From: Mike Buland <mike@geekgene.com>
To: supervision@list.skarnet.org
Subject: Re: chpst -u -/ "unable to get password/group file entry"
Date: Thu, 7 Aug 2008 15:30:51 -0600
Message-ID: <200808071530.51536.mike@geekgene.com>
In-Reply-To: <20080807212548.GA18682@pretender.frop.net>

On Thursday 07 August 2008 03:25:48 pm David Miller wrote:
> Indeed it was looking for the libnss libraries and /etc/nsswitch.conf as
> Jack suspected. Mike's td.py script didn't find the nss library dependency,
> neither does ldd.

That's true, if it was a libnss issue it wouldn't. In order to make those more
dynamic and easily changeable while a system is running (is my understanding),
the name service switch libraries are not loaded at link time, but as plugins
at runtime. Only strace would help with that. Sorry, I totally spaced on
that.

Of course that makes sense, it's the error you get whenever you write a
program that uses the libc passwd interfaces and try to make it static.

> Looking at the source and the strace, the chroot happens before the
> suidgid. And the uid/gid is looked up at the same time as the suidgid. I
> just wasn't expecting it to work this way.
>
> the -U workaround seems to do the trick, Thanks paul.
>
> Paul spoke thusly:
> > David Miller <dave@frop.net> wrote:
> > > I wonder if you could give me some pointers on how to use strace and
> > > what to look for. I'm not very familiar with it
> >
> > You don't need to copy strace into the chroot area. Just run:
> > strace chpst -u dave -/ chroot /ls
> >
> > strace will output a lot of information, but the interesting bit will
> > be near the end. Just before the error message appears, you should
> > see one of more failed open() calls. That will tell you what files
> > are missing.
> >
> > Or you could work around the problem like this:
> > chpst -U dave sh -c 'exec chpst -u ":$UID:$GID" -/ chroot /ls'
> >
> > > Shouldn't chpst look up the uid and gid for -u before the chroot
> > > happens?
> >
> > That's probably a good idea, but in fact it doesn't do that.
> >
> >
> > paul
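
Added example, not part of the original thread: a small filter for the strace approach described above, listing the files a process failed to open after it entered the chroot, which are the paths to populate inside the chroot directory. The sample trace is constructed for illustration (the NSS library names and the call sequence are assumptions, not output from this thread), and missing_after_chroot is a hypothetical helper name.

```python
import re

# Constructed strace excerpt for illustration; not output captured in the thread.
SAMPLE_STRACE = r'''
execve("/usr/bin/chpst", ["chpst", "-u", "dave", "-/", "chroot", "/ls"], [/* 20 vars */]) = 0
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/lib/libc.so.6", O_RDONLY) = 3
chdir("chroot") = 0
chroot(".") = 0
open("/etc/nsswitch.conf", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/lib/libnss_compat.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib/libnss_compat.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/lib/libnss_files.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
write(2, "chpst: fatal: unable to get pass"..., 54) = 54
exit_group(111) = ?
'''

# "[pid] name(args) = ret [ERRNO ...]"; the pid prefix appears with strace -f.
CALL_RE = re.compile(r'^(?:\d+\s+)?(\w+)\((.*)\)\s+=\s+(-?\d+)(?:\s+(E\w+))?')
PATH_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')   # first quoted argument
LOOKUPS = {"open", "openat", "stat", "access"}


def missing_after_chroot(trace):
    """Return paths that failed with ENOENT after the last successful chroot()."""
    in_chroot = False
    missing = []
    for line in trace.splitlines():
        m = CALL_RE.match(line.strip())
        if not m:
            continue                      # unfinished calls, signals, "= ?" lines
        name, args, ret, err = m.groups()
        if name == "chroot" and ret == "0":
            in_chroot, missing = True, []  # paths now resolve under the new root
            continue
        path = PATH_RE.search(args)
        if in_chroot and name in LOOKUPS and err == "ENOENT" and path:
            if path.group(1) not in missing:
                missing.append(path.group(1))
    return missing


if __name__ == "__main__":
    for p in missing_after_chroot(SAMPLE_STRACE):
        print("missing inside chroot:", p)
```

Failures before the chroot() call (such as the /etc/ld.so.preload probe in the sample) are ignored, since they refer to the host filesystem rather than the chroot area.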