Re: [Vchanger-users] 'update slots' missing?!
From: Josh F. <jf...@ja...> - 2022-09-12 21:38:23
Yes. Vchanger, by default, will not run as root. It changes user and
group to that set by the User and Group configuration variables assigned
in vchanger.conf. If not specified in vchanger.conf, then the default of
bacula:tape is used. Vchanger must be forced to run as root by setting
User=root and Group=root in vchanger.conf or by specifying the -u and -g
flags in the vchanger command line. See man vchanger.
udev does run as root. Because the bconsole calls made by vchanger for
the REFRESH command may take longer than the udev documentation says it
should, the udev rules for vchanger execute a very short launcher script
that simply launches vchanger in the background as a separate process,
then exits. That lets udev continue without waiting for vchanger and
prevents any udev problem. The vchanger instance in the background loads
its config file and normally drops root privileges and su's to the
bacula:tape user (or whatever user:group is defined in the vchanger
config file).
Whether vchanger is launched by udev or by a terminal logged in as root,
it will switch user:group to that defined in the vchanger.conf file.
When launched by the bacula-sd process, it will normally run as the same
user:group that bacula-sd runs as. This is because bacula-sd usually
does not run as root, so usually cannot switch user to bacula:tape. This
is why vchanger defaults to bacula:tape, the user:group that bacula-sd
defaults to on most OSs.
The user:group that bacula-sd runs as is set in /etc/defaults/bacula-sd,
or /etc/sysconfig/bacula-sd on RHEL systems. The User and Group settings
in vchanger.conf should match the bacula-sd user:group settings.
Permissions for all files and directories touched by vchanger, or
bacula-sd must be set accordingly. vchanger and bacula-sd must have
read/write access for the vchanger work directory, log file, magazine
disk directories/mount points, and the volume files on them.
Also, the vchanger.conf file must be readable by the bacula:tape user,
since vchanger will normally be launched by bacula-sd.
On 9/12/22 08:50, Marco Gaiarin wrote:
> Hi! Marco Gaiarin
> On that day one was saying...
>
>> with execvp(), but i can go any further...
> OK, it is not bacula-sd that does a bconsole run, but the udev scripts when an
> RDX gets inserted, that do a 'vchanger <conffile> refresh'.
>
> The strange thing is that udev is run by root, and with the suggestion of
> some friend I've tried to 'strace' it:
>
> root@sdpve2:~# strace -f -o /tmp/vchanger.strace /usr/bin/vchanger --force /etc/vchanger/SDPVE2RDX.conf refresh
>
> obviously by root. result:
>
> 30533 execve("/usr/bin/vchanger", ["/usr/bin/vchanger", "--force", "/etc/vchanger/SDPVE2RDX.conf", "refresh"], 0x7ffc292bdc20 /* 20 vars */) = 0
> [...]
> 30533 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f43d8e37a90) = 30534
> 30534 execve("/usr/sbin/bconsole", ["/usr/sbin/bconsole", "-n", "-u", "30"], 0x7ffc3a659bc0 /* 20 vars */) = 0
> [...]
> 30534 openat(AT_FDCWD, "/etc/bacula/bconsole.conf", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)
> 30534 openat(AT_FDCWD, "/usr/share/locale/en_US.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
> 30534 openat(AT_FDCWD, "/usr/share/locale/en_US.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
> 30534 openat(AT_FDCWD, "/usr/share/locale/en_US/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
> 30534 openat(AT_FDCWD, "/usr/share/locale/en.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
> 30534 openat(AT_FDCWD, "/usr/share/locale/en.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
> 30534 openat(AT_FDCWD, "/usr/share/locale/en/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
> 30534 fstat(1, {st_mode=S_IFIFO|0600, st_size=0, ...}) = 0
> 30534 write(1, "bconsole: ERROR TERMINATION at p"..., 135) = 135
> 30534 openat(AT_FDCWD, "/etc/localtime", O_RDONLY|O_CLOEXEC) = 4
> 30534 fstat(4, {st_mode=S_IFREG|0644, st_size=2692, ...}) = 0
> 30534 fstat(4, {st_mode=S_IFREG|0644, st_size=2692, ...}) = 0
> 30534 read(4, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\7\0\0\0\7\0\0\0\0"..., 3072) = 2692
> 30534 lseek(4, -1719, SEEK_CUR) = 973
> 30534 read(4, "TZif2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\10\0\0\0\10\0\0\0\0"..., 3072) = 1719
> 30534 close(4) = 0
> 30534 write(1, "12-Sep 13:10 bconsole: ERROR TER"..., 148) = 148
> 30534 exit_group(1) = ?
> 30534 +++ exited with 1 +++
>
>
> Very strange. Note that vchanger and bconsole are not suid:
>
> root@sdpve2:~# ls -la /usr/bin/vchanger /usr/sbin/bconsole
> -rwxr-xr-x 1 root root 142960 May 4 18:12 /usr/bin/vchanger
> -rwxr-xr-x 1 root root 53072 Aug 30 2020 /usr/sbin/bconsole
>
> and conf file permission seems good:
>
> root@sdpve2:~# ls -la /etc/bacula/
> total 62
> drwxr-xr-x 3 root root 11 Jul 18 09:49 .
> drwxr-xr-x 93 root root 191 Sep 11 01:22 ..
> -rw-r----- 1 root bacula 1135 Jul 18 09:49 bacula-fd.conf
> -rw-r----- 1 root root 1120 Jul 18 09:44 bacula-fd.conf~
> -rw-r----- 1 root root 1120 Jul 18 09:44 bacula-fd.conf.dist
> -rw-r----- 1 bacula bacula 3905 Jul 15 12:39 bacula-sd.conf
> -rw-r----- 1 root root 9999 Jul 12 15:55 bacula-sd.conf.dist
> -rw-r----- 1 root bacula 271 Jul 12 15:40 bconsole.conf
> -rw-r----- 1 root root 266 Jul 12 15:39 bconsole.conf.dist
> -rw------- 1 root root 500 Jul 12 15:36 common_default_passwords
> drwxr-xr-x 2 root root 8 Jul 12 15:36 scripts
>
>
> Note that if I explicitly set bconsole config file adding in /etc/vchanger/SDPVE2RDX.conf
> the row:
> bconsole config = /etc/bacula/bconsole.conf
>
> vchanger fails early:
> 14655 openat(AT_FDCWD, "/var/log/vchanger/SDPVE2RDX.log", O_WRONLY|O_CREAT|O_APPEND, 0666) = 3
> 14655 lseek(3, 0, SEEK_END) = 5962
> 14655 access("/var/spool/vchanger/SDPVE2RDX", W_OK) = 0
> 14655 access("/etc/bacula/bconsole.conf", R_OK) = -1 EACCES (Permission denied)
>
>
> Summoning it: 'vchanger', even run by root, seems not able (EACCES,
> permission Denied) to access bconsole config file.
>
>
> WHY?!
>
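One way to predict the EACCES above before reaching for strace, written as an added example rather than code from vchanger or Bacula: read the User and Group that vchanger will drop to (defaulting to bacula:tape as described in the reply) and evaluate the owner/group/other mode bits of each file it needs against exactly that uid:gid pair. The script assumes GNU coreutils `stat -c`, parses only the three vchanger.conf keys this thread mentions (User, Group, "bconsole config"), and takes the work directory, log file and magazine paths as command-line arguments; the function and output names are its own.

```sh
#!/bin/sh
# Added example, not part of vchanger or Bacula: predict whether the user:group
# that vchanger switches to would pass the owner/group/other permission check
# on each file it needs. Only the single uid:gid pair is considered (no
# supplementary groups, no ACLs, no root override), which is the pessimistic
# view. Assumes GNU coreutils 'stat -c'. Parsed vchanger.conf keys are limited
# to User, Group and "bconsole config".

# perm_digit MODE owner|group|other -> prints the matching octal digit (0-7).
perm_digit() {
    m=$(printf '%s' "$1" | tail -c 3)      # keep the last three digits of e.g. 0640
    case $2 in
        owner) printf '%s' "${m%??}" ;;
        group) t=${m#?}; printf '%s' "${t%?}" ;;
        other) printf '%s' "${m#??}" ;;
    esac
}

# has_access PATH USER GROUP r|w -> 0 if USER:GROUP may read/write PATH by mode
# bits alone, 1 if denied or PATH is missing, 2 on a bad request.
has_access() {
    path=$1 user=$2 group=$3 want=$4
    st=$(stat -c '%a %U %G' "$path" 2>/dev/null) || return 1
    set -- $st
    mode=$1 owner=$2 grp=$3
    # Unix picks exactly one class: owner if the uid matches, else group, else other.
    if [ "$owner" = "$user" ]; then d=$(perm_digit "$mode" owner)
    elif [ "$grp" = "$group" ]; then d=$(perm_digit "$mode" group)
    else d=$(perm_digit "$mode" other)
    fi
    case $want in
        r) bit=4 ;;
        w) bit=2 ;;
        *) return 2 ;;
    esac
    [ $(( d & bit )) -ne 0 ]
}

# conf_value CONF KEY -> value of "KEY = value" (case-insensitive key), or nothing.
conf_value() {
    grep -i "^[[:space:]]*$2[[:space:]]*=" "$1" 2>/dev/null \
        | head -n 1 | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//'
}

# vchanger_permcheck CONF [r:PATH|w:PATH ...] -> one line per checked path,
# exit 1 if anything is denied. Extra arguments name the work dir, log file,
# magazine mount points and volume files (all need w) of your setup.
vchanger_permcheck() {
    conf=$1; shift
    user=$(conf_value "$conf" User);   [ -n "$user" ]  || user=bacula   # vchanger default
    group=$(conf_value "$conf" Group); [ -n "$group" ] || group=tape    # vchanger default
    bconsole_conf=$(conf_value "$conf" "bconsole config")
    rc=0
    # The config itself and the bconsole config must be readable after the drop.
    set -- "r:$conf" ${bconsole_conf:+"r:$bconsole_conf"} "$@"
    for spec in "$@"; do
        want=${spec%%:*}; p=${spec#*:}
        if has_access "$p" "$user" "$group" "$want"; then
            printf 'ok      %s %s:%s %s\n' "$want" "$user" "$group" "$p"
        else
            printf 'DENIED  %s %s:%s %s\n' "$want" "$user" "$group" "$p"; rc=1
        fi
    done
    return $rc
}

# Usage: sh vchanger-permcheck.sh /etc/vchanger/SDPVE2RDX.conf \
#            w:/var/spool/vchanger/SDPVE2RDX w:/var/log/vchanger/SDPVE2RDX.log
if [ "$#" -gt 0 ]; then
    vchanger_permcheck "$@"
fi
```

Against the listing quoted above, bconsole.conf is root:bacula mode 0640, so a process evaluated as bacula:tape falls into the "other" class and is denied, which is exactly the EACCES in the strace; a DENIED line here points at the file whose owner, group or mode has to change (or at the User/Group pair that should match bacula-sd), without tracing anything.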