[pulseaudio-discuss] Failed to create secure directory with ACL

Thu Apr 17 04:15:42 PDT 2014

On Mon, 2014-04-07 at 14:11 +0200, Prunk Dump wrote:
> Hello !
> 
> The home folders of my users are shared through a CIFS server that
> support Access Control Lists. Pulse audio won't start in those folders
> complaining "Failed to create secure directory: Permission denied".
> 
> $strace -v pulseaudio
> ...
> mkdir("/home/teachers/pellegrb/.pulse", 0700) = 0
> umask(022)                              = 077
> open("/home/teachers/pellegrb/.pulse",
> O_RDONLY|O_NOCTTY|O_NOFOLLOW|O_CLOEXEC) = 4
> fstat(4, {st_mode=S_IFDIR|0775, st_size=0, ...}) = 0
> getuid()                                = 3000137
> getgid()                                = 3000038
> fchown(4, 3000137, 3000038)             = 0
> fchmod(4, 0700)                         = 0
> close(4)                                = 0
> lstat("/home/teachers/pellegrb/.pulse", {st_dev=makedev(0, 19),
> st_ino=6293841, st_mode=S_IFDIR|0770, st_nlink=2, st_uid=3000137,
> st_gid=3000038, st_blksize=16384, st_blocks=0, st_size=0,
> st_atime=2014/04/07-13:40:13, st_mtime=2014/04/07-13:40:13,
> st_ctime=2014/04/07-13:55:15}) = 0
> rmdir("/home/teachers/pellegrb/.pulse") = 0
> ...
> 
> As I understand, the UID and GID are correct but Pulseaudio think the
> mode 0770 is problematic. In core-util.c, this test fail :
> 
> if (!S_ISDIR(st.st_mode) ||
>         (st.st_uid != uid) ||
>         (st.st_gid != gid) ||
>         ((st.st_mode & 0777) != m)) {
>         errno = EACCES;
>         goto fail;
>     }
> 
> 
> But the following commands in terminal :
> 
> $mkdir /home/teachers/pellegrb/.pulse
> $chown 3000137:3000038 /home/teachers/pellegrb/.pulse
> $chmod 0700 /home/teachers/pellegrb/.pulse
> $ls -al /home/teachers/pellegrb
> 
> drwxrwx---+  2 pellegrb teachers     0 avril  7 14:02 .pulse

So the file system ignores the mode that is given to mkdir and chmod. Is
the result same if you pass --mode=0700 to mkdir?

I'm not sure what would be the best fix. Maybe pa_make_secure_dir()
could take another mode parameter that says what are the minimum
permissions needed, and then instead of the "(st.st_mode & 0777) != m"
check at the end, we'd use "(st.st_mode & min_permissions) !=
min_permissions".

-- 
Tanu