Bug 865801

Field | Value
---|---
Summary | LDAP Users cannot access external media through udisks2
Product | [Fedora] Fedora
Component | udisks2
Version | 17
Hardware | x86_64
OS | Linux
Status | CLOSED ERRATA
Severity | high
Priority | unspecified
Type | Bug
Doc Type | Bug Fix
Reporter | Aaron Kling <webgeek1234>
Assignee | David Zeuthen <davidz>
QA Contact | Fedora Extras Quality Assurance <extras-qa>
CC | davidz, jlugo, mclasen
Last Closed | 2012-12-20 16:11:59 UTC

Description
Aaron Kling
2012-10-12 13:31:39 UTC

Can the user access /run/media/$USER or is it only a problem with /run/media/$USER/$DEVICE? What filesystem is used on the USB device? As root, please run this command and paste it here

```
getfacl /run/media/$USER
```

The LDAP user cannot get to /run/media/$USER either. Output of getfacl is:

```
[root@$HOST ~]# getfacl /run/media/999888
getfacl: Removing leading '/' from absolute path names
# file: run/media/999888
# owner: root
# group: root
user::rwx
user:999888:r-x
group::---
mask::r-x
other::---
```

I forgot to mention before that there are no selinux messages generated. Watching /var/log/messages when trying to mount for the LDAP user and the local user shows virtually the same thing (mounted $DEVICE at /run/media/$USER/$DEVICENAME on behalf of uid $UID).

Hmm, what is the UID of the user in question? Please provide the output of the id(1) command run as the user, for example

```
$ id
uid=500(davidz) gid=500(davidz) groups=500(davidz),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
```

Also please provide the output of 'tree -ugp /run/media' run as both the user and root (you may need to install the 'tree' package). Please also try to see if the problem goes away when putting selinux in permissive mode (run 'setenforce 0' as root).

Output of id:

```
uid=5001(999888) gid=5001(students) groups=5001(students) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
```

Output of tree as LDAP user:

```
/run/media
├── [drwxr-x--- root root ] 999888 [error opening dir]
└── [drwxr-x--- root root ] ittech [error opening dir]

2 directories, 0 files
```

Output of tree as root:

I already tried turning off selinux via setenforce and it made no difference.

So, wait a minute, the username is "999888" with the uid being 5001, correct? If so, I don't see udisks doing anything wrong ... I mean, according to comment 2, there is a read ACL for that user. Please also provide the output of

```
getfacl -n /run/media/999888
```

run as root and

```
strace ls -l /run/media/999888
```

run as the user. Thanks.

Output of getfacl:

```
getfacl: Removing leading '/' from absolute path names
# file: run/media/999888
# owner: 0
# group: 0
user::rwx
user:999888:r-x
group::---
mask::r-x
other::---
```

And herein I believe lies the problem. It's setting the username as the uid and not resolving properly. I ran into the problem with the quota packages and had to do some fancy workarounds to pass the uid directly. Seems all numeric user names cause all kinds of trouble. But that unfortunately can't change in our policies.

OK, I just tried this with a user with username "1001" and uid 502 and it seems to work just fine:

```
[root@thinkpad ~]# getfacl /run/media/1001
getfacl: Removing leading '/' from absolute path names
# file: run/media/1001
# owner: root
# group: root
user::rwx
user:1001:r-x
group::---
mask::r-x
other::---

[root@thinkpad ~]# getfacl -n /run/media/1001
getfacl: Removing leading '/' from absolute path names
# file: run/media/1001
# owner: 0
# group: 0
user::rwx
user:502:r-x
group::---
mask::r-x
other::---

[1001@thinkpad ~]$ ls -l /run/media/1001/Fedora_17_ppc/
total 8
dr-xr-xr-x. 2 1001 1001 2048 Jun 8 18:19 etc
dr-xr-xr-x. 3 1001 1001 2048 Jun 8 18:19 images
dr-xr-xr-x. 2 1001 1001 2048 Jun 8 18:19 LiveOS
dr-xr-xr-x. 5 1001 1001 2048 Jun 8 18:19 ppc
```

This is with Fedora 18 though which uses libacl directly.
I see that you filed this against Fedora 17 which, IIRC, is calling out to setfacl: http://cgit.freedesktop.org/udisks/tree/src/udiskslinuxfilesystem.c?id=1.94.0#n831 which explains the problem.

Okay, thanks. I'll see if I can cherry-pick the newer package into our installation and that should work. Since the problem has been indirectly fixed upstream, I would assume the bug can be closed.

The patch actually applies to the f17 packages. I'm building an update right now.

Great! Thank you. Unfortunately, I won't be able to test the update until Monday.

udisks2-1.94.0-10.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/udisks2-1.94.0-10.fc17

Package udisks2-1.94.0-10.fc17:

* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.

Update it with:

```
# su -c 'yum update --enablerepo=updates-testing udisks2-1.94.0-10.fc17'
```

as soon as you are able to, then reboot. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-16098/udisks2-1.94.0-10.fc17 then log in and leave karma (feedback).

Works perfectly. I commented on the update. Now I'm pushing the package to the lab. Thanks for your help.

udisks2-1.94.0-10.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
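
The mismatch diagnosed in this thread can be checked mechanically from `getfacl -n` output. The following is an added example, not code from udisks2 or from anyone in the thread: it compares the uid named in the ACL with the uid the login name actually maps to, using the two `getfacl -n` outputs pasted above. The function names and the `PASSWD` dictionary (a stand-in for a passwd/LDAP lookup, filled with the name and uid pairs stated in the thread) are assumptions.

```python
import re

# Output of `getfacl -n`, copied from the two cases pasted in the thread.
F17_ACL = """# file: run/media/999888
# owner: 0
# group: 0
user::rwx
user:999888:r-x
group::---
mask::r-x
other::---
"""
F18_ACL = """# file: run/media/1001
# owner: 0
# group: 0
user::rwx
user:502:r-x
group::---
mask::r-x
other::---
"""
# Name -> uid pairs as stated in the thread (stand-in for a passwd/LDAP lookup).
PASSWD = {"999888": 5001, "1001": 502}

def resolve_digits_as_uid(spec, passwd):
    """Model of the reported failure: an all-digit string is taken as a uid."""
    return int(spec) if spec.isdigit() else passwd[spec]

def named_user_entries(getfacl_n_text):
    """Return {uid: perms} for the named-user entries of `getfacl -n` output."""
    entries = {}
    for line in getfacl_n_text.splitlines():
        m = re.fullmatch(r"user:(\d+):([rwx-]{3})", line.strip())
        if m:  # "user::rwx" (the owner entry) has no qualifier and is skipped
            entries[int(m.group(1))] = m.group(2)
    return entries

def audit_mount_acl(login, getfacl_n_text, passwd):
    """Check that the ACL lets the login's real uid in, and list any other uid it names."""
    expected = passwd[login]
    granted = named_user_entries(getfacl_n_text)
    return {
        "expected_uid": expected,
        "granted_uids": sorted(granted),
        "owner_can_enter": "x" in granted.get(expected, "---"),
        "stray_uids": sorted(u for u in granted if u != expected),
    }

if __name__ == "__main__":
    print(audit_mount_acl("999888", F17_ACL, PASSWD))
    print(audit_mount_acl("1001", F18_ACL, PASSWD))
```

A non-empty `stray_uids` is worth flagging on its own: the directory is then traversable by whichever account holds that uid rather than by the user the media was mounted for.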