Bug #12684

Do not create an actual /nonexistent directory

Added by Brett Keller about 3 years ago. Updated 12 months ago.

Status: Resolved
Priority: Nice to have
Assignee: John Hixson
Category: OS
Target version:
Severity: New
Reason for Closing:
Reason for Blocked:
Needs QA: No
Needs Doc: Yes
Needs Merging: Yes
Needs Automation: No
Support Suite Ticket: n/a
Hardware Configuration: FreeNAS Mini
ChangeLog Required: No

Description

For a user account with "/nonexistent" set as their home directory and "/sbin/nologin" set as the shell, the act of that user connecting to a CIFS share appears to result in the creation of an actual /nonexistent directory that contains user profile dot-files owned by that user. The /nonexistent directory should never actually exist. When it does exist and is owned by a particular user, it can break other FreeNAS functionality that relies on different user accounts. For example, e-mail alerts for cron jobs running as non-root users will fail to send when /nonexistent exists and is owned by a different user.

Steps to reproduce:
  • Configure a FreeNAS server running FreeNAS-9.3-STABLE-201511280648 with two local user accounts, "brett" and "cron_user"
    • Both accounts should have a home directory of "/nonexistent" and a shell of "/sbin/nologin"
    • Make sure cron_user has a valid e-mail address that will receive alerts from cron jobs
  • Configure a CIFS share to which the "brett" user will have access
  • Check that the /nonexistent directory does not exist:
    [root@fallingwater] ~# ls -la /nonexistent
    ls: /nonexistent: No such file or directory
    
  • Set up a test cron job in the web GUI that will run as cron_user and will send e-mail
    • User: cron_user
    • Command: echo "Sample cron output to be e-mailed"
    • Short description: Test cron job with stdout
    • Schedule every one or two minutes
    • Redirect stdout: unchecked
    • Redirect stderr: unchecked
    • Enabled: checked
  • Wait and verify that an e-mail from the cron job arrives as expected
  • On a Windows client, connect to the CIFS share as user "brett"
  • Check /nonexistent and find out that it now exists:
    [root@fallingwater] ~# ls -la /nonexistent
    total 13
    drwxr-xr-x   2 brett  brett   10 Dec  7 13:10 ./
    drwxr-xr-x  20 root   wheel   29 Dec  7 13:10 ../
    -rw-r--r--   1 brett  brett  898 Dec  7 13:10 .cshrc
    -rw-r--r--   1 brett  brett  186 Dec  7 13:10 .login
    -rw-r--r--   1 brett  brett   91 Dec  7 13:10 .login_conf
    -rw-------   1 brett  brett  301 Dec  7 13:10 .mail_aliases
    -rw-r--r--   1 brett  brett  267 Dec  7 13:10 .mailrc
    -rw-r--r--   1 brett  brett  680 Dec  7 13:10 .profile
    -rw-------   1 brett  brett  212 Dec  7 13:10 .rhosts
    -rw-r--r--   1 brett  brett  909 Dec  7 13:10 .shrc
    
  • Wait for the next cron job scheduled time, and note that e-mails have stopped arriving!
  • Check the cron log and note new error messages referencing /nonexistent and permissions:
    [root@fallingwater] ~# tail /var/log/cron
    Dec  7 13:10:00 fallingwater /usr/sbin/cron[4985]: (root) CMD (/usr/libexec/atrun)
    Dec  7 13:10:00 fallingwater /usr/sbin/cron[4984]: (cron_user) CMD (PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/root/bin" echo "Sample cron output to be e-mailed")
    Dec  7 13:11:00 fallingwater /usr/sbin/cron[5018]: (operator) CMD (/usr/libexec/save-entropy)
    Dec  7 13:12:00 fallingwater /usr/sbin/cron[5040]: (cron_user) CMD (PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/root/bin" echo "Sample cron output to be e-mailed")
    Dec  7 13:12:00 fallingwater cron[5040]: _secure_path: /nonexistent/.login_conf is not owned by uid 1002
    Dec  7 13:12:00 fallingwater cron[5041]: _secure_path: /nonexistent/.login_conf is not owned by uid 1002
    Dec  7 13:14:00 fallingwater /usr/sbin/cron[5109]: (cron_user) CMD (PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/root/bin" echo "Sample cron output to be e-mailed")
    Dec  7 13:14:00 fallingwater cron[5109]: _secure_path: /nonexistent/.login_conf is not owned by uid 1002
    Dec  7 13:14:00 fallingwater cron[5110]: _secure_path: /nonexistent/.login_conf is not owned by uid 1002
    
  • Manually delete the /nonexistent directory:
    [root@fallingwater] ~# rm -Rf /nonexistent
    [root@fallingwater] ~# ls -la /nonexistent
    ls: /nonexistent: No such file or directory
    
  • Observe that the cron job e-mails start arriving again starting at the next scheduled time
  • On the Windows client, connect to the CIFS share again as user "brett"
  • Check for /nonexistent again, and see that it has returned:
    [root@fallingwater] ~# ls -la /nonexistent
    total 13
    drwxr-xr-x   2 brett  brett   10 Dec  7 13:30 ./
    drwxr-xr-x  20 root   wheel   29 Dec  7 13:30 ../
    -rw-r--r--   1 brett  brett  898 Dec  7 13:30 .cshrc
    -rw-r--r--   1 brett  brett  186 Dec  7 13:30 .login
    -rw-r--r--   1 brett  brett   91 Dec  7 13:30 .login_conf
    -rw-------   1 brett  brett  301 Dec  7 13:30 .mail_aliases
    -rw-r--r--   1 brett  brett  267 Dec  7 13:30 .mailrc
    -rw-r--r--   1 brett  brett  680 Dec  7 13:30 .profile
    -rw-------   1 brett  brett  212 Dec  7 13:30 .rhosts
    -rw-r--r--   1 brett  brett  909 Dec  7 13:30 .shrc
    
  • Wait for the next cron job time and note that e-mails have again stopped arriving
  • Repeat as necessary...

I've attached a debug log from a server on which I ran the above steps. Please let me know if you need any further information.
Thanks.

patch-pam_mkhomedir.c (549 Bytes) patch-pam_mkhomedir.c Josh Paetzel, 05/25/2016 06:37 AM
patch-pam_mkhomedir.c (552 Bytes) patch-pam_mkhomedir.c Anonymous, 06/07/2016 10:54 PM
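
A read-only check for the condition this report describes, as an added example that is not part of the ticket or of the FreeNAS code: it lists the accounts sharing a placeholder home, reports whether that directory exists and which uid owns it, and counts cron's `_secure_path` ownership errors. The function names and the passwd entries (including uid 1001 for brett) are constructed for illustration; the log lines are modelled on the ones quoted above.

```sh
#!/bin/sh
# Constructed sample data: two accounts sharing the placeholder home, plus
# cron log lines modelled on the ticket. uid 1001 for brett is an assumption.
SAMPLE_PASSWD='root:*:0:0:Charlie Root:/root:/bin/csh
brett:*:1001:1001:Brett:/nonexistent:/sbin/nologin
cron_user:*:1002:1002:Cron User:/nonexistent:/sbin/nologin'
SAMPLE_CRON_LOG='Dec  7 13:12:00 fallingwater cron[5040]: _secure_path: /nonexistent/.login_conf is not owned by uid 1002
Dec  7 13:12:00 fallingwater cron[5041]: _secure_path: /nonexistent/.login_conf is not owned by uid 1002
Dec  7 13:14:00 fallingwater /usr/sbin/cron[5109]: (cron_user) CMD (echo sample)'

# passwd(5) text on stdin -> "user uid" for each account whose home is $1.
accounts_with_home() {
    awk -F: -v h="$1" '$6 == h { print $1, $3 }'
}

# cron log on stdin -> "count uid path" per distinct ownership failure.
secure_path_failures() {
    awk '/_secure_path: .* is not owned by uid [0-9]+$/ {
        uid = $NF; path = $0
        sub(/^.*_secure_path: /, "", path)
        sub(/ is not owned by uid [0-9]+$/, "", path)
        seen[uid " " path]++
    }
    END { for (k in seen) print seen[k], k }' | sort
}

# Does the directory $1 exist, and which numeric uid owns it?
home_state() {
    if [ -d "$1" ]; then
        echo "present owner_uid=$(ls -ldn "$1" | awk '{ print $3 }')"
    else
        echo "absent"
    fi
}

# report PASSWD_TEXT LOG_TEXT HOME: combine the three checks (read-only).
report() {
    echo "home $3: $(home_state "$3")"
    printf '%s\n' "$1" | accounts_with_home "$3" | sed 's/^/  shares this home: /'
    printf '%s\n' "$2" | secure_path_failures | sed 's/^/  cron failure (count uid path): /'
}

report "$SAMPLE_PASSWD" "$SAMPLE_CRON_LOG" /nonexistent
```

On a live system the same report can be fed real data, for example `report "$(cat /etc/passwd)" "$(cat /var/log/cron)" /nonexistent`; a "present" home shared by more than one account is the state in which the cron failures above appear.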

Associated revisions

Revision b5b05785 (diff)
Added by John Hixson over 1 year ago

Don't create /nonexistent directory

- Courtesy of "Anonymous"

Ticket: #12684

Revision 5ca311d5 (diff)
Added by John Hixson over 1 year ago

Bump port revision

Ticket: #12684

Revision bfce7848 (diff)
Added by John Hixson about 1 year ago

Don't create /nonexistent directory

- Courtesy of "Anonymous"

Ticket: #12684

Revision 05a2b7e2 (diff)
Added by John Hixson about 1 year ago

Don't create /nonexistent directory

- Courtesy of "Anonymous"

Ticket: #12684

Revision f77c5026 (diff)
Added by John Hixson 8 months ago

Don't create /nonexistent directory

- Courtesy of "Anonymous"

Ticket: #12684

Revision 0d4c49d5 (diff)
Added by John Hixson 8 months ago

Don't create /nonexistent directory

- Courtesy of "Anonymous"

Ticket: #12684

Revision 1111f0b9 (diff)
Added by John Hixson 8 months ago

Don't create /nonexistent directory

- Courtesy of "Anonymous"

Ticket: #12684

Revision 36328df1 (diff)
Added by John Hixson 3 months ago

Don't create /nonexistent directory

- Courtesy of "Anonymous"

Ticket: #12684

Revision 0d95d9bb (diff)
Added by John Hixson 3 months ago

Don't create /nonexistent directory

- Courtesy of "Anonymous"

Ticket: #12684

Revision e194acad (diff)
Added by John Hixson 3 months ago

Don't create /nonexistent directory

- Courtesy of "Anonymous"

Ticket: #12684

Revision 06196c7c (diff)
Added by John Hixson 3 months ago

Don't create /nonexistent directory

- Courtesy of "Anonymous"

Ticket: #12684

History

#1 Updated by Jordan Hubbard about 3 years ago

  • Category changed from 81 to 57
  • Assignee set to John Hixson

#2 Updated by Sean Fagan about 3 years ago

Oh, that's why I have a /nonexistent directory...

#3 Updated by John Hixson about 3 years ago

  • Status changed from Unscreened to Screened

So the nonexistent directory is in fact not nonexistent? I assume the nonexistent directory should be nonexistent? ;-)

#4 Updated by Jordan Hubbard about 3 years ago

BRB: Seems like the right fix is to remove the pam_mkhomedir hack, since the home directory should either already exist or, if it is /nonexistent, we obviously don't want it to exist.

#5 Updated by Jordan Hubbard almost 3 years ago

  • Assignee changed from John Hixson to Jakub Klama

#6 Updated by Jordan Hubbard over 2 years ago

  • Assignee changed from Jakub Klama to Anonymous

See comments about changing the PAM module to special-case "/nonexistent" and not make that directory.

#7 Updated by Anonymous over 2 years ago

While working on fixing this bug, I came across PAM's configuration for SAMBA service in freenas/src/freenas/etc/ix/templates/pam.d/samba.
The use of pam_mkhomedir.so is to automatically create a /home/username directory if none exists the first time a person tries to access this machine.

Hence, removing 'session required /usr/local/lib/pam_mkhomedir.so' from the file solves the issue of a /nonexistent directory getting created when the user accesses a CIFS share.

Does this work for you?

#8 Updated by Josh Paetzel over 2 years ago

No, that won't work, because there are cases where the home directory needs to get created.

Here's an untested patch to pam_mkhomedir.c that stops it from creating /nonexistent.

#9 Updated by Anonymous over 2 years ago

Okay! Where do I add this patch? Also, I need to build freenas from scratch after adding this patch, right?

#10 Updated by Josh Paetzel over 2 years ago

You'll have to copy the entire security/pam_mkhomedir port from the github freebsd ports tree repo to nas_ports in the FreeNAS repo, then add the patch file I provided to nas_ports/security/pam_mkhomedir/files/

Then run make clean-package p=pam_mkhomedir and then rebuild FreeNAS.

#11 Updated by Anonymous over 2 years ago

I applied the patch and rebuilt freenas; it did not solve the issue of a /nonexistent directory getting created.

#12 Updated by Anonymous over 2 years ago

  • Status changed from Screened to Fix In Progress

#13 Updated by Anonymous over 2 years ago

  • Status changed from Fix In Progress to 19

#14 Updated by Josh Paetzel over 2 years ago

I forgot a step which may have caused the old port to get included. You need to increment PORTREVISION in nas_ports/security/pam_mkhomedir/Makefile

#15 Updated by Anonymous over 2 years ago

I added the PORTREVISION variable in the Makefile and set the value to 1. The build failed twice giving out the following logs:

[00:05:44] ====>> [01][00:00:00] Starting build of security/pam_mkhomedir
[00:05:46] ====>> [01][00:00:02] Saved security/pam_mkhomedir wrkdir to: /root/freenas-build/_BE/objs/ports/wrkdirs/ja-p/p/pam_mkhomedir-0.2_1.tbz
[00:05:46] ====>> [01][00:00:02] Finished build of security/pam_mkhomedir: Failed: build
[00:05:46] ====>> Stopping 1 builders
[00:05:52] ====>> No package built, no need to update the repository
[00:05:52] ====>> Committing packages to repository
[00:05:52] ====>> Removing old packages
[00:05:52] ====>> Failed ports: security/pam_mkhomedir:build
[ja-p] [2016-06-07_17h04m42s] [committing:] Queued: 1 Built: 0 Failed: 1 Skipped: 0 Ignored: 0 Tobuild: 0 Time: 00:03:07

#16 Updated by Josh Paetzel over 2 years ago

Somewhere above that will be the poudriere build log directory. Can you attach the pam_mkhomedir log from that directory?

#17 Updated by Anonymous over 2 years ago

Hi Josh, I made slight modifications to the patch file you sent and rebuilt freenas. I have tested the issue and the fix is now working.
Please find attached the modified patch file here.

#18 Updated by Josh Paetzel over 2 years ago

Ok, could you create a pull request that moves the pam_mkhomedir port to security/nas_ports and adds this patch? It would be best to bump PORTREVISION in the port Makefile as well.

#19 Updated by Anonymous over 2 years ago

Yeah, I have opened pull request #169 with the required changes on GitHub.

#20 Updated by Kris Moore about 2 years ago

  • Assignee changed from Anonymous to Erin Clark
  • Priority changed from No priority to Nice to have
  • Target version set to 9.10.1-U3

#21 Updated by Kris Moore about 2 years ago

  • Target version changed from 9.10.1-U3 to 9.10.2

#22 Updated by Vaibhav Chauhan about 2 years ago

  • Target version changed from 9.10.2 to 9.10.2-U1

PR was never merged, punting to 9.10.2-U1

#23 Updated by Vaibhav Chauhan almost 2 years ago

  • Target version changed from 9.10.2-U1 to 9.10.2-U2

This will not make it into the 9.10.2-U1 release.

#24 Updated by Kris Moore almost 2 years ago

  • Target version changed from 9.10.2-U2 to 9.10.3

#25 Updated by Kris Moore over 1 year ago

  • Target version changed from 9.10.3 to 9.10.4

#26 Updated by Kris Moore over 1 year ago

  • Target version changed from 9.10.4 to 11.1

#27 Updated by Erin Clark over 1 year ago

  • Assignee changed from Erin Clark to John Hixson

I haven't really been working on the middleware stuff lately so I don't know the status of this, passing to John

#28 Updated by John Hixson over 1 year ago

  • Status changed from 19 to Ready For Release

#29 Updated by Dru Lavigne over 1 year ago

  • Subject changed from The "/nonexistent" directory gets created when a user with "/nonexistent" set as their home directory accesses a CIFS share to Do not create an actual /nonexistent directory

#30 Updated by Dru Lavigne about 1 year ago

  • Target version changed from 11.1 to 11.1-BETA1

#31 Updated by Kim Kam about 1 year ago

Until this bug is fixed in 11.1 or for older 9.10 I found a simple workaround. Create the /nonexistent directory manually and clear any permissions on it. Then it will still exist, but nothing will be able to create files there:

as ROOT:
rm -rf /nonexistent
mkdir /nonexistent
chmod 000 /nonexistent

[root@freenas] ~# ls -la /nonexistent
total 3
d---------   2 root wheel  2 May 24  2016 ./
drwxr-xr-x  21 root wheel 28 Jul 27 10:10 ../

#32 Updated by Dru Lavigne about 1 year ago

  • Status changed from Ready For Release to Resolved

#33 Updated by Joe Maloney about 1 year ago

  • QA Status Test Fails FreeNAS added
  • QA Status deleted (Not Tested)

This directory is still created on my 11.1-RC1 install when creating a new user.

#34 Updated by Dru Lavigne about 1 year ago

  • Status changed from Resolved to 46
  • Target version changed from 11.1-BETA1 to 11.1

John: please review the failed QA test with Joe.

#35 Updated by Nick Wolff about 1 year ago

PR submitted to pull back in commits that got lost between branches.

#36 Updated by John Hixson about 1 year ago

Dru Lavigne wrote:

John: please review the failed QA test with Joe.

Reviewed

#37 Updated by Nick Wolff about 1 year ago

  • Target version changed from 11.1 to 11.1-RC3

#38 Updated by Dru Lavigne about 1 year ago

  • Target version changed from 11.1-RC3 to 11.1

#39 Updated by Dru Lavigne about 1 year ago

  • Status changed from 46 to Ready For Release

#40 Updated by Dru Lavigne about 1 year ago

  • File deleted (debug-fallingwater-20151207133817..tgz)

#41 Updated by Nick Wolff about 1 year ago

  • Needs QA changed from Yes to No
  • QA Status Test Passes FreeNAS added
  • QA Status deleted (Test Fails FreeNAS)

#42 Updated by Dru Lavigne 12 months ago

  • Status changed from Ready For Release to Resolved
