From: Mike Buland <mike@geekgene.com>
To: supervision@list.skarnet.org
Subject: Re: chpst -u -/ "unable to get password/group file entry"
Date: Thu, 7 Aug 2008 00:23:39 -0600 [thread overview]
Message-ID: <200808070023.39434.mike@geekgene.com> (raw)
In-Reply-To: <20080807023941.GA15934@pretender.frop.net>
I've run into a similar type of problem before, sometimes when shared
libraries are missing you can get very strange errors when entering a chroot.
I would actually recommend using "readelf -d <binary>" to find out the
dependancies. You can use strace, but you'll have to wade through a lot of
garbage that's unrelated to what you're looking for.
If you use readelf, say "readelf -d /bin/bash" It will list a lot of
information, most of which you don't care about, but the first few lines will
look like:
0x00000001 (NEEDED) Shared library: [libreadline.so.5]
0x00000001 (NEEDED) Shared library: [libhistory.so.5]
0x00000001 (NEEDED) Shared library: [libncursesw.so.5]
0x00000001 (NEEDED) Shared library: [libdl.so.2]
0x00000001 (NEEDED) Shared library: [libc.so.6]
those files at the end are the ones you need. Unfortunately, executables as
well as shared objects (.so files) can have dynamic dependancies, so you may
have to check some of your .so files as well. readelf works on them as well.
On the other hand, if you do want to use strace, you're looking for a lot of
open function calls at the very begining, generally opening .so files, for
example, running "strace ls 2>&1 | less" (strace outputs it's useful info on
stderr, or fd 2) produces a lot of output, but searching for "open" you
quickly find blocks that look like:
open("/lib/librt.so.1", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0000\35\0"..., 512) =
512
fstat64(3, {st_mode=S_IFREG|0755, st_size=31364, ...}) = 0
mmap2(NULL, 33356, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) =
0xb7f
c2000
mmap2(0xb7fc9000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|
MAP_DENYWRIT
E, 3, 0x6) = 0xb7fc9000
close(3) = 0
You really only care about the open line at the top, the = 3 at the end
indicates that the file was opened sucessfully, less than zero indicates an
error, strace will tell you what the error was.
Honestly, I would use readelf out of the two options, but both work. Remember
not to run the chroot environment with strace if you do, use both of these
options on your system normally, readelf will always list all dependancies
weather they exist or not, but strace runs the program, and the program
aborts after the first missing library, so you'll run into a long, iterative
process to find all missing libraries.
Actually...I have a simple python script that will generate a complete
dependancy list using readelf for a given binary, I just remembered.
I uploaded the file, it's simple, it just uses readelf a lot.
http://www.xagasoft.com/~eichlan/td.txt
make it executable, I would rename it to td.py, and run:
./td.py /bin/bash
This program will find the dependancies of the given file, all of it's
dependancies' dependancies and so on until it has a complete list and prints
it out for you. Should come in handy :)
--Mike
On Wednesday 06 August 2008 08:39:41 pm David Miller wrote:
> Thanks for the suggestion.
>
> I wonder if you could give me some pointers on how to use strace and what
> to look for. I'm not very familiar with it
>
> Thanks
>
> Jack spoke thusly:
> > On Mon, Aug 04, 2008 at 11:54:15AM -0500, David Miller wrote:
> > > When I try to combine -u and -/ I get the error:
> > > chpst: fatal: unable to get password/group file entry: file does not
> > > exist
> >
> > I suspect glibc NSS[0] (name service switching). chpst is *probably*
> > trying to dlopen() one of the libnss_* files or /etc/nsswitch.conf. I
> > suggest putting strace into your chroot, and then tracing chpst.
> >
> > --Jack
> >
> > [0] NSS is also the typical argument the glibc developers use not to
> > support static linking. Statically linked binaries are great for chroots,
> > because you don't need any libraries.
> >
> > --
> > Jack (John) Cummings http://mudshark.org/
> > PGP fingerprint: F18B 13A3 6D06 D48A 598D 42EA 3D53 BDC8 7917 F802
next prev parent reply other threads:[~2008-08-07 6:23 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-08-04 16:54 David Miller
2008-08-05 14:56 ` Jack Cummings
2008-08-07 2:39 ` David Miller
2008-08-07 6:23 ` Mike Buland [this message]
2008-08-07 20:32 ` David Miller
2008-08-07 20:40 ` Mike Buland
[not found] ` <m3abfo7din.fsf@multivac.cwru.edu>
2008-08-07 21:25 ` David Miller
2008-08-07 21:30 ` Mike Buland
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200808070023.39434.mike@geekgene.com \
--to=mike@geekgene.com \
--cc=supervision@list.skarnet.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).