During QA of system-config-users, we found an (arguably artificial) corner case where libuser failed to create a home directory because the parent directory has mode 000 -- a simple mkdir works there because root usually has CAP_DAC_OVERRIDE, but something SELinux-related that libuser attempts to do, fails. +++ This bug was initially created as a clone of Bug #599214 +++ [...] --- Additional comment from omoris on 2010-08-30 16:29:41 EDT --- Nils, here's another problem: 1. mkdir /tmp/x 2. chmod a-rwx /tmp/x 3. s-c-users -> add user 'y' -> set home dir to /tmp/x/y It will succeeded: # getent passwd y y:x:504:504::/tmp/x/y:/bin/bash But no homedir is created and s-c-users prints the following traceback: # system-config-users Traceback (most recent call last): File "/usr/share/system-config-users/userWindow.py", line 408, in on_userWin_ok_button_clicked self.parent.ADMIN.addUser(userEnt, mkhomedir = True) RuntimeError: couldn't determine security context for `/tmp/x/y': No such file or directory # rpm -q system-config-users system-config-users-1.2.104-1.el6.noarch [...] --- Additional comment from nphilipp on 2010-09-08 05:01:21 EDT --- I've added fixes to the upstream repo to deal better with homes in automounted directories: commit 5fcefe54e19760559ef425205c434e94f8bbd524 Author: Nils Philippsen <nils> Date: Tue Sep 7 17:39:11 2010 +0200 cope better with deleting auto-mounted home directories Auto-mounted home directories cannot be removed normally, the automounter needs to be reconfigured for that. In that case, remove the contents and change ownership back to root. commit d76a8c7dcde7a9309676f25f13ff0961f7a169fc Author: Nils Philippsen <nils> Date: Tue Sep 7 16:55:33 2010 +0200 Attempt to mkdir home directory instead of using os.access(). The access system call may erroneously assume that a directory is writable (e.g. in autofs roots, procsfs, sysfs, ...). Rather than special-casing affected file systems, simply try to create the home directory -- libuser copes well with existing directories. This does not yet cover the (arguably artificial) case described in comment #13, where libuser fails to create the home directory: root@gibraltar:~> mkdir /tmp/x root@gibraltar:~> chmod 000 /tmp/x root@gibraltar:~> luseradd -d /tmp/x/y y Error creating /tmp/x/y: couldn't determine security context for `/tmp/x/y': No such file or directory. root@gibraltar:~> getent passwd y y:x:501:502:y:/tmp/x/y:/bin/bash root@gibraltar:~> ls /tmp/x root@gibraltar:~> mkdir /tmp/x/y root@gibraltar:~> ls /tmp/x y root@gibraltar:~> I'm not sure whether this issue lies in libuser or in some SELinux code, though. S-c-users could only catch the error at this point and bail out.
Just tried this for something remotely resembling a valid use case: having a home directory for which the parent doesn't allow listing (chmod a=x): root@gibraltar:~> mkdir /tmp/x root@gibraltar:~> chmod a=x /tmp/x root@gibraltar:~> luseradd -d /tmp/x/y y Error creating /tmp/x/y: couldn't determine security context for `/tmp/x/y': No such file or directory. root@gibraltar:~> ls /tmp/x root@gibraltar:~>
I think the problem rather may be related to the SELinux context (of /tmp or directories created therein) rather than the mode: It works in /home/x, with all permissions removed on /home/x: root@gibraltar:/home> mkdir x root@gibraltar:/home> chmod 000 x root@gibraltar:/home> luseradd -d /home/x/y y root@gibraltar:/home> It doesn't work in /tmp/x, or /tmp, with normal permissions: root@gibraltar:/tmp> mkdir x root@gibraltar:/tmp> ls -ld x drwxr-xr-x. 2 root root 4096 Sep 8 13:36 x root@gibraltar:/tmp> luseradd -d /tmp/x/y y Error creating /tmp/x/y: couldn't determine security context for `/tmp/x/y': No such file or directory. root@gibraltar:/tmp> luserdel -r y Error removing /tmp/x/y: Error removing `/tmp/x/y': No such file or directory. root@gibraltar:/tmp> ls -ld /tmp drwxrwxrwt. 15 root root 4096 Sep 8 13:36 /tmp root@gibraltar:/tmp> luseradd -d /tmp/y y Error creating /tmp/y: couldn't determine security context for `/tmp/y': No such file or directory. root@gibraltar:/tmp>
Fixed upstream in 2744aecc92b1f0c78d19022bf9e8107450544e18. Thanks for your report.
libuser-0.56.18-2.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/libuser-0.56.18-2.fc14
libuser-0.56.18-2.fc14 has been pushed to the Fedora 14 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update libuser'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/libuser-0.56.18-2.fc14
libuser-0.56.18-2.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.