[systemd-devel] systemd-nspawn/LXC containers & pam login failure

Daniel P. Berrange berrange at redhat.com
Thu May 9 06:38:50 PDT 2013


On Thu, May 09, 2013 at 03:32:09PM +0200, Lennart Poettering wrote:
> On Thu, 09.05.13 11:38, Daniel P. Berrange (berrange at redhat.com) wrote:
> 
> > Following the suggestion in the systemd-nspawn manpage I populated
> > a mini Fedora 19 chroot, on a Fedora 19 host
> > 
> >   # yum -y --releasever=19 --nogpg --installroot=/srv/mycontainer \
> >         --disablerepo='*' --enablerepo=fedora \
> >         install systemd passwd yum fedora-release vim-minimal
> >   # chroot /srv/mycontainer passwd
> >   # systemd-nspawn -bD /srv/mycontainer
> > 
> > Systemd boots up nicely & presents a login prompt, but it is impossible
> > to actually login, PAM always denying the attempts.
> 
> Yeah, this is a known problem. We generally suggest to turn off audit
> by booting with audit=0 on the kernel cmdline for now:
> 
> https://fedoraproject.org/wiki/Features/SystemdLightweightContainers
> 
> I guess I should add a comment about this to nspawn's man page too.
> 
> The audit folks are working on adding container awareness to the audit
> subsystem in the kernel (which basically means that audit messages carry
> the outside PID of PID1 of the container, so that auditd can track this
> properly). Currently audit is completely confused by PID
> namespacing. Also, we want them to fix for us that opening a PID
> namespace resets loginuid in the container to -1. We have discussed this
> several times with them, and they wanted to something about it, but so
> far nothing happened. But we'll have another meeting about this next
> week, so I can put some pressure on this.

Did you file any BZs against the kernel for this ?  If not I'll sort
out some BZs to track these problems.

> >  2. The audit_log_acct_message() method which is called by pretty
> >     much any PAM module returns EPERM
> > 
> >     There is no actual syscall returning EPERM here. The EPERM
> >     appears to be coming back inside the netlink reply message
> >     from the kernel audit subsystem. Since pretty much every PAM
> >     module sends audit messages, this causes them all to return
> >     fatal errors, failing the login attempt
> > 
> >     The _pam_audit_writelog() method does have code to ignore
> >     EPERM, but it only does so if  'getuid() != 0'. The container
> >     login process has uid == 0, so EPERM is treated as fatal. The
> >     "easy" (but not neccessarily correct) fix is to change
> > 
> >     diff -rup Linux-PAM-1.1.6.orig/libpam/pam_audit.c Linux-PAM-1.1.6.new/libpam/pam_audit.c
> >     --- Linux-PAM-1.1.6.orig/libpam/pam_audit.c     2012-08-15 12:08:43.000000000 +0100
> >     +++ Linux-PAM-1.1.6.new/libpam/pam_audit.c      2013-05-09 10:17:48.679403471 +0100
> >     @@ -46,7 +46,7 @@ _pam_audit_writelog(pam_handle_t *pamh,
> >        pamh->audit_state |= PAMAUDIT_LOGGED;
> > 
> >        if (rc < 0) {
> >     -      if (rc == -EPERM && getuid() != 0)
> >     +      if (rc == -EPERM)
> >                return 0;
> >            if (errno != old_errno) {
> >                old_errno = errno;
> 
> I tried to get a patch like this into PAM actually, but Steve (of
> course) said nononono! He's really married to the idea that audit breaks
> everything on any kind of error... This is kinda sad though, as
> otherwise this would have allowed us to turn off auditing in the
> container completely by removing CAP_AUDIT_CONTROL and CAP_AUDIT_WRITE
> of the container...

I feared that might be the response from PAM maintainers :-(

> I guess libvirt-lxc is in a slightly better situation here regarding
> audit, since it never tries to spawn a container as child of a login
> session, hence loginuid will not be sealed off yet...

If libvirtd has been started from systemd then yes. Of course during
development I just run libvirtd from my source tree directly, so
still hit the problem :-)

Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|


More information about the systemd-devel mailing list