[opensuse-buildservice] /dev/pts/* being chowned outside chroots
Has anyone else seen this issue where the /dev/pts/* pseudo-terminals outside the build chroots are having their permissions changed? When it happens, users can't run commands anymore because the permissions on their terminals change from user:tty to 399:399, which is the default UID:GID pair for abuild:abuild in the chroots.

Before (/dev/pts):
crw--w---- 1 user tty 136, 13 Jan 18 15:06 13

Users see these errors:
rsisys1 2.1HD/fw > popd
~/wrk/obs_dev/svn/fw-hang
/dev/pts/13: Permission denied.
rsisys1 svn/fw-hang >
rsisys1 svn/fw-hang > mesg n
mesg: /dev/pts/13: Operation not permitted
rsisys1 svn/fw-hang >

After (/dev/pts):
crw--w---- 1 399 399 136, 13 Jan 18 15:06 13

--
To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-buildservice+help@opensuse.org

Luke Imhoff wrote:
> Has anyone else seen this issue where the /dev/pts/* pseudo-terminals outside the build chroots are having their permissions changed?

Yes

> When it happens, users can't run commands anymore because the permissions on their terminals change from user:tty to 399:399, which is the default UID:GID pair for abuild:abuild in the chroots.

not noticed that but...

> After (/dev/pts):
> crw--w---- 1 399 399 136, 13 Jan 18 15:06 13

crw------- 1 david tty 136, 25 2010-02-18 11:06 /dev/pts/25
crw------- 1 399 399 136, 3 2010-02-17 23:28 /dev/pts/3

David

--
"Don't worry, you'll be fine; I saw it work in a cartoon once..."

On Thu, 2010-02-18 at 05:56 -0600, David Greaves wrote:
> Luke Imhoff wrote:
> > Has anyone else seen this issue where the /dev/pts/* pseudo-terminals outside the build chroots are having their permissions changed?
>
> Yes
>
> > When it happens, users can't run commands anymore because the permissions on their terminals change from user:tty to 399:399, which is the default UID:GID pair for abuild:abuild in the chroots.
>
> not noticed that but...
>
> > After (/dev/pts):
> > crw--w---- 1 399 399 136, 13 Jan 18 15:06 13
>
> crw------- 1 david tty 136, 25 2010-02-18 11:06 /dev/pts/25
> crw------- 1 399 399 136, 3 2010-02-17 23:28 /dev/pts/3
>
> David

I've already determined that due to the nature of devpts being a pseudo-filesystem, /dev/pts is the same inside and outside the chroot. (It works like a bind mount.) The problem is that somehow the chroot isn't leaving the pre-existing /dev/pts/* entries alone and instead chowning them. It would be fine if it just created new /dev/pts entries.

What you're seeing is fine, assuming that /dev/pts/25 doesn't get chowned to 399:399 all of a sudden when you're still using it. This in use chowning is what is affecting my users.

The problem is I couldn't figure out how to determine which user or script is doing the chown since inotify doesn't include an actor field to determine who did the change.

Luke Imhoff wrote:
> What you're seeing is fine, assuming that /dev/pts/25 doesn't get chowned to 399:399 all of a sudden when you're still using it. This in use chowning is what is affecting my users. The problem is I couldn't figure out how to determine which user or script is doing the chown since inotify doesn't include an actor field to determine who did the change.

Try auditctl. But then the build script has some pretty obvious chown -R 399:399 so the question probably rather is why does that recurse to /dev/pts? Do you use the rsync option with some weird parameter maybe?

cu
Ludwig

--
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
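
Added example, not part of any message in this thread: one way to act on the auditctl suggestion above and name the process that chowns a pts device, which inotify cannot do. The key name pts-chown, the 64-bit-only rule and the sample audit records are assumptions constructed for illustration.

```shell
#!/bin/sh
# Rule to load first, as root (key name pts-chown and arch=b64 are assumptions):
#   auditctl -a always,exit -F arch=b64 -S chown -S lchown -S fchownat -k pts-chown
# Then feed the raw log in: pts_chown_actors < /var/log/audit/audit.log

# Print the actor of every successful chown-family call that hit a pts device.
# Matching on rdev major 88 (hex for 136, the major number in the ls output
# earlier in the thread) works even when the path was resolved inside a chroot.
pts_chown_actors() {
  awk -v key="${1:-pts-chown}" '
    {
      split("", f)                      # reset the field map for this record
      for (i = 1; i <= NF; i++) {
        p = index($i, "=")
        if (p) f[substr($i, 1, p - 1)] = substr($i, p + 1)
      }
      id = f["msg"]                     # audit(<timestamp>:<event id>):
      sub(/^audit\([^:]*:/, "", id); sub(/\):$/, "", id)
    }
    f["type"] == "SYSCALL" && f["key"] == "\"" key "\"" && f["success"] == "yes" {
      actor[id] = "exe=" f["exe"] " pid=" f["pid"] " ppid=" f["ppid"] " uid=" f["uid"] " auid=" f["auid"]
    }
    f["type"] == "CWD" { cwd[id] = f["cwd"] }
    f["type"] == "PATH" && (id in actor) && f["rdev"] ~ /^88:/ {
      print "event=" id, actor[id], "cwd=" cwd[id], "name=" f["name"], "rdev=" f["rdev"]
    }
  '
}

# Constructed sample records (not from the thread), trimmed to the fields used.
sample_audit_log() {
  cat <<'EOF'
type=SYSCALL msg=audit(1266494880.101:4566): arch=c000003e syscall=260 success=yes exit=0 ppid=2211 pid=2245 auid=1000 uid=0 comm="chown" exe="/bin/chown" key="pts-chown"
type=CWD msg=audit(1266494880.101:4566): cwd="/"
type=PATH msg=audit(1266494880.101:4566): item=0 name="home/abuild" inode=5120 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1266494880.123:4567): arch=c000003e syscall=260 success=yes exit=0 ppid=2211 pid=2245 auid=1000 uid=0 comm="chown" exe="/bin/chown" key="pts-chown"
type=CWD msg=audit(1266494880.123:4567): cwd="/"
type=PATH msg=audit(1266494880.123:4567): item=0 name="dev/pts/13" inode=16 dev=00:0b mode=020620 ouid=1000 ogid=5 rdev=88:0d
type=SYSCALL msg=audit(1266494881.007:4568): arch=c000003e syscall=260 success=no exit=-1 ppid=3001 pid=3050 auid=1001 uid=1001 comm="chown" exe="/bin/chown" key="pts-chown"
type=CWD msg=audit(1266494881.007:4568): cwd="/home/user"
type=PATH msg=audit(1266494881.007:4568): item=0 name="/dev/pts/3" inode=6 dev=00:0b mode=020620 ouid=399 ogid=399 rdev=88:03
EOF
}

sample_audit_log | pts_chown_actors
```

The ppid and auid in each reported line are what let you walk back from the chown process to the build script and the login session that started it.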