Description of problem:
I have a college lab set up with Fedora 17 x86_64 machines. They authenticate against a CentOS 6 server with the 389 DS. Local unix users can mount USB drives and such under Gnome without a problem. However, when one of the LDAP users tries, they are denied permission to /run/media/$USER/$DEVICENAME. Looking at the directory permissions and selinux attributes between the folders created for the local user and the LDAP user, I see no differences. This works fine for all users in KDE which still uses the first udisks and mounts to /media.

Version-Release number of selected component (if applicable):
udisks2-1.94.0-8.fc17

How reproducible:
Every time

Steps to Reproduce:
1. Set up Fedora machine with LDAP authenticated users
2. Log into Gnome
3. Try to mount a USB drive

Actual results:
Permission denied on mount folder

Expected results:
Normal access to the mount folder

Additional info:
This is preventing users from normal operations (backing up projects, etc) and the teachers wish for the students to use Gnome, so switching to KDE is not a universal fix.
Can the user access /run/media/$USER or is it only a problem with /run/media/$USER/$DEVICE? What filesystem is used on the USB device? As root, please run this command and paste it here

    getfacl /run/media/$USER
The LDAP user cannot get to /run/media/$USER either. Output of getfacl is:

    [root@$HOST ~]# getfacl /run/media/999888
    getfacl: Removing leading '/' from absolute path names
    # file: run/media/999888
    # owner: root
    # group: root
    user::rwx
    user:999888:r-x
    group::---
    mask::r-x
    other::---

I forgot to mention before that there are no selinux messages generated. Watching /var/log/messages when trying to mount for the LDAP user and the local user shows virtually the same thing (mounted $DEVICE at /run/media/$USER/$DEVICENAME on behalf of uid $UID).
Hmm, what is the UID of the user in question? Please provide the output of the id(1) command run as the user, for example

    $ id
    uid=500(davidz) gid=500(davidz) groups=500(davidz),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Also please provide the output of 'tree -ugp /run/media' run as both the user and root (you may need to install the 'tree' package). Please also try to see if the problem goes away when putting selinux in permissive mode (run 'setenforce 0' as root).
Output of id:

    uid=5001(999888) gid=5001(students) groups=5001(students) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Output of tree as LDAP user:

    /run/media
    ├── [drwxr-x--- root root ] 999888 [error opening dir]
    └── [drwxr-x--- root root ] ittech [error opening dir]

    2 directories, 0 files

Output of tree as root:

    /run/media
    ├── [drwxr-x--- root root ] 999888
    │   └── [drwx------ 999888 students] 20C5-D752
    │       [...]
    └── [drwxr-x--- root root ] ittech

    46 directories, 140 files

I already tried turning off selinux via setenforce and it made no difference.
So, wait a minute, the username is "999888" with the uid being 5001, correct? If so, I don't see udisks doing anything wrong ... I mean, according to comment 2, there is a read ACL for that user. Please also provide the output of

    getfacl -n /run/media/999888

run as root and

    strace ls -l /run/media/999888

run as the user. Thanks.
Output of getfacl:

    getfacl: Removing leading '/' from absolute path names
    # file: run/media/999888
    # owner: 0
    # group: 0
    user::rwx
    user:999888:r-x
    group::---
    mask::r-x
    other::---

And herein I believe lies the problem. It's setting the username as the uid and not resolving properly. I ran into the problem with the quota packages and had to do some fancy workarounds to pass the uid directly. Seems all numeric user names cause all kinds of trouble. But that unfortunately can't change in our policies.
OK, I just tried this with a user with username "1001" and uid 502 and it seems to work just fine:

    [root@thinkpad ~]# getfacl /run/media/1001
    getfacl: Removing leading '/' from absolute path names
    # file: run/media/1001
    # owner: root
    # group: root
    user::rwx
    user:1001:r-x
    group::---
    mask::r-x
    other::---

    [root@thinkpad ~]# getfacl -n /run/media/1001
    getfacl: Removing leading '/' from absolute path names
    # file: run/media/1001
    # owner: 0
    # group: 0
    user::rwx
    user:502:r-x
    group::---
    mask::r-x
    other::---

    [1001@thinkpad ~]$ ls -l /run/media/1001/Fedora_17_ppc/
    total 8
    dr-xr-xr-x. 2 1001 1001 2048 Jun 8 18:19 etc
    dr-xr-xr-x. 3 1001 1001 2048 Jun 8 18:19 images
    dr-xr-xr-x. 2 1001 1001 2048 Jun 8 18:19 LiveOS
    dr-xr-xr-x. 5 1001 1001 2048 Jun 8 18:19 ppc
This is with Fedora 18 though which uses libacl directly. I see that you filed this against Fedora 17 which, IIRC, is calling out to setfacl: http://cgit.freedesktop.org/udisks/tree/src/udiskslinuxfilesystem.c?id=1.94.0#n831 which explains the problem.
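The mismatch diagnosed in the comments above can be checked mechanically from `getfacl -n` output. This is an added example, not part of the original thread or of udisks: it flags a mount directory whose named-user ACL entry holds the all-numeric username instead of the account's UID. The function names and result strings are hypothetical, and the two listings are constructed from the outputs quoted in the thread.

```python
import re

# Constructed samples: the two `getfacl -n` listings quoted in the thread.
F17_LISTING = """\
# file: run/media/999888
# owner: 0
# group: 0
user::rwx
user:999888:r-x
group::---
mask::r-x
other::---
"""
F18_LISTING = """\
# file: run/media/1001
# owner: 0
# group: 0
user::rwx
user:502:r-x
group::---
mask::r-x
other::---
"""


def named_user_acl(listing):
    """Map uid -> effective perms for the named-user entries of `getfacl -n` output."""
    entries, mask = {}, "rwx"
    for raw in listing.splitlines():
        # Drop header lines and trailing "#effective:" comments before matching.
        m = re.fullmatch(r"(user|mask):(\d*):([r-][w-][x-])", raw.split("#")[0].strip())
        if m and m.group(1) == "mask":
            mask = m.group(3)
        elif m and m.group(2):
            entries[int(m.group(2))] = m.group(3)
    # The mask caps what every named-user entry actually grants.
    return {uid: "".join(p if k != "-" else "-" for p, k in zip(perms, mask))
            for uid, perms in entries.items()}


def check_mount_acl(listing, username, uid):
    """Classify the ACL on /run/media/<username> against the account's real uid."""
    acl = named_user_acl(listing)
    if set("rx") <= set(acl.get(uid, "")):
        return "ok"
    if re.fullmatch(r"[0-9]+", username) and int(username) in acl:
        return "username-stored-as-uid"
    return "no-entry-for-uid"
```

On a live machine, pass the output of `getfacl -n /run/media/<user>` together with the number printed by `id -u <user>`.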
Okay, thanks. I'll see if I can cherry-pick the newer package into our installation and that should work. Since the problem has been indirectly fixed upstream, I would assume the bug can be closed.
The patch actually applies to the f17 packages. I'm building an update right now.
Great! Thank you. Unfortunately, I won't be able to test the update until Monday.
udisks2-1.94.0-10.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/udisks2-1.94.0-10.fc17
Package udisks2-1.94.0-10.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.

Update it with:

    # su -c 'yum update --enablerepo=updates-testing udisks2-1.94.0-10.fc17'

as soon as you are able to, then reboot.

Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-16098/udisks2-1.94.0-10.fc17
then log in and leave karma (feedback).
Works perfectly. I commented on the update. Now I'm pushing the package to the lab. Thanks for your help.
udisks2-1.94.0-10.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.