[Bug 1206957] New: lua-lmod Permission denied in init/bash
http://bugzilla.opensuse.org/show_bug.cgi?id=1206957 Bug ID: 1206957 Summary: lua-lmod Permission denied in init/bash Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Other Assignee: screening-team-bugs@suse.de Reporter: aplanas@suse.com QA Contact: qa-bugs@suse.de Found By: --- Blocker: --- When calling `less` over a file I can see this output at the exit:
less /usr/share/lmod/8.7.15/init/bash /usr/share/lmod/8.7.15/init/bash: line 57: /usr/bin/readlink: Permission denied /usr/share/lmod/8.7.15/init/bash: line 61: /usr/bin/expr: Permission denied /usr/share/lmod/8.7.15/init/bash: line 62: /usr/bin/basename: Permission denied
I did not dig into the bug, but this file seems not to be updated in the last version in git. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1206957 Alberto Planas Dominguez <aplanas@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|screening-team-bugs@suse.de |eich@suse.com -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1206957 http://bugzilla.opensuse.org/show_bug.cgi?id=1206957#c1 --- Comment #1 from Alberto Planas Dominguez <aplanas@suse.com> --- Seems to be an apparmor related issue: from /var/log/audit/audit.log: type=AVC msg=audit(1673254728.860:235): apparmor="DENIED" operation="exec" profile="/usr/bin/lessopen.sh" name ="/usr/bin/readlink" pid=6441 comm="lessopen.sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 type=AVC msg=audit(1673254728.860:236): apparmor="DENIED" operation="exec" profile="/usr/bin/lessopen.sh" name ="/usr/bin/expr" pid=6442 comm="lessopen.sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 type=AVC msg=audit(1673254728.860:237): apparmor="DENIED" operation="exec" profile="/usr/bin/lessopen.sh" name ="/usr/bin/basename" pid=6443 comm="lessopen.sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1206957 http://bugzilla.opensuse.org/show_bug.cgi?id=1206957#c2 --- Comment #2 from Alberto Planas Dominguez <aplanas@suse.com> --- Maybe related with https://bugzilla.opensuse.org/show_bug.cgi?id=1065388 -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1206957 http://bugzilla.opensuse.org/show_bug.cgi?id=1206957#c3 Egbert Eich <eich@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |aplanas@suse.com, | |hpc-bugs@suse.de Assignee|eich@suse.com |screening-team-bugs@suse.de Flags| |needinfo?(aplanas@suse.com) --- Comment #3 from Egbert Eich <eich@suse.com> --- @Alberto, Indeed, it is gone after disabling apparmor and rebooting. But I don't think this is an lmod issue. Lmod seems to be working - at least the 'module' command is present: $ eich@localhost:~> module avail ------------------------- /usr/share/lmod/modulefiles -------------------------- gnu/12 $ module load gnu $ module avail ---------------------- /usr/share/lmod/moduledeps/gnu-12 ----------------------- hdf5/1.12.2 netcdf-cxx4/4.3.1 openmpi/4.1.4 mpich/4.0.2 netcdf/4.9.0 ------------------------- /usr/share/lmod/modulefiles -------------------------- gnu/12 (L) Where: L: Module is loaded Alberto: Where do you see a regression in the functionality of Lmod? -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1206957 http://bugzilla.opensuse.org/show_bug.cgi?id=1206957#c4 Alberto Planas Dominguez <aplanas@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution|--- |DUPLICATE Flags|needinfo?(aplanas@suse.com) | --- Comment #4 from Alberto Planas Dominguez <aplanas@suse.com> --- (In reply to Egbert Eich from comment #3)
@Alberto, Indeed, it is gone after disabling apparmor and rebooting.
But I don't think this is an lmod issue. Lmod seems to be working - at least the 'module' command is present:
$ eich@localhost:~> module avail
Alberto: Where do you see a regression in the functionality of Lmod?
Ok. You are right. I will mark it as a duplicate of the referenced one in another comment. *** This bug has been marked as a duplicate of bug 1065388 *** -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1206957 http://bugzilla.opensuse.org/show_bug.cgi?id=1206957#c7 Christian Boltz <suse-beta@cboltz.de> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |suse-beta@cboltz.de --- Comment #7 from Christian Boltz <suse-beta@cboltz.de> --- Looks like lessopen.sh wants to execute some more binaries. Since readlink, expr and basename are "harmless", the most boring solution is to allow executing them ;-) Please add the following lines to /etc/apparmor.d/local/usr.bin.lessopen.sh: /usr/bin/readlink ix, /usr/bin/expr ix, /usr/bin/basename ix, Then run rcapparmor reload and try again. Please report back if everything works with this addition or if you get more/other DENIED log lines. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1206957 http://bugzilla.opensuse.org/show_bug.cgi?id=1206957#c8 --- Comment #8 from Alberto Planas Dominguez <aplanas@suse.com> --- (In reply to Christian Boltz from comment #7)
Looks like lessopen.sh wants to execute some more binaries.
I think that this is the issue. It is not lessopen.sh the one that want to execute those binaries, but /usr/share/lmod/8.7.15/init/bash. IIUC it is less that is sourcing BASH_ENV explicitly, but there can be others doing the same (maybe sshd) -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1206957 http://bugzilla.opensuse.org/show_bug.cgi?id=1206957#c9 --- Comment #9 from Alberto Planas Dominguez <aplanas@suse.com> --- (In reply to Alberto Planas Dominguez from comment #8)
IIUC it is less that is sourcing BASH_ENV explicitly
No. I must be corrected. It is Bash the one that source it in non-interactive shells: $ echo $BASH_ENV /usr/share/lmod/8.7.15/init/bash $ cat test.sh echo "Hi" $ export BASH_ENV=$HOME/test.sh $ bash -c "ls /" Hi bin boot dev etc ... We see the issue in lessopen.sh because it is confined in enforced more, but aa-status shows more there. Any other launching a non-interactive bash will have the same error, as will execute the same "/usr/share/lmod/8.7.15/init/bash" -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1206957 http://bugzilla.opensuse.org/show_bug.cgi?id=1206957#c13 --- Comment #13 from OBSbugzilla Bot <bwiedemann+obsbugzillabot@suse.com> --- This is an autogenerated message for OBS integration: This bug (1206957) was mentioned in https://build.opensuse.org/request/show/1057160 Factory / lua-lmod -- You are receiving this mail because: You are on the CC list for the bug.
participants (1)
-
bugzilla_noreply@suse.com