chtab tries to access /etc/xcat/*.sqlite on its own, but this does not work for non-root users #5260

Closed
dhilst opened this issue May 28, 2018 · 9 comments


@dhilst

dhilst commented May 28, 2018

Hi everybody,

I was testing xCAT with non-root users. I followed the docs for setting up user certificates, etc. So I fired a chtab key=... and got a timeout.

After some digging, I found (with strace) that chtab was trying to open /etc/xcat/passwd.sqlite on its own and getting access denied. Below are the relevant strace lines... It tries about 3 times, at each second, then it times out.

As a workaround, it is possible to use sudo /opt/xcat/sbin/chtab ... or tabedit, which works fine with non-root users.

getegid()                               = 1000
stat("/etc/xcat/site.sqlite", {st_mode=S_IFREG|0600, st_size=3072, ...}) = 0
open("/etc/xcat/site.sqlite", O_RDWR|O_CREAT|O_CLOEXEC, 0644) = -1 EACCES (Permission denied)
open("/etc/xcat/site.sqlite", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGCHLD, NULL, {SIG_DFL, [], 0}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
nanosleep({1, 0}, 0x7ffd45cfa1f0)       = 0
nanosleep({0, 0}, NULL)                 = 0
stat("/etc/xcat/site.sqlite", {st_mode=S_IFREG|0600, st_size=3072, ...}) = 0
open("/etc/xcat/site.sqlite", O_RDWR|O_CREAT|O_CLOEXEC, 0644) = -1 EACCES (Permission denied)
open("/etc/xcat/site.sqlite", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGCHLD, NULL, {SIG_DFL, [], 0}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
nanosleep({2, 0}, 0x7ffd45cfa1f0)       = 0
nanosleep({0, 0}, NULL)                 = 0
stat("/etc/xcat/site.sqlite", {st_mode=S_IFREG|0600, st_size=3072, ...}) = 0
open("/etc/xcat/site.sqlite", O_RDWR|O_CREAT|O_CLOEXEC, 0644) = -1 EACCES (Permission denied)
open("/etc/xcat/site.sqlite", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigaction(SIGCHLD, NULL, {SIG_DFL, [], 0}, 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
nanosleep({4, 0}, 0x7ffd45cfa1f0)       = 0
nanosleep({0, 0}, NULL)                 = 0
stat("/etc/xcat/site.sqlite", {st_mode=S_IFREG|0600, st_size=3072, ...}) = 0
open("/etc/xcat/site.sqlite", O_RDWR|O_CREAT|O_CLOEXEC, 0644) = -1 EACCES (Permission denied)

Cheers,
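
A small triage helper for traces like the one in the post above, added here as an example (it is not part of the original post or of xCAT): it parses this strace format to show that the file is owner-only (mode 0600), that even the read-only open is denied, and that the caller backs off between retries. The names `summarize` and `diagnose` and the regexes are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Abridged from the strace output in the post above (signal-mask calls and
# repeated stat lines dropped); uses strace's older "{sec, nsec}" timespec form.
TRACE = '''\
stat("/etc/xcat/site.sqlite", {st_mode=S_IFREG|0600, st_size=3072, ...}) = 0
open("/etc/xcat/site.sqlite", O_RDWR|O_CREAT|O_CLOEXEC, 0644) = -1 EACCES (Permission denied)
open("/etc/xcat/site.sqlite", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)
nanosleep({1, 0}, 0x7ffd45cfa1f0)       = 0
open("/etc/xcat/site.sqlite", O_RDWR|O_CREAT|O_CLOEXEC, 0644) = -1 EACCES (Permission denied)
open("/etc/xcat/site.sqlite", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)
nanosleep({2, 0}, 0x7ffd45cfa1f0)       = 0
open("/etc/xcat/site.sqlite", O_RDWR|O_CREAT|O_CLOEXEC, 0644) = -1 EACCES (Permission denied)
open("/etc/xcat/site.sqlite", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)
nanosleep({4, 0}, 0x7ffd45cfa1f0)       = 0
open("/etc/xcat/site.sqlite", O_RDWR|O_CREAT|O_CLOEXEC, 0644) = -1 EACCES (Permission denied)
'''

STAT = re.compile(r'^stat\("([^"]+)", \{st_mode=S_IF\w+\|(0[0-7]+)')
DENIED = re.compile(r'^open\("([^"]+)", ([A-Z_|]+).*= -1 EACCES')
SLEEP = re.compile(r'^nanosleep\(\{(\d+), \d+\}')

def summarize(trace):
    """Collect per-file mode bits and denied opens, plus non-zero sleeps."""
    files = defaultdict(lambda: {"mode": None, "denied": []})
    sleeps = []
    for line in trace.splitlines():
        st, op, sl = STAT.match(line), DENIED.match(line), SLEEP.match(line)
        if st:
            files[st.group(1)]["mode"] = int(st.group(2), 8)
        elif op:
            files[op.group(1)]["denied"].append(op.group(2))
        elif sl and int(sl.group(1)) > 0:
            sleeps.append(int(sl.group(1)))
    return files, sleeps

def diagnose(trace):
    """Flag owner-only files that were denied even for read-only access."""
    files, sleeps = summarize(trace)
    findings = []
    for path, info in files.items():
        ro_denied = any(f.startswith("O_RDONLY") for f in info["denied"])
        owner_only = info["mode"] is not None and info["mode"] & 0o077 == 0
        if ro_denied and owner_only:
            findings.append(f"{path}: mode {info['mode']:04o} is owner-only, "
                            f"{len(info['denied'])} opens denied, "
                            f"backoff sleeps (s): {sleeps}")
    return findings
```

A finding from `diagnose` means the calling user has no group or world access to the database file, so retrying cannot succeed; the trace does not show the file's owner.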

@dhilst
Author

dhilst commented May 28, 2018

I forgot to mention the versions

$ rpm -qa | grep xCAT
xCAT-genesis-base-x86_64-2.14-snap201803282249.noarch
xCAT-buildkit-2.13.11-snap201803130745.noarch
xCAT-server-2.13.11-snap201803130745.noarch
xCAT-genesis-base-ppc64-2.14-snap201804041553.noarch
xCAT-genesis-scripts-ppc64-2.13.11-snap201803130745.noarch
perl-xCAT-2.13.11-snap201803130745.noarch
xCAT-probe-2.13.11-snap201803130745.noarch
xCAT-genesis-scripts-x86_64-2.13.11-snap201803130745.noarch
xCAT-client-2.13.11-snap201803130745.noarch
xCAT-2.13.11-snap201803130745.x86_64

@cxhong
Contributor

cxhong commented May 29, 2018

Hi @dhilst, for this case, you have to use the tabch command.

chtab is designed to work without passing through xcatd, so it is outside the control of the policy mechanism.
tabch runs as a plugin under the xcatd daemon. This gives the additional security of being authorized by the daemon.

@team, is it possible to remove the chtab command? Or at least we should check whether it is run by root and, if not, give a meaningful error message instead of this:

Failed to connect to switches table after retrying 3 times: DBI connect('/etc/xcat/switches.sqlite','',...) failed: unable to open database file at /opt/xcat/lib/perl/xCAT/Table.pm line 972.

Can't call method "prepare" on an undefined value at /opt/xcat/lib/perl/xCAT/Table.pm line 998.

@dhilst
Author

dhilst commented May 29, 2018

@cxhong Ohh, thanks for the answer!

A better error message would be good!

Cheers

@immarvin
Contributor

Hi @cxhong, where does the error message come from?

@cxhong
Contributor

cxhong commented May 30, 2018

@immarvin, the error messages come from the chtab command if it is issued by the users.

@immarvin
Contributor

Hi @dhilst, the fix has been merged. Would you please give it a try? Thanks.

@dhilst
Author

dhilst commented Jun 22, 2018

@immarvin sure! Excuse my ignorance, I tried /tmp/go-xcat update but I'm still on version 2.14.1, how would I get the update?

Okay I got it:

cd xcat-core
./buildcore.sh

Regards,

@dhilst
Author

dhilst commented Jun 22, 2018

Okay, I got the warning. Thanks for everything!

Regards,


@immarvin
Contributor

OK @dhilst, thanks for confirming. Let me close this ticket.
