[Freeipa-users] stickybits and freeipa

Simo Sorce simo at redhat.com
Tue Jun 16 13:01:02 UTC 2015 

On Tue, 2015-06-16 at 14:50 +0200, richard wrote:
> Hi,
> 
> I have made a trace with gdb, and this is the output from that.
> So it looks like the suid user isnt found.

Hi Richard,
this looks like a bug in the application you are using, as a failure to
lookup a user (if that is the case), should never end up with a
segfault.

I would contact that application developer and file a bug with them.

Simo.

> Program received signal SIGSEGV, Segmentation fault.
> 0x08518f44 in utilcuti_GetUsrid(void) ()
> Missing separate debuginfos, use: debuginfo-install 
> atk-2.10.0-1.fc20.i686 bzip2-libs-1.0.6-9.fc20.i686 
> cairo-1.13.1-0.1.git337ab1f.fc20.i686 expat-2.1.0-7.fc20.i686 
> fontconfig-2.11.0-2.fc20.i686 freetype-2.5.0-5.fc20.i686 
> gdk-pixbuf2-2.30.3-1.fc20.i686 glib2-2.38.2-2.fc20.i686 
> glibc-2.18-16.fc20.i686 gtk2-2.24.24-2.fc20.i686 
> harfbuzz-0.9.27-1.fc20.i686 jbigkit-libs-2.0-10.fc20.i686 
> libX11-1.6.1-1.fc20.i686 libXau-1.0.8-2.fc20.i686 
> libXcomposite-0.4.4-4.fc20.i686 libXcursor-1.1.14-2.fc20.i686 
> libXdamage-1.1.4-4.fc20.i686 libXext-1.3.2-2.fc20.i686 
> libXfixes-5.0.1-2.fc20.i686 libXi-1.7.4-1.fc20.i686 
> libXinerama-1.1.3-2.fc20.i686 libXrandr-1.4.1-2.fc20.i686 
> libXrender-0.9.8-2.fc20.i686 libXxf86vm-1.1.3-2.fc20.i686 
> libdrm-2.4.58-1.fc20.i686 libffi-3.0.13-5.fc20.i686 
> libgcc-4.8.3-7.fc20.i686 libjpeg-turbo-1.3.1-2.fc20.i686 
> libpng-1.6.6-3.fc20.i686 libpng12-1.2.50-6.fc20.i686 
> libselinux-2.2.1-6.fc20.i686 libwayland-client-1.2.0-3.fc20.i686 
> libwayland-server-1.2.0-3.fc20.i686 libxcb-1.9.1-3.fc20.i686 
> mesa-libEGL-10.3.3-1.20141110.fc20.i686 
> mesa-libGL-10.3.3-1.20141110.fc20.i686 
> mesa-libgbm-10.3.3-1.20141110.fc20.i686 
> mesa-libglapi-10.3.3-1.20141110.fc20.i686 pango-1.36.1-3.fc20.i686 
> pcre-8.33-7.fc20.i686 pixman-0.30.0-5.fc20.i686 
> xz-libs-5.1.2-12alpha.fc20.i686 zlib-1.2.8-3.fc20.i686
> (gdb) bt
> #0  0x08518f44 in utilcuti_GetUsrid(void) ()
> #1  0x0839b8a5 in BuildLockInfo(char const *, char, char *, char const 
> *, char *, char const *) ()
> #2  0x0839dc51 in lock_LockFile(char const *, char, short, char *, char 
> const *, char const *, char const *, char const *, char *, char const *, 
> char *) ()
> #3  0x083a02c3 in FILE_RESOURCE::DAVLock(JSTRING const &, int) ()
> #4  0x083c1e34 in ARCHIVE_RESOURCE::Lock(JSTRING const &, int) ()
> #5  0x0839fd20 in FILE_RESOURCE::DAVDelete(void) ()
> #6  0x083c17d4 in ARCHIVE_RESOURCE::Delete(void) ()
> #7  0x083b3854 in Document::Delete(void) ()
> #8  0x083bdf93 in TMP_OSBUFF::~TMP_OSBUFF(void) ()
> #9  0x083be1e1 in EXCOML_BUFFER_CHANNEL::~EXCOML_BUFFER_CHANNEL(void) ()
> #10 0x083ca4db in TEXT_FORMAT_PARSER::~TEXT_FORMAT_PARSER(void) ()
> #11 0x085270a4 in READ_CHANNEL::READER_NODE::~READER_NODE(void) ()
> #12 0x085271ab in READ_CHANNEL::~READ_CHANNEL(void) ()
> #13 0x083bf754 in DOCUMENT_READER::~DOCUMENT_READER(void) ()
> #14 0x08378100 in TREE_FROM_DOC::~TREE_FROM_DOC(void) ()
> #15 0x081b2aee in EXECUTECMD::File(PSTRING const &, PSTRING const &) ()
> #16 0x081b3a4e in EXECUTECMD::Link(PSTRING const &, PSTRING const &) ()
> #17 0x0825d010 in ECL_COMMAND::OtherExecute(void) ()
> #18 0x08267be4 in ECL_COMMAND::Execute(EXPR_DICT *) ()
> #19 0x08247d0e in ECL_REPEAT::Execute(EXPR_DICT *) ()
> #20 0x082472ed in lang_TreeExecute(ECL_TREE *, EXPR_DICT *) ()
> #21 0x081af72b in KEY_T::Execute(void) ()
> #22 0x081b3f26 in EXECUTECMD::Function(PSTRING const &, PSTRING const &, 
> int, JSTRING const &) ()
> #23 0x08059106 in EXCO::Initiate(void) ()
> #24 0x0805a355 in EXCO::Edit(void) ()
> #25 0x080544f5 in main ()
> 
> // Richard
> 
> 2015-06-15 15:34 skrev Simo Sorce:
> > On Sun, 2015-06-14 at 20:53 +0200, richard wrote:
> >> Hi,
> >> 
> >> We are about to implement freeipa in our environment.
> >> During some test so have we discovered problems when we are trying to
> >> run scripts with the suid bit set.
> >> It looks like the system is trying to authenticate the suid user 
> >> against
> >> freeipa, but since suid user doesnt have a valid ticket, so will the
> >> script not run.
> >> I would need some help to get around this problem.
> >> 
> >> Is it possible to configure a keytab for the suid user so that this 
> >> user
> >> always have a valid ticket?
> > 
> > Hi Richard,
> > it is unclear to me what problem you are having.
> > 
> > Can you provide some log or output you receive when running commands
> > that do not work as you expect ?
> > 
> > The kernel doesn't really care (nor try) to authenticate users when the
> > suid bit is set, so there must be some other component involved that is
> > causing you trouble.
> > 
> > Simo.


-- 
Simo Sorce * Red Hat, Inc * New York

More information about the Freeipa-users mailing list