[105] in The Cryptographic File System users list
Re: cattach permission problem
daemon@ATHENA.MIT.EDU (Rob Stampfli)
Mon Oct 5 13:15:35 1998
From owner-cfs-users@research.att.com Mon Oct 05 17:15:34 1998
Return-Path: <owner-cfs-users@research.att.com>
Delivered-To: cfs-mtg@bloom-picayune.mit.edu
Received: (qmail 16942 invoked from network); 5 Oct 1998 17:15:33 -0000
Received: from unknown (HELO rumor.research.att.com) (192.20.225.9)
by bloom-picayune.mit.edu with SMTP; 5 Oct 1998 17:15:33 -0000
Received: from research.att.com ([135.207.30.100]) by rumor; Mon Oct 5 13:09:56 EDT 1998
Received: from amontillado.research.att.com ([135.207.24.32]) by research; Mon Oct 5 13:14:27 EDT 1998
Received: from nsa.research.att.com (majordomo@nsa.research.att.com [135.207.24.155])
by amontillado.research.att.com (8.8.7/8.8.7) with ESMTP id NAA09874;
Mon, 5 Oct 1998 13:15:01 -0400 (EDT)
Received: (from majordomo@localhost) by nsa.research.att.com (8.7.3/8.7.3) id NAA24955 for cfs-users-list; Mon, 5 Oct 1998 13:07:02 -0400 (EDT)
X-Authentication-Warning: nsa.research.att.com: majordomo set sender to owner-cfs-users@nsa.research.att.com using -f
Received: from research.att.com (research.research.att.com [135.207.30.100]) by nsa.research.att.com (8.7.3/8.7.3) with SMTP id NAA24951 for <cfs-users@nsa.research.att.com>; Mon, 5 Oct 1998 13:07:00 -0400 (EDT)
Received: from elektro.cmhnet.org ([192.188.133.3]) by research; Mon Oct 5 13:11:29 EDT 1998
Received: from colnet by elektro.cmhnet.org with uucp
(Smail3.1.29.1 #1) id m0zQE9O-0001f9C; Mon, 5 Oct 98 13:10 EDT
Received: from kd8wk.cmhnet.org by colnet.cmhnet.org with smtp
(Smail3.1.28.1 #4) id m0zQDhK-0008F9C; Mon, 5 Oct 98 12:41 EDT
Received: by kd8wk.cmhnet.org (Smail3.1.28.1 #4)
id m0zQDhA-0000nqC; Mon, 5 Oct 98 12:41 EDT
Message-Id: <m0zQDhA-0000nqC@kd8wk.cmhnet.org>
Date: Mon, 5 Oct 98 12:41 EDT
From: res@kd8wk.cmhnet.org (Rob Stampfli)
To: Walter Haidinger <walter.haidinger@gmx.net>
Cc: cfs-users@research.att.com
Subject: Re: cattach permission problem
Sender: owner-cfs-users@research.att.com
Precedence: bulk
In recent email Walter writes:
>I've installed cfs-1.3.3 on my Linux machine.
>As root, everything works fine. No troubles at all.
>
>However, if I want to run cattach as a normal user, it doesn't work.
>I'd say it is a NFS permission problem but who knows?
>
>FYI: Everything next was done as user 'walter' on my machine.
>
>After a 'cmkdir secure' which succeeded, I tried to attach the directory:
> cattach secure walter
>Key: <...>
>cattach: no such encrypted directory
>
>If I issue the above command as root, it succeeds but user walter cannot
>access /cfs/walter then, of course. BTW, same effect as if cattach is
>setuid root.
>
>Now, here is my NFS setup (NFS itself works, I have another machine's
>directory mounted):
>
>'mount' shows:
>localhost:/nfs/.cfsfs on /cfs type nfs (rw,port=3049,intr,addr=127.0.0.1)
>
>'/etc/exports' lists:
>/tmp localhost(ro)
>/nfs/.cfsfs localhost(rw)
>
>Of course, the nfs server is started before cfsd. Both run as root.
>
>The directory and file owners with permissions are:
>/cfs root.root 777
>/nfs root.nfs 750
>/nfs/.cfsfs root.root 000
>
>/usr/local/sbin/cfsd root.cfs 550
>/usr/local/bin/cattach root.cfs 550
>/usr/local/bin/cmkdir root.cfs 550
>/usr/local/bin/cdetach root.cfs 550
>
>FYI: user walter *is* member of groups 'cfs' and 'nfs'. At least 'groups'
>says so...
>
>Perhaps most interesting is the strace output of the above cattach, which
>I add as an attachment. bind() to localhost fails with an EACCESS error.
>This makes this post a bit long but the list seems to have very low
>traffic, so I hope you aren't that upset...
>
>Perhaps there is trouble because of the shadow suite?
>
>Also, sometimes I encounter the error message "RPC: Timed out" when
>running cattach as root. However, the cattach command succeeds despite
>this message. Where does it come from and what can I do about it?
>
>Well, you see I'm quite puzzled. Any suggestion is appreciated.
>
>Thanks, Walter
Walter,
The "cattach: no such encrypted directory" is generated from a return code
passed back to cattach by cfsd, and it basically means that cfsd could not
find the secure directory and thus could not set things up. (If cattach
couldn't find it, you'd never get asked for the key.) Look carefully at
the permissions of the directories above the "secure" directory. Remember:
on nfs mounted file systems, the program running as root (cfsd) really
has the permissions of "nobody". Although it (cfsd) can setuid() and
masquerade as "walter", if there is any higher level directory that
doesn't allow at least "execute" permission, you will get this error.
And, remember, cfsd doesn't belong to the same "groups" as the walter
user.
This has always been my problem when I have encountered the above. Hope
it helps resolve your problem.
--
Robert Stampfli rob@colnet.cmhnet.org stampfli@bell-labs.com
kd8wk@w8cqk.oh (ham) 614-864-9377 (home) 614-860-4268 (work)
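Rob's diagnosis is that the path above "secure" must be searchable by cfsd, which on a root-squashing NFS export is "nobody" and which, even after masquerading as walter, carries none of walter's supplementary groups. The script below is an added example written for this archive page, not code from the CFS distribution or from either poster; it walks every ancestor of a given directory and flags the ones a process with that uid but no group membership could not search, using only the owner bits (when the user owns the directory) and the "other" bits. It assumes a POSIX `ls -ld` whose first field is the mode string and third field the owner name.

```sh
#!/bin/sh
# Added diagnostic for the CFS "no such encrypted directory" case: report every
# directory above a secure directory that a group-less process (cfsd after it
# masquerades as the user, or "nobody" before that) could not search.

# searchable_by MODE OWNER USER
#   MODE  is an ls -l style mode string such as drwxr-x---
#   OWNER is the login name of the directory's owner
#   USER  is the user the daemon masquerades as
# Returns 0 when USER can search the directory without any group membership:
# only the owner execute bit (if USER owns it) or the "other" execute bit count.
searchable_by() {
    mode=$1; owner=$2; user=$3
    ux=$(printf '%s' "$mode" | cut -c4)    # owner execute bit
    ox=$(printf '%s' "$mode" | cut -c10)   # "other" execute bit
    if [ "$owner" = "$user" ] && { [ "$ux" = "x" ] || [ "$ux" = "s" ]; }; then
        return 0
    fi
    [ "$ox" = "x" ] || [ "$ox" = "t" ]
}

# check_ancestors DIR USER
#   Prints every directory from DIR up to / that USER could not search via the
#   owner or "other" bits. Returns 0 when the whole chain is searchable,
#   1 when at least one component blocks, 2 when DIR cannot be resolved.
check_ancestors() {
    dir=$(cd "$1" 2>/dev/null && pwd -P) || { echo "cannot resolve: $1" >&2; return 2; }
    user=$2
    rc=0
    while :; do
        # ls -ld fields: mode links owner group size date... name
        set -- $(ls -ld "$dir")
        if ! searchable_by "$1" "$3" "$user"; then
            echo "blocked: $dir ($1 owned by $3)"
            rc=1
        fi
        [ "$dir" = "/" ] && break
        dir=$(dirname "$dir")
    done
    return $rc
}

# Usage (constructed, matching the thread's layout): the "secure" directory lives
# under /nfs/.cfsfs, so check the chain as the user cattach was run as.
#   check_ancestors /nfs/.cfsfs/secure walter
# With the modes posted in the thread (/nfs is root.nfs 750, /nfs/.cfsfs is
# root.root 000) both of those directories are reported as blocked.
```

Run it first with the user name, then with `nobody`; a directory that only passes because of a group bit (such as /nfs at 750 with walter in group nfs) will show up as blocked in both runs, which is exactly the case Rob describes, since cfsd is not in that group.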