Debian Bug report logs - #211884
login: doesnt work on NFS mounted homedirs with root_squash option and 700 permissions

Package: login; Maintainer for login is Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>; Source for login is src:shadow.

Reported by: Michael Neuffer <neuffer@neuffer.info>

Date: Sun, 21 Sep 2003 00:18:07 UTC

Severity: grave

Found in version 1:4.0.3-11

Fixed in version shadow/1:4.0.3-12

Done: Karl Ramm <kcr@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Karl Ramm <kcr@debian.org>:
Bug#211884; Package login.


Acknowledgement sent to Michael Neuffer <neuffer@neuffer.info>:
New Bug report received and forwarded. Copy sent to Karl Ramm <kcr@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Michael Neuffer <neuffer@neuffer.info>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: login: doesnt work on NFS mounted homedirs with root_squash option and 700 permissions
Date: Sun, 21 Sep 2003 02:07:01 +0200

Package: login
Version: 1:4.0.3-11
Severity: grave

login doesn't work on NFS mounted homedirs with root_squash option and
700 permissions

From the trace:
.
.
.
stat64("/dev/vc/2", {st_mode=S_IFCHR|0600, st_rdev=makedev(4, 2), ...}) = 0
fstat64(0, {st_mode=S_IFCHR|0600, st_rdev=makedev(4, 2), ...}) = 0
chown32(0xbfffd6f0, 0x3e8, 0x5)         = 0
chmod("/dev/vc/2", 0600)                = 0
chdir("/homes/users/neuffer")           = -1 EACCES (Permission denied)
chdir("/")                              = 0
open("/usr/share/locale/locale.alias", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=2598, ...}) = 0
.
.
.

It looks like login switches too late to the uid of the user logging in
and thus causes login to fall back to / as home directory.



My current workaround is changing the permissions of the home directory
to 711, but this is not a good long-term solution


-- System Information:
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux charion 2.6.0-test5 #1 Tue Sep 9 20:05:28 CEST 2003 i686
Locale: LANG=de_DE@euro, LC_CTYPE=de_DE@euro

Versions of packages login depends on:
ii  libc6                         2.3.2-7    GNU C Library: Shared libraries an
ii  libpam-modules                0.76-14    Pluggable Authentication Modules f
ii  libpam-runtime                0.76-14    Runtime support for the PAM librar
ii  libpam0g                      0.76-14    Pluggable Authentication Modules l

-- no debconf information





Message #10 received at 211884@bugs.debian.org:

From: kcr@debian.org
To: Michael Neuffer <neuffer@neuffer.info>, 211884@bugs.debian.org
Subject: Re: Bug#211884: login: doesnt work on NFS mounted homedirs with root_squash option and 700 permissions
Date: 21 Sep 2003 02:57:26 -0400

Has this ever worked?  Or is this (as I suspect) a new bug in -11?

kcr

Michael Neuffer <neuffer@neuffer.info> writes:

> Package: login
> Version: 1:4.0.3-11
> Severity: grave
> 
> login doesn't work on NFS mounted homedirs with root_squash option and
> 700 permissions
> 
> From the trace:
> .
> .
> .
> stat64("/dev/vc/2", {st_mode=S_IFCHR|0600, st_rdev=makedev(4, 2), ...}) = 0
> fstat64(0, {st_mode=S_IFCHR|0600, st_rdev=makedev(4, 2), ...}) = 0
> chown32(0xbfffd6f0, 0x3e8, 0x5)         = 0
> chmod("/dev/vc/2", 0600)                = 0
> chdir("/homes/users/neuffer")           = -1 EACCES (Permission denied)
> chdir("/")                              = 0
> open("/usr/share/locale/locale.alias", O_RDONLY) = 3
> fstat64(3, {st_mode=S_IFREG|0644, st_size=2598, ...}) = 0
> .
> .
> .
> 
> It looks like login switches too late to the uid of the user logging in
> and thus causes login to fall back to / as home directory.
> 
> 
> 
> My current workaround is changing the permissions of the home directory
> to 711, but this is not a good long-term solution
> 
> 
> -- System Information:
> Debian Release: testing/unstable
> Architecture: i386
> Kernel: Linux charion 2.6.0-test5 #1 Tue Sep 9 20:05:28 CEST 2003 i686
> Locale: LANG=de_DE@euro, LC_CTYPE=de_DE@euro
> 
> Versions of packages login depends on:
> ii  libc6                         2.3.2-7    GNU C Library: Shared libraries an
> ii  libpam-modules                0.76-14    Pluggable Authentication Modules f
> ii  libpam-runtime                0.76-14    Runtime support for the PAM librar
> ii  libpam0g                      0.76-14    Pluggable Authentication Modules l
> 
> -- no debconf information




Message #15 received at 211884@bugs.debian.org:

From: Michael Neuffer <neuffer@neuffer.info>
To: kcr@debian.org
Cc: 211884@bugs.debian.org
Subject: Re: Bug#211884: login: doesnt work on NFS mounted homedirs with root_squash option and 700 permissions
Date: Sun, 21 Sep 2003 13:36:48 +0200

Quoting kcr@debian.org (kcr@debian.org):
> Has this ever worked?  Or is this (as I suspect) a new bug in -11?


Yes, this has worked before. It must have happened sometime last week 
(I update my Debian mirror and then the installation about once a week, 
usually on Saturdays), if I recall correctly. I only just had the idea 
that login might be the culprit and traced it.

Cheers
  Mike


> Michael Neuffer <neuffer@neuffer.info> writes:
> 
> > Package: login
> > Version: 1:4.0.3-11
> > Severity: grave
> > 
> > login doesn't work on NFS mounted homedirs with root_squash option and
> > 700 permissions
> > 
> > From the trace:
> > .
> > .
> > .
> > stat64("/dev/vc/2", {st_mode=S_IFCHR|0600, st_rdev=makedev(4, 2), ...}) = 0
> > fstat64(0, {st_mode=S_IFCHR|0600, st_rdev=makedev(4, 2), ...}) = 0
> > chown32(0xbfffd6f0, 0x3e8, 0x5)         = 0
> > chmod("/dev/vc/2", 0600)                = 0
> > chdir("/homes/users/neuffer")           = -1 EACCES (Permission denied)
> > chdir("/")                              = 0
> > open("/usr/share/locale/locale.alias", O_RDONLY) = 3
> > fstat64(3, {st_mode=S_IFREG|0644, st_size=2598, ...}) = 0
> > .
> > .
> > .
> > 
> > It looks like login switches too late to the uid of the user logging in
> > and thus causes login to fall back to / as home directory.
> > 
> > 
> > 
> > My current workaround is changing the permissions of the home directory
> > to 711, but this is not a good long-term solution
> > 
> > 
> > -- System Information:
> > Debian Release: testing/unstable
> > Architecture: i386
> > Kernel: Linux charion 2.6.0-test5 #1 Tue Sep 9 20:05:28 CEST 2003 i686
> > Locale: LANG=de_DE@euro, LC_CTYPE=de_DE@euro
> > 
> > Versions of packages login depends on:
> > ii  libc6                         2.3.2-7    GNU C Library: Shared libraries an
> > ii  libpam-modules                0.76-14    Pluggable Authentication Modules f
> > ii  libpam-runtime                0.76-14    Runtime support for the PAM librar
> > ii  libpam0g                      0.76-14    Pluggable Authentication Modules l
> > 
> > -- no debconf information

-- 
---------------------------------------------------------------------
Michael Neuffer                            Phone:     +49 6131 540117
Zum Schiersteiner Grund 2                  Fax:       +49 6131 477288
55127 Mainz                                Mobile:    +49 171 1406664
Germany                                    Mail: neuffer@neuffer.info
---------------------------------------------------------------------




Message #20 received at 211884@bugs.debian.org:

From: Matt Zimmerman <mdz@debian.org>
To: 211884@bugs.debian.org
Cc: Michael Neuffer <neuffer@neuffer.info>
Subject: Re: Bug#211884: login: doesnt work on NFS mounted homedirs with root_squash option and 700 permissions
Date: Sat, 27 Sep 2003 23:29:15 -0400

It was arguably a bug that this worked before, since PAM things could expect
to access the user's home dir as root.  However, it doesn't seem acceptable
to fail this way after an upgrade when things worked.

It would be pretty straightforward to create a test to see whether this bug
would change behaviour for a given system, e.g. use getent to enumerate
users on the system, and try to chdir() to each home dir as root.  Then, a
warning could be displayed from postinst or such if this will be a problem.

-- 
 - mdz
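
The pre-upgrade check proposed in this message, as an added example (not code from the thread or from the shadow package): it reads `getent passwd` output and lists accounts whose home directory exists but cannot be entered by the calling user. The function names and the `MIN_UID` cutoff of 1000 are assumptions made for the example.

```shell
#!/bin/sh
# Added example: find home directories that root cannot chdir() into,
# e.g. NFS exports with root_squash and mode-700 home directories.

MIN_UID=${MIN_UID:-1000}   # assumption: regular accounts start at UID 1000

# classify_home DIR -> prints "ok", "missing" or "denied".
# stat() on the directory only needs search permission on its parent, so a
# root-squashed 700 home still passes -d while the chdir() itself fails.
classify_home() {
    if [ ! -d "$1" ]; then
        echo missing
    elif (cd -- "$1") 2>/dev/null; then
        echo ok
    else
        echo denied
    fi
}

# scan_passwd: reads passwd(5)-format lines on stdin and prints "user:home"
# for each regular account whose home exists but cannot be entered.
scan_passwd() {
    while IFS=: read -r user _pw uid _gid _gecos home _shell; do
        case $uid in ''|*[!0-9]*) continue ;; esac   # skip malformed UIDs
        [ "$uid" -ge "$MIN_UID" ] || continue        # skip system accounts
        [ -n "$home" ] || continue
        if [ "$(classify_home "$home")" = denied ]; then
            printf '%s:%s\n' "$user" "$home"
        fi
    done
}

# report: what a maintainer script could call when run as root.
# Warns on stderr and returns 1 if any account is affected.
report() {
    affected=$(getent passwd | scan_passwd)
    [ -z "$affected" ] && return 0
    echo "WARNING: root cannot chdir() into these home directories:" >&2
    printf '%s\n' "$affected" | sed 's/^/  /' >&2
    return 1
}
```

Accounts whose home directory does not exist are skipped on purpose, since they fail for a reason unrelated to root squashing.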




Message #25 received at 211884@bugs.debian.org:

From: Michael Neuffer <neuffer@neuffer.info>
To: Matt Zimmerman <mdz@debian.org>
Cc: 211884@bugs.debian.org, Michael Neuffer <neuffer@neuffer.info>
Subject: Re: Bug#211884: login: doesnt work on NFS mounted homedirs with root_squash option and 700 permissions
Date: Sun, 28 Sep 2003 09:56:29 +0200

Quoting Matt Zimmerman (mdz@debian.org):
> It was arguably a bug that this worked before, since PAM things could expect
> to access the user's home dir as root.  However, it doesn't seem acceptable
> to fail this way after an upgrade when things worked.

For security reasons I am always root-squashing (most of) my NFS exports.

 
> It would be pretty straightforward to create a test to see whether this bug
> would change behaviour for a given system, e.g. use getent to enumerate
> users on the system, and try to chdir() to each home dir as root.  Then, a
> warning could be displayed from postinst or such if this will be a problem.

I agree. This is an acceptable solution for the behaviour change.
I think it should even be mailed to the root user in case of an
unattended install.

Even so I'd personally very much prefer the old behaviour.

Cheers
  Mike




Message #30 received at 211884@bugs.debian.org:

From: Matt Zimmerman <mdz@debian.org>
To: Michael Neuffer <neuffer@neuffer.info>
Cc: 211884@bugs.debian.org
Subject: Re: Bug#211884: login: doesnt work on NFS mounted homedirs with root_squash option and 700 permissions
Date: Sun, 28 Sep 2003 10:02:41 -0400

On Sun, Sep 28, 2003 at 09:56:29AM +0200, Michael Neuffer wrote:

> Quoting Matt Zimmerman (mdz@debian.org):
> > It would be pretty straightforward to create a test to see whether this bug
> > would change behaviour for a given system, e.g. use getent to enumerate
> > users on the system, and try to chdir() to each home dir as root.  Then, a
> > warning could be displayed from postinst or such if this will be a problem.
> 
> I agree. This is an acceptable solution for the behaviour change.
> I think it should even be mailed to the root user in case of an
> unattended install.
> 
> Even so I'd personally very much prefer the old behaviour.

I'm not sure why PAM is chdir'ing into the user's home directory during
cleanup; I suppose it could be a bug, but I haven't looked at the code.

-- 
 - mdz



Reply sent to Karl Ramm <kcr@debian.org>:
You have taken responsibility.


Notification sent to Michael Neuffer <neuffer@neuffer.info>:
Bug acknowledged by developer.


Message #35 received at 211884-close@bugs.debian.org:

From: Karl Ramm <kcr@debian.org>
To: 211884-close@bugs.debian.org
Subject: Bug#211884: fixed in shadow 1:4.0.3-12
Date: Sat, 25 Oct 2003 16:05:23 -0400

Source: shadow
Source-Version: 1:4.0.3-12

We believe that the bug you reported is fixed in the latest version of
shadow, which is due to be installed in the Debian FTP archive:

login_4.0.3-12_i386.deb
  to pool/main/s/shadow/login_4.0.3-12_i386.deb
passwd_4.0.3-12_i386.deb
  to pool/main/s/shadow/passwd_4.0.3-12_i386.deb
shadow_4.0.3-12.diff.gz
  to pool/main/s/shadow/shadow_4.0.3-12.diff.gz
shadow_4.0.3-12.dsc
  to pool/main/s/shadow/shadow_4.0.3-12.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 211884@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Karl Ramm <kcr@debian.org> (supplier of updated shadow package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 25 Oct 2003 15:26:20 -0400
Source: shadow
Binary: login passwd
Architecture: source i386
Version: 1:4.0.3-12
Distribution: unstable
Urgency: low
Maintainer: Karl Ramm <kcr@debian.org>
Changed-By: Karl Ramm <kcr@debian.org>
Description: 
 login      - System login tools
 passwd     - Change and administer password and group data.
Closes: 206352 211884 212935 212995 213592 213931 216535 216542 216594
Changes: 
 shadow (1:4.0.3-12) unstable; urgency=low
 .
   * Explicitly use automake-1.7 and aclocal-1.7.  closes: #216594
   * Update Danish debconf translation.  closes: #216542
   * Update French debconf translation.  closes: #206352
   * Update Dutch debconf translation.  closes: #212995
   * Remove redundant dependency on grep.  closes: #216535
   * Fix chfn documentation bug.  closes: #213931
   * Fix su syslogs to be less ambiguous.  (old:new instead of old-new
     because '-' can appear in usernames.)  Not clearer, mind you, but less
     ambiguous.  closes: #213592
   * Rename limits(5) to limits.conf(5) and edit to reflect reality.
     closes: #212935
   * Move the change_uid call in login back to where it was before -11, and
     relocate the fork for pam_close_session above it.  closes: #211884
Files: 
 b5577f9fed66b1bb740b190d12191c85 1383 base required shadow_4.0.3-12.dsc
 6b5951ee632cdbd3a78856b35bba9d8f 426804 base required shadow_4.0.3-12.diff.gz
 d3448107435a0e794aa2453a4f4685c5 440934 base required passwd_4.0.3-12_i386.deb
 743ae55af3c1a45ce90b1d7b1907c697 259990 base required login_4.0.3-12_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
-----END PGP SIGNATURE-----



