Bug 554203

Summary: LXC: /dev/pts needs to be mounted with mount options gid=5,mode=620.

Field | Value
---|---
Product | Fedora
Component | libvirt
Status | CLOSED WONTFIX
Severity | medium
Priority | low
Version | 14
Hardware | All
OS | Linux
Reporter | Robin Green <greenrd>
Assignee | Libvirt Maintainers <libvirt-maint>
QA Contact | Fedora Extras Quality Assurance <extras-qa>
CC | anton, berrange, clalance, crobinso, dougsland, gansalmon, itamar, jforbes, jonathan, kernel-maint, onestero, veillard, virt-maint
Doc Type | Bug Fix
Last Closed | 2012-01-24 21:46:35 UTC
Attachments | 399815 (logs from strace)
Description
Robin Green
2010-01-10 22:28:04 UTC

Comment #1

(In reply to comment #0)
> 9. virsh --connect lxc:/// define ptybug.xml
> 10. virsh --connect lxc:/// start ptybug
> 11. virsh --connect lxc:/// console ptybug
> 12. su - test

this fails with

    su: incorrect password
    # id
    uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:virtd_t:s0-s0:c0.c1023

and I don't know how to fix su.

> 13. strace -f -e trace=none nullmodem -F 0 1

if I do the above without su, it fails with EPERM instead of ENOEXEC. And, it fails the same way without strace too.

Hmm. According to strace, chown32("/dev/pts/1", 0, 5) returns EPERM and then nullmodem reports "Open pty failed: Permission denied".

    bash-4.1# touch /tmp/xxx
    bash-4.1# ls -l /tmp/xxx
    -rw-r--r--. 1 root root 0 Mar  5 13:36 /tmp/xxx
    bash-4.1# chown test:test /tmp/xxx
    chown: changing ownership of `/tmp/xxx': Operation not permitted

So, it is not clear to me how to reproduce the problem. And sorry, I do not know how to set up this container environment correctly.

Could you please confirm nullmodem does work without strace? If yes, please do "strace -ff -o log" and show the resulting log.* files.

---------------------------------------------------------------------
But. Please note that, since you run "strace -f" under user "test", any setuid binary will not get the root privs. Probably this explains the problem; afaics nullmodem needs the help of /usr/libexec/pt_chown.

Comment #2

I took the Fedora 13 choice when rawhide was forked, and unfortunately LXC is unusable for me on F13 at the moment due to bug 570708. I will come back to this bug after that bug is addressed.

Comment #3

(In reply to comment #1)
> (In reply to comment #0)
> > 9. virsh --connect lxc:/// define ptybug.xml
> > 10. virsh --connect lxc:/// start ptybug
> > 11. virsh --connect lxc:/// console ptybug
> > 12. su - test
>
> this fails with
>
> su: incorrect password
> # id
> uid=0(root) gid=0(root) groups=0(root)
> context=system_u:system_r:virtd_t:s0-s0:c0.c1023
>
> and I don't know how to fix su.

Hmm, strange. I don't encounter this error. Maybe an SELinux issue? (SELinux is disabled on my machine.)

> > 13. strace -f -e trace=none nullmodem -F 0 1
>
> if I do the above without su, it fails with EPERM instead
> of ENOEXEC.

This bug only occurs when you run as non-root. EPERM might also be an SELinux issue?

> Could you please confirm nullmodem does work without strace?

Yes, reconfirmed.

> If yes, please do "strace -ff -o log" and show the resulting log.*
> files.

I will attach them momentarily.

> ---------------------------------------------------------------------
> But. Please note that, since you run "strace -f" under user "test",
> any setuid binary will not get the root privs. Probably this explains
> the problem, afaics nullmodem needs the help of /usr/libexec/pt_chown.

No, it doesn't explain the problem, because nullmodem does work as user test without strace. It also works when run under strace, but not inside LXC.

Comment #4

Created attachment 399815 [details]
logs from strace

Comment #5

(In reply to comment #3)
> (In reply to comment #1)
> > ---------------------------------------------------------------------
> > But. Please note that, since you run "strace -f" under user "test",
> > any setuid binary will not get the root privs. Probably this explains
> > the problem, afaics nullmodem needs the help of /usr/libexec/pt_chown.
>
> No, it doesn't explain the problem,

it does ;) please look into the logs. Like I expected, nullmodem failed to chown32("/dev/pts/1", 500, 5) (see log.30) and it spawns the suid pt_chown to do this. But since this all runs under strace, pt_chown starts without root privileges and therefore it can't help.

> because nullmodem does work as user test
> without strace.

See above. Say, /bin/mount won't work under strace too. Any suid app won't work, this is correct.

> It also works when run under strace, but not inside LXC.

So the question is: how to set up the devpts magic properly inside LXC so that pt_exec is not needed. But I know nothing about this.

To be absolutely sure, please do "chmod u-s /usr/libexec/pt_chown" _inside_ lxc, then run nullmodem without strace.

Comment #6

(In reply to comment #5)
> So the question is: how to setup the devpts magic properly
> inside LXC so that pt_exec is not needed.

Ah, yes, you're right. Sorry.

> To be absolutely sure, please do "chmod u-s /usr/libexec/pt_chown"
> _inside_ lxc, then run nullmodem without strace.

Indeed, it doesn't work when I do that, as you expected.

After some work, I found out that the problem is very similar to the one described in bug 506219.

Summary: /dev/pts needs to be mounted with mount options gid=5,mode=620.

Since libvirt is responsible for mounting the private /dev/pts (and nothing else changes the mount options) I've changed the component of this bug to libvirt. Please reassign this bug to an appropriate owner, as I don't have privileges to do that.

Comment #7

This bug still exists in libvirt-0.8.3-2.fc14.i686 on Fedora 14 (see comment #6 above for how to fix).

Comment #8

This is fixed in libvirt GIT now
http://libvirt.org/git/?p=libvirt.git;a=commit;h=08fb2a9ce855c6ed1042e451fb4dfc6664a77d64

Comment #9

This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.

Comment #10

F14 is EOL, please reopen if this is still relevant in a more recent fedora.
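The condition the thread converges on (comment #5 and comment #6) is that a container's private /dev/pts must be mounted with gid=5,mode=620; otherwise glibc's grantpt() has to chown the slave pty itself and, when that fails, exec the setuid /usr/libexec/pt_chown helper, which is precisely what cannot work under strace or once the helper has lost its setuid bit. The following script is an added example, not code from the bug report or from libvirt: it parses mount lines in /proc/self/mounts format and reports whether a devpts mount carries both options. The two sample mount lines are constructed for the demonstration, and all function names are my own.

```shell
#!/bin/sh
# Added example (not from the bug report or libvirt): check whether a devpts
# mount carries the options the thread settled on (gid=5,mode=620). Without
# them grantpt() must chown the slave pty itself and, on failure, exec the
# setuid pt_chown helper, which gets no root privileges under strace.

# Constructed sample in /proc/self/mounts format (not taken from the report).
# Line 1: a private /dev/pts mounted without gid/mode, as in the bug.
# Line 2: /dev/pts mounted the way the fix requires.
SAMPLE_MOUNTS='devpts /dev/pts devpts rw,relatime,mode=600,ptmxmode=000 0 0
devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0'

# sample_line N -> prints line N of the constructed sample
sample_line() {
    printf '%s\n' "$SAMPLE_MOUNTS" | sed -n "${1}p"
}

# devpts_opts MOUNT_LINE -> prints the option field (4th column) of a devpts
# mount line; prints nothing for other filesystem types
devpts_opts() {
    printf '%s\n' "$1" | awk '$3 == "devpts" { print $4 }'
}

# has_opt OPTS NAME VALUE -> true when comma-separated OPTS contains NAME=VALUE
has_opt() {
    case ",$1," in
        *",$2=$3,"*) return 0 ;;
        *)           return 1 ;;
    esac
}

# check_devpts_line MOUNT_LINE
#   returns 0 when both gid=5 and mode=620 are present,
#           1 when the line is a devpts mount lacking either option,
#           2 when the line is not a devpts mount at all
check_devpts_line() {
    opts=$(devpts_opts "$1")
    [ -n "$opts" ] || return 2
    has_opt "$opts" gid 5 || return 1
    # the kernel shows the mode as three octal digits; accept a leading 0 too
    has_opt "$opts" mode 620 || has_opt "$opts" mode 0620 || return 1
    return 0
}

# check_live_devpts -> same check against the running system; run it inside
# the container to verify the private /dev/pts libvirt mounted there
check_live_devpts() {
    line=$(awk '$2 == "/dev/pts" && $3 == "devpts"' /proc/self/mounts | head -n 1)
    if [ -z "$line" ]; then
        echo "no devpts mounted on /dev/pts" >&2
        return 2
    fi
    if check_devpts_line "$line"; then
        echo "ok: /dev/pts has gid=5,mode=620; grantpt() needs no pt_chown"
    else
        echo "warning: /dev/pts lacks gid=5,mode=620; grantpt() will fall back to the setuid pt_chown helper" >&2
        return 1
    fi
}

# Offline demonstration over the constructed sample lines.
n=1
while [ "$n" -le 2 ]; do
    if check_devpts_line "$(sample_line "$n")"; then
        echo "sample line $n: ok"
    else
        echo "sample line $n: missing gid=5,mode=620"
    fi
    n=$((n + 1))
done
```

Running the script as-is only exercises the constructed sample; call check_live_devpts from inside the container to inspect the mount libvirt actually set up. A non-zero return from the live check is the signal that pty allocation for unprivileged users in that container depends on a working setuid pt_chown rather than on the devpts mount itself.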