[Bug 1408589] Comment bridged from LTC Bugzilla

bugproxy bugproxy at us.ibm.com
Tue Jan 27 12:59:20 UTC 2015


------- Comment From mauricfo at br.ibm.com 2015-01-27 12:55 EDT-------
The error actually happened because the chroot was mounted over NFSv4, and the NFSv4 server had incorrect domain name configuration.

Then, the NFSv4 idmapd didn't match 'localdomain' (server) with
cluster.com (client), resulting in the chfn binary (and others) being
owned by nobody/nogroup; this, combined with the suid bit of that binary,
resulted in the kernel denying it during the PAM/audit check (the failure
occurs right after the socket/sendto/recvfrom syscalls from PAM to kernel
audit).

Solution was to configure the domain name correctly on the server.
Possible workarounds were:
- Use NFSv3 (which has no Name-ID Mapping / idmapd)
- Clear the suid bit

More detailed description from e-mail:
----------------------------------------------------

The problem happened because the 'chfn' binary had the suid bit set and was not owned by root
(actually, nobody/nogroup), so the kernel audit refused it during the PAM/auth step
(the PAM error follows right after the socket/sendto/recvfrom syscalls for kernel audit)

That ownership mistake only exists on the NFS mount/client (on tulgpu002). It is correct
(root/root) on the NFS server (bgxcat).

That happened due to a misconfiguration in the NFSv4 rpc.idmapd on the bgxcat server;
bgxcat had no FQDN/fully-qualified domain name configured, so the NFSv4 idmapd didn't
allow bgxcat user 'root' to be 'root' on tulgpu002, because of a mismatch between their
domains ('localdomain' on bgxcat, 'cluster.com' in tulgpu002).

For a solution, either fixing the network/domain configuration in bgxcat, or using NFSv3,
works.  I have already performed the former for you, and validated the latter.

[root at bgxcat mauricfo]# cat /etc/sysconfig/network
NETWORKING=yes
#HOSTNAME=bgxcat
HOSTNAME=bgxcat.cluster.com

For those interested, more technical details / demonstration are
provided below.

I'm happy to extend the discussion if anyone has questions/comments.

Demonstrating problem/workaround w/ NFSv4 ID Mapping (misconfiguration on bgxcat server)
----------------------------------------------------------------------------------------

Trying in tulgpu002 (/install mounted over NFSv4)

root at tulgpu002:~/mauricio# mount | grep /install
bgxcat:/install on /install type nfs (rw,vers=4,addr=10.0.0.1,clientaddr=10.0.0.7)

root at tulgpu002:~/mauricio# chroot /install/netboot/ubuntu14.10/ppc64el/tulgpu-0001-netboot-compute/rootimg /usr/bin/chfn -f 'games user' games
chfn: PAM: System error

The chfn binary has the suid bit set, but uid/gid are NOT root
(nobody/nogroup). This leads to the problem.

root at tulgpu002:~/mauricio# ls -lh /install/netboot/ubuntu14.10/ppc64el/tulgpu-0001-netboot-compute/rootimg/usr/bin/chfn
-rwsr-sr-x 1 nobody nogroup 53K Jul 18  2014 /install/netboot/ubuntu14.10/ppc64el/tulgpu-0001-netboot-compute/rootimg/usr/bin/chfn

On bgxcat (the source of /install), all is fine: suid is set, and the
uid/gid are root. No problems there.

[root at bgxcat mauricfo]# ls -lh /install/netboot/ubuntu14.10/ppc64el/tulgpu-0001-netboot-compute/rootimg/usr/bin/chfn
-rwsr-sr-x 1 root root 53K Jul 18  2014 /install/netboot/ubuntu14.10/ppc64el/tulgpu-0001-netboot-compute/rootimg/usr/bin/chfn

The owner/group permissions change because of NFSv4 ID Mapping
(rpc.idmapd).

root at tulgpu002:~/mauricio# grep ^No /etc/idmapd.conf
Nobody-User = nobody
Nobody-Group = nogroup

# mount | grep /install
bgxcat:/install on /install type nfs (rw,vers=4,addr=10.0.0.1,clientaddr=10.0.0.7)

If you retry with NFSv3, which has no ID Mapping, it works.

root at tulgpu002:~/mauricio# umount /install
root at tulgpu002:~/mauricio# mount -t nfs -o vers=3 bgxcat:/install /install
root at tulgpu002:~/mauricio# mount | grep /install
bgxcat:/install on /install type nfs (rw,vers=3,addr=10.0.0.1)

The user/group show up as root.

root at tulgpu002:~/mauricio# ls -lh /install/netboot/ubuntu14.10/ppc64el/tulgpu-0001-netboot-compute/rootimg/usr/bin/chfn
-rwsr-sr-x 1 root root 53K Jul 18  2014 /install/netboot/ubuntu14.10/ppc64el/tulgpu-0001-netboot-compute/rootimg/usr/bin/chfn

And chroot chfn passes.

root at tulgpu002:~/mauricio# chroot /install/netboot/ubuntu14.10/ppc64el/tulgpu-0001-netboot-compute/rootimg /usr/bin/chfn -f 'games user' games
root at tulgpu002:~/mauricio#

Go back to NFSv4, and you'll see the problem.

root at tulgpu002:~/mauricio# umount /install
root at tulgpu002:~/mauricio# mount -t nfs -o vers=4 bgxcat:/install /install
root at tulgpu002:~/mauricio# mount | grep /install
bgxcat:/install on /install type nfs (rw,vers=4,addr=10.0.0.1,clientaddr=10.0.0.7)

User/group are not root anymore.

root at tulgpu002:~/mauricio# ls -lh /install/netboot/ubuntu14.10/ppc64el/tulgpu-0001-netboot-compute/rootimg/usr/bin/chfn
-rwsr-sr-x 1 nobody nogroup 53K Jul 18  2014 /install/netboot/ubuntu14.10/ppc64el/tulgpu-0001-netboot-compute/rootimg/usr/bin/chfn

root at tulgpu002:~/mauricio# chroot /install/netboot/ubuntu14.10/ppc64el/tulgpu-0001-netboot-compute/rootimg /usr/bin/chfn -f 'games user' games
chfn: PAM: System error

If you clear the suid bit, things work too.

root at tulgpu002:~/mauricio# chmod -s /install/netboot/ubuntu14.10/ppc64el/tulgpu-0001-netboot-compute/rootimg/usr/bin/chfn

root at tulgpu002:~/mauricio# ls -lh /install/netboot/ubuntu14.10/ppc64el/tulgpu-0001-netboot-compute/rootimg/usr/bin/chfn
-rwxr-xr-x 1 nobody nogroup 53K Jul 18  2014 /install/netboot/ubuntu14.10/ppc64el/tulgpu-0001-netboot-compute/rootimg/usr/bin/chfn

root at tulgpu002:~/mauricio# chroot /install/netboot/ubuntu14.10/ppc64el/tulgpu-0001-netboot-compute/rootimg /usr/bin/chfn -f 'games user' games

Set it, and the problem is back:

root at tulgpu002:~/mauricio# chmod +s /install/netboot/ubuntu14.10/ppc64el/tulgpu-0001-netboot-compute/rootimg/usr/bin/chfn

root at tulgpu002:~/mauricio# ls -lh /install/netboot/ubuntu14.10/ppc64el/tulgpu-0001-netboot-compute/rootimg/usr/bin/chfn
-rwsr-sr-x 1 nobody nogroup 53K Jul 18  2014 /install/netboot/ubuntu14.10/ppc64el/tulgpu-0001-netboot-compute/rootimg/usr/bin/chfn

root at tulgpu002:~/mauricio# chroot /install/netboot/ubuntu14.10/ppc64el/tulgpu-0001-netboot-compute/rootimg /usr/bin/chfn -f 'games user' games
chfn: PAM: System error

Fixing this configuration in the bgxcat server:
-----------------------------------------------

root at tulgpu002:~/mauricio# grep idmap /var/log/syslog
<...>
Jan 27 04:51:13 tulgpu002 rpc.idmapd[146646]: nss_getpwnam: name 'root at localdomain' does not map into domain 'cluster.com'
Jan 27 05:05:56 tulgpu002 rpc.idmapd[146646]: nss_getpwnam: name 'nfsnobody at localdomain' does not map into domain 'cluster.com'
<...>

[root at bgxcat ppc64el]# grep idmap /var/log/messages
<...>
Jan 27 05:06:09 bgxcat rpc.idmapd[3851]: nss_getpwnam: name '0' does not map into domain 'localdomain'
Jan 27 05:06:13 tulgpu002 rpc.idmapd[146646]: nss_getpwnam: name 'root at localdomain' does not map into domain 'cluster.com'
<...>

http://support.hp.com/us-en/document/c03462757

# man idmapd.conf
<...>
Domain The local NFSv4 domain name.  An NFSv4 domain is a namespace  with  a  unique  username<->UID  and  groupname<->GID  mapping.
(Default: Host's fully-qualified DNS domain name)
<...>

# cat /etc/idmapd.conf
<...>
# The following should be set to the local NFSv4 domain name
# The default is the host's DNS domain name.
#Domain = local.domain.edu
<...>

[root at bgxcat mauricfo]# hostname -f
bgxcat

[root at bgxcat mauricfo]# dnsdomainname
[root at bgxcat mauricfo]#

... Hm, not a FQDN / DNS domain name.

Fix:

[root at bgxcat mauricfo]# hostname bgxcat.cluster.com

[root at bgxcat mauricfo]# hostname -f
bgxcat.cluster.com

[root at bgxcat mauricfo]# dnsdomainname
cluster.com

[root at bgxcat mauricfo]# hostname
bgxcat.cluster.com

[root at bgxcat mauricfo]# hostname -s
bgxcat

All OK now.

# vim /etc/sysconfig/network
<... added domain cluster.com in HOSTNAME, as in https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/ch-The_sysconfig_Directory.html)

[root at bgxcat mauricfo]# cat /etc/sysconfig/network
NETWORKING=yes
#HOSTNAME=bgxcat
HOSTNAME=bgxcat.cluster.com

[root at bgxcat mauricfo]# service rpcidmapd restart
Shutting down RPC idmapd:                                  [  OK  ]
Starting RPC idmapd:                                       [  OK  ]

root at tulgpu002:~/mauricio# mkdir test
root at tulgpu002:~/mauricio# mount bgxcat:/install test
root at tulgpu002:~/mauricio# mount | grep /test
bgxcat:/install on /root/mauricio/test type nfs (rw,vers=4,addr=10.0.0.1,clientaddr=10.0.0.7)

It's NFSv4, but now w/ correct ID Mapping:

root at tulgpu002:~/mauricio# ls -lh test/netboot/ubuntu14.10/ppc64el/tulgpu-0001-netboot-compute/rootimg/usr/bin/chfn
-rwsr-sr-x 1 root root 53K Jul 18  2014 test/netboot/ubuntu14.10/ppc64el/tulgpu-0001-netboot-compute/rootimg/usr/bin/chfn

root at tulgpu002:~/mauricio# chroot test/netboot/ubuntu14.10/ppc64el/tulgpu-0001-netboot-compute/rootimg /usr/bin/chfn -f test games
root at tulgpu002:~/mauricio#

And it works.
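Two checks for the failure mode described in this comment, as an added example that is not part of the bug report: the first distills rpc.idmapd "does not map into domain" syslog lines into the distinct (remote domain -> local domain) pairs that disagree, the second lists setuid/setgid files under a mount whose owner uid is not the expected one, which is how the mismapped chfn shows up. It assumes a find that supports -uid and -xdev (GNU or BSD) and POSIX sed/awk; the sample log lines are constructed, modelled on the ones quoted above.

```shell
#!/bin/sh
# Added example, not code from the bug report. Assumes GNU/BSD find, POSIX sed/awk.

# Read syslog text on stdin and print each "remote -> local" NFSv4 domain pair
# that rpc.idmapd refused to map, once per pair. A name with no '@' part
# (e.g. the bare '0' the server logged) is reported as "(none)".
idmap_domain_mismatches() {
    grep 'does not map into domain' \
    | sed -n "s/.*name '\([^']*\)' does not map into domain '\([^']*\)'.*/\1 \2/p" \
    | awk '{
        n = split($1, parts, "@")
        remote = (n > 1) ? parts[n] : "(none)"
        key = remote " -> " $2
        if (!(key in seen)) { seen[key] = 1; print key }
      }'
}

# List setuid/setgid regular files under DIR whose owner uid is not WANT_UID
# (default 0). On the misconfigured NFSv4 mount, rootimg/usr/bin/chfn
# (owned by nobody/nogroup on the client) is exactly what this finds.
suid_not_owned_by() {
    dir=$1
    want_uid=${2:-0}
    find "$dir" -xdev -type f \( -perm -4000 -o -perm -2000 \) ! -uid "$want_uid" -print
}

# Constructed sample log lines, modelled on the report's syslog excerpt.
SAMPLE_LOG="Jan 27 04:51:13 tulgpu002 rpc.idmapd[146646]: nss_getpwnam: name 'root@localdomain' does not map into domain 'cluster.com'
Jan 27 05:05:56 tulgpu002 rpc.idmapd[146646]: nss_getpwnam: name 'nfsnobody@localdomain' does not map into domain 'cluster.com'
Jan 27 05:06:09 bgxcat rpc.idmapd[3851]: nss_getpwnam: name '0' does not map into domain 'localdomain'
Jan 27 05:06:13 tulgpu002 rpc.idmapd[146646]: nss_getpwnam: name 'root@localdomain' does not map into domain 'cluster.com'"

# Usage: sh idmap_check.sh --demo [MOUNTPOINT]
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | idmap_domain_mismatches
    suid_not_owned_by "${2:-/}"
fi
```

On a healthy NFSv4 client the first check prints nothing and the second prints nothing for a root-owned chroot image; either producing output points at the idmapd domain configuration before anything else.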

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to shadow in Ubuntu.
https://bugs.launchpad.net/bugs/1408589

Title:
  chfn does not work in chroot environment

Status in shadow package in Ubuntu:
  New

Bug description:
  == Comment: #0 - Guang Cheng Li <liguangc at cn.ibm.com> - 2015-01-07 01:51:51 ==
  ---Problem Description---
  chfn does not work in a chroot environment.

  In a chroot environment, the chroot exits with error "chfn: PAM:
  System error" and does not do anything.

  This might be related to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=763391 and https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=745082
   
  Contact Information = Guang Cheng Li liguangc at cn.ibm.com, Ralph Bellofatto ralphbel at us.ibm.com 
   
  ---uname output---
  Linux tulgpu002 3.16.0-23-generic #31-Ubuntu SMP Tue Oct 21 17:55:08 UTC 2014 ppc64le ppc64le ppc64le GNU/Linux
   
  Machine Type = N/A 
   
  ---Debugger---
  A debugger is not configured
   
  ---Steps to Reproduce---
   Create a Ubuntu chroot environment, chroot into the directory, then run chfn.

  root at tulgpu002:~# ls
  chfn-error-rootimg
  root at tulgpu002:~# chroot chfn-error-rootimg
  root at tulgpu002:/# ls
  bin   dev  home        lib    media  opt   root  sbin  sys  usr  vmlinux
  boot  etc  initrd.img  lib64  mnt    proc  run   srv   tmp  var  xcatpost
  root at tulgpu002:/# 
  root at tulgpu002:/# chfn -f 'games user id' games
  chfn: PAM: System error
  root at tulgpu002:/# 

   
  *Additional Instructions for Guang Cheng Li liguangc at cn.ibm.com, Ralph Bellofatto ralphbel at us.ibm.com: 
  -Post a private note with access information to the machine that the bug is occurring on.
