| Summary: | sys-apps/openrc does not cleanup pam_mktemp-created temporary directories | ||
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Mike Nerone <mike> |
| Component: | Current packages | Assignee: | OpenRC Team <openrc> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | pam-bugs+disabled, swegener |
| Priority: | High | Keywords: | InOverlay |
| Version: | 2008.0 | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Package list: | Runtime testing required: | --- | |
| Attachments: | git am-compatible patch for the issue | ||
For convenience please post your "emerge --info". no real need for the info, I can see the problem... I'll think a bit about it... Yes, I, of course, normally post the emerge --info - in this case I didn't see any need because the cause is clear. it's always safer to append `emerge --info` even if you dont think it's necessary. sometimes developers want it to correlate things. Ok, then - I've seen the problem on systems using 2008.0 and hardened at this point (a couple of each - across different CPUs and very different systems - all x86, though). Here's my laptop, the one I first noticed it on: # emerge --info Portage 2.1.6.7 (default/linux/x86/2008.0/desktop, gcc-4.3.2, glibc-2.8_p20080602-r1, 2.6.24-tuxonice-r9 i686) ================================================================= System uname: Linux-2.6.24-tuxonice-r9-i686-Intel-R-_Core-TM-2_Duo_CPU_T7500_@_2.20GHz-with-glibc2.0 Timestamp of tree: Thu, 09 Apr 2009 16:45:03 +0000 app-shells/bash: 3.2_p39 dev-java/java-config: 1.3.7-r1, 2.1.7 dev-lang/python: 2.5.2-r7 dev-util/cmake: 2.6.2-r1 sys-apps/baselayout: 1.12.11.1 sys-apps/sandbox: 1.2.18.1-r2 sys-devel/autoconf: 2.13, 2.63 sys-devel/automake: 1.5, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.2 sys-devel/binutils: 2.18-r3 sys-devel/gcc-config: 1.4.0-r4 sys-devel/libtool: 1.5.26 virtual/os-headers: 2.6.27-r2 ACCEPT_KEYWORDS="x86" CBUILD="i686-pc-linux-gnu" CFLAGS="-O2 -march=prescott -fomit-frame-pointer -pipe" CHOST="i686-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/config /var/lib/hsqldb" CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/revdep-rebuild /etc/splash /etc/terminfo /etc/udev/rules.d" CXXFLAGS="-O2 -march=prescott -fomit-frame-pointer -pipe" DISTDIR="/usr/portage/distfiles" EMERGE_DEFAULT_OPTS=" --with-bdeps y" FEATURES="buildpkg collision-protect distlocks fixpackages parallel-fetch protect-owned sandbox sfperms strict unmerge-orphans userfetch userpriv userpriv_fakeroot usersandbox verify-rdepend" GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo" LANG="en_US.UTF-8" LC_ALL="en_US.UTF-8" LDFLAGS="-Wl,-O1" LINGUAS="en en_US" MAKEOPTS="-j3" PKGDIR="/usr/portage/packages" PORTAGE_CONFIGROOT="/" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/portage/local/layman/nerone /usr/portage/local/layman/sunrise /usr/local/portage" SYNC="PRIVATE MIRROR OMITTED" USE="X a52 aac acl acpi alsa amr audiofile avahi bash-completion bluetooth branding bsf bzip2 cairo caps cddb cdparanoia cdr cleartype cli cracklib crypt css cups curl dbus dri dts dv dvd dvdr dvdread emboss encode evo exif expat fam fame fastcgi fat fbsplash ffmpeg fftw firefox flac flash ftp gd gdbm geoip gif glib glitz glut gmp gnutls gphoto2 gpm gstreamer gtk hal hbci iconv idn imagemagick imap imlib ipv6 isdnlog ithreads jack java javascript jfs jpeg kde kdeenablefinal kdehiddenvisibility kipi lame laptop lcms libnotify lighttpd live lzo mad matroska mcal memlimit midi mikmod mjpeg mmap mmx mng mozilla mp3 mp4 mpeg mplayer mudflap musepack musicbrainz mysql ncurses network network-cron nls nntp nptl nptlonly nsplugin ntfs offensive ofx ogg openexr opengl pam pch pcre pdf perl physfs png postgres ppds pppd python qt3 qt3support qt4 quicktime rdesktop readline reflection reiserfs resolvconf rtc sasl schroedinger sdl session slp speex spell spl sqlite sse sse2 ssl startup-notification subversion svg symlink sysfs syslog taglib theora threads threadsafe thunderbird tidy tiff tk truetype unicode usb utempter utf8 vcd video vim-syntax vnc vorbis webdav win32codecs x264 x86 xattr xcb xcomposite xine xml xorg xosd xulrunner xv xvid zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="alias auth_basic authn_alias authn_default authn_file authz_default authz_groupfile authz_host authz_user autoindex dav dav_fs dir env include info log_config mime mime_magic negotiation proxy proxy_http rewrite setenvif status unique_id" APACHE2_MPMS="event" CAMERAS="directory" ELIBC="glibc" INPUT_DEVICES="evdev synaptics" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en en_US" USERLAND="GNU" VIDEO_CARDS="intel" Unset: CPPFLAGS, CTARGET, FFLAGS, INSTALL_MASK, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS I know I haven't found a solution yet, but since my time is limited, may _all_ of you please stop the "emerge --info yes or not" debate here? Thank you. Yes it is safer to always append it in the first description, but since I explicitly said I didn't need it, I would have preferred to not get it, just because it's more mail in my bugzilla inbox that I have to sift through. Thanks ^^; And now back to the drawing board... i imagine the chattr is more along the lines of preventing the user from doing `rm -rf ${TMP}` than making sure its state is preserved across reboots (since that is an invalid assumption).
might be nice if pam_mktemp cleaned up after itself with a call to chattr when the user logs out ?
I don't think pam_mktemp can ever chattr it away, it's not about preserving it between reboots but more as you said to stop users from deleting their tmpdir altogether. Okay seems like this one was worked around by Roy with 7b8215bbd3124117b1c5618cea05b6d6d29fce09 but also causes WIPE_TMP not to clean up the users' temporary directories. I'm going to attach a git commit that uses chattr to make sure WIPE_TMP is properly done. Created attachment 252703 [details, diff]
git am-compatible patch for the issue
(In reply to comment #10) > Created an attachment (id=252703) [details] > git am-compatible patch for the issue > Thank you Diego, it has been landed on trunk, we will branch 0.6.4 in next few days. |
As of recently, stable sys-auth/pambase has a "mktemp" USE flag, which enables pam_mktemp. pam_mktemp creates a per-use temp directory upon user login, setting TMP to point to it. The directory it creates is "/tmp/.private/username". When it creates that ".private" directory, it does a "chattr +a" on it, making it append-only - i.e. files and directories within it aren't allowed to be deleted. At the next boot, if WIPE_TMP is turned on, as it is by default, /etc/init.d/bootmisc tries to rmdir /tmp/.private/username, resulting in a message similar to: rmdir: failed to remove './.private/username': Operation not permitted Boot then proceeds normally, but the error is not desirable at best, and potentially alarming if someone doesn't know what they're seeing. I'm not positive what the best solution is. Some possibilities that jump to mind are: 1. Patch mktemp to not do the chattr at all. 2. Add ".private" to the WIPE_TMP exclusion list in bootmisc. 3. "[ -d /tmp/.private ] && chattr -a /tmp/.private" in bootmisc just prior to the wipe. Option 1 doesn't see ideal - the devs thought the chattr was important enough to put it, so perhaps it should remain. Additionally, the difference from other distros might cause confusion. Option 2 would mean that the tmp directories never get deleted, which could eventually result in a *lot* of cruft on multi-user systems. Option 3 seems like the least of the evils to my meager brain, but more experienced distro folks might see a problem with doing that.