Re: Antw: Re: Problem with multiple root-users (UID=0)

2011-11-14 Thread Thomas Weichert
No, sudo does not solve the problem. And what about people that give
their root-users different uids for security reasons? In this case the
check in mgmt_ipc.c will be successful, but iscsiadm still aborts due
to missing write permissions. From my point of view, the only way to
solve this issue is to replace the check for username root with a
check for uid 0.

Kind regards
Thomas


On 11 Nov., 08:05, Ulrich Windl ulrich.wi...@rz.uni-regensburg.de
wrote:
 Hi!

 I wonder whether sudo could solve your problem.

 Ulrich

  Thomas Weichert tho...@weichert-web.de wrote on 10.11.2011 at 09:33 in
  message 13d84f75-4818-40be-ac53-e9d754555...@i15g2000yqm.googlegroups.com:

  I can do anything like root does including writing to /etc/iscsi and
  /var/lib/iscsi. For files in /sys/block/sdX/device/queue_depth it was
  not successful (E667: Fsync failed), but this also happens when I try
  the same as real user root and seems not to be a permission issue.

  As far as I know, all users that have uid=0 are root users, however
  this might not be foreseen in Linux, since the actual logged in user
  (`whoami`) is not stable across different logins. E.g. I log in on one
  console as root and whoami returns root. If I log in on another
  console with lroot, _both_ outputs of whoami return lroot. What I
  also saw is that sometimes I log in as lroot (after reboot) and
  whoami returns root and vice versa. The latter effect seems to be
  associated with the order of entries in /etc/passwd, however it does
  not solve the multiple login issue.

  I guess it would be enough just to check if the user that calls
  iscsiadm has uid=0 and not the name root, because if uid=0 the user
  is definitively a root user with sufficient privileges.

  Kind regards
  Thomas

-- 
You received this message because you are subscribed to the Google Groups 
open-iscsi group.
To post to this group, send email to open-iscsi@googlegroups.com.
To unsubscribe from this group, send email to 
open-iscsi+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/open-iscsi?hl=en.



Re: Antw: Re: Problem with multiple root-users (UID=0)

2011-11-14 Thread Ulrich Windl
 Thomas Weichert tho...@weichert-web.de wrote on 11.11.2011 at 10:00 in
message e2a38854-d35c-4177-b358-3b24abc4a...@w3g2000vbw.googlegroups.com:
 No, sudo does not solve the problem. And what about people that give
 their root-users different uids for security reasons? In this case the
 check in mgmt_ipc.c will be successful, but iscsiadm still aborts due
 to missing write permissions. From my point of view, the only way to
 solve this issue is to replace the check for username root with a
 check for uid 0.

Hi!

I wonder how changing the permissions of root will make the system more secure: 
If someone manages to break in as root, he will find out what the real root 
is. Having multiple roots will not add anything to security IMHO, either. I 
agree with the permission check, but I'm worried about your security policies 
;-)

Regards,
Ulrich


 
 Kind regards
 Thomas
 
 
 On 11 Nov., 08:05, Ulrich Windl ulrich.wi...@rz.uni-regensburg.de
 wrote:
  Hi!
 
  I wonder whether sudo could solve your problem.
 
  Ulrich
 
   Thomas Weichert tho...@weichert-web.de wrote on 10.11.2011 at 09:33 in
   message 13d84f75-4818-40be-ac53-e9d754555...@i15g2000yqm.googlegroups.com:

   I can do anything like root does including writing to /etc/iscsi and
   /var/lib/iscsi. For files in /sys/block/sdX/device/queue_depth it was
   not successful (E667: Fsync failed), but this also happens when I try
   the same as real user root and seems not to be a permission issue.

   As far as I know, all users that have uid=0 are root users, however
   this might not be foreseen in Linux, since the actual logged in user
   (`whoami`) is not stable across different logins. E.g. I log in on one
   console as root and whoami returns root. If I log in on another
   console with lroot, _both_ outputs of whoami return lroot. What I
   also saw is that sometimes I log in as lroot (after reboot) and
   whoami returns root and vice versa. The latter effect seems to be
   associated with the order of entries in /etc/passwd, however it does
   not solve the multiple login issue.
 
   I guess it would be enough just to check if the user that calls
   iscsiadm has uid=0 and not the name root, because if uid=0 the user
   is definitively a root user with sufficient privileges.
 
   Kind regards
   Thomas



 




Antw: Re: Problem with multiple root-users (UID=0)

2011-11-10 Thread Ulrich Windl
 Mike Christie micha...@cs.wisc.edu wrote on 09.11.2011 at 21:05 in
message 4ebadd08.3060...@cs.wisc.edu:
 On 11/07/2011 01:37 PM, Thomas Weichert wrote:
  Hi,
  
  in the last few days I encountered a problem on my SLES 11.1 Linux
  with the open-iscsi package in version 2.0-871 respectively 0.872. I
  investigated the problem and found out that in my system there are two
  root users with uid = 0 (sadly, this is required). Therefore I dug
  deeper and found out that the problem most probably lies in the two
  code snippets where root is defined explicitly. Those are
  usr/mgmt_ipc.c around line 549 with:
  
  if (!mgmt_peeruser(fd, user) || strncmp(user, "root", PEERUSER_MAX)) {
          err = MGMT_IPC_ERR_ACCESS;
          goto err;
  }
  
  as well as usr/statics.c around line 7:
  
  static struct passwd root_pw = {
          .pw_name = "root",
  };
  
  When the Linux command `whoami` returns something different than
  root, open-iscsi will not work.
  
  As far as I understand the issue, the function call to mgmt_peeruser()
  in mgmt_ipc.c sets the variable user to the currently logged in user
  name and then it is compared to root. If my root-user is named
  differently, the strncmp function fails of course. I did not
  investigate the code in statics.c further, whether it plays a role or
  not, since a change to mgmt_ipc.c solves my problem.
  
  Is there a chance to fix this issue just by checking if the user has
  sufficient rights, e.g. has uid=0, or is there any special reason for
  demanding a user named root?
 
 If you have a uid=0, but you do not have the username of root can you
 write files like the ones in /etc/iscsi or /var/lib/iscsi or can you
 write to some proc/sysfs files like the
 /sys/block/sdX/device/queue_depth one?

Hi Mike!

I guess so, because the open() syscall doesn't care about the user's name; just 
about the UID (and GIDs).

Ulrich
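
The two checks discussed in this thread, side by side, as an added example that is not part of the original messages and is not open-iscsi code. It assumes the peer's name is obtained by a first-match uid lookup in the passwd database; the passwd listings are constructed, and name_for_uid, allow_by_name, allow_by_uid and the PEERUSER_MAX value are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PEERUSER_MAX 64 /* assumed buffer size, not taken from the thread */

/* Constructed passwd listings: two uid-0 accounts, in either order. */
static const char ROOT_FIRST[] =
    "root:x:0:0:root:/root:/bin/bash\n"
    "lroot:x:0:0:local root:/root:/bin/bash\n"
    "alice:x:1000:100:Alice:/home/alice:/bin/bash\n";
static const char LROOT_FIRST[] =
    "lroot:x:0:0:local root:/root:/bin/bash\n"
    "root:x:0:0:root:/root:/bin/bash\n";

/* First-match uid -> name lookup (hypothetical helper); returns 1 if found. */
static int name_for_uid(const char *db, long uid, char *out, size_t len)
{
    for (const char *line = db; line && *line; ) {
        const char *eol = strchr(line, '\n'), *c1 = strchr(line, ':');
        const char *c2 = c1 ? strchr(c1 + 1, ':') : NULL; /* end of passwd field */
        char *end = NULL;
        /* The uid field must sit on this line, be non-empty and end at ':'. */
        if (c2 && (!eol || c2 < eol) &&
            strtol(c2 + 1, &end, 10) == uid && end != c2 + 1 && *end == ':') {
            snprintf(out, len, "%.*s", (int)(c1 - line), line);
            return 1;
        }
        line = eol ? eol + 1 : NULL;
    }
    return 0;
}

/* Name-based check as quoted in the thread: the resolved name must be "root". */
static int allow_by_name(const char *db, long peer_uid)
{
    char user[PEERUSER_MAX];
    return name_for_uid(db, peer_uid, user, sizeof(user)) &&
           strncmp(user, "root", PEERUSER_MAX) == 0;
}

/* uid-based check proposed in the thread: independent of passwd order. */
static int allow_by_uid(long peer_uid) { return peer_uid == 0; }

int main(void)
{
    printf("root first : name=%d uid=%d\n", allow_by_name(ROOT_FIRST, 0), allow_by_uid(0));
    printf("lroot first: name=%d uid=%d\n", allow_by_name(LROOT_FIRST, 0), allow_by_uid(0));
    return 0;
}
```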





Antw: Re: Problem with multiple root-users (UID=0)

2011-11-10 Thread Ulrich Windl
Hi!

I wonder whether sudo could solve your problem.

Ulrich


 Thomas Weichert tho...@weichert-web.de wrote on 10.11.2011 at 09:33 in
message 13d84f75-4818-40be-ac53-e9d754555...@i15g2000yqm.googlegroups.com:
 I can do anything like root does including writing to /etc/iscsi and
 /var/lib/iscsi. For files in /sys/block/sdX/device/queue_depth it was
 not successful (E667: Fsync failed), but this also happens when I try
 the same as real user root and seems not to be a permission issue.
 
 As far as I know, all users that have uid=0 are root users, however
 this might not be foreseen in Linux, since the actual logged in user
 (`whoami`) is not stable across different logins. E.g. I log in on one
 console as root and whoami returns root. If I log in on another
 console with lroot, _both_ outputs of whoami return lroot. What I
 also saw is that sometimes I log in as lroot (after reboot) and
 whoami returns root and vice versa. The latter effect seems to be
 associated with the order of entries in /etc/passwd, however it does
 not solve the multiple login issue.
 
 I guess it would be enough just to check if the user that calls
 iscsiadm has uid=0 and not the name root, because if uid=0 the user
 is definitively a root user with sufficient privileges.
 
 Kind regards
 Thomas



 
