Bug 2022658 - shadow-utils-4.9-5.fc35 broke copying files from /etc/skel using gnome-control-center
Summary: shadow-utils-4.9-5.fc35 broke copying files from /etc/skel using gnome-contro...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: shadow-utils
Version: 35
Hardware: Unspecified
OS: Unspecified
unspecified
urgent
Target Milestone: ---
Assignee: Iker Pedrosa
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2021-11-12 10:14 UTC by Kamil Páral
Modified: 2021-12-13 13:10 UTC (History)
12 users (show)

Fixed In Version: shadow-utils-4.9-7.fc35
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-11-15 05:47:28 UTC
Type: Bug


Attachments (Terms of Use)
journal (227.53 KB, text/plain)
2021-11-12 10:56 UTC, Kamil Páral
no flags Details

Description Kamil Páral 2021-11-12 10:14:15 UTC
Description of problem:
Since shadow-utils-4.9-5.fc35, new users created through gnome-control-center are missing files that should've been copied from /etc/skel. That means they don't have .bashrc and similar, i.e. no PS1 variable etc. Users created through adduser are fine. shadow-utils-4.9-4.fc35 worked OK even with gnome-control-center, it's -5 that broke it.

With shadow-utils-4.9-4.fc35, a newly created user through gnome-control-center contains:

# tree -a /home/tester
/home/tester
├── .bash_logout
├── .bash_profile
├── .bashrc
└── .mozilla
    ├── extensions
    └── plugins

With shadow-utils-4.9-5.fc35 (or -6), a newly created user through gnome-control-center contains:

# tree -a /home/tester
/home/tester
└── .mozilla

Current contents of /etc/skel:

# tree -a /etc/skel
/etc/skel
├── .bash_logout
├── .bash_profile
├── .bashrc
└── .mozilla
    ├── extensions
    └── plugins


Can you please consider this as a bug with the utmost priority? Currently this is broken for all Fedora users, because shadow-utils-4.9-5.fc35 is already in stable updates. That means everyone who creates a new users gets it with a broken (incomplete) profile, and it will not fix itself after this bug is resolved. So we need to push the fix to stable updates ASAP, so that as few users as possible are affected. Thanks!


Version-Release number of selected component (if applicable):
gnome-control-center-41.1-1.fc35.x86_64

working:
shadow-utils-4.9-3.fc35
shadow-utils-4.9-4.fc35

broken:
shadow-utils-4.9-5.fc35
shadow-utils-4.9-6.fc35

How reproducible:
always

Steps to Reproduce:
1. open gnome-control-center -> Users
2. create a new standard user "tester"
3. sudo ls -a /home/tester

Actual results:
most files from /etc/skel are missing

Expected results:
all files from /etc/skel are present

Comment 1 Iker Pedrosa 2021-11-12 10:27:17 UTC
I'm working on it. If you could provide the logs from /var/log/messages and /var/log/secure that would be really helpful.

Comment 2 Kamil Páral 2021-11-12 10:56:45 UTC
Created attachment 1841420 [details]
journal

There is no /var/log/{messages,secure}. I'm attaching `journalctl -b` output instead.

Comment 3 Kamil Páral 2021-11-12 10:58:19 UTC
$ grep tester journal.txt 
Nov 12 11:53:20 f35 accounts-daemon[696]: request by system-bus-name::1.145 [gnome-control-center pid:2528 uid:1000]: create user 'tester'
Nov 12 11:53:20 f35 useradd[2637]: new group: name=tester, GID=1001
Nov 12 11:53:20 f35 audit[2637]: ADD_GROUP pid=2637 uid=0 auid=1000 ses=4 subj=system_u:system_r:useradd_t:s0 msg='op=add-group acct="tester" exe="/usr/sbin/useradd" hostname=? addr=? terminal=? res=success'
Nov 12 11:53:20 f35 useradd[2637]: new user: name=tester, UID=1001, GID=1001, home=/home/tester, shell=/bin/bash, from=none
Nov 12 11:53:20 f35 audit[2637]: ADD_USER pid=2637 uid=0 auid=1000 ses=4 subj=system_u:system_r:useradd_t:s0 msg='op=add-user acct="tester" exe="/usr/sbin/useradd" hostname=? addr=? terminal=? res=success'
Nov 12 11:53:20 f35 accounts-daemon[2637]: useradd: setting attribute security.selinux for /home/tester/.mozilla: Permission denied
Nov 12 11:53:20 f35 accounts-daemon[696]: request by system-bus-name::1.145 [gnome-control-center pid:2528 uid:1000]: change password mode of user 'tester' (1001) to 1
Nov 12 11:53:20 f35 accounts-daemon[2652]: Removing password for user tester.
Nov 12 11:53:20 f35 chage[2653]: changed password expiry for tester

Comment 4 Kamil Páral 2021-11-12 11:27:54 UTC
This problem doesn't occur when SELinux is changed to Permissive mode, even with latest shadow-utils. So this seems clearly SELinux-related. From the journal:

$ grep -i avc journal.txt 
Nov 12 11:53:20 f35 audit[2640]: AVC avc:  denied  { setgid } for  pid=2640 comm="sss_cache" capability=6  scontext=system_u:system_r:useradd_t:s0 tcontext=system_u:system_r:useradd_t:s0 tclass=capability permissive=0
Nov 12 11:53:20 f35 audit[2640]: AVC avc:  denied  { setgid } for  pid=2640 comm="sss_cache" capability=6  scontext=system_u:system_r:useradd_t:s0 tcontext=system_u:system_r:useradd_t:s0 tclass=capability permissive=0
Nov 12 11:53:20 f35 audit[2643]: AVC avc:  denied  { setgid } for  pid=2643 comm="sss_cache" capability=6  scontext=system_u:system_r:useradd_t:s0 tcontext=system_u:system_r:useradd_t:s0 tclass=capability permissive=0
Nov 12 11:53:20 f35 audit[2643]: AVC avc:  denied  { setgid } for  pid=2643 comm="sss_cache" capability=6  scontext=system_u:system_r:useradd_t:s0 tcontext=system_u:system_r:useradd_t:s0 tclass=capability permissive=0
Nov 12 11:53:20 f35 audit[2637]: AVC avc:  denied  { relabelto } for  pid=2637 comm="useradd" name=".mozilla" dev="vda2" ino=986 scontext=system_u:system_r:useradd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0

Comment 5 Iker Pedrosa 2021-11-12 11:30:59 UTC
When I try to add the user using gnome the home directory is empty and I get the following error in /var/log/messages:
Nov 12 11:33:17 fedora audit[10205]: AVC avc:  denied  { relabelto } for  pid=10205 comm="useradd" name=".mozilla" dev="sda2" ino=9136 scontext=system_u:system_r:useradd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
Nov 12 11:33:17 fedora accounts-daemon[10205]: useradd: setting attribute security.selinux for /home/testuser2/.mozilla: Permission denied

If I do the same with the useradd command the user is created correctly and I don't see an empty home directory.

Changing the component to selinux-policy.

Comment 6 Iker Pedrosa 2021-11-12 12:28:07 UTC
My bad, this definitely belongs to shadow-utils.

Comment 7 Fedora Update System 2021-11-12 16:14:12 UTC
FEDORA-2021-2709419aea has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2021-2709419aea

Comment 8 Fedora Update System 2021-11-14 02:39:56 UTC
FEDORA-2021-2709419aea has been pushed to the Fedora 35 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-2709419aea`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-2709419aea

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 9 Fedora Update System 2021-11-15 05:47:28 UTC
FEDORA-2021-2709419aea has been pushed to the Fedora 35 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 10 Kamil Páral 2021-12-13 13:10:25 UTC
Thanks, I verified that this is fixed now.


Note You need to log in before you can comment on or make changes to this bug.