Bug 497456 - sys-apps/opentmpfiles with sys-auth/nss_ldap - /lib64/rc/sh/tmpfiles.sh sets invalid gid/uid on /dev nodes
Status: UNCONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: William Hubbs
Keywords: PATCH
Reported: 2014-01-07 22:28 UTC by José María Fernández González
Modified: 2021-03-22 20:43 UTC


Attachments
tmpfiles.sh patch (file_497456.txt, 573 bytes, patch)
2014-08-30 17:53 UTC, razamatan

Description José María Fernández González 2014-01-07 22:28:58 UTC
sys-apps/kmod installs /etc/init.d/kmod-static-nodes, which on boot generates file /run/tmpfiles.d/kmod.conf. This file is used by /etc/init.d/tmpfiles.setup and /etc/init.d/tmpfiles.dev in order to read the list of static device files which have to be created in /dev.

When a system is configured to use LDAP, through setting up at least passwd, shadow and group entries of /etc/nsswitch.conf to something similar to:

passwd:      files ldap
shadow:      files ldap
group:       files ldap

user lookups are first done in local files, and then in LDAP.

If you set up /etc/ldap.conf properly (through the nss_initgroups_ignoreusers directive), nss_ldap skips looking up the users you list there, which is useful when the machine is booting and the network is not yet online.

But even with that, as is documented in the following blog entry:

https://bugs.archlinux.org/task/27984

when /lib/rc/sh/tmpfiles.sh uses files which contain entries where the user or group declarations are not names (i.e. numbers or the dash), nss_ldap does not skip the search. This search will hang in scenarios where there is no reachable LDAP server, such as booting.

kmod, at boot time, generates compatible tmpfiles.d configuration files, containing dashes for the user and group declarations of each entry.

Reproducible: Always

Steps to Reproduce:
1. Install kmod and nss_ldap
2. Setup your system to retrieve the list of users and groups through LDAP
3. Reboot your system

Actual Results:  
The system stalls on /etc/init.d/tmpfiles.setup and /etc/init.d/tmpfiles.dev when /lib/rc/sh/tmpfiles.sh processes the file /run/tmpfiles.d/kmod.conf, generated inside /etc/init.d/kmod-static-nodes by 'kmod static-nodes --format=tmpfiles --output=/run/tmpfiles.d/kmod.conf', because the generated file uses dashes, for instance:

c /dev/fuse 0600 - - - 10:229
c /dev/loop-control 0600 - - - 10:237
d /dev/net 0755 - - -
c /dev/net/tun 0600 - - - 10:200
d /dev/snd 0755 - - -
c /dev/snd/timer 0600 - - - 116:33
d /dev/snd 0755 - - -
c /dev/snd/seq 0600 - - - 116:1

instead of named user/group declarations:

c /dev/fuse 0600 root root - 10:229
c /dev/loop-control 0600 root root - 10:237
d /dev/net 0755 root root -
c /dev/net/tun 0600 root root - 10:200
d /dev/snd 0755 root root -
c /dev/snd/timer 0600 root root - 116:33
d /dev/snd 0755 root root -
c /dev/snd/seq 0600 root root - 116:1


Expected Results:  
When /etc/init.d/kmod-static-nodes generates /run/tmpfiles.d/kmod.conf using named users and groups, the system boots properly, with no stalls. I have tested it by adding the following line in /etc/init.d/kmod-static-nodes:

sed -i 's/ - - / root root /' /run/tmpfiles.d/kmod.conf

after the 'kmod static-nodes --format=tmpfiles --output=/run/tmpfiles.d/kmod.conf' declaration
Comment 1 William Hubbs gentoo-dev 2014-01-08 19:56:24 UTC
This is a bug for kmod, not OpenRC.
Comment 2 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2014-01-08 20:00:56 UTC
not a bug in ldap, removing myself
Comment 3 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2014-01-08 20:01:23 UTC
not ldap bug, removing ldap-bugs...
Comment 4 Mike Gilbert gentoo-dev 2014-01-08 20:12:59 UTC
Why is it trying to do a passwd lookup when we pass a UID value of 0? That seems kind of broken.
Comment 5 Samuli Suominen (RETIRED) gentoo-dev 2014-05-11 10:45:04 UTC
(In reply to William Hubbs from comment #1)
> This is a bug for kmod, not OpenRC.

That doesn't seem right, whereas systemd is capable of handling the kmod-generated .conf properly; why can't OpenRC?
Comment 6 razamatan 2014-08-30 17:53:01 UTC
Created attachment 383978
tmpfiles.sh patch

sys-apps/openrc-0.12.4 patch
Comment 7 razamatan 2014-08-30 17:55:21 UTC
the patch i just posted fixes things for me.. doesn't have to rely on upstream kmod changes.

ideally, the script should drop the -o and -g flags when the user and group params are unset (or set to -) to let the commands use the running user and their group.  but, i got lazy and just hard coded root.
Comment 8 William Hubbs gentoo-dev 2014-09-01 18:28:48 UTC
@floppym:
Does systemd's tmpfiles program ignore the uid and gid if "-" is passed in those positions?
Comment 9 Nico Suhl 2015-01-25 15:43:46 UTC
The patch for tmpfiles.sh is working and correct, in my opinion.
+1
Comment 10 Mike Gilbert gentoo-dev 2021-03-22 20:38:45 UTC
tmpfiles.sh was moved to opentmpfiles a while ago. I wonder if this is still an issue for opentmpfiles?
Comment 11 Mike Gilbert gentoo-dev 2021-03-22 20:43:07 UTC
(In reply to William Hubbs from comment #8)
> @floppym:
> Does systemd's tmpfiles program ignore the uid and gid if "-" is passed in
> those positions?

When systemd-tmpfiles sees a dash, it skips calling chown() and leaves the uid/gid as-is. No NSS lookups are performed.
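
Added example (not part of the bug thread and not the OpenRC or opentmpfiles code): a POSIX sh dry-run planner for the approach suggested in comment 7 and described for systemd-tmpfiles in comment 11, where a "-" user or group produces no ownership argument at all. The function names is_set and plan_entry are hypothetical, and the input lines are constructed in the format shown in the report.

```shell
#!/bin/sh
# Added example, not the OpenRC/opentmpfiles script: print the commands a
# tmpfiles.d processor could run for 'c' and 'd' entries. A "-" (or empty)
# user/group emits no ownership argument, so no user or group name has to
# be resolved through NSS (and possibly LDAP) for that entry.

# is_set VALUE: true when a tmpfiles.d field carries a real value.
is_set() {
    [ -n "$1" ] && [ "$1" != "-" ]
}

# plan_entry "TYPE PATH MODE USER GROUP AGE ARG": commands on stdout.
# MODE is assumed explicit, as in the kmod-generated lines on this page.
plan_entry() {
    # Split the line on whitespace without glob-expanding the fields.
    set -f
    set -- $1
    set +f
    kind=$1 path=$2 mode=$3 user=$4 group=$5 arg=${7-}

    case $kind in
    d)
        own=
        if is_set "$user"; then own="$own -o $user"; fi
        if is_set "$group"; then own="$own -g $group"; fi
        echo "install -d -m $mode$own $path"
        ;;
    c)
        # ARG is major:minor, e.g. 10:229
        echo "mknod -m $mode $path c ${arg%:*} ${arg#*:}"
        if is_set "$user"; then echo "chown $user $path"; fi
        if is_set "$group"; then echo "chgrp $group $path"; fi
        ;;
    *)
        echo "unsupported type: $kind" >&2
        return 1
        ;;
    esac
}

# Constructed sample input: one dashed entry, one named entry.
plan_entry "c /dev/fuse 0600 - - - 10:229"
plan_entry "d /dev/net 0755 root root -"
```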