------- Comment From mauri...@br.ibm.com 2015-01-27 12:55 EDT-------

The error actually happened because the chroot was mounted over NFSv4, and the NFSv4 server had incorrect domain name configuration.
Then, the NFSv4 idmapd didn't match 'localdomain' (server) with cluster.com (client), resulting in the chfn binary (and others) being owned by nobody/nogroup; this, combined with the suid bit of that binary, resulted in the kernel denying it during the PAM/audit check (the failure occurs right after the socket/sendto/recvfrom syscalls from PAM to kernel audit).

Solution was to configure the domain name correctly on the server.

Possible workarounds were:
- Use NFSv3 (which has no Name-ID Mapping / idmapd)
- Clear the suid bit

More detailed description from e-mail..
----------------------------------------------------

The problem happened because the 'chfn' binary had the suid bit set and was not owned by root (actually, nobody/nogroup), so the kernel audit refused it during the PAM/auth step (the PAM error follows right after the socket/sendto/recvfrom syscalls for kernel audit).

That ownership mistake only exists on the NFS mount/client (on tulgpu002). It is correct (root/root) on the NFS server (bgxcat).

That happened due to a misconfiguration in the NFSv4 rpc.idmapd on the bgxcat server; bgxcat had no FQDN/fully-qualified domain name configured, so the NFSv4 idmapd didn't allow bgxcat user 'root' to be 'root' on tulgpu002, because of a mismatch between their domains ('localdomain' on bgxcat, 'cluster.com' in tulgpu002).

For a solution, either fixing the network/domain configuration in bgxcat, or using NFSv3, works. I have already performed the former for you, and validated the latter.

[root@bgxcat mauricfo]# cat /etc/sysconfig/network
NETWORKING=yes
#HOSTNAME=bgxcat
HOSTNAME=bgxcat.cluster.com

For those interested, more technical details / demonstration are provided below. I'm happy to extend the discussion if anyone has questions/comments.
Demonstrating problem/workaround w/ NFSv4 ID Mapping (misconfiguration on bgxcat server)
----------------------------------------------------------------------------------------

Trying in tulgpu002 (/install mounted over NFSv4)

root@tulgpu002:~/mauricio# mount | grep /install
bgxcat:/install on /install type nfs (rw,vers=4,addr=10.0.0.1,clientaddr=10.0.0.7)

root@tulgpu002:~/mauricio# chroot /install/netboot/ubuntu14.10/ppc64el/tulgpu-0001-netboot-compute/rootimg /usr/bin/chfn -f 'games user' games
chfn: PAM: System error

The chfn binary has the suid bit set, but uid/gid are NOT root (nobody/nogroup). This leads to the problem.

root@tulgpu002:~/mauricio# ls -lh /install/netboot/ubuntu14.10/ppc64el/tulgpu-0001-netboot-compute/rootimg/usr/bin/chfn
-rwsr-sr-x 1 nobody nogroup 53K Jul 18 2014 /install/netboot/ubuntu14.10/ppc64el/tulgpu-0001-netboot-compute/rootimg/usr/bin/chfn

On bgxcat (the source of /install), all is fine: suid is set, and the uid/gid are root. No problems there.

[root@bgxcat mauricfo]# ls -lh /install/netboot/ubuntu14.10/ppc64el/tulgpu-0001-netboot-compute/rootimg/usr/bin/chfn
-rwsr-sr-x 1 root root 53K Jul 18 2014 /install/netboot/ubuntu14.10/ppc64el/tulgpu-0001-netboot-compute/rootimg/usr/bin/chfn

The owner/group permissions change because of NFSv4 ID Mapping (rpc.idmapd).

root@tulgpu002:~/mauricio# grep ^No /etc/idmapd.conf
Nobody-User = nobody
Nobody-Group = nogroup

# mount | grep /install
bgxcat:/install on /install type nfs (rw,vers=4,addr=10.0.0.1,clientaddr=10.0.0.7)

If you retry with NFSv3, which has no ID Mapping, it works.

root@tulgpu002:~/mauricio# umount /install
root@tulgpu002:~/mauricio# mount -t nfs -o vers=3 bgxcat:/install /install
root@tulgpu002:~/mauricio# mount | grep /install
bgxcat:/install on /install type nfs (rw,vers=3,addr=10.0.0.1)

The user/group show up as root.
root@tulgpu002:~/mauricio# ls -lh /install/netboot/ubuntu14.10/ppc64el/tulgpu-0001-netboot-compute/rootimg/usr/bin/chfn
-rwsr-sr-x 1 root root 53K Jul 18 2014 /install/netboot/ubuntu14.10/ppc64el/tulgpu-0001-netboot-compute/rootimg/usr/bin/chfn

And chroot chfn passes.

root@tulgpu002:~/mauricio# chroot /install/netboot/ubuntu14.10/ppc64el/tulgpu-0001-netboot-compute/rootimg /usr/bin/chfn -f 'games user' games
root@tulgpu002:~/mauricio#

Go back to NFSv4, and you'll see the problem.

root@tulgpu002:~/mauricio# umount /install
root@tulgpu002:~/mauricio# mount -t nfs -o vers=4 bgxcat:/install /install
root@tulgpu002:~/mauricio# mount | grep /install
bgxcat:/install on /install type nfs (rw,vers=4,addr=10.0.0.1,clientaddr=10.0.0.7)

User/group are not root anymore.

root@tulgpu002:~/mauricio# ls -lh /install/netboot/ubuntu14.10/ppc64el/tulgpu-0001-netboot-compute/rootimg/usr/bin/chfn
-rwsr-sr-x 1 nobody nogroup 53K Jul 18 2014 /install/netboot/ubuntu14.10/ppc64el/tulgpu-0001-netboot-compute/rootimg/usr/bin/chfn
root@tulgpu002:~/mauricio# chroot /install/netboot/ubuntu14.10/ppc64el/tulgpu-0001-netboot-compute/rootimg /usr/bin/chfn -f 'games user' games
chfn: PAM: System error

If you clear the suid bit, things work too.
root@tulgpu002:~/mauricio# chmod -s /install/netboot/ubuntu14.10/ppc64el/tulgpu-0001-netboot-compute/rootimg/usr/bin/chfn
root@tulgpu002:~/mauricio# ls -lh /install/netboot/ubuntu14.10/ppc64el/tulgpu-0001-netboot-compute/rootimg/usr/bin/chfn
-rwxr-xr-x 1 nobody nogroup 53K Jul 18 2014 /install/netboot/ubuntu14.10/ppc64el/tulgpu-0001-netboot-compute/rootimg/usr/bin/chfn
root@tulgpu002:~/mauricio# chroot /install/netboot/ubuntu14.10/ppc64el/tulgpu-0001-netboot-compute/rootimg /usr/bin/chfn -f 'games user' games

Set it, and the problem is back:

root@tulgpu002:~/mauricio# chmod +s /install/netboot/ubuntu14.10/ppc64el/tulgpu-0001-netboot-compute/rootimg/usr/bin/chfn
root@tulgpu002:~/mauricio# ls -lh /install/netboot/ubuntu14.10/ppc64el/tulgpu-0001-netboot-compute/rootimg/usr/bin/chfn
-rwsr-sr-x 1 nobody nogroup 53K Jul 18 2014 /install/netboot/ubuntu14.10/ppc64el/tulgpu-0001-netboot-compute/rootimg/usr/bin/chfn
root@tulgpu002:~/mauricio# chroot /install/netboot/ubuntu14.10/ppc64el/tulgpu-0001-netboot-compute/rootimg /usr/bin/chfn -f 'games user' games
chfn: PAM: System error

Fixing this configuration in the bgxcat server:
-----------------------------------------------

root@tulgpu002:~/mauricio# grep idmap /var/log/syslog
<...>
Jan 27 04:51:13 tulgpu002 rpc.idmapd[146646]: nss_getpwnam: name 'root@localdomain' does not map into domain 'cluster.com'
Jan 27 05:05:56 tulgpu002 rpc.idmapd[146646]: nss_getpwnam: name 'nfsnobody@localdomain' does not map into domain 'cluster.com'
<...>

[root@bgxcat ppc64el]# grep idmap /var/log/messages
<...>
Jan 27 05:06:09 bgxcat rpc.idmapd[3851]: nss_getpwnam: name '0' does not map into domain 'localdomain'
Jan 27 05:06:13 tulgpu002 rpc.idmapd[146646]: nss_getpwnam: name 'root@localdomain' does not map into domain 'cluster.com'
<...>

http://support.hp.com/us-en/document/c03462757

# man idmapd.conf
<...>
       Domain
              The local NFSv4 domain name. An NFSv4 domain is a namespace with a unique username<->UID and groupname<->GID mapping.
              (Default: Host's fully-qualified DNS domain name)
<...>

# cat /etc/idmapd.conf
<...>
# The following should be set to the local NFSv4 domain name
# The default is the host's DNS domain name.
#Domain = local.domain.edu
<...>

[root@bgxcat mauricfo]# hostname -f
bgxcat
[root@bgxcat mauricfo]# dnsdomainname
[root@bgxcat mauricfo]#

... Hm, not a FQDN / DNS domain name.

Fix:

[root@bgxcat mauricfo]# hostname bgxcat.cluster.com
[root@bgxcat mauricfo]# hostname -f
bgxcat.cluster.com
[root@bgxcat mauricfo]# dnsdomainname
cluster.com
[root@bgxcat mauricfo]# hostname
bgxcat.cluster.com
[root@bgxcat mauricfo]# hostname -s
bgxcat

All OK now.

# vim /etc/sysconfig/network
<... added domain cluster.com in HOSTNAME, as in https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/ch-The_sysconfig_Directory.html)

[root@bgxcat mauricfo]# cat /etc/sysconfig/network
NETWORKING=yes
#HOSTNAME=bgxcat
HOSTNAME=bgxcat.cluster.com

[root@bgxcat mauricfo]# service rpcidmapd restart
Shutting down RPC idmapd: [ OK ]
Starting RPC idmapd: [ OK ]

root@tulgpu002:~/mauricio# mkdir test
root@tulgpu002:~/mauricio# mount bgxcat:/install test
root@tulgpu002:~/mauricio# mount | grep /test
bgxcat:/install on /root/mauricio/test type nfs (rw,vers=4,addr=10.0.0.1,clientaddr=10.0.0.7)

It's NFSv4, but now w/ correct ID Mapping:

root@tulgpu002:~/mauricio# ls -lh test/netboot/ubuntu14.10/ppc64el/tulgpu-0001-netboot-compute/rootimg/usr/bin/chfn
-rwsr-sr-x 1 root root 53K Jul 18 2014 test/netboot/ubuntu14.10/ppc64el/tulgpu-0001-netboot-compute/rootimg/usr/bin/chfn
root@tulgpu002:~/mauricio# chroot test/netboot/ubuntu14.10/ppc64el/tulgpu-0001-netboot-compute/rootimg /usr/bin/chfn -f test games
root@tulgpu002:~/mauricio#

And it works.

-- 
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to shadow in Ubuntu.
https://bugs.launchpad.net/bugs/1408589

Title:
  chfn does not work in chroot environment

Status in shadow package in Ubuntu:
  New

Bug description:
  == Comment: #0 - Guang Cheng Li <ligua...@cn.ibm.com> - 2015-01-07 01:51:51 ==
  ---Problem Description---
  chfn does not work in a chroot environment. In a chroot environment, the chroot exits with error "chfn: PAM: System error" and does not do anything.

  This might be related to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=763391 and https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=745082

  Contact Information = Guang Cheng Li ligua...@cn.ibm.com, Ralph Bellofatto ralph...@us.ibm.com

  ---uname output---
  Linux tulgpu002 3.16.0-23-generic #31-Ubuntu SMP Tue Oct 21 17:55:08 UTC 2014 ppc64le ppc64le ppc64le GNU/Linux

  Machine Type = N/A

  ---Debugger---
  A debugger is not configured

  ---Steps to Reproduce---
  Create an Ubuntu chroot environment, chroot into the directory, then run chfn.

  root@tulgpu002:~# ls
  chfn-error-rootimg
  root@tulgpu002:~# chroot chfn-error-rootimg
  root@tulgpu002:/# ls
  bin   dev  home        lib    media  opt   root  sbin  sys  usr  vmlinux
  boot  etc  initrd.img  lib64  mnt    proc  run   srv   tmp  var  xcatpost
  root@tulgpu002:/#
  root@tulgpu002:/# chfn -f 'games user id' games
  chfn: PAM: System error
  root@tulgpu002:/#

  *Additional Instructions for Guang Cheng Li ligua...@cn.ibm.com, Ralph Bellofatto ralph...@us.ibm.com:
  -Post a private note with access information to the machine that the bug is occurring on.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1408589/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
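The three checks the diagnosis in the comment above rests on (which NFSv4 domain each host ends up with, whether a wire name such as root@localdomain maps into the client's domain, and which setuid files on the mount are no longer root-owned), as an added example written for this page; it is not code from the bug report, from shadow, or from nfs-utils. The "localdomain" fallback follows the libnfsidmap default for a host with no DNS domain (the same value the report's logs show for bgxcat); the idmapd.conf text, the syslog lines, the temporary directory and the client FQDN tulgpu002.cluster.com are constructed inputs, not captured from the affected machines.

```shell
#!/bin/sh
# Added example, not from the bug report: offline checks for the NFSv4 idmapd
# domain mismatch. Inputs are passed in or constructed inline so it runs anywhere.

# Default NFSv4 domain for a host when idmapd.conf sets no "Domain =": the part
# of the FQDN after the first dot, or "localdomain" when the name has no dot
# (libnfsidmap's documented fallback; this is what bgxcat ended up with).
nfs4_domain_for_host() {
    case $1 in
        *.*) printf '%s\n' "${1#*.}" ;;
        *)   printf 'localdomain\n' ;;
    esac
}

# Effective domain: an uncommented "Domain = x" in idmapd.conf (contents passed
# as text) wins; otherwise fall back to the host-derived default above.
nfs4_effective_domain() {
    conf=$1 fqdn=$2
    d=$(printf '%s\n' "$conf" |
        sed -n 's/^[[:space:]]*Domain[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' |
        tail -n 1)
    if [ -n "$d" ]; then printf '%s\n' "$d"; else nfs4_domain_for_host "$fqdn"; fi
}

# Does a wire name "user@domain" map into the local domain? This is the test
# behind "nss_getpwnam: name 'root@localdomain' does not map into domain
# 'cluster.com'"; a name without '@' (such as '0') never maps through nss.
nfs4_name_maps() {
    case $1 in
        *@*) [ "${1#*@}" = "$2" ] ;;
        *)   return 1 ;;
    esac
}

# Extract "<wire name> <local domain>" pairs from rpc.idmapd syslog lines on stdin.
idmapd_mismatches() {
    sed -n "s/.*rpc\.idmapd\[[0-9]*\]: nss_getpwnam: name '\([^']*\)' does not map into domain '\([^']*\)'.*/\1 \2/p"
}

# Setuid/setgid files under a tree whose owner is not the expected uid: the
# client-side state (root on the server, nobody on the client) that broke chfn.
suid_not_owned_by_uid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) ! -uid "$2"
}

# --- demonstration with constructed inputs mirroring the report ---
IDMAPD_CONF='#Domain = local.domain.edu'     # constructed: Domain left commented out
SYSLOG=$(cat <<'EOF'
Jan 27 04:51:13 tulgpu002 rpc.idmapd[146646]: nss_getpwnam: name 'root@localdomain' does not map into domain 'cluster.com'
Jan 27 04:51:14 tulgpu002 kernel: unrelated line
Jan 27 05:06:09 bgxcat rpc.idmapd[3851]: nss_getpwnam: name '0' does not map into domain 'localdomain'
EOF
)

server=$(nfs4_effective_domain "$IDMAPD_CONF" bgxcat)                 # localdomain
client=$(nfs4_effective_domain "$IDMAPD_CONF" tulgpu002.cluster.com)  # cluster.com (client FQDN assumed)
if [ "$server" != "$client" ]; then
    echo "NFSv4 domain mismatch: server=$server client=$client; expect nobody/nogroup on the client"
fi
printf '%s\n' "$SYSLOG" | idmapd_mismatches
```

On a real client the same functions take live input: `nfs4_effective_domain "$(cat /etc/idmapd.conf)" "$(hostname -f)"` on each side, `grep idmap /var/log/syslog | idmapd_mismatches`, and `suid_not_owned_by_uid /install 0` to list every setuid or setgid file the mapping turned into nobody, which is a broader view than checking chfn alone.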