Bug 631717 - Create local user fails mysteriously
Summary: Create local user fails mysteriously
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: libuser
Version: 14
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Miloslav Trmač
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-09-08 09:17 UTC by Nils Philippsen
Modified: 2010-10-18 05:34 UTC (History)
5 users (show)

Fixed In Version: libuser-0.56.18-2.fc14
Doc Type: Bug Fix
Doc Text:
Clone Of: 599214
Environment:
Last Closed: 2010-10-18 05:34:52 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Nils Philippsen 2010-09-08 09:17:37 UTC 
During QA of system-config-users, we found an (arguably artificial) corner case where libuser failed to create a home directory because the parent directory has mode 000 -- a simple mkdir works there because root usually has CAP_DAC_OVERRIDE, but something SELinux-related that libuser attempts to do, fails.

+++ This bug was initially created as a clone of Bug #599214 +++
[...]
--- Additional comment from omoris on 2010-08-30 16:29:41 EDT ---

Nils, here's another problem:

1. mkdir /tmp/x
2. chmod a-rwx /tmp/x
3. s-c-users -> add user 'y' -> set home dir to /tmp/x/y

It will succeeded:

# getent passwd y
y:x:504:504::/tmp/x/y:/bin/bash

But no homedir is created and s-c-users prints the following traceback:

# system-config-users 
Traceback (most recent call last):
  File "/usr/share/system-config-users/userWindow.py", line 408, in on_userWin_ok_button_clicked
    self.parent.ADMIN.addUser(userEnt, mkhomedir = True)
RuntimeError: couldn't determine security context for `/tmp/x/y': No such file or directory

# rpm -q system-config-users
system-config-users-1.2.104-1.el6.noarch
[...]
--- Additional comment from nphilipp on 2010-09-08 05:01:21 EDT ---

I've added fixes to the upstream repo to deal better with homes in automounted directories:


commit 5fcefe54e19760559ef425205c434e94f8bbd524
Author: Nils Philippsen <nils>
Date:   Tue Sep 7 17:39:11 2010 +0200

    cope better with deleting auto-mounted home directories
    
    Auto-mounted home directories cannot be removed normally, the automounter
    needs to be reconfigured for that. In that case, remove the contents and
    change ownership back to root.


commit d76a8c7dcde7a9309676f25f13ff0961f7a169fc
Author: Nils Philippsen <nils>
Date:   Tue Sep 7 16:55:33 2010 +0200

    Attempt to mkdir home directory instead of using os.access().
    
    The access system call may erroneously assume that a directory is writable
    (e.g. in autofs roots, procsfs, sysfs, ...). Rather than special-casing
    affected file systems, simply try to create the home directory -- libuser
    copes well with existing directories.

This does not yet cover the (arguably artificial) case described in comment #13, where libuser fails to create the home directory:

root@gibraltar:~> mkdir /tmp/x
root@gibraltar:~> chmod 000 /tmp/x
root@gibraltar:~> luseradd -d /tmp/x/y y
Error creating /tmp/x/y: couldn't determine security context for `/tmp/x/y': No such file or directory.
root@gibraltar:~> getent passwd y
y:x:501:502:y:/tmp/x/y:/bin/bash
root@gibraltar:~> ls /tmp/x
root@gibraltar:~> mkdir /tmp/x/y
root@gibraltar:~> ls /tmp/x
y
root@gibraltar:~>

I'm not sure whether this issue lies in libuser or in some SELinux code, though. S-c-users could only catch the error at this point and bail out.
Comment 1 Nils Philippsen 2010-09-08 09:36:51 UTC 
Just tried this for something remotely resembling a valid use case: having a home directory for which the parent doesn't allow listing (chmod a=x):

root@gibraltar:~> mkdir /tmp/x
root@gibraltar:~> chmod a=x /tmp/x
root@gibraltar:~> luseradd -d /tmp/x/y y
Error creating /tmp/x/y: couldn't determine security context for `/tmp/x/y': No such file or directory.
root@gibraltar:~> ls /tmp/x
root@gibraltar:~>
Comment 2 Nils Philippsen 2010-09-08 11:38:57 UTC 
I think the problem rather may be related to the SELinux context (of /tmp or directories created therein) rather than the mode:

It works in /home/x, with all permissions removed on /home/x:
root@gibraltar:/home> mkdir x
root@gibraltar:/home> chmod 000 x
root@gibraltar:/home> luseradd -d /home/x/y y
root@gibraltar:/home> 

It doesn't work in /tmp/x, or /tmp, with normal permissions:

root@gibraltar:/tmp> mkdir x
root@gibraltar:/tmp> ls -ld x
drwxr-xr-x. 2 root root 4096 Sep  8 13:36 x
root@gibraltar:/tmp> luseradd -d /tmp/x/y y
Error creating /tmp/x/y: couldn't determine security context for `/tmp/x/y': No such file or directory.
root@gibraltar:/tmp> luserdel -r y
Error removing /tmp/x/y: Error removing `/tmp/x/y': No such file or directory.
root@gibraltar:/tmp> ls -ld /tmp
drwxrwxrwt. 15 root root 4096 Sep  8 13:36 /tmp
root@gibraltar:/tmp> luseradd -d /tmp/y y
Error creating /tmp/y: couldn't determine security context for `/tmp/y': No such file or directory.
root@gibraltar:/tmp>
Comment 3 Miloslav Trmač 2010-09-29 21:08:37 UTC 
Fixed upstream in 2744aecc92b1f0c78d19022bf9e8107450544e18.  Thanks for your report.
Comment 4 Fedora Update System 2010-09-29 21:27:39 UTC 
libuser-0.56.18-2.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/libuser-0.56.18-2.fc14
Comment 5 Fedora Update System 2010-09-30 05:31:18 UTC 
libuser-0.56.18-2.fc14 has been pushed to the Fedora 14 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update libuser'.  You can provide feedback for this update here: https://admin.fedoraproject.org/updates/libuser-0.56.18-2.fc14
Comment 6 Fedora Update System 2010-10-18 05:34:46 UTC 
libuser-0.56.18-2.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.