X2Go Bug report logs - #1145
x2godbadmin + postgres + non-existent home directory = wrong ownerships

Package: x2goserver; Maintainer for x2goserver is X2Go Developers <x2go-dev@lists.x2go.org>; Source for x2goserver is src:x2goserver.

Reported by: Stefan Baur <X2Go-ML-1@baur-itcs.de>

Date: Tue, 7 Feb 2017 13:15:02 UTC

Severity: normal

Message #5 received at submit@bugs.x2go.org (full text, mbox):

From: Stefan Baur <X2Go-ML-1@baur-itcs.de>
To: submit@bugs.x2go.org
Subject: x2godbadmin + postgres + non-existent home directory = wrong ownerships
Date: Tue, 7 Feb 2017 14:10:44 +0100
package: x2goserver

When x2godbadmin is used with a postgres database, and the user name
given doesn't yet have a home directory, it creates this home directory.
(see line 368 and following of /usr/sbin/x2godbadmin).

However, it fails to set the proper UID/GID ownerships for
/home/<username> - only the files below it have the proper ownership.

The proper way to determine the correct UID for /home/<username> is
simple - use the UID that has been determined previously and that is
used as $uid within /usr/sbin/x2godbadmin.

The proper way to determine the correct *GID* is more tricky, I
believe.  I can only speak for Debian here - this may be
distribution-specific:

You need to check if /etc/default/useradd contains a line
USERGROUPS_ENAB=yes
(which might also be "yes", or 'yes', or Yes, YES, ... you get the idea)

Check if that value is set to any variant of yes, or not set at all:
If yes: Check if the user already has a group named after them:
        If yes, use the GID of that group.
        If no, create a new group with a name matching the username,
        and assign the GID of that group.

If no (meaning the value is set to any variant of no, "no", 'no', No, etc.):
      Check if /etc/default/useradd contains a valid GID value for
      a variable named GROUP:
      If it does, assign that GID.
      If it doesn't, assign GID 100.

This pseudocode builds on the documentation found in "man useradd" on
Debian Jessie, after confirming the default value of USERGROUPS_ENAB is,
in fact, "unset".

Kind Regards,
Stefan Baur

-- 
BAUR-ITCS UG (haftungsbeschränkt)
Geschäftsführer: Stefan Baur
Eichenäckerweg 10, 89081 Ulm | Registergericht Ulm, HRB 724364
Fon/Fax 0731 40 34 66-36/-35 | USt-IdNr.: DE268653243
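
Added example (not part of the original report and not x2godbadmin's own code): the GID decision tree from the report above written as Python, with a check that lists paths at or below a home directory whose ownership differs from the expected UID/GID. The names parse_settings, home_gid and ownership_mismatches are hypothetical, and the configuration is passed in as text so either file can be fed to it; on Debian, useradd(8) documents USERGROUPS_ENAB as a /etc/login.defs variable and GROUP as a /etc/default/useradd variable.

```python
import os
import re

def parse_settings(text):
    """Parse 'KEY=VALUE' or 'KEY VALUE' lines, dropping comments and quotes."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"([A-Za-z_][A-Za-z0-9_]*)\s*(?:=|\s)\s*(.*)$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip().strip("\"'")
    return settings

def home_gid(username, settings, groups):
    """Follow the report's decision tree for the GID of /home/<username>.

    groups maps group name -> GID (e.g. built from grp.getgrall()).
    Returns (gid, create_group); gid is None when a group named after the
    user has to be created first and its new GID used.
    """
    enab = settings.get("USERGROUPS_ENAB")
    if enab is None or enab.lower() == "yes":    # unset is treated like yes
        if username in groups:
            return groups[username], False
        return None, True
    if enab.lower() != "no":
        raise ValueError(f"unrecognised USERGROUPS_ENAB value: {enab!r}")
    group = settings.get("GROUP", "")
    # Only a numeric GROUP counts as a valid GID; anything else falls back to 100
    return (int(group) if re.fullmatch(r"[0-9]+", group) else 100), False

def ownership_mismatches(home, uid, gid):
    """Return paths at or below home whose owner or group is not uid:gid."""
    paths = [home]
    for root, dirs, files in os.walk(home):
        paths += [os.path.join(root, name) for name in dirs + files]
    # lstat reports a symlink's own ownership instead of following it
    return [p for p in paths
            if (os.lstat(p).st_uid, os.lstat(p).st_gid) != (uid, gid)]

# Constructed sample input, not taken from a real system
SAMPLE = 'USERGROUPS_ENAB="No"   # quoted, mixed case\nGROUP=1000\n'

if __name__ == "__main__":
    print(home_gid("alice", parse_settings(SAMPLE), {"users": 100}))
```

Run as root after x2godbadmin --adduser, ownership_mismatches("/home/<username>", uid, gid) returning the home directory itself is the symptom described in this report.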

Message #10 received at 1145@bugs.x2go.org (full text, mbox):

From: Nable <nable.maininbox@googlemail.com>
To: Stefan Baur <X2Go-ML-1@baur-itcs.de>, 1145@bugs.x2go.org
Subject: Re: [X2Go-Dev] Bug#1145: x2godbadmin + postgres + non-existent home directory = wrong ownerships
Date: Wed, 8 Feb 2017 01:14:12 +0300
Hi, Stefan.

> When x2godbadmin is used with a postgres database, and the user name
> given doesn't yet have a home directory, it creates this home directory.
I've thought that creation of home directories is a task for useradd
(for local users) or pam_mkhomedir from libpam-modules (in case of
centralized database of network logins) and there may be even more
existing alternatives. Should this non-trivial code be implemented
once again in X2Go tools instead of trying to keep things closer to a
UNIX-way?

Cheers, Nable.


Message #15 received at 1145@bugs.x2go.org (full text, mbox):

From: Stefan Baur <X2Go-ML-1@baur-itcs.de>
To: Nable <nable.maininbox@googlemail.com>, 1145@bugs.x2go.org
Subject: Re: [X2Go-Dev] Bug#1145: x2godbadmin + postgres + non-existent home directory = wrong ownerships
Date: Tue, 7 Feb 2017 23:41:17 +0100
On 07.02.2017 at 23:14, Nable wrote:

>> When x2godbadmin is used with a postgres database, and the user name
>> given doesn't yet have a home directory, it creates this home directory.
> I've thought that creation of home directories is a task for useradd
> (for local users) or pam_mkhomedir from libpam-modules (in case of
> centralized database of network logins) and there may be even more
> existing alternatives. Should this non-trivial code be implemented
> once again in X2Go tools instead of trying to keep things closer to a
> UNIX-way?

Well, there already is code in there that is doing it - it just does it
wrong in this particular case.  Of course, we could argue that the
entire piece of code should be removed - but how would you handle things
in this particular case?
Having no /home/<username> is something that is most likely to happen
with non-local accounts.
pam_mkhomedir fixes this and creates it on the spot - IF, and only IF
the user logs in.
x2godbadmin, however, needs to be run
- on the x2goserver
- by root
- before the user logs in

-> chicken and egg.

So - to expand this bug - what we'd need is some piece of code that does
what pam_mkhomedir does (not only create the directory and set
ownership/permissions, *but also* populate it with the contents of
/etc/skel) - but for a user other than the one that's currently logged
in.  Are you aware of anything that does that and that we could call?

-Stefan

Message #20 received at 1145@bugs.x2go.org (full text, mbox):

From: Nable <nable.maininbox@googlemail.com>
To: Stefan Baur <X2Go-ML-1@baur-itcs.de>
Cc: 1145@bugs.x2go.org
Subject: Re: [X2Go-Dev] Bug#1145: x2godbadmin + postgres + non-existent home directory = wrong ownerships
Date: Wed, 8 Feb 2017 04:32:52 +0300
> Are you aware of anything that does that and that we could call?
I think that setup with absent homedir && non-configured pam_mkhomedir
is broken anyway and one can only fail gracefully with a good error
message.
Other variants (homedir already exists and/or pam_mkhomedir is
configured) can be covered by calling `su' or `sudo' with appropriate
options (e.g. su -c /bin/true "${user_to_add}").
This would fail if homedir (either existing or not) is located on a
network or encrypted FS (where local root can't do anything without
knowing user's password) but this is a separate issue.

I've also seen posts (e.g.[1]) about `oddjob-mkhomedir' (and I've
already seen it in Debian repos) but I wonder if this way is
production-ready. And this way seems to be more complex.

[1] https://access.redhat.com/discussions/903523


Message #25 received at 1145@bugs.x2go.org (full text, mbox):

From: Walid MOGHRABI <w.moghrabi@servicemagic.eu>
To: Nable <nable.maininbox@googlemail.com>, 1145@bugs.x2go.org
Cc: Stefan Baur <X2Go-ML-1@baur-itcs.de>
Subject: Re: [X2Go-Dev] Bug#1145: Bug#1145: x2godbadmin + postgres + non-existent home directory = wrong ownerships
Date: Wed, 8 Feb 2017 09:52:48 +0100 (CET)
Hi,

To add my 2 cents, I worked around this by creating a small helper script for provisioning my accounts which does the x2godbadmin --adduser stuff + a few other things (provisioning the /etc/skel content, setting right user perms, ...)

I don't think it is mandatory to expand these features inside the script but creating good documentation about those scripts (and I include scripts such as x2golistsession, x2goterminatesession, ...) and good error reporting would be great because it's very hard to know what they do unless you tap directly inside the code itself (which I did at the end).


Regards,
Walid Moghrabi

TRAVAUX.COM
BAT I - PARC CEZANNE 2 290 AVENUE GALILEE - CS 80403
13591 AIX EN PROVENCE CEDEX 3

Message #30 received at 1145@bugs.x2go.org (full text, mbox):

From: Stefan Baur <X2Go-ML-1@baur-itcs.de>
To: x2go-dev@lists.x2go.org, 1145@bugs.x2go.org, Nable 80 <nable.maininbox@googlemail.com>, Walid MOGHRABI <w.moghrabi@servicemagic.eu>
Subject: Re: [X2Go-Dev] Bug#1145: Bug#1145: x2godbadmin + postgres + non-existent home directory = wrong ownerships
Date: Wed, 8 Feb 2017 14:24:54 +0100
On 07.02.2017 at 23:41, Stefan Baur wrote:
> x2godbadmin, however, needs to be run
> - on the x2goserver
> - by root
> - before the user logs in
> 
> -> chicken and egg.

Ha, I think I found a way to "hatch the egg"!

As root, do:

su <username> -s /bin/true # this triggers pam_mkhomedir for <username>
x2godbadmin --adduser <username>

We *might* consider adding that inside x2godbadmin, but would have to
make sure it is only used if pam_mkhomedir is in use/users are non-local
users (because it won't do the trick if it's a local user account that
doesn't have a home directory yet).

-Stefan

Message #35 received at 1145@bugs.x2go.org (full text, mbox):

From: Nable <nable.maininbox@googlemail.com>
To: Stefan Baur <X2Go-ML-1@baur-itcs.de>
Cc: x2go-dev@lists.x2go.org, 1145@bugs.x2go.org
Subject: Re: [X2Go-Dev] Bug#1145: Bug#1145: x2godbadmin + postgres + non-existent home directory = wrong ownerships
Date: Thu, 9 Feb 2017 00:40:12 +0300
On 2/8/17, Stefan Baur <X2Go-ML-1@baur-itcs.de> wrote:
> Ha, I think I found a way to "hatch the egg"!
> [...]
Did you receive my previous message? Calling `su' was exactly what
I've suggested there. There were also some additional notes there that
you may find interesting.
Here it is: http://bugs.x2go.org/cgi-bin/bugreport.cgi?bug=1145#20



X2Go Developers <owner@bugs.x2go.org>. Last modified: Fri Dec 14 06:17:44 2018; Machine Name: ymir.das-netzwerkteam.de
