stripped-down permissions.rules needed for udev-udeb

Bug #204108 reported by Colin Watson on 2008-03-20
12
This bug affects 1 person
Affects Status Importance Assigned to Milestone
udev (Ubuntu)
Medium
Scott James Remnant (Canonical)

Bug Description

Binary package hint: udev

(I discussed this with Scott a few days ago on IRC.)

udev-udeb doesn't contain 40-permissions.rules, and can't because that specifies a number of groups that don't exist in d-i. Unfortunately, this means that the permissions on /dev/null and a few other basic device nodes aren't set correctly, which causes problems when the installer's /dev is bind-mounted into /target and other programs run with reduced privilege. The digression in bug 193696 was due to this, as (I think) was bug 203920.

<cjwatson> oh, amusing udev/d-i bug
<cjwatson> mathiaz was talking yesterday about postgresql-8.3 failing to install in d-i due to a busted /dev/null
<cjwatson> and it turns out that this is because 40-permissions.rules is missing in udev-udeb
<cjwatson> which in turn is because most of those groups don't exist, so it wouldn't work properly
<cjwatson> but as well as setting groups, it also sets things like mode 0666 on certain nodes
<cjwatson> perhaps we could split out a permissions-basic.rules and have that deal with stuff like null?
<cjwatson> and then put that in udev-udeb
<Keybuk> hmm
<Keybuk> why is postgres switching to another user in d-i?
<Keybuk> surely that's not going to work either?
<cjwatson> d-i bind-mounts /dev into /target
<Keybuk> it didn't used to?
<cjwatson> postgres is switching to another user in the /target chroot, where switching to another user works fine
<cjwatson> yes, this changed in hardy; getting all the device nodes in order without a bind-mount was becoming too painful
<Keybuk> ah right
<Keybuk> hmm
<Keybuk> yeah, basic permissions seems to be the general right thing there
<Keybuk> which groups do we not have in d-i?
<Keybuk> udev tries to stick to the base-passwd ones
<cjwatson> you don't have any groups in d-i
<cjwatson> /etc/group just has root
<Keybuk> :-/
<Keybuk> trying to work out what *is* a basic permission
<cjwatson> modes only, I'd say
<Keybuk> most modes are meaningless without groups
<cjwatson> the ones that are 0666 clearly aren't
<Keybuk> :-)
<Keybuk> pty* are wird
<Keybuk> tty *and* 666
<cjwatson> TBH I think we'd be fine with null, zero, full, random, urandom, inotify
<Keybuk> yeah
<Keybuk> just the basics
<cjwatson> and maybe the ptys if you can split those lines up
<Keybuk> I wonder whether those ptys are supposed to be 660 or 666
<cjwatson> it only really matters for anything that will be used by package installation in d-i
<Keybuk> KERNEL=="pty*", MODE="0666", GROUP="tty"
<Keybuk> *shrug*
<Keybuk> matches debian
<Keybuk> that seems wrong to me though
<Keybuk> doesn't that mean anybody can write to any tty?

Colin Watson (cjwatson) on 2008-03-20
Changed in udev:
milestone: none → ubuntu-8.04
Steve Langasek (vorlon) on 2008-03-25
Changed in udev:
importance: Undecided → Medium
Colin Watson (cjwatson) on 2008-04-02
Changed in udev:
assignee: nobody → keybuk

Added a 40-basic-permissions.rules that contains mode settings for usb devices, console, ptmx, tty, null, zero, full, random, urandom and inotify

This goes into the udeb and into the initramfs

Changed in udev:
status: New → In Progress
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package udev - 117-5

---------------
udev (117-5) hardy; urgency=low

  * Merge the "volumeid" package back into "udev", there is no particular
    gain to it being a separate binary package and it prevents the upgrade
    from dapper from migrating the fstab to UUID. LP: #209347.

  * debian/patches/00-git-bad-net-rules.patch:
    - Upstream patch from 118 to avoid creating persistent net rules
      which will match any device.
  * debian/patches/01-git-squashfs-lzma.patch:
    - Upstream patch from 118 to detect LZMA-compressed squashfs.
  * debian/patches/02-git-squashfs-endian.patch:
    - Upstream patch from 118 to detect endianness of LZMA squashfs.
  * debian/patches/03-git-vol_id-timeout-once.patch:
    - Upstream patch from 118 to only timeout once for unreadable devices.
      LP: #156184.
  * debian/patches/04-git-multiple-floppy-devices.patch:
    - Upstream patch from 118 to fix create_floppy_devices for more than
      one floppy device. Possibly LP: #132546.
  * debian/patches/05-git-vol_id-probe_all-readable.patch:
    - Upstream patch from 118 to check whether a device is readable before
      probing. Also LP: #156184.
  * debian/patches/00upstream-RUN-for-remove.patch:
    - Rename to 06-git-run-for-remove.patch so its in series with other
      git patches (this is from 119)
  * debian/patches/07-git-unlock-write_net_rules.patch:
    - Upstream patch from 119 to unlock rules after invalid match, correcting
      a bug introduced by 00-git-bad-net-rules.patch
  * debian/patches/08-git-vol_id-uuid-buffer.patch:
    - Upstream patch from 119 to correct UUID raw buffer usage.
  * debian/patches/09-git-update-ext.patch:
    - Upstream patch from 119 to update ext filesystem detection.
  * debian/patches/10-git-match-basename.patch:
    - Upstream patch from 119 to add match on the basename of an interface
      so we can deal with PS3 multiple interfaces with the same MAC.
  * debian/patches/11-git-persistent-change.patch:
    - Upstream patch from 119 to run persistent device rules on change
      events.
  * debian/patches/12-git-serialise-same-devno.patch:
    - Upstream patch from git to serialise multiple events with the same
      device number, fixes a race with serial ttys amongst other things.

  * 20-names.rules:
    - Add missing quotes for infiniband rules. LP: #192552.
    - Change "rdma_ucm" to "rdma_cm" (same bug).
  * 40-permissions.rules, 40-basic-permissions.rules:
    - Split out the most basic permissions into a separate file that can be
      used in the installer and initramfs. LP: #204108.
    - Add rules to place known USB serial devices that need libusb access
      in the dialout group. LP: #198757.
  * 65-persistent-storage.rules, 65-persistent-storage-tape.rules,
    65-persistent-input.rules, 66-persistent-storage-edd.rules:
    - Use upstream rule names for all rules. Also LP: #186686.
    - Add persistent-storage-edd.rules to installer and initramfs.
  * 80-programs.rules:
    - Pass $root/%k to create-floppy-devices, not $tempnode. LP: #132546.

 -- Scott James Remnant <email address hidden> Wed, 02 Apr 2008 18:59:56 +0100

Changed in udev:
status: Fix Committed → Fix Released
LarsIvarIgesund (larsivar) wrote :

I have a VPS with Hardy installed, and updating it I suddenly got

sh: /dev/null: Permission denied

from the Postgres install. From a different ticket it was said that this was the issue, but in that case it should have been fixed in my install too? The most recent udev (according to apt) was installed.

apt-cache show udev
Package: udev
Priority: important
Section: admin
Installed-Size: 844
Maintainer: Scott James Remnant <email address hidden>
Architecture: i386
Version: 117-8ubuntu0.2
Replaces: hotplug, ifrename, initramfs-tools (<< 0.040ubuntu1), libvolumeid0 (<< 093-0ubuntu7), volumeid
Depends: adduser, initramfs-tools (>= 0.40ubuntu30), libc6 (>= 2.4), libselinux1, libvolume-id0 (>= 113-0ubuntu1), module-init-tools (>= 3.2.1-0ubuntu3), procps, uuid-runtime
Conflicts: hotplug, ifrename, libdevmapper1.02 (<< 2:1.02.08-1ubuntu7), volumeid
Filename: pool/main/u/udev/udev_117-8ubuntu0.2_i386.deb
Size: 262096
MD5sum: 14de9f79f3e92bca2fd087747fe2cbe4
SHA1: 5e9eeec89e62398632cc568badfd5ba133fcdecf
SHA256: 5ecdf94cb38dab400841834d73978bf72a657b75014ccd45d06068a14b830be8
Description: rule-based device node and kernel event manager
 udev is a collection of tools and a daemon to manage events received from
 the kernel and deal with them in user-space. Primarily this involves
 creating and removing device nodes in /dev when hardware is discovered or
 removed from the system.
 .
 Events are received via kernel netlink messaged and processed according to
 rules in /etc/udev/rules.d, altering the name of the device node, creating
 additional symlinks or calling other tools and programs including those to
 load kernel modules and initialise the device.
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Origin: Ubuntu
Task: minimal

Package: udev
Priority: important
Section: admin
Installed-Size: 844
Maintainer: Scott James Remnant <email address hidden>
Architecture: i386
Version: 117-8
Replaces: hotplug, ifrename, initramfs-tools (<< 0.040ubuntu1), libvolumeid0 (<< 093-0ubuntu7), volumeid
Depends: adduser, initramfs-tools (>= 0.40ubuntu30), libc6 (>= 2.4), libselinux1, libvolume-id0 (>= 113-0ubuntu1), module-init-tools (>= 3.2.1-0ubuntu3), procps, uuid-runtime
Conflicts: hotplug, ifrename, libdevmapper1.02 (<< 2:1.02.08-1ubuntu7), volumeid
Filename: pool/main/u/udev/udev_117-8_i386.deb
Size: 261890
MD5sum: a30cc31c50ace721da4ded05ed702520
SHA1: 8556c6b24f0cf9166a619f0f38cfc220d6e7837e
SHA256: a17b8b912c3e07243924ecd810bb55d9d3aef85ca75669b29654634ac3cddc62
Description: rule-based device node and kernel event manager
 udev is a collection of tools and a daemon to manage events received from
 the kernel and deal with them in user-space. Primarily this involves
 creating and removing device nodes in /dev when hardware is discovered or
 removed from the system.
 .
 Events are received via kernel netlink messaged and processed according to
 rules in /etc/udev/rules.d, altering the name of the device node, creating
 additional symlinks or calling other tools and programs including those to
 load kernel modules and initialise the device.
Bugs: mailto:<email address hidden>
Origin: Ubuntu
Task: minimal

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers