Debian Bug report logs -
#211884
login: doesn't work on NFS mounted homedirs with root_squash option and 700 permissions
Reported by: Michael Neuffer <neuffer@neuffer.info>
Date: Sun, 21 Sep 2003 00:18:07 UTC
Severity: grave
Found in version 1:4.0.3-11
Fixed in version shadow/1:4.0.3-12
Done: Karl Ramm <kcr@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Karl Ramm <kcr@debian.org>:
Bug#211884; Package login.
Acknowledgement sent to Michael Neuffer <neuffer@neuffer.info>:
New Bug report received and forwarded. Copy sent to Karl Ramm <kcr@debian.org>.
Message #5 received at submit@bugs.debian.org:
Package: login
Version: 1:4.0.3-11
Severity: grave
login doesn't work on NFS mounted homedirs with root_squash option and
700 permissions
From the trace:
.
.
.
stat64("/dev/vc/2", {st_mode=S_IFCHR|0600, st_rdev=makedev(4, 2), ...}) = 0
fstat64(0, {st_mode=S_IFCHR|0600, st_rdev=makedev(4, 2), ...}) = 0
chown32(0xbfffd6f0, 0x3e8, 0x5) = 0
chmod("/dev/vc/2", 0600) = 0
chdir("/homes/users/neuffer") = -1 EACCES (Permission denied)
chdir("/") = 0
open("/usr/share/locale/locale.alias", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=2598, ...}) = 0
.
.
.
It looks like login switches too late to the uid of the user logging in
and thus causes login to fall back to / as home directory.
My current workaround is changing the permissions of the home directory
to 711, but this is not a good long-term solution.
-- System Information:
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux charion 2.6.0-test5 #1 Tue Sep 9 20:05:28 CEST 2003 i686
Locale: LANG=de_DE@euro, LC_CTYPE=de_DE@euro
Versions of packages login depends on:
ii libc6 2.3.2-7 GNU C Library: Shared libraries an
ii libpam-modules 0.76-14 Pluggable Authentication Modules f
ii libpam-runtime 0.76-14 Runtime support for the PAM librar
ii libpam0g 0.76-14 Pluggable Authentication Modules l
-- no debconf information
Acknowledgement sent to kcr@debian.org:
Extra info received and forwarded to list. Copy sent to Karl Ramm <kcr@debian.org>.
Message #10 received at 211884@bugs.debian.org:
Has this ever worked? Or is this (as I suspect) a new bug in -11?
kcr
Acknowledgement sent to Michael Neuffer <neuffer@neuffer.info>:
Extra info received and forwarded to list. Copy sent to Karl Ramm <kcr@debian.org>.
Message #15 received at 211884@bugs.debian.org:
Quoting kcr@debian.org (kcr@debian.org):
> Has this ever worked? Or is this (as I suspect) a new bug in -11?
Yes, this has worked before. It must have happened sometime last week
(I update my Debian mirror and then the installation about once a week,
usually on Saturdays), if I recall correctly. I only just had the idea
that login might be the culprit and traced it.
Cheers
Mike
--
---------------------------------------------------------------------
Michael Neuffer Phone: +49 6131 540117
Zum Schiersteiner Grund 2 Fax: +49 6131 477288
55127 Mainz Mobile: +49 171 1406664
Germany Mail: neuffer@neuffer.info
---------------------------------------------------------------------
Acknowledgement sent to Matt Zimmerman <mdz@debian.org>:
Extra info received and forwarded to list. Copy sent to Karl Ramm <kcr@debian.org>.
Message #20 received at 211884@bugs.debian.org:
It was arguably a bug that this worked before, since PAM things could expect
to access the user's home dir as root. However, it doesn't seem acceptable
to fail this way after an upgrade when things worked.
It would be pretty straightforward to create a test to see whether this bug
would change behaviour for a given system, e.g. use getent to enumerate
users on the system, and try to chdir() to each home dir as root. Then, a
warning could be displayed from postinst or such if this will be a problem.
--
- mdz
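The check proposed in the message above, written out as an added example (it is not part of the bug log or of the shadow package). The function names and the MIN_UID cutoff of 1000 are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example: pre-upgrade check sketched in the thread.
# Reads passwd(5)-format lines on stdin and prints "user:home" for every
# account whose home directory exists but cannot be entered by the caller.
# Run as root, this flags homes on root_squash NFS exports with mode 700.

MIN_UID=${MIN_UID:-1000}   # assumption: regular accounts start at UID 1000

unreachable_homes() {
    while IFS=: read -r user _pw uid _gid _gecos home shell; do
        # Skip malformed lines and system accounts.
        case $uid in ''|*[!0-9]*) continue ;; esac
        [ "$uid" -ge "$MIN_UID" ] || continue
        # Skip accounts that cannot log in interactively.
        case $shell in */nologin|*/false) continue ;; esac
        # A missing home is a different problem; only report existing ones.
        [ -d "$home" ] || continue
        # chdir() in a subshell so the caller's working directory is untouched.
        if ! (cd -- "$home") 2>/dev/null; then
            printf '%s:%s\n' "$user" "$home"
        fi
    done
}

warn_if_affected() {
    bad=$(unreachable_homes)
    [ -z "$bad" ] && return 0
    echo "WARNING: cannot chdir() into these home directories as uid $(id -u):" >&2
    printf '%s\n' "$bad" | sed 's/^/  /' >&2
    return 1
}

# Typical use from a maintainer script, as root:
#   getent passwd | warn_if_affected || true
```

The warning text could equally be mailed to root, as suggested later in the thread for unattended installs.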
Acknowledgement sent to Michael Neuffer <neuffer@neuffer.info>:
Extra info received and forwarded to list. Copy sent to Karl Ramm <kcr@debian.org>.
Message #25 received at 211884@bugs.debian.org:
Quoting Matt Zimmerman (mdz@debian.org):
> It was arguably a bug that this worked before, since PAM things could expect
> to access the user's home dir as root. However, it doesn't seem acceptable
> to fail this way after an upgrade when things worked.
For security reasons I am always root-squashing (most of) my NFS exports.
> It would be pretty straightforward to create a test to see whether this bug
> would change behaviour for a given system, e.g. use getent to enumerate
> users on the system, and try to chdir() to each home dir as root. Then, a
> warning could be displayed from postinst or such if this will be a problem.
I agree. This is an acceptable solution for the behaviour change.
I think it should even be mailed to the root user in case of an
unattended install.
Even so I'd personally very much prefer the old behaviour.
Cheers
Mike
Acknowledgement sent to Matt Zimmerman <mdz@debian.org>:
Extra info received and forwarded to list. Copy sent to Karl Ramm <kcr@debian.org>.
Message #30 received at 211884@bugs.debian.org:
On Sun, Sep 28, 2003 at 09:56:29AM +0200, Michael Neuffer wrote:
> Quoting Matt Zimmerman (mdz@debian.org):
> > It would be pretty straightforward to create a test to see whether this bug
> > would change behaviour for a given system, e.g. use getent to enumerate
> > users on the system, and try to chdir() to each home dir as root. Then, a
> > warning could be displayed from postinst or such if this will be a problem.
>
> I agree. This is an acceptable solution for the behaviour change.
> I think it should even be mailed to the root user in case of an
> unattended install.
>
> Even so I'd personally very much prefer the old behaviour.
I'm not sure why PAM is chdir'ing into the user's home directory during
cleanup; I suppose it could be a bug, but I haven't looked at the code.
--
- mdz
Reply sent to Karl Ramm <kcr@debian.org>:
You have taken responsibility.
Notification sent to Michael Neuffer <neuffer@neuffer.info>:
Bug acknowledged by developer.
Message #35 received at 211884-close@bugs.debian.org:
Source: shadow
Source-Version: 1:4.0.3-12
We believe that the bug you reported is fixed in the latest version of
shadow, which is due to be installed in the Debian FTP archive:
login_4.0.3-12_i386.deb
to pool/main/s/shadow/login_4.0.3-12_i386.deb
passwd_4.0.3-12_i386.deb
to pool/main/s/shadow/passwd_4.0.3-12_i386.deb
shadow_4.0.3-12.diff.gz
to pool/main/s/shadow/shadow_4.0.3-12.diff.gz
shadow_4.0.3-12.dsc
to pool/main/s/shadow/shadow_4.0.3-12.dsc
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 211884@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Karl Ramm <kcr@debian.org> (supplier of updated shadow package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Sat, 25 Oct 2003 15:26:20 -0400
Source: shadow
Binary: login passwd
Architecture: source i386
Version: 1:4.0.3-12
Distribution: unstable
Urgency: low
Maintainer: Karl Ramm <kcr@debian.org>
Changed-By: Karl Ramm <kcr@debian.org>
Description:
login - System login tools
passwd - Change and administer password and group data.
Closes: 206352 211884 212935 212995 213592 213931 216535 216542 216594
Changes:
shadow (1:4.0.3-12) unstable; urgency=low
.
* Explicitly use automake-1.7 and aclocal-1.7. closes: #216594
* Update Danish debconf translation. closes: #216542
* Update French debconf translation. closes: #206352
* Update Dutch debconf translation. closes: #212995
* Remove redundant dependency on grep. closes: #216535
* Fix chfn documentation bug. closes: #213931
* Fix su syslogs to be less ambiguous. (old:new instead of old-new
because '-' can appear in usernames.) Not clearer, mind you, but less
ambiguous. closes: #213592
* Rename limits(5) to limits.conf(5) and edit to reflect reality.
closes: #212935
* Move the change_uid call in login back to where it was before -11, and
relocate the fork for pam_close_session above it. closes: #211884
Files:
b5577f9fed66b1bb740b190d12191c85 1383 base required shadow_4.0.3-12.dsc
6b5951ee632cdbd3a78856b35bba9d8f 426804 base required shadow_4.0.3-12.diff.gz
d3448107435a0e794aa2453a4f4685c5 440934 base required passwd_4.0.3-12_i386.deb
743ae55af3c1a45ce90b1d7b1907c697 259990 base required login_4.0.3-12_i386.deb