schroot will not allow multiple user login to chroot

Bug #637597 reported by scott lorberbaum
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
schroot (Ubuntu) | New | Undecided | Unassigned |

Bug Description

Binary package hint: schroot

A schroot is set up for multiple users with users=user1,user2,user3 as well as groups=group1,group2,group3.
When the schroot is started in a session, the session will not recognize the other users who are allowed to log in, and PAM disallows their usage of schroot with an error message and a report to syslog.

The configuration file is as follows:
[lucid-i386]
description=Ubuntu
directory=/srv/chroot/lucid-i386
personality=linux32
root-users=scott,lwhitney
type=directory
users=lwhitney,scott,coboluser
groups=cobolusers

schroot -i -v -c lucid-i386-session --debug=info

D(2): Getting keyfile group=lucid-i386, key=type
D(2): Getting keyfile group=lucid-i386, key=active
D(2): Getting keyfile group=lucid-i386, key=run-setup-scripts
D(2): Getting keyfile group=lucid-i386, key=run-session-scripts
D(2): Getting keyfile group=lucid-i386, key=run-exec-scripts
D(2): Getting keyfile group=lucid-i386, key=script-config
D(2): Getting keyfile group=lucid-i386, key=priority
D(2): Getting keyfile group=lucid-i386, key=aliases
D(2): Getting keyfile group=lucid-i386, key=environment-filter
D(2): Getting keyfile group=lucid-i386, key=description
D(2): Getting keyfile group=lucid-i386, key=users
D(2): Getting keyfile group=lucid-i386, key=groups
D(2): Getting keyfile group=lucid-i386, key=root-users
D(2): Getting keyfile group=lucid-i386, key=root-groups
D(2): Getting keyfile group=lucid-i386, key=mount-location
D(2): Getting keyfile group=lucid-i386, key=name
D(2): Getting keyfile group=lucid-i386, key=command-prefix
D(2): Getting keyfile group=lucid-i386, key=directory
D(2): Getting keyfile group=lucid-i386, key=location
D(2): Getting keyfile group=lucid-i386, key=personality
D(2): Getting keyfile group=lucid-i386, key=union-type
D(2): Getting keyfile group=lucid-i386, key=union-mount-options
D(2): Getting keyfile group=lucid-i386, key=union-overlay-directory
D(2): Getting keyfile group=lucid-i386, key=union-underlay-directory
D(2): Getting keyfile group=lucid-i386-session, key=type
D(2): Cloned session dummy-session-name
D(2): Getting keyfile group=lucid-i386-session, key=active
D(2): Getting keyfile group=lucid-i386-session, key=run-setup-scripts
D(2): Getting keyfile group=lucid-i386-session, key=run-session-scripts
D(2): Getting keyfile group=lucid-i386-session, key=run-exec-scripts
D(2): Getting keyfile group=lucid-i386-session, key=script-config
D(2): Getting keyfile group=lucid-i386-session, key=priority
D(2): Getting keyfile group=lucid-i386-session, key=aliases
D(2): Getting keyfile group=lucid-i386-session, key=environment-filter
D(2): Getting keyfile group=lucid-i386-session, key=description
D(2): Getting keyfile group=lucid-i386-session, key=users
D(2): Getting keyfile group=lucid-i386-session, key=groups
D(2): Getting keyfile group=lucid-i386-session, key=root-users
D(2): Getting keyfile group=lucid-i386-session, key=root-groups
D(2): Getting keyfile group=lucid-i386-session, key=mount-location
D(2): Getting keyfile group=lucid-i386-session, key=name
D(2): Getting keyfile group=lucid-i386-session, key=command-prefix
D(2): Getting keyfile group=lucid-i386-session, key=directory
D(2): Getting keyfile group=lucid-i386-session, key=location
D(2): Getting keyfile group=lucid-i386-session, key=personality
D(2): Getting keyfile group=lucid-i386-session, key=union-type
D(2): Getting keyfile group=lucid-i386-session, key=union-mount-options
D(2): Getting keyfile group=lucid-i386-session, key=union-overlay-directory
D(2): Getting keyfile group=lucid-i386-session, key=union-underlay-directory
D(2): Getting keyfile group=lucid-i386-session, key=active
D(2): Getting keyfile group=lucid-i386-session, key=source-users
D(2): Getting keyfile group=lucid-i386-session, key=source-groups
D(2): Getting keyfile group=lucid-i386-session, key=source-root-users
D(2): Getting keyfile group=lucid-i386-session, key=source-root-groups
D(2): format_detail: added name "Name"
D(2): format_detail: added name "Description"
D(2): format_detail: added name "Type"
D(2): format_detail: added name "Priority"
D(2): format_detail: added name "Users"
D(2): format_detail: added name "Groups"
D(2): format_detail: added name "Root Users"
D(2): format_detail: added name "Root Groups"
D(2): format_detail: added name "Aliases"
D(2): format_detail: added name "Environment Filter"
D(2): format_detail: added name "Run Setup Scripts"
D(2): format_detail: added name "Script Configuration"
D(2): format_detail: added name "Session Managed"
D(2): format_detail: added name "Session Cloned"
D(2): format_detail: added name "Session Purged"
D(2): format_detail: added name "Mount Location"
D(2): format_detail: added name "Path"
D(2): format_detail: added name "Directory"
D(2): format_detail: added name "Personality"
D(2): format_detail: added name "Filesystem union type"
D(2): format_detail: added name "Session ID"
  ─── Session ───
  Name lucid-i386-session
  Description Ubuntu (session chroot)
  Type directory
  Priority 0
  Users
  Groups
  Root Users scott
  Root Groups
  Aliases
  Environment Filter ^(BASH_ENV|CDPATH|ENV|HOSTALIASES|IFS|KRB5_CONFIG|KRBCONFDIR|KRBTKFILE|KRB_CONF|LD_.*|LOCALDOMAIN|NLSPATH|PATH_LOCALE|RES_OPTIONS|TERMINFO|TERMINFO_DIRS|TERMPATH)$
  Run Setup Scripts true
  Script Configuration script-defaults
  Session Managed false
  Session Cloned false
  Session Purged false
  Mount Location /var/lib/schroot/mount/lucid-i386-session
  Path /var/lib/schroot/mount/lucid-i386-session
  Directory /srv/chroot/lucid-i386
  Personality linux32
  Filesystem union type none
  Session ID lucid-i386-session

I've tried multiple ways, with the -p flag, with the -u flag... I can -u root, but that isn't what is needed. I've tried executing with sudo, and tried it from inside an init script. I've tried it as normal users as well...
Schroot, or PAM, seems to only allow the user who starts schroot to chroot into it. I looked inside the PAM setup and it "appears".

It seems that schroot doesn't set the users and groups up properly, as seen in the examples in the man pages.

The version of schroot is:

schroot (Debian sbuild) 1.4.0 (16 Jan 2010)
Written by Roger Leigh

Copyright © 2004–2010 Roger Leigh
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Configured features:
  DEVLOCK Device locking
  PAM Pluggable Authentication Modules
  PERSONALITY Linux kernel Application Binary Interface switching
  UNION Support for filesystem unioning

Available chroot types:
  BLOCKDEV Support for ‘block-device’ chroots
  DIRECTORY Support for ‘directory’ chroots
  FILE Support for ‘file’ chroots
  LOOPBACK Support for ‘loopback’ chroots
  LVMSNAP Support for ‘lvm-snapshot’ chroots
  PLAIN Support for ‘plain’ chroots

Is this possible? Am I doing something wrong? I feel like this is supposed to work....

Roger Leigh (rleigh) wrote :

The chroot definition contains these lines for access control:

root-users=scott,lwhitney
users=lwhitney,scott,coboluser
groups=cobolusers

These control who is permitted to /start/ a session. So, if user "scott" starts a new session, then they will become the owner of that session. In the session file, you'll just get something like

root-users=scott
users=
groups=
root-groups=

This is intended to give a measure of privacy between session users, and prevent users from deleting each other's sessions.
In the future, I'd like to give session owners the ability to grant others access to their sessions (effectively, to modify the above lines in the session file). However, I'm not yet sure of the best "interface" for doing that, be it new command-line options or some other mechanism. Any suggestions would be helpful.

Regards,
Roger
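
The difference between the two access lists described in the reply above, as an added example that is not part of the bug report or of schroot itself: it reads the access-control keys of the chroot definition and of the session file quoted on this page and reports, per user, who may start a session and who may enter the one "scott" already owns. The group memberships and the membership rule in `is_permitted` are simplifying assumptions for illustration.

```python
import configparser

# Constructed inputs: the access-control keys of the chroot definition from the
# report, and the session keyfile as quoted in the reply (session owner "scott").
CHROOT_DEF = """\
[lucid-i386]
root-users=scott,lwhitney
users=lwhitney,scott,coboluser
groups=cobolusers
"""
SESSION_FILE = """\
[lucid-i386-session]
root-users=scott
users=
groups=
root-groups=
"""
# Hypothetical group memberships, for illustration only.
MEMBERSHIP = {"scott": set(), "lwhitney": set(), "coboluser": {"cobolusers"}}
ACL_KEYS = ("users", "groups", "root-users", "root-groups")

def load_acl(text, section):
    """Return the four access-control lists of one keyfile section as sets."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    acl = {}
    for key in ACL_KEYS:
        raw = cp.get(section, key, fallback="")  # a missing key means an empty list
        acl[key] = {item.strip() for item in raw.split(",") if item.strip()}
    return acl

def is_permitted(acl, user, groups):
    """Assumed rule: named in users/root-users, or member of a listed group."""
    if user in acl["users"] or user in acl["root-users"]:
        return True
    return bool(groups & (acl["groups"] | acl["root-groups"]))

def access_report(def_acl, session_acl, membership):
    """Map each user to (may start a session, may enter the existing session)."""
    return {user: (is_permitted(def_acl, user, grps),
                   is_permitted(session_acl, user, grps))
            for user, grps in membership.items()}

if __name__ == "__main__":
    report = access_report(load_acl(CHROOT_DEF, "lucid-i386"),
                           load_acl(SESSION_FILE, "lucid-i386-session"),
                           MEMBERSHIP)
    for user, (start, enter) in sorted(report.items()):
        print(f"{user:10} start={start!s:5} enter-session={enter}")
```
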
