
  Christoph



Re: [linux-lvm] lvcreate from a setuid-root binary

2018-11-21 Thread Christoph Pleger

Hello,

On 2018-11-16 16:41, Stuart D. Gathman wrote:

It's not very elegant, but the quick and dirty solution is to use sudo


Probably you had not yet read that far in this thread, but I already 
wrote that sudo does not work when called from pam_exec.


To get the stderr and stdout results of sudo, I wrote a shell script 
wrapper around it, and the results are (maybe because sudo itself uses 
PAM?):


sudo: unable to change to root gid: Operation not permitted
sudo: unable to initialize policy plugin

Someone wrote that he assumes that pam_exec ignores the setuid-bit in 
the file permissions, but that is obviously wrong, as this whole thread 
is about why lvcreate, when being called from my setuid-root-binary, has 
permission problems though all three (real, effective and saved) UIDs 
are 0 (and of course I checked that they really are 0).


Regards
  Christoph



Re: [linux-lvm] lvcreate from a setuid-root binary

2018-11-19 Thread Christoph Pleger

Hello,

On 2018-11-15 17:39, Christoph Pleger wrote:


Unfortunately - though these UIDs are all set to 0 - lvcreate still
does not work for me. That is, it does work when I call my
setuid-binary as a non-root user from the command line, but it does
not work when I call my setuid-binary from PAM module pam_exec - and
that is what I need my program for. I let my program send lvcreate
output to a file and that file has the following content:

 device-mapper: version ioctl on  failed: Permission denied
  Incompatible libdevmapper 1.02.137 (2016-11-30) and kernel driver
(unknown version).
  striped: Required device-mapper target(s) not detected in your 
kernel.

  Run `lvcreate --help' for more information.

What might be the problem here so that lvcreate gives these errors
though all UIDs are 0?


No matter if I use that setuid-mechanism in the end or not, I would 
still like to know why it does not work as-is with lvcreate. :-)


I guess that the error message "device-mapper: version ioctl on  failed: 
Permission denied" comes from the following lines in LVM's 
libdm/ioctl/libdm-iface.c:



if (_log_suppress || dmt->ioctl_errno == EINTR)
        log_verbose("device-mapper: %s ioctl on %s%s%s%.0d%s%.0d%s%s "
                    "failed: %s",
                    _cmd_data_v4[dmt->type].name,
                    dmi->name, dmi->uuid,
                    dmt->major > 0 ? "(" : "",
                    dmt->major > 0 ? dmt->major : 0,
                    dmt->major > 0 ? ":" : "",
                    dmt->minor > 0 ? dmt->minor : 0,
                    dmt->major > 0 && dmt->minor == 0 ? "0" : "",
                    dmt->major > 0 ? ")" : "",
                    strerror(dmt->ioctl_errno));
else
        log_error("device-mapper: %s ioctl on %s%s%s%.0d%s%.0d%s%s "
                  "failed: %s",
                  _cmd_data_v4[dmt->type].name,
                  dmi->name, dmi->uuid,
                  dmt->major > 0 ? "(" : "",
                  dmt->major > 0 ? dmt->major : 0,
                  dmt->major > 0 ? ":" : "",
                  dmt->minor > 0 ? dmt->minor : 0,
                  dmt->major > 0 && dmt->minor == 0 ? "0" : "",
                  dmt->major > 0 ? ")" : "",
                  strerror(dmt->ioctl_errno));

But somehow, the values are empty ...

Regards
  Christoph

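
A check that belongs next to both the "version ioctl ... Permission denied" message above and the "unable to change to root gid" output from sudo in this thread. This is an added example, not code from the thread: the ioctls on /dev/mapper/control (DM_VERSION included) are gated on CAP_SYS_ADMIN rather than on uid 0, and setgid(2) needs CAP_SETGID, so "all three UIDs are 0" does not by itself rule out EPERM. A setuid-root binary exec'd from a process whose capability bounding set is empty (a service started with its bounding set cleared, for instance) comes up with uid 0 and an empty effective set; the thread never says how the service is started, so that cause is an assumption, and this script is the check that confirms or rules it out. The function names and the two sample /proc/PID/status texts are constructed for the example.

```python
"""Check whether a process that is uid 0 actually holds the capabilities that
device-mapper and sudo need.

Added example, not code from the thread. The kernel gates every ioctl on
/dev/mapper/control (DM_VERSION included) on CAP_SYS_ADMIN, not on uid 0,
and sudo's "unable to change to root gid" is setgid(2) failing, which needs
CAP_SETGID. A setuid-root binary exec'd under an empty capability bounding
set ends up with uids 0/0/0 and an empty effective set (assumption: the
thread does not say how the calling service is started).
"""
from typing import Dict, Sequence, Tuple

# Capability numbers from <linux/capability.h>.
CAP_SETGID = 6
CAP_SETUID = 7
CAP_SYS_ADMIN = 21
CAP_NAMES = {CAP_SETGID: "CAP_SETGID", CAP_SETUID: "CAP_SETUID",
             CAP_SYS_ADMIN: "CAP_SYS_ADMIN"}
# What lvcreate (DM ioctls) and sudo (setgid/setuid) need.
REQUIRED: Tuple[int, ...] = (CAP_SETGID, CAP_SETUID, CAP_SYS_ADMIN)


def parse_status(text: str) -> Dict[str, str]:
    """Turn the 'Key:\\tvalue' lines of /proc/PID/status into a dict."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def has_cap(mask_hex: str, cap: int) -> bool:
    """Test bit 'cap' of a CapXxx mask as printed by the kernel (hex)."""
    return (int(mask_hex, 16) >> cap) & 1 == 1


def capability_report(status: Dict[str, str],
                      required: Sequence[int] = REQUIRED) -> Dict[str, object]:
    """The three uids, NoNewPrivs, and which required capabilities are
    absent from the effective and from the bounding set."""
    uids = tuple(int(x) for x in status.get("Uid", "-1 -1 -1 -1").split()[:3])
    eff = status.get("CapEff", "0")
    bnd = status.get("CapBnd", "0")
    return {
        "uids": uids,  # (real, effective, saved)
        "no_new_privs": status.get("NoNewPrivs", "0") == "1",
        "missing_effective": [CAP_NAMES[c] for c in required if not has_cap(eff, c)],
        "missing_bounding": [CAP_NAMES[c] for c in required if not has_cap(bnd, c)],
    }


def dm_ioctls_allowed(status: Dict[str, str]) -> bool:
    """The one thing the DM control ioctls check: CAP_SYS_ADMIN in CapEff."""
    return has_cap(status.get("CapEff", "0"), CAP_SYS_ADMIN)


def self_report() -> Dict[str, object]:
    """Call this from inside the setuid program (or a child) on a live host."""
    with open("/proc/self/status") as fh:
        return capability_report(parse_status(fh.read()))


# Constructed samples. CAP_LAST_CAP is 37 on the 4.9 kernel from the thread,
# so a full capability set prints as 0x3fffffffff.
STATUS_FULL_ROOT = """Name:\tlvcreate
Uid:\t0\t0\t0\t0
Gid:\t0\t0\t0\t0
NoNewPrivs:\t0
CapInh:\t0000000000000000
CapPrm:\t0000003fffffffff
CapEff:\t0000003fffffffff
CapBnd:\t0000003fffffffff
CapAmb:\t0000000000000000
"""

# Same uids, but exec'd under an empty bounding set: root in name only.
STATUS_CAPLESS_ROOT = STATUS_FULL_ROOT.replace("0000003fffffffff", "0000000000000000")

if __name__ == "__main__":
    for label, text in (("full root", STATUS_FULL_ROOT), ("capless root", STATUS_CAPLESS_ROOT)):
        status = parse_status(text)
        print(label, capability_report(status),
              "dm ioctls:", "ok" if dm_ioctls_allowed(status) else "EPERM")
```

From a shell the same information is `grep -E '^(Uid|NoNewPrivs|Cap)' /proc/$PID/status` for the running service (decode a mask with `capsh --decode=<hex>`). If CapEff is all zeros while the uids are 0, the thing to inspect is how the process that runs pam_exec was started (a systemd unit's CapabilityBoundingSet=, a container runtime), not the setuid program; NoNewPrivs set to 1 would instead mean the setuid bit was never honoured and the uids would not be 0.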


Re: [linux-lvm] lvcreate from a setuid-root binary

2018-11-19 Thread Christoph Pleger

Hello,

On 2018-11-19 14:19, Bryn M. Reeves wrote:

On Fri, Nov 16, 2018 at 02:43:10PM +0100, Christoph Pleger wrote:
The beginning is that I want to create a user-specific logical volume 
when a user logs in to a service that authenticates its users through pam 
and that does not run as root.


Couldn't you use a pam_scripts ses_open/ses_close hook to do this?

That way you can get rid of any suid binary and rely on the well
tested PAM stack to carry out the set up (and optionally clean up)
for the users at login/out time.


Hm, I do not see how the scripts called by pam_scripts can be executed 
with a different user id from the process that called pam_authenticate()?


Regards
  Christoph



Re: [linux-lvm] lvcreate from a setuid-root binary

2018-11-19 Thread Christoph Pleger

Hello,

On 2018-11-19 15:04, matthew patton wrote:

program calls getpwuid() with the real user id of the calling user


maybe I missed a critical post explaining why it has to be, but that's
a job for a trivial sudo specification line.

I can't think of any reason why sudo is not the answer to your
problem, or frankly isn't always the answer.


I have already tried sudo before writing my own setuid-root-program, by 
calling it directly from pam_exec and by letting pam_exec call another 
program first that calls sudo. Either case failed, even with simple 
tests like letting sudo run /bin/ls (and of course I checked before that 
the same user could use sudo from the command line).


Regards
  Christoph



Re: [linux-lvm] lvcreate from a setuid-root binary

2018-11-16 Thread Christoph Pleger

Hello,


Let's stop there.  The fact you're asking a question about setuid
suggests you don't understand enough to be able to use it safely.


I get security by checking the real user id at the beginning of the 
program and aborting the program if that uid does not belong to the only 
user who is allowed to run the program. That user is me and I guess that 
it is much more insecure to run the whole service that wants to 
authenticate users through PAM as root.



Go back to the beginning and describe the original problem you are
trying to solve and the constraints you have and ask for advice about
ways to achieve it.


The beginning is that I want to create a user-specific logical volume 
when a user logs in to a service that authenticates its users through 
pam and that does not run as root.


Regards
  Christoph
