Trousers fails to set tpm permissions properly.

Bug #963587 reported by Alec Warner on 2012-03-24
68
This bug affects 12 people
Affects Status Importance Assigned to Milestone
trousers (Ubuntu)
High
Unassigned

Bug Description

root@antarus-precise:~# apt-get install trousers
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  trousers
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B/138 kB of archives.
After this operation, 431 kB of additional disk space will be used.
Selecting previously unselected package trousers.
(Reading database ... 135516 files and directories currently installed.)
Unpacking trousers (from .../trousers_0.3.7-2ubuntu1_amd64.deb) ...
Processing triggers for ureadahead ...
Processing triggers for man-db ...
Setting up trousers (0.3.7-2ubuntu1) ...
Adding system user `tss' (UID 115) ...
Adding new group `tss' (GID 126) ...
Adding new user `tss' (UID 115) with group `tss' ...
Not creating home directory `/var/lib/tpm'.
 * Starting Trusted Computing daemon tcsd
   ...fail!
invoke-rc.d: initscript trousers, action "start" failed.
dpkg: error processing trousers (--configure):
 subprocess installed post-installation script returned error exit status 137
Errors were encountered while processing:
 trousers
E: Sub-process /usr/bin/dpkg returned an error code (1)

In the postinst:

        configure)
                # Adding tss system user
                adduser --system --home /var/lib/tpm --shell /bin/false --no-create-home --group tss

                # Setting owner
                chown tss:tss /var/lib/tpm -R
                chown tss:tss /etc/tcsd.conf

                # Setting permissions
                chmod 0600 /etc/tcsd.conf
                chmod 0700 /var/lib/tpm

                # we ship udev rules, so trigger an update
                udevadm trigger --subsystem-match=misc --action=change
                udevadm settle

                ;;

However udev seems to not like this:

Mar 24 00:39:14 antarus-precise udevd[31861]: specified user 'tss' unknown
Mar 24 00:39:14 antarus-precise udevd[31861]: specified group 'tss' unknown

root@antarus-precise:~# ls -al /dev/tpm0
crw------- 1 root root 10, 224 Mar 24 00:39 /dev/tpm0

Because the device is not owned correctly, tcsd fails to start and breaks apt :/

root@antarus-precise:~# lsb_release -rd
Description: Ubuntu precise (development branch)
Release: 12.04

Release: 12.04
root@antarus-precise:~# apt-cache policy trousers
trousers:
  Installed: 0.3.7-2ubuntu1
  Candidate: 0.3.7-2ubuntu1

I expect the udev rules to take affect, so the daemon can start properly.

Example:
root@antarus-precise:~# chown tss:tss /dev/tpm0
root@antarus-precise:~# ls -al /dev/tpm0
crw------- 1 tss tss 10, 224 Mar 24 00:39 /dev/tpm0
root@antarus-precise:~# start-stop-daemon --start --user tss --chuid tss --exec /usr/sbin/tcsd
root@antarus-precise:~# ps
  PID TTY TIME CMD
 4038 pts/6 00:00:00 sudo
 4039 pts/6 00:00:00 bash
 4686 pts/6 00:00:00 ps
root@antarus-precise:~# ps -u tss
  PID TTY TIME CMD
 4685 ? 00:00:00 tcsd

What happened instead?
root@antarus-precise:~# apt-get install trousers
Reading package lists... Done
Building dependency tree
Reading state information... Done
trousers is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
1 not fully installed or removed.
After this operation, 0 B of additional disk space will be used.
Do you want to continue [Y/n]? y
Setting up trousers (0.3.7-2ubuntu1) ...
The system user `tss' already exists. Exiting.
 * Starting Trusted Computing daemon tcsd
   ...fail!
invoke-rc.d: initscript trousers, action "start" failed.
dpkg: error processing trousers (--configure):
 subprocess installed post-installation script returned error exit status 137
Errors were encountered while processing:
 trousers
E: Sub-process /usr/bin/dpkg returned an error code (1)
root@antarus-precise:~# ls -al /dev/tpm0
crw------- 1 root root 10, 224 Mar 24 00:43 /dev/tpm0

Dave Gilbert (ubuntu-treblig) wrote :

Triaged because he seems to have found the cause (although the udev interaction may need a bit of a dig)
'Prevents the application or any dependencies from functioning correctly at all' -> High

It's possible 959795, 963587 and 995666 are the same thing.

Changed in trousers (Ubuntu):
importance: Undecided → High
status: New → Triaged
kimj (emailadhoc) wrote :

this bug seems to be still present on ubuntu 13.10 as of today, and it breaks apt/dpkg when trying to install 'trousers'.

the initscript tries to start tcsd under the 'tss' user:

execve("/sbin/start-stop-daemon", ["start-stop-daemon", "--start", "--quiet", "--oknodo", "--pidfile", "/var/run/tcsd.pid", "--user", "tss", "--chuid", "tss", "--exec", "/usr/sbin/tcsd", "--"], [/* 4 vars */]) = 0

but /dev/tpm0 is only accessible by root:

crw------- 1 root root 10, 224 dic 23 10:43 /dev/tpm0

and tcsd fails to start:
open("/dev/tpm0", O_RDWR) = -1 EACCES (Permission denied)
returning error code 137.

after changing /dev/tpm0 ownership to 'tss:tss;, tcsd still fails to start because of (other) permission problems:
open("/var/lib/tpm/system.data", O_RDWR|O_CREAT, 0600) = -1 EACCES (Permission denied)

kimj (emailadhoc) wrote :

as a temporary workaround, I hacked trousers' init script:

        start)
                log_daemon_msg "Starting $DESC" "$NAME"

                if [ ! -e /dev/tpm* ]
                then
                        log_warning_msg "device driver not loaded, skipping."
                        exit 0
                fi
                chown tss:tss /dev/tpm*
                chown -R tss:tss /var/lib/tpm
                start-stop-daemon --start --quiet --oknodo --pidfile /var/run/${NAME}.pid --user ${USER} --chuid ${USER} --exec ${DAEMON} -- ${DAEMON_OPTS}
                RETVAL="$?"
                log_end_msg $RETVAL
                [ "$RETVAL" = 0 ] && pidof $DAEMON > /var/run/${NAME}.pid
                exit $RETVAL
                ;;

I simply added:

                chown tss:tss /dev/tpm*
                chown -R tss:tss /var/lib/tpm

and now the daemon starts. The change of ownership of /var/lib/tpm should however be done by the package postinst script, and the change of ownership on the tpm device via udev; a permissions check should still be added to the init script, and maybe some 'form' of temporary remediation too

Laurent B (l-ubuntu-r) wrote :

I have the problem in 14.04 as well, I believe I found the root issue at play here.

FWIW: I noticed that just starting the tcsd daemon directly, with no option whatsoever, it worked:

# tcsd

# ps -edf | grep tcsd
tss 31805 1 0 09:23 ? 00:00:00 tcsd

# fuser /dev/tpm0
/dev/tpm0: 31805

It appears the issue comes from this lines in the /etc/init.d/trousers script, which tries too hard to do the right thing::

start-stop-daemon --start --quiet --oknodo --pidfile /var/run/${NAME}.pid --user ${USER} --chuid ${USER} --exec ${DAEMON} -- ${DAEMON_OPTS}

The --chuid ${USER} is redundant to what the daemon does by itself, and the problem is that it removes its ability to open /dev/tpm0 as root and change uid afterwards.

After removing just the --chuid, it starts and works:

# /etc/init.d/trousers start
* Starting Trusted Computing daemon tcsd [ OK ]

# tpm_version
  TPM 1.2 Version Info:
  Chip Version: 1.2.8.28
  Spec Level: 2
  Errata Revision: 3
  TPM Vendor ID: STM
  TPM Version: 01010000
  Manufacturer Info: 53544d20

That fix seems trivial and implies no change of permission, just letting upstream's code handle things as it should. Thoughts?

Laurent B (l-ubuntu-r) wrote :

Trivial patch attached.

tags: added: patch

The attachment "trousers_init_remove_chuid.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers