Hello,
I've got a strange problem with a CentOS (as well as RHEL, btw) chrooted environment.
First of all I created a simple directory with only the libs for the 'bash' and 'id' tools:
----
# chroot testcase/
bash-3.1# id
uid=0 gid=0 groups=0,1,2,3,4,6,10
----
Yes, I do not even have an /etc/ directory inside testcase/, but id shows groups from the _host_ root account.
I tried to create a full chroot with all the libs and tools based on Debian testing, but got the same result:
# id
uid=0 gid=0 groups=0,1,2,3,4,6,10
but if I do
# ls /etc/shadow /etc/passwd /etc/group
/etc/group /etc/passwd /etc/shadow
then
# id
uid=0(root) gid=0(root) groups=0(root),1(daemon),2(bin),3(sys),4(adm),6(disk),10(uucp)
Argh, quite strange for me.
I tried to use strace to identify where the problem is, and the only thing I found is a 530 error on read():
[cut]
open("/etc/group", O_RDONLY|0x80000) = -530
getgroups32(0, NULL) = 7
getgroups32(7, [0, 1, 2, 3, 4, 6, 10]) = 7
open("/etc/group", O_RDONLY|0x80000) = -530
open("/etc/group", O_RDONLY|0x80000) = -530
open("/etc/group", O_RDONLY|0x80000) = -530
open("/etc/group", O_RDONLY|0x80000) = -530
open("/etc/group", O_RDONLY|0x80000) = -530
open("/etc/group", O_RDONLY|0x80000) = -530
open("/etc/group", O_RDONLY|0x80000) = -530
write(1, "uid=0 gid=0 groups=0,1,2,3,4,6,1"..., 34) = 34
[cut]
530 is EIOCBRETRY according to errno.h, but, honestly, I do not know what it means or what I can do about it.
SELinux: disabled via /etc/selinux/config.
CentOS release 4.4 (Final) with kernel 2.6.9-67.ELsmp, as well as Red Hat Enterprise Linux Server release 5.1 (Tikanga) 2.6.18-53.1.4.el5.
Could anyone please explain what is going on and what I have done wrong?
Thanks a lot for your time and sorry for my English.
On Dec 17, 2007 9:47 AM, Maxim Soldatov makc@makc.name wrote:
> I've got a strange problem with a CentOS (as well as RHEL, btw) chrooted environment.
That's the behaviour that chroot is supposed to have.
> Yes, I do not even have an /etc/ directory inside testcase/, but id shows groups from the _host_ root account.
I see you saying "host" (as opposed to "guest"), but chroot is not a VM environment. When you chroot to a jail, your user id, group id, and additional groups will still be the same as they were before. They're inherited.
The issue with it showing the ids as numbers or names is that if the files in /etc/ are not present in the chroot, it won't be able to look them up, so it will show the numbers only.
If you need some different ids, maybe you should su before/after chrooting. Or maybe what you need is actually a VM environment, in that case you should try Xen.
Regards, Filipe
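To make the two points in Filipe's reply concrete (credentials pass through chroot(2) unchanged, and id(1) falls back to bare numbers when getpwuid()/getgrgid() cannot read /etc/passwd and /etc/group under the new root), here is an added C example; it is not from this thread and not coreutils' id. It reproduces the getgroups(0, NULL) then getgroups(n, ...) pattern visible in the strace above, formats the result the way id does, and shows the setgroups/setgid/setuid sequence that actually drops root after chroot (su inside the jail is one way to get there; this is the underlying system-call order). The program name chroot_ids and its uid/gid arguments are assumptions of the example, and the ids 3999999999/3999999998 used to exercise the numeric fallback are constructed values chosen so that no lookup can succeed.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <pwd.h>
#include <grp.h>
#include <sys/types.h>

/* Append "label<id>" or "label<id>(name)" to buf, as id(1) prints them. */
static void append_id(char *buf, size_t size, const char *label,
                      unsigned long id, const char *name)
{
    size_t len = strlen(buf);
    if (name)
        snprintf(buf + len, size - len, "%s%lu(%s)", label, id, name);
    else
        snprintf(buf + len, size - len, "%s%lu", label, id);
}

/* Render credentials like id(1): "uid=N(name) gid=N(name) groups=N(name),...".
 * getpwuid()/getgrgid() read /etc/passwd and /etc/group relative to the
 * *current* root; if those files are missing in the chroot (or the id is
 * unknown) the lookup returns NULL and only the number is printed. */
int format_id_line(uid_t uid, gid_t gid, const gid_t *groups, int ngroups,
                   char *buf, size_t size)
{
    struct passwd *pw;
    struct group *gr;
    int i;

    if (size == 0) return -1;
    buf[0] = '\0';

    pw = getpwuid(uid);
    append_id(buf, size, "uid=", (unsigned long)uid, pw ? pw->pw_name : NULL);
    gr = getgrgid(gid);
    append_id(buf, size, " gid=", (unsigned long)gid, gr ? gr->gr_name : NULL);
    for (i = 0; i < ngroups; i++) {
        gr = getgrgid(groups[i]);
        append_id(buf, size, i == 0 ? " groups=" : ",",
                  (unsigned long)groups[i], gr ? gr->gr_name : NULL);
    }
    return 0;
}

/* Print this process's credentials. Inside a chroot they are exactly what the
 * parent had: chroot(2) changes the root directory, never the credentials. */
int print_current_ids(void)
{
    int n = getgroups(0, NULL);   /* same two-step pattern as getgroups32 in the strace */
    gid_t *groups = NULL;
    char line[4096];

    if (n < 0) { perror("getgroups"); return -1; }
    if (n > 0) {
        groups = calloc((size_t)n, sizeof *groups);
        if (!groups) { perror("calloc"); return -1; }
        n = getgroups(n, groups);
        if (n < 0) { perror("getgroups"); free(groups); return -1; }
    }
    format_id_line(getuid(), getgid(), groups, n, line, sizeof line);
    puts(line);
    free(groups);
    return 0;
}

/* Drop to an unprivileged identity after chroot(2). Order matters: clear the
 * inherited supplementary groups while still root, then gid, then uid; once
 * uid is non-zero the first two calls are no longer permitted. Returns 0 only
 * if the drop took effect and root cannot be regained. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgroups(0, NULL) != 0) { perror("setgroups"); return -1; }
    if (setgid(gid) != 0)        { perror("setgid");    return -1; }
    if (setuid(uid) != 0)        { perror("setuid");    return -1; }
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    if (uid != 0 && setuid(0) == 0)
        return -1;   /* regaining root must fail */
    return 0;
}

int main(int argc, char **argv)
{
    /* usage: ./chroot_ids <newroot> <uid> <gid>   (run as root) */
    if (argc != 4) {
        fprintf(stderr, "usage: %s <newroot> <uid> <gid>\n", argv[0]);
        return 2;
    }
    if (chroot(argv[1]) != 0 || chdir("/") != 0) { perror("chroot"); return 1; }
    print_current_ids();   /* inherited ids; names appear only if newroot has /etc files */
    if (drop_privileges((uid_t)strtoul(argv[2], NULL, 10),
                        (gid_t)strtoul(argv[3], NULL, 10)) != 0)
        return 1;
    print_current_ids();   /* now the unprivileged identity, with no extra groups */
    return 0;
}
```

Run against the testcase/ directory from the first message, the first print shows the same numeric-only line as the thread (no /etc/group to resolve names from); the second shows the dropped identity. The important check is the setgroups(0, NULL) call: su - does this for you, but a chroot entered directly as root keeps every supplementary group of the parent, which is what the groups=0,1,2,3,4,6,10 output was reporting.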
Filipe,
Thanks a lot for your reply.
On Mon, Dec 17, 2007 at 09:59:52AM -0500, Filipe Brandenburger wrote:
> On Dec 17, 2007 9:47 AM, Maxim Soldatov makc@makc.name wrote:
> That's the behaviour that chroot is supposed to have.
I do not think so. I've been using chroot for a while and on different systems, but this behavior is definitely strange (at least for me).
> I see you saying "host" (as opposed to "guest"), but chroot is not a VM environment. When you chroot to a jail, your user id, group id, and additional groups will still be the same as they were before. They're inherited.
Yes, you're right about it being inherited, my fault.
So let's change this a little:
1. chroot
2. su -
Then I see that I have the chrooted uid/gid. This is correct.
But the strangeness is in the following (after su - in the chroot):
# id
uid=0(root) gid=0(root) groups=0(root),11(wheel)
[ few minutes ]
# id
uid=0 gid=0 groups=0,11
# ls /etc/shadow /etc/group /etc/passwd
/etc/group /etc/passwd /etc/shadow
# id
uid=0(root) gid=0(root) groups=0(root),11(wheel)
If I run strace on id I see 530 when open():
open("/etc/group", O_RDONLY|0x80000) = -530
open("/etc/group", O_RDONLY|0x80000) = -530
open("/etc/group", O_RDONLY|0x80000) = -530
open("/etc/group", O_RDONLY|0x80000) = -530
open("/etc/group", O_RDONLY|0x80000) = -530
open("/etc/group", O_RDONLY|0x80000) = -530
open("/etc/group", O_RDONLY|0x80000) = -530
> The issue with it showing the ids as numbers or names is that if the files in /etc/ are not present in the chroot, it won't be able to look them up, so it will show the numbers only.
> If you need some different ids, maybe you should su before/after chrooting. Or maybe what you need is actually a VM environment, in that case you should try Xen.
Yes, I understand my mistake with su. Thank you for the explanation.
> Regards, Filipe
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos