Hi.

I had a chroot with debian sarge that I had to dist-upgrade to
debian etch. I have backups and everying. But the problem is
that now I try to change a user's password and I cannot.
What could be the problem? What am I not aware of (regarding
this issue)?

CHROOT> passwd userx
passwd: You may not view or modify password information for userx.

Regards,
Nelson·-

--
http://arhuaco.org
http://emQbit.com

On 2/23/07, Andy Smith <andy@lug.org.uk> wrote:
> On Fri, Feb 23, 2007 at 04:35:18PM -0500, Nelson Castillo wrote:
> > CHROOT> passwd userx
> > passwd: You may not view or modify password information for userx.
>
> Er, you ARE doing that as root, right?

Yes The only special thing is that I'm inside a chroot. The "host"
is a Fedora C5 server running Linux 2.6.16. And that I dist-upgraded from
sarge to etch.

Regards.

--
http://arhuaco.org
http://emQbit.com


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

On Fri, Feb 23, 2007 at 04:35:18PM -0500, Nelson Castillo wrote:
> CHROOT> passwd userx
> passwd: You may not view or modify password information for userx.

Er, you ARE doing that as root, right?

Cheers,
Andy

--
http://bitfolk.com/ -- No-nonsense VPS hosting
Encrypted mail welcome - keyid 0x604DE5DB

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFF37IEIJm2TL8VSQsRAtQ8AKCz5/7y9iTquZ53MQpKV3hcEvm+qwCfQJuh
adj71azSidCSyO3SxNl4fEE=
=Y6Nj
-----END PGP SIGNATURE-----

Hi,

>
> I had a chroot with debian sarge that I had to dist-upgrade to
> debian etch. I have backups and everying. But the problem is
> that now I try to change a user's password and I cannot.
> What could be the problem? What am I not aware of (regarding
> this issue)?
>
> CHROOT> passwd userx
> passwd: You may not view or modify password information for userx.
>

Try remounting with the "dev" option

# mount /debian -o remount,rw,dev


--
- Shashishekhar S
Consultant - Debian GNU/Linux
Remote Administration, Deployments
Mail Services, Tips and Tricks


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Do you have different users for your normal and chroot environments? The next thing to check is the permissions on the /etc directory - does it have the 'x' bit set so you can see what's in that directory? Remember that chroot does not switch the entire system - libraries loaded continue to run (and other software like the kernel itself and the original init) but all running software will invoke the new libraries when they need to load a module. It's a pretty messy environment. You just substitute the old root directory for a new one - in fact when you exit that environment you're back to the original.




--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

On Fri, Feb 23, 2007 at 10:36:16PM -0500, Nelson Castillo wrote:
> On 2/23/07, Andy Smith <andy@lug.org.uk> wrote:
> >On Fri, Feb 23, 2007 at 04:35:18PM -0500, Nelson Castillo wrote:
> >> CHROOT> passwd userx
> >> passwd: You may not view or modify password information for userx.
> >
> >Er, you ARE doing that as root, right?
>
> Yes The only special thing is that I'm inside a chroot. The "host"
> is a Fedora C5 server running Linux 2.6.16. And that I dist-upgraded from
> sarge to etch.

Sorry, had to ask

That is very odd. Could you strace the passwd command inside the
chroot and post a link to the results? (-o to send output to a file)

Cheers,
Andy

--
http://bitfolk.com/ -- No-nonsense VPS hosting
Encrypted mail welcome - keyid 0x604DE5DB

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFF4TKEIJm2TL8VSQsRAvxKAKDfFAfV9vxJqAg9At9Yrc S5AxaEFwCgw1ud
L0qk7BB1l7v3dR8/XhN91V0=
=H3tA
-----END PGP SIGNATURE-----

On 2/25/07, Andy Smith <andy@lug.org.uk> wrote:
> On Fri, Feb 23, 2007 at 10:36:16PM -0500, Nelson Castillo wrote:
> > On 2/23/07, Andy Smith <andy@lug.org.uk> wrote:
> > >On Fri, Feb 23, 2007 at 04:35:18PM -0500, Nelson Castillo wrote:
> > >> CHROOT> passwd userx
> > >> passwd: You may not view or modify password information for userx.
> > >
> > >Er, you ARE doing that as root, right?
> >
> > Yes The only special thing is that I'm inside a chroot. The "host"
> > is a Fedora C5 server running Linux 2.6.16. And that I dist-upgraded from
> > sarge to etch.
>
> Sorry, had to ask
>
> That is very odd. Could you strace the passwd command inside the
> chroot and post a link to the results? (-o to send output to a file)


The partition in which the chroot is is not mounted with the nodev option.
It's mounted with ext3,defaults, just as / is.

This is the strace I got:

http://wiki.superservicios.gov.co:81/~n/strace.txt

Thanks.

--
http://arhuaco.org
http://emQbit.com


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

> I'd suggest disabling SELinux and seeing if that fixes it, if it
> does then I guess you get to learn more about using it than I
> wish to right now

Same here.

Well, disabling SELinux in the host is not an option, but I can live with root
not being able to run "passwd user" as long as I can edit /etc/passwd and
/etc/shadow with vipw.

Thanks for your ,
N.-


--
http://arhuaco.org
http://emQbit.com


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

On Sun, Feb 25, 2007 at 10:07:48PM -0500, Nelson Castillo wrote:

> The partition in which the chroot is is not mounted with the nodev option.
> It's mounted with ext3,defaults, just as / is.
>
> This is the strace I got:
>
> http://wiki.superservicios.gov.co:81/~n/strace.txt

Looking that over this appears to be a SELinux thing.

The code obviously reads the current permissions of your
user:

open("/proc/self/task/25770/attr/current", O_RDONLY|O_LARGEFILE) = 4
read(4, "user_u:system_r:unconfined_t:s0-"..., 4095) = 43
close(4) = 0

I'm not sure what that means..

Later there are two file accesses which fail:

open("/selinux/access", O_RDWR|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("/selinux/enforce", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)

I'd suggest disabling SELinux and seeing if that fixes it, if it
does then I guess you get to learn more about using it than I
wish to right now

Steve
--
Debian GNU/Linux System Administration
http://www.debian-administration.org/


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

On Mon, Feb 26, 2007 at 03:12:44AM +0000, Steve Kemp wrote:
> On Sun, Feb 25, 2007 at 10:07:48PM -0500, Nelson Castillo wrote:
>
> > The partition in which the chroot is is not mounted with the nodev option.
> > It's mounted with ext3,defaults, just as / is.
> >
> > This is the strace I got:
> >
> > http://wiki.superservicios.gov.co:81/~n/strace.txt
>
> Looking that over this appears to be a SELinux thing.
Both FC and Debian have SELinux support. AFAIK, FC has it active by
default('enforcing mode') while Debian does not. On my sid system, I
have have SELinux active but not in 'enforce' mode. This means it does
not stop anything, but logs it if would.
>
> The code obviously reads the current permissions of your
> user:
>
> open("/proc/self/task/25770/attr/current", O_RDONLY|O_LARGEFILE) = 4
> read(4, "user_u:system_r:unconfined_t:s0-"..., 4095) = 43
> close(4) = 0
'unconfined' means that it is not a restricted in what it can do, thus
is only limited by regualr unix permisions, which are check first
anyway.
>
> I'm not sure what that means..
>
> Later there are two file accesses which fail:
>
> open("/selinux/access", O_RDWR|O_LARGEFILE) = -1 ENOENT (No such fileor directory)
> open("/selinux/enforce", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
>
> I'd suggest disabling SELinux and seeing if that fixes it, if it
> does then I guess you get to learn more about using it than I
> wish to right now
SElinux uses a virtual filesystem, that is set in /etc/fstab, for
displaying and setting options like /proc. These are saying that this
virtual filesystem is not there.

From my gut, it doesn't seem like SELinux is getting in the way. I'd see
if FC has option to turn off SELinux as a kernel option or at least to
turn off enforcing mode by using /selinux or chaning the policy.
--
| .''`. == Debian GNU/Linux == | my web site: |
| : :' : The Universal |mysite.verizon.net/kevin.mark/|
| `. `' Operating System | go to counter.li.org and |
| `- http://www.debian.org/ | be counted! #238656 |
| my keysever: subkeys.pgp.net | my NPO: cfsg.org |

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFF4mp3v8UcC1qRZVMRAnCfAJ46gNPCTgo1I9zm4uyYPV IHHKNF5ACbBdyV
cDY3ESnVImCFT2GpUeoqAfM=
=ox5A
-----END PGP SIGNATURE-----

On 2/26/07, root <kevin.mark@verizon.net> wrote:
> On Mon, Feb 26, 2007 at 03:12:44AM +0000, Steve Kemp wrote:
(cut)
> From my gut, it doesn't seem like SELinux is getting in the way. I'd see
> if FC has option to turn off SELinux as a kernel option or at least to
> turn off enforcing mode by using /selinux or chaning the policy.

Hey,

I did "mount -t selinuxfs none /selinux" inside of the chroot, and now
it works. It's the first time this happens to me

http://wiki.superservicios.gov.co:81...th-selinux.txt

Thanks,
Nelson.-

--
http://arhuaco.org
http://emQbit.com


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

On Mon, Feb 26, 2007 at 12:17:26AM -0500, Nelson Castillo wrote:
> On 2/26/07, root <kevin.mark@verizon.net> wrote:
> >On Mon, Feb 26, 2007 at 03:12:44AM +0000, Steve Kemp wrote:
> (cut)
> >From my gut, it doesn't seem like SELinux is getting in the way. I'd see
> >if FC has option to turn off SELinux as a kernel option or at least to
> >turn off enforcing mode by using /selinux or chaning the policy.
>
> Hey,
>
> I did "mount -t selinuxfs none /selinux" inside of the chroot, and now
> it works. It's the first time this happens to me
>
> http://wiki.superservicios.gov.co:81...th-selinux.txt
>
> Thanks,
Cool. It seems since FC has 'enforcing mode' on, it expects any chroot
to SELinux too? So that you had 'unix' permission to create the chroot
and issue the passwd command but you needed the rest of the SELinux
infrastrure for SELinux to allow you to do it.
Hmm.

--
| .''`. == Debian GNU/Linux == | my web site: |
| : :' : The Universal |mysite.verizon.net/kevin.mark/|
| `. `' Operating System | go to counter.li.org and |
| `- http://www.debian.org/ | be counted! #238656 |
| my keysever: subkeys.pgp.net | my NPO: cfsg.org |

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFF4t7ov8UcC1qRZVMRAocuAJwKWcCKyvI+6N2wN0C0ak PVLR/7AgCePaCk
6uBXdjbQ/sTQOUEJf57Cy7w=
=y8ec
-----END PGP SIGNATURE-----