From: David Miller
To: supervision@list.skarnet.org
Newsgroups: gmane.comp.sysutils.supervision.general
Subject: Re: chpst -u -/ "unable to get password/group file entry"
Date: Thu, 7 Aug 2008 16:25:48 -0500
Message-ID: <20080807212548.GA18682@pretender.frop.net>

Indeed it was looking for the libnss libraries and /etc/nsswitch.conf as Jack suspected. Mike's td.py script didn't find the nss library dependency, neither does ldd.

Looking at the source and the strace, the chroot happens before the suidgid. And the uid/gid is looked up at the same time as the suidgid. I just wasn't expecting it to work this way.

The -U workaround seems to do the trick. Thanks Paul.

Paul spoke thusly:
> David Miller wrote:
> > I wonder if you could give me some pointers on how to use strace and
> > what to look for. I'm not very familiar with it
>
> You don't need to copy strace into the chroot area. Just run:
>   strace chpst -u dave -/ chroot /ls
>
> strace will output a lot of information, but the interesting bit will
> be near the end. Just before the error message appears, you should
> see one or more failed open() calls. That will tell you what files
> are missing.
>
> Or you could work around the problem like this:
>   chpst -U dave sh -c 'exec chpst -u ":$UID:$GID" -/ chroot /ls'
>
> > Shouldn't chpst look up the uid and gid for -u before the chroot
> > happens?
>
> That's probably a good idea, but in fact it doesn't do that.
>
>
> paul
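
The strace check described in the quoted reply, as an added example that is not part of the original messages: a shell filter that reads strace output and prints each path whose open()/openat() call failed with ENOENT after the chroot() call, since those are the files missing inside the chroot. The function names and the trace lines are constructed for illustration; the libnss file name in the sample is an assumption.

```shell
#!/bin/sh
# Added example: find files a process could not open after entering a chroot.

# Read strace output on stdin; print each path that failed with ENOENT
# in an open()/openat() call made after a successful chroot().
missing_after_chroot() {
    awk '
        # A successful chroot() marks the point where lookups move inside the jail.
        /chroot\("/ && / = 0$/ { jailed = 1; next }
        jailed && /open(at)?\(/ && /= -1 ENOENT/ {
            # The path is the first double-quoted string on the line.
            if (match($0, /"[^"]*"/)) {
                path = substr($0, RSTART + 1, RLENGTH - 2)
                if (!seen[path]++) print path   # report each path once, in order
            }
        }
    '
}

# Constructed sample trace (not captured from a real run).
constructed_trace() {
    cat <<'EOF'
execve("/usr/bin/chpst", ["chpst", "-u", "dave", "-/", "chroot", "/ls"], [/* 20 vars */]) = 0
open("/etc/ld.so.cache", O_RDONLY) = 3
open("/nonexistent/before-chroot", O_RDONLY) = -1 ENOENT (No such file or directory)
chdir("chroot") = 0
chroot(".") = 0
open("/etc/nsswitch.conf", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/libnss_files.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/nsswitch.conf", O_RDONLY) = -1 ENOENT (No such file or directory)
write(2, "chpst: fatal: unable to get pass"..., 55) = 55
EOF
}

# Stand-alone run: show the result for the constructed trace.
constructed_trace | missing_after_chroot
```

For a real run, write the trace to a file with `strace -f -o trace.txt chpst ...` and feed it in with `missing_after_chroot < trace.txt`. The reported paths are relative to the new root, so they name what has to exist under the chroot directory.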