s390-tools: missing ts-shell

Bug #1567473 reported by bugproxy on 2016-04-07
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Ubuntu on IBM z Systems | | Medium | Unassigned |
s390-tools (Ubuntu) | | Medium | Dimitri John Ledkov |
Xenial | | Medium | Unassigned |

Bug Description

[Impact]

 * /var/log/ts-shell has wrong permissions, and thus prevents ts-shell operation.

[Test Case]

 * /var/log/ts-shell should be:
drwxrws--T 2 root ts-shell

==

s390-tools: missing ts-shell

ts-shell is part of the s390-tools package (see here http://www.ibm.com/developerworks/linux/linux390/s390-tools-overview.html)

ts-shell is a terminal server shell to authorize and control IUCV terminal connections for individual Linux users. It is currently still missing in the Ubuntu Beta version (4.4.0-15-generic #31-Ubuntu SMP Fri Mar 18 19:07:12 UTC 2016 s390x).

The preferred integration of ts-shell is through a subpackage. The ts-shell is required on a particular Linux instance only, that is, the terminal server. Other Linux instances might not need to install ts-shell.

Apart from installing ts-shell, further configuration files and steps are required:

1. Install and package these configuration files:

/etc/iucvterm/ts-audit-systems.conf
/etc/iucvterm/ts-authorization.conf
/etc/iucvterm/ts-shell.conf
/etc/iucvterm/unrestricted.conf

2. Install additional documentation files for the ts-shell, that are included in the "iucvterm/doc/ts-shell" in the s390-tools source directory.

3. System configuration for ts-shell.

- (optional) Register ts-shell as shell by adding it to /etc/shells.
- Create a ts-shell group.
- Ensure the configuration files from 1. are readable by the ts-shell group.
- Create the /var/log/ts-shell directory to store audit logs; the ts-shell group should have read/write access to this directory, implemented as set-group-ID

4. Optional. The ts-shell subpackage must depend on s390-tools because it requires iucvconn. Further, the subpackage should add a Recommends to either Term::ReadLine::Gnu or Term::ReadLine::Perl.

Below is an excerpt from the README.ts-shell to create ts-shell user accounts. This information should help to better understand the configuration steps above:

Setup considerations for the terminal server shell (ts-shell)
-------------------------------------------------------------
Adding new ts-shell users
~~~~~~~~~~~~~~~~~~~~~~~~~
The ts-shell installation creates a system group ts-shell.
If you intend to use ts-shell as a login shell for users, ensure that
these users are all members of ts-shell. To add existing users to
group ts-shell, use +usermod -G ts-shell 'username'+.

The ts-shell configuration files and `/var/log/ts-shell` are
readable only by members of the *ts-shell* group.

Enabling terminal session transcripts
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ts-shell(1) can be configured to create transcripts of terminal sessions
to particular z/VM guest virtual machines. The transcripts are written
to log files in the `/var/log/ts-shell` directory.

NOTE: The `/var/log/ts-shell` directory permission has the
        set-group-ID bit set. Sub-directories that are created by
        different users will inherit the group ownership of the
        `/var/log/ts-shell` directory.

See the ts-shell(1) manual page for more information about terminal
session transcripts.

For further details, see http://public.dhe.ibm.com/software/dw/linux390/docu/l4n0ht01.pdf

bugproxy (bugproxy) on 2016-04-07
tags: added: architecture-s39064 bugnameltc-139838 severity-medium targetmilestone-inin1604
Changed in ubuntu:
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
Luciano Chavez (lnx1138) on 2016-04-07
affects: ubuntu → s390-tools (Ubuntu)
Dimitri John Ledkov (xnox) wrote :

Hello,

When filing bug reports against a package, please include the version of the package. E.g. most of the requested things are provided in s390-tools package since 1.34.0-0ubuntu3, which was released a day before this bug was filed.

So the missing bits I think are just these postinst stanzas:
    if ! getent group ts-shell >/dev/null; then
        addgroup --system ts-shell
    fi
    chown root:ts-shell /etc/iucvterm/*.conf
    chmod 0640 /etc/iucvterm/*.conf
    mkdir -p 3770 /var/log/ts-shell
    chmod g+s /var/log/ts-shell
    chgrp -R ts-shell /var/log/ts-shell >/dev/null 2>&1 || true
    chmod 0660 /var/log/ts-shell/* >/dev/null 2>&1 || true

I shall add them to the package, and then I think this bug report will be complete. This will not register ts-shell in /etc/shells.
Hopefully the above postinst commands are all correct and sufficient for ts-shell integration on Ubuntu.

Changed in s390-tools (Ubuntu):
status: New → In Progress
Changed in ubuntu-z-systems:
status: New → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package s390-tools - 1.34.0-0ubuntu8

---------------
s390-tools (1.34.0-0ubuntu8) xenial; urgency=medium

  * Ship dumpconf legacy init script, and sysconfig file. LP: #1564690
  * Integrate ts-shell. LP: #1567473
  * Recommend statd package, and mention it by mon_statd name too to aid
    discovery.

 -- Dimitri John Ledkov <email address hidden> Thu, 14 Apr 2016 14:26:16 +0100

Changed in s390-tools (Ubuntu):
status: In Progress → Fix Released
Changed in ubuntu-z-systems:
status: In Progress → Fix Committed
dann frazier (dannf) on 2016-04-26
Changed in ubuntu-z-systems:
status: Fix Committed → Fix Released

------- Comment From <email address hidden> 2016-05-02 12:32 EDT-------
While trying to verify this bug, I found the following issue:

I have three users: root, tsuser (member of group ts-shell) and test

tsuser@s8330003:/var/log/ts-shell$ groups tsuser test
tsuser : tsuser ts-shell

test@s8330003:/var/log/ts-shell$ groups test
test : test

The issue is: User tsuser is not allowed to write to /var/log/ts-shell

tsuser@s8330003:/var/log/ts-shell$ echo created_TS > /var/log/ts-shell/created_by_tsuser
-bash: /var/log/ts-shell/created_by_tsuser: Permission denied

This is caused by an improper permission setting during creation of the directory /var/log/ts-shell. mkdir -p 3770 /var/log/ts-shell creates a _directory_ 3770 (!) under /var/log and does NOT set the permissions. If I delete the 3770 and ts-shell directory and execute
mkdir -m 3770 /var/log/ts-shell
instead, it looks fine and works as expected. So this must be fixed in /var/lib/dpkg/info/s390-tools.postinst.

Reopening this bug.
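
The failure reported in the comment above can be reproduced in a scratch directory instead of /var/log. This is an added example, not part of the bug report or of the s390-tools maintainer scripts; the function names and the `repair` step are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not the package's maintainer script): reproduce the
# "mkdir -p 3770" defect in a scratch tree and verify the expected mode.

EXPECTED='drwxrws--T'   # mode string from the bug's test case (octal 3770)

# First 10 characters of `ls -ld`: file type plus permission bits.
mode_string() { ls -ld "$1" | cut -c1-10; }

# Defective form: without -m, "3770" is just another directory operand.
create_buggy() {
    ( cd "$1" && mkdir -p 3770 var/log/ts-shell )
}

# Corrected form from the verification comment: -m applies the mode.
create_fixed() {
    mkdir -p "$1/var/log" && mkdir -m 3770 "$1/var/log/ts-shell"
}

# Hypothetical repair step: drop the stray directory (only if empty) and
# force the mode on an already existing log directory.
repair() {
    if [ -d "$1/3770" ]; then
        rmdir "$1/3770" 2>/dev/null || echo "left non-empty $1/3770 in place" >&2
    fi
    chmod 3770 "$1/var/log/ts-shell"
}

# Return 0 when the log directory is setgid + sticky with rwx for owner/group.
check() { [ "$(mode_string "$1/var/log/ts-shell")" = "$EXPECTED" ]; }

demo() {
    root=$(mktemp -d) || return 1
    create_buggy "$root"
    check "$root" && echo "buggy: ok" \
        || echo "buggy: wrong mode $(mode_string "$root/var/log/ts-shell")"
    repair "$root"
    check "$root" && echo "repaired: ok"
    rm -rf "$root"
}
demo
```

Running `check` against a real system root (`check ""`) gives the same pass/fail answer as the test case in the bug description.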

Dimitri John Ledkov (xnox) wrote :

bah, yes thank you.

Changed in s390-tools (Ubuntu):
status: Fix Released → Triaged
assignee: Skipper Bug Screeners (skipper-screen-team) → Dimitri John Ledkov (xnox)
Changed in ubuntu-z-systems:
status: Fix Released → Triaged
Changed in ubuntu-z-systems:
importance: Undecided → Medium
Changed in s390-tools (Ubuntu):
status: Triaged → In Progress
Changed in s390-tools (Ubuntu Xenial):
status: New → In Progress
Changed in s390-tools (Ubuntu):
importance: Undecided → Medium
Changed in s390-tools (Ubuntu Xenial):
importance: Undecided → Medium
Changed in ubuntu-z-systems:
status: Triaged → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package s390-tools - 1.34.0-0ubuntu10

---------------
s390-tools (1.34.0-0ubuntu10) yakkety; urgency=medium

  * Fix ts-shell maintainer scripts LP: #1567473:
    - create /var/log/ts-shell directory with the right permissions
    - remove erroneous directory
  * Install iuctty-login@.service systemd unit, with a correct path LP:
    #1580226

 -- Dimitri John Ledkov <email address hidden> Mon, 06 Jun 2016 12:37:33 +0100

Changed in s390-tools (Ubuntu):
status: In Progress → Fix Released
Dimitri John Ledkov (xnox) wrote :

Please validate the correct behavior on yakkety (16.10), prior to stable release update for xenial (16.04).

description: updated

Hello bugproxy, or anyone else affected,

Accepted s390-tools into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/s390-tools/1.34.0-0ubuntu8.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in s390-tools (Ubuntu Xenial):
status: In Progress → Fix Committed
tags: added: verification-needed
Changed in ubuntu-z-systems:
status: In Progress → Fix Committed
Dimitri John Ledkov (xnox) wrote :

Verified maintainer scripts are fixed.

tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package s390-tools - 1.34.0-0ubuntu8.1

---------------
s390-tools (1.34.0-0ubuntu8.1) xenial; urgency=medium

  * Fix ts-shell maintainer scripts LP: #1567473:
    - create /var/log/ts-shell directory with the right permissions
    - remove erroneous directory
  * Install iuctty-login@.service systemd unit, with a correct path LP:
    #1580226
  * Cherrypick upstream fix for buffer overflow in dasdfmt. LP: #1582728

 -- Dimitri John Ledkov <email address hidden> Mon, 06 Jun 2016 11:51:16 +0100

Changed in s390-tools (Ubuntu Xenial):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for s390-tools has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Changed in ubuntu-z-systems:
status: Fix Committed → Fix Released

------- Comment From <email address hidden> 2016-06-28 05:36 EDT-------
Verification was successful. All permissions now are set correctly.
