Bug #33576

Handle permission error more gracefully when creating local user

Added by Steve Scotter 11 months ago. Updated 10 months ago.

Status:
Done
Priority:
No priority
Assignee:
William Grzybowski
Category:
Middleware
Target version:
Seen in:
Severity:
Med High
Reason for Closing:
Reason for Blocked:
Needs QA:
No
Needs Doc:
No
Needs Merging:
No
Needs Automation:
No
Support Suite Ticket:
n/a
Hardware Configuration:
N/A

ChangeLog Required:
No

Description

We've had a problem for a few months (and updated twice in an effort to resolve it to no effect) where when we create new users (or edit existing users) via the WebGUI we get the following error

Exception Type: ClientException
Exception Value:
[Errno 1] Operation not permitted: '/mnt/vol_dozer1/homes/firstname.lastname/.ssh'
Exception Location: /usr/local/lib/python3.6/site-packages/middlewared/client/client.py in call, line 394
Server time: Tue, 15 May 2018 10:31:50 +0100

The user is created, the home directory is created, but the .ssh is still owned by root.

root@dozer:~ # ll /mnt/vol_dozer1/homes/firstname.lastname/
total 33
-rwxrwxr-x+ 1 firstname.lastname techies 983 May 15 11:21 .cshrc*
-rwxrwxr-x+ 1 firstname.lastname techies 182 May 15 11:21 .login*
-rwxrwxr-x+ 1 firstname.lastname techies 91 May 15 11:21 .login_conf*
-rwxrwxr-x+ 1 firstname.lastname techies 301 May 15 11:21 .mail_aliases*
-rwxrwxr-x+ 1 firstname.lastname techies 267 May 15 11:21 .mailrc*
-rwxrwxr-x+ 1 firstname.lastname techies 728 May 15 11:21 .profile*
-rwxrwxr-x+ 1 firstname.lastname techies 212 May 15 11:21 .rhosts*
-rwxrwxr-x+ 1 firstname.lastname techies 780 May 15 11:21 .shrc*
drwxrwxr-x+ 2 root techies 2 May 15 11:21 .ssh/

Users only access the NAS via SMB so SSH access is not required. Adding a valid SSH key to the new user form doesn't bypass the error.

I feel the issue is related to permissions, but I've been unable to find a resolution on my own.

PS. Initially reported via https://forums.freenas.org/index.php?threads/clientexception-when-creating-local-user.63726/ but was advised to raise a bug report here.
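To make the failure mode and the "more graceful" handling the ticket title asks for concrete, here is an added example written for this page; it is not middlewared's code. The skel copy and the ~/.ssh creation mirror the listing above; the injectable chown, the uid/gid 1001 and the temporary skel directory are constructed assumptions so the scenario runs without root or an ACL-managed dataset.

```python
import errno
import logging
import os
import shutil
import tempfile

log = logging.getLogger("middlewared.account")

def populate_home(home, uid, gid, *, skel="/usr/share/skel", chown=os.chown, strict=False):
    """Create home, copy FreeBSD skel files (dot.X -> .X) and create ~/.ssh.
    A chown failing with EPERM (what the NFSv4 ACL in this ticket produced) is
    logged and skipped; strict=True reproduces the old behaviour of aborting."""
    warnings = []
    def own(path):
        try:
            chown(path, uid, gid)
        except PermissionError as e:
            if strict or e.errno != errno.EPERM:
                raise
            log.warning("could not chown %s: %s", path, e.strerror)
            warnings.append(path)
    os.makedirs(home, mode=0o755, exist_ok=True)
    own(home)
    for name in (sorted(os.listdir(skel)) if os.path.isdir(skel) else []):
        if name.startswith("dot."):
            dst = os.path.join(home, name[3:])  # dot.cshrc -> .cshrc
            shutil.copyfile(os.path.join(skel, name), dst)
            own(dst)
    sshdir = os.path.join(home, ".ssh")
    os.makedirs(sshdir, mode=0o700, exist_ok=True)
    own(sshdir)
    return warnings  # paths whose ownership could not be set

def demo(strict=False):
    """Constructed scenario: temp skel dir plus a fake chown that raises EPERM
    only for ~/.ssh, as in the report. Returns (files created, warnings)."""
    root = tempfile.mkdtemp()
    skel = os.path.join(root, "skel")
    os.mkdir(skel)
    with open(os.path.join(skel, "dot.cshrc"), "w") as f:
        f.write("# constructed skeleton file\n")
    def acl_chown(path, uid, gid):  # stand-in for os.chown on the ACL dataset
        if path.endswith(".ssh"):
            raise PermissionError(errno.EPERM, "Operation not permitted", path)
    home = os.path.join(root, "homes", "firstname.lastname")
    try:
        warnings = populate_home(home, 1001, 1001, skel=skel, chown=acl_chown, strict=strict)
        return sorted(os.listdir(home)), warnings
    finally:
        shutil.rmtree(root)
```

With the default (graceful) mode the user and home directory are still created and the unowned ~/.ssh is reported in the log, which is what the fixed middleware does; strict mode shows the original ClientException path.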

Attachment: 2018-05-17 11_57_48-dozer - FreeNAS-11.1-U4 (89e3d93bc).png (20 KB), Screenshot of Change Permissions form for /mnt/vol_dozer1/homes, added by Steve Scotter, 05/17/2018 03:58 AM

Associated revisions

Revision 61c0876e (diff)
Added by William Grzybowski 11 months ago

feat(middlewared/account): handle permission error more gracefully

Ticket: #33576

Revision e3c18003 (diff)
Added by William Grzybowski 11 months ago

feat(middlewared/account): handle permission error more gracefully

Ticket: #33576

History

#1 Updated by Dru Lavigne 11 months ago

  • Private changed from No to Yes

Steve: please attach a debug (System -> Advanced -> Save Debug) to this ticket.

#2 Updated by Steve Scotter 11 months ago

  • File debug-dozer-20180516141449.tgz added

As requested, please find attached debug dump.

Grepping for "Exception while calling user" in middlewared.log finds you the occasions it's happened.

According to the log it first started happening in January (which ties in with what I recall) and had quite a few yesterday while setting up two new users.

#3 Updated by Dru Lavigne 11 months ago

  • Category changed from GUI (new) to Middleware
  • Assignee changed from Release Council to William Grzybowski

#4 Updated by William Grzybowski 11 months ago

  • Status changed from Unscreened to Blocked
  • Target version changed from Backlog to 11.2-RC2
  • Reason for Blocked set to Waiting for feedback

I cannot reproduce the issue.

Is /mnt/vol_dozer1/homes managed with Windows ACL?

Can you get me permissions of that directory?

#5 Updated by Steve Scotter 11 months ago


Yeap.

root@dozer:~ # ll /mnt/vol_dozer1/
total 68
drwxrwxr-x+ 44 root  wheel      45 May 15 11:29 homes/
drwxrwx---+ 32 root  itsupport  39 May 15 15:21 itsupport/
drwxr-xr-x   2 root  wheel       2 Oct 25  2017 jails/
drwxrwxr-x+ 76 root  techies    82 May 16 10:44 shared/
root@dozer:~ # getfacl /mnt/vol_dozer1/homes/
# file: /mnt/vol_dozer1/homes/
# owner: root
# group: wheel
         user:root:rwxpDdaARWcCos:fd-----:allow
            owner@:rwxpDdaARWcCos:fd-----:allow
            group@:rwxpDdaARWcCos:fd-----:allow
         everyone@:r-x---a-R-c---:fd-----:allow

I made changes to the default permissions when I set the box up Sept last year as I wanted all users to have their primary group as Techies, but not be able to read each other's home directories. I removed "group" and "everyone". I didn't have any problems adding users until January. In an attempt to resolve the problem in February I added back the "group" and "everyone" to no avail. I then went a step further and added root (as django is running as root) to no avail.

Looking at my home directory (created Sept 2017) I don't have a .ssh directory so I presume some functionality within middleware changed at some point between Sept 2017 and Jan 2018.

I do not have a .ssh in my skel directory:

root@dozer:~ # ll /usr/share/skel/
total 10
-rw-r--r--  1 root  wheel  983 May 15 10:59 dot.cshrc
-rw-r--r--  1 root  wheel  182 May 15 10:59 dot.login
-rw-r--r--  1 root  wheel   91 May 15 10:59 dot.login_conf
-rw-------  1 root  wheel  301 May 15 10:59 dot.mail_aliases
-rw-r--r--  1 root  wheel  267 May 15 10:59 dot.mailrc
-rw-r--r--  1 root  wheel  728 May 15 10:59 dot.profile
-rw-------  1 root  wheel  212 May 15 10:59 dot.rhosts
-rw-r--r--  1 root  wheel  780 May 15 10:59 dot.shrc

#6 Updated by Steve Scotter 11 months ago

Further information which may be helpful.

I've looked at our internal tickets and can see I created two users between Sept 2017 and Dec 2017 without incident.

Ross Bingham 09/11/2017
Andy Gill 09/11/2017

I've checked their home directories and neither have a .ssh directory in their home directory.

I created two users in January 2018.

Thomas Smith 02/01/2018
Muhaimin Dzulfakar 02/01/2018

Both have a .ssh directory in their home directory and both users are mentioned in the middleware.log I sent yesterday.

--

We patched the machine to "FreeNAS-11.1-RELEASE" 17th December. Unfortunately I don't have good patching records before this so we cannot be certain which version we were running prior to then.

A verbatim copy of the "Update Available" email received from the box is below.

A new update is available for the FreeNAS-11-STABLE train.
Version: FreeNAS-11.1-RELEASE
Changelog:
12684  Do not create an actual /nonexistent directory
21336  Add ability to attach smaller disk to a larger one
23197  Try to validate certificate before importing it
24000  Improve FHA locality control for NFS read/write requests
24942  Register mDNS on all interfaces
25037  Fix AWS-SNS Alert Service
25236  Add Docker section to Guide
25966  Update module that reports ARC Hit Ratio
26470  Allow interfaces to be selected from netcli
26509  Autostart at boot iocage jails that have property boot=on
26531  Make sure mDNS starts
26663  Fix disk attach/detach of boot pool
26800  Fork netatalk
26990  Fix regression that prevented VNC connection
26993  Allow special characters in grub-bhyve password
27001  Fix mDNS traceback
27018  Don't create iocage datasets if no jails exist
27088  Fix iocage logging
27097  Avoid exception when number of maximum swap mirrors is reached
27098  Fix destroying system datasets on migrate
27099  Fix traceback on cloud credentials
27124  Fixes to address OpenSSL SA 17:12
27128  Do not destroy volume if wizard import fails

#7 Updated by William Grzybowski 11 months ago

  • Status changed from Blocked to Not Started
  • Reason for Blocked deleted (Waiting for feedback)

#8 Updated by William Grzybowski 11 months ago

  • Status changed from Not Started to In Progress

#9 Updated by William Grzybowski 11 months ago

  • Status changed from In Progress to Ready for Testing
  • Target version changed from 11.2-RC2 to 11.2-BETA1
  • Needs Doc changed from Yes to No
  • Needs Merging changed from Yes to No

#10 Updated by Steve Scotter 11 months ago

Newbie question.

Status : Ready for Testing

Testing by me or you?
We're currently running 11.1, upgrading to 11.2 doesn't seem possible via the WebGUI, unless maybe I need to go to HEAD-Nightlies? I'd be reluctant to do that on a production system.

Thanks for your efforts on this and working so quickly to get it resolved, wish I'd have reported it sooner!

#11 Updated by William Grzybowski 11 months ago

Steve Scotter wrote:

Newbie question.

Status : Ready for Testing

Testing by me or you?
We're currently running 11.1, upgrading to 11.2 doesn't seem possible via the WebGUI, unless maybe I need to go to HEAD-Nightlies? I'd be reluctant to do that on a production system.

Thanks for your efforts on this and working so quickly to get it resolved, wish I'd have reported it sooner!

That is for us.

Thank you.

#12 Updated by Dru Lavigne 11 months ago

  • Subject changed from ClientException when creating local user to Handle permission error more gracefully when creating local user
  • Private changed from Yes to No

#13 Updated by Dru Lavigne 11 months ago

  • File deleted (debug-dozer-20180516141449.tgz)

#14 Updated by Michael Reynolds 10 months ago

  • Status changed from Ready for Testing to Passed Testing
  • Needs QA changed from Yes to No

#15 Updated by Dru Lavigne 10 months ago

  • Status changed from Passed Testing to Done
