On Mon, Jun 07, 2010 at 01:30:22PM -0700, Zach Carter wrote: > When a non-root user is accessing an lvm snapshot chroot, the call to lockdev > is made with insufficient permissions, resulting in this error: > > E: test-f13-401b1c48-570f-48bb-8389-4b6d44f18577: Failed to lock chroot: > /dev/fastvg/f13lv: Failed to lock device: Failed to lock device > > This issue can also be reproduced in schroot 1.4.2 > > Additional details are available in Fedora bug 600638 here: > > https://bugzilla.redhat.com/show_bug.cgi?id=600636 > > The patch proposed there consists of moving the setuid call to an earlier > point before the call to lockdev is made.
Hi Zach, This is not a bug in schroot. It's a bug in lockdev, specifically a patch to lockdev added in RedHat/Fedora which breaks setuid programs. schroot works fine using the vanilla upstream/Debian lockdev without this patch. This is the patch: http://lists.alioth.debian.org/pipermail/lockdev-devel/2010-February/000013.html and this is my review with the rationale: http://lists.alioth.debian.org/pipermail/lockdev-devel/2010-February/000039.html and here's a previous finder of this issue in CentOS: http://www.nikhef.nl/~dennisvd/schroot.html To summarise the above: this patch uses access(2) to see if the user has permission to use the device. access(2) is racy, but more importantly uses the real UID, not the effective UID of the calling process. Normally this makes no difference, but in a setuid program such as schroot, this completely breaks things. The suggested fix of the setuid call is AFAICT just working around this problem; schroot itself only has a single setuid call, and that's when switching to user context prior to invoking a program or shell on their behalf. All the locking and other setup is always done as root with EUID=0. I'm not sure why this patch was introduced, but as it stands it's lockdev at fault here, not schroot. Due to lack of upstream maintenance of lockdev, the Debian and Fedora lockdev sources have diverged with the accumulation of different patches over the last few years. Debian was the upstream for the last 10 years or so since upstream passed away. Over the last six months, mainly with the assistance of Ludwig Nussel (though Karel Zak at Red Hat was also involved initiating this), we have merged all the outstanding RedHat patches into upstream. You can find the git repo and mailing list at alioth.debian.org. Some bits were not included or were reworked , and the access(2) checks were one of those. We haven't yet made a new upstream release of this unified tree, but I would hope this is possible soon (the work is basically done, it just needs review and testing). Regards, Roger -- .''`. Roger Leigh : :' : Debian GNU/Linux http://people.debian.org/~rleigh/ `. `' Printing on GNU/Linux? http://gutenprint.sourceforge.net/ `- GPG Public Key: 0x25BFB848 Please GPG sign your mail.
signature.asc
Description: Digital signature
