Description of problem:
useradd will not add to /etc/passwd
groupadd will add to /etc/group

Version-Release number of selected component (if applicable):
# rpm -q -f /usr/sbin/useradd
shadow-utils-4.1.4.3-12.fc17.i686

How reproducible:
100% on 3x installations of rawhide 2012-01-02

Steps to Reproduce:
1. install rawhide
2. ssh in as root
3. useradd -u 500 -g wbaker wbaker

Actual results:
$ useradd -u 500 -g wbaker wbaker
useradd: cannot open /etc/passwd

Expected results:
a user record for wbaker

Additional info:
I am trying to accomplish:
groupadd -g 500 wbaker
useradd -u 500 -g wbaker wbaker
usermod -c 'Wendell Craig Baker' wbaker

This works on F16
This does not work on rawhide

My SElinux contexts are ok.
# id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
# id -a
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

The filesystem has not failed and become readonly underneath me
# grep ro, /proc/mounts

Not out of space on /
# df -h .
Filesystem                            Size  Used Avail Use% Mounted on
/dev/mapper/vg_fishneteffect-lv_root   50G  4.3G   44G   9% /

No new permissions (this is the same as on F16.Verne)
# lsattr -d /etc /etc/passwd /etc/group
----------I--e- /etc
-------------e- /etc/passwd
-------------e- /etc/group

Ibidem.
# ls -alsdZ /etc /etc/passwd /etc/group
drwxr-xr-x. root root system_u:object_r:etc_t:s0 /etc
-rw-r--r--. root root system_u:object_r:etc_t:s0 /etc/group
-rw-r--r--. root root system_u:object_r:etc_t:s0 /etc/passwd

strace shows
$ strace useradd -u 500 -g wbaker wbaker >& /tmp/o.strace.out
$ less /tmp/o.strace.out
...etc...
connect(4, {sa_family=AF_FILE, path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
close(4) = 0
open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 4
fstat64(4, {st_mode=S_IFREG|0644, st_size=1742, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb75ea000
read(4, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 1742
read(4, "", 4096) = 0
close(4) = 0
munmap(0xb75ea000, 4096) = 0
open("/etc/.pwd.lock", O_WRONLY|O_CREAT|O_CLOEXEC, 0600) = 4
rt_sigaction(SIGALRM, {0x426e19b0, ~[], 0}, {SIG_DFL, [], 0}, 8) = 0
rt_sigprocmask(SIG_UNBLOCK, [ALRM], [], 8) = 0
alarm(15) = 0
fcntl64(4, F_SETLKW, {type=F_WRLCK, whence=SEEK_SET, start=0, len=0}) = 0
alarm(0) = 15
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
rt_sigaction(SIGALRM, {SIG_DFL, [], 0}, NULL, 8) = 0
getpid() = 3427
open("/etc/passwd.3427", O_WRONLY|O_CREAT|O_EXCL|O_LARGEFILE, 0600) = 5
write(5, "3427\0", 5) = 5
close(5) = 0
link("/etc/passwd.3427", "/etc/passwd.lock") = 0
stat64("/etc/passwd.3427", {st_mode=S_IFREG|0600, st_size=5, ...}) = 0
unlink("/etc/passwd.3427") = 0
open("/etc/passwd", O_RDWR|O_LARGEFILE) = -1 EACCES (Permission denied)
open("/usr/share/locale/locale.alias", O_RDONLY|O_CLOEXEC) = 5
fstat64(5, {st_mode=S_IFREG|0644, st_size=2512, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb75ea000
read(5, "# Locale name alias data base.\n#"..., 4096) = 2512
read(5, "", 4096) = 0
close(5) = 0
munmap(0xb75ea000, 4096) = 0

The groupadd worked (groupadd is not broken)
The useradd did not (useradd is broken)

# tail /etc/passwd /etc/group
==> /etc/passwd <==
pulse:x:996:994:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin
gdm:x:42:42::/var/lib/gdm:/sbin/nologin
nm-openconnect:x:995:992:NetworkManager user for OpenConnect:/:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
chrony:x:994:991::/var/lib/chrony:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin

==> /etc/group <==
nm-openconnect:x:992:
mailnull:x:47:
smmsp:x:51:
rpcuser:x:29:
nfsnobody:x:65534:
sshd:x:74:
chrony:x:991:
slocate:x:21:
tcpdump:x:72:
wbaker:x:500:
*** Bug 771630 has been marked as a duplicate of this bug. ***
Created attachment 550722
audit.log from a fresh rawhide install (install circa 2012-01-02)

For completeness I submit the whole audit.log trail over the (short) lifetime of the install.

Highlighting:

type=AVC msg=audit(1325618084.951:825): avc: denied { write } for pid=3360 comm="useradd" name="passwd" dev=dm-2 ino=2099408 scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file

Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.

Here's the relevant parts.

# grep -iEe '(useradd|groupadd)' audit.log > usergroupadd-audit.log
# audit2allow < usergroupadd-audit.log

#============= useradd_t ==============
allow useradd_t etc_t:file write;
/etc/passwd is mislabeled. You need to execute

$ restorecon -R -v /etc/passwd /etc/group
Got it. Need to relabel the tmpfile /etc/passwd- (which doesn't exist) too.

[root ~]# /sbin/restorecon -v -v -R /etc/{passwd,group,shadow,gshadow}
/sbin/restorecon reset /etc/passwd context system_u:object_r:etc_t:s0->system_u:object_r:passwd_file_t:s0
/sbin/restorecon reset /etc/group context system_u:object_r:etc_t:s0->system_u:object_r:passwd_file_t:s0
[root ~]# useradd -u 500 -g wbaker wbaker
useradd: failure while writing changes to /etc/passwd

(the /var/mail/wbaker and /home/wbaker got created but not the passwd entry)

Also mislabeled:
[root ~]# /sbin/restorecon -v -v -R /etc/passwd-
/sbin/restorecon reset /etc/passwd- context system_u:object_r:etc_t:s0->system_u:object_r:passwd_file_t:s0

(retrying)
[root ~]# rm -rf /var/mail/wbaker /
[root ~]# useradd -u 500 -g wbaker wbaker
(ok)

Happy.
*** Bug 781737 has been marked as a duplicate of this bug. ***
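
Added example (not part of the original bug thread or of any project's code): a small triage of AVC denials that separates the case seen here, an account file carrying the wrong label (fix with restorecon), from a denial on a correctly labelled file, where the audit2allow rule is what would need review. The expected-type table holds only the labels shown in the restorecon output above; the function names, the second log line and example_t are constructed for illustration.

```python
import re

# Expected SELinux types, taken from the restorecon output in this thread.
# The AVC "name" field is only the last path component: a match is a hint.
EXPECTED_TYPE = {"passwd": "passwd_file_t", "group": "passwd_file_t",
                 "passwd-": "passwd_file_t"}

AVC_RE = re.compile(r"type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
                    r"\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# The denial quoted in the attachment comment of this thread.
PAGE_AVC = ('type=AVC msg=audit(1325618084.951:825): avc: denied { write } '
            'for pid=3360 comm="useradd" name="passwd" dev=dm-2 ino=2099408 '
            'scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 '
            'tcontext=system_u:object_r:etc_t:s0 tclass=file')
# Constructed sample: same file, correctly labelled, hypothetical domain.
CONSTRUCTED_AVC = ('type=AVC msg=audit(1325618090.000:900): avc: denied '
                   '{ write } for pid=4000 comm="example" name="passwd" '
                   'dev=dm-2 scontext=system_u:system_r:example_t:s0 '
                   'tcontext=system_u:object_r:passwd_file_t:s0 tclass=file')


def parse_avc(line):
    """Return the fields of an AVC denial line as a dict, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    if "scontext" not in rec or "tcontext" not in rec:
        return None
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type:level; the type is the third field.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def triage(line):
    """Return ("relabel", detail) or ("review-policy", detail), else None."""
    rec = parse_avc(line)
    if rec is None:
        return None
    want = EXPECTED_TYPE.get(rec.get("name"))
    if rec.get("tclass") == "file" and want and rec["ttype"] != want:
        return ("relabel", f"{rec['name']}: {rec['ttype']} -> {want}")
    rule = f"{rec['stype']} {rec['ttype']}:{rec.get('tclass')}"
    return ("review-policy", f"{rule} {' '.join(rec['perms'])}")
```

Calling triage(PAGE_AVC) flags the denial from this bug as a labelling problem, which matches the resolution reached in the thread rather than the allow rule audit2allow proposed.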