https://jira.whamcloud.com This file is an XML representation of an issue en-us 9.4.14 940014 05-12-2023 https://jira.whamcloud.com/browse/LU-10444 Lustre <p>We change the permissions of /sys/kernel/debug to 755. But it kept revering to 700.</p> <p>Using systemtap script</p> <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent"> <pre class="code-java">#!/usr/bin/env stap probe kernel.function(<span class="code-quote">"debug_mount"</span>) { printf(<span class="code-quote">"mounting "</span>) printf(<span class="code-quote">"pid %i %s %s %s \n"</span>, pid(),execname(), cmdline_str(), caller()) print_backtrace() } probe kernel.function(<span class="code-quote">"debugfs_remount"</span>) { printf(<span class="code-quote">"remounting "</span>) printf(<span class="code-quote">"pid %i %s %s %s \n"</span>, pid(),execname(), cmdline_str(), caller()) print_backtrace() } </pre> </div></div> <p>I tracked this down to l_getidentity. Specificly cfs_get_param_paths keeps remounting /sys/kernel/debug.</p> <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent"> <pre class="code-java"># mount -o remount,mode=755 /sys/kernel/debug debugfs on /sys/kernel/debug type debugfs (rw,relatime,mode=755) </pre> </div></div> <p>Here is the output from the systemtap</p> <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent"> <pre class="code-java">nbp1-mds ~ # stap -v debug_mount.stp Pass 1: parsed user script and 468 library scripts using 122940virt/39548res/3192shr/36448data kb, in 340usr/20sys/351real ms. Pass 2: analyzed script: 2 probes, 22 functions, 5 embeds, 0 globals using 161632virt/79356res/4388shr/75140data kb, in 580usr/80sys/665real ms. Pass 3: translated to C into <span class="code-quote">"/tmp/stapYTzkIl/stap_6d34b35e04d11e38ae0c8b364ac253de_10487_src.c"</span> using 162160virt/80148res/4692shr/75668data kb, in 340usr/10sys/353real ms. Pass 4: compiled C into <span class="code-quote">"stap_6d34b35e04d11e38ae0c8b364ac253de_10487.ko"</span> in 5660usr/860sys/5857real ms. Pass 5: starting run. mounting pid 9739 l_getidentity <span class="code-quote">"" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span>" mount_fs 0xffffffff811fec69 0xffffffff81289120 : debug_mount+0x0/0x20 [kernel] 0xffffffff811fec69 : mount_fs+0x39/0x1b0 [kernel] 0xffffffff8121b5c7 : vfs_kern_mount+0x67/0x110 [kernel] 0xffffffff8121dad3 : do_mount+0x233/0xaf0 [kernel] 0xffffffff8121e716 : SyS_mount+0x96/0xf0 [kernel] 0xffffffff81695b89 : system_call_fastpath+0x16/0x1b [kernel] remounting pid 9739 l_getidentity <span class="code-quote">"" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span>" do_remount_sb 0xffffffff811fe7c2 0xffffffff81289330 : debugfs_remount+0x0/0x50 [kernel] 0xffffffff811fe7c2 : do_remount_sb+0x72/0x200 [kernel] 0xffffffff811feb07 : mount_single+0x57/0xc0 [kernel] 0xffffffff81289138 : debug_mount+0x18/0x20 [kernel] 0xffffffff811fec69 : mount_fs+0x39/0x1b0 [kernel] 0xffffffff8121b5c7 : vfs_kern_mount+0x67/0x110 [kernel] 0xffffffff8121dad3 : do_mount+0x233/0xaf0 [kernel] 0xffffffff8121e716 : SyS_mount+0x96/0xf0 [kernel] 0xffffffff81695b89 : system_call_fastpath+0x16/0x1b [kernel] mounting pid 9779 l_getidentity <span class="code-quote">"" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span>" mount_fs 0xffffffff811fec69 0xffffffff81289120 : debug_mount+0x0/0x20 [kernel] 0xffffffff811fec69 : mount_fs+0x39/0x1b0 [kernel] 0xffffffff8121b5c7 : vfs_kern_mount+0x67/0x110 [kernel] 0xffffffff8121dad3 : do_mount+0x233/0xaf0 [kernel] 0xffffffff8121e716 : SyS_mount+0x96/0xf0 [kernel] 0xffffffff81695b89 : system_call_fastpath+0x16/0x1b [kernel] remounting pid 9779 l_getidentity <span class="code-quote">"" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span><span class="code-quote">" "</span>" do_remount_sb 0xffffffff811fe7c2 0xffffffff81289330 : debugfs_remount+0x0/0x50 [kernel] 0xffffffff811fe7c2 : do_remount_sb+0x72/0x200 [kernel] 0xffffffff811feb07 : mount_single+0x57/0xc0 [kernel] 0xffffffff81289138 : debug_mount+0x18/0x20 [kernel] 0xffffffff811fec69 : mount_fs+0x39/0x1b0 [kernel] 0xffffffff8121b5c7 : vfs_kern_mount+0x67/0x110 [kernel] 0xffffffff8121dad3 : do_mount+0x233/0xaf0 [kernel] 0xffffffff8121e716 : SyS_mount+0x96/0xf0 [kernel] 0xffffffff81695b89 : system_call_fastpath+0x16/0x1b [kernel] </pre> </div></div> LU-10444

l_getidentity keeps remount /sys/kernel/debug and reverting permissions.

Bug Major Resolved Fixed Oleg Drokin Mahmoud Hanafi Fri, 29 Dec 2017 07:32:58 +0000 Fri, 9 Feb 2018 21:57:43 +0000 Sun, 14 Jan 2018 15:39:17 +0000 Lustre 2.10.1 Lustre 2.11.0 Lustre 2.10.4 0 10 <p>hm.. Yes, this is a bug in this patch <a href="https://review.whamcloud.com/25182.-" class="external-link" target="_blank" rel="nofollow noopener">https://review.whamcloud.com/25182.-</a> we really should be checking if the fs is mounted before trying to mount it as the first step.</p> <p>Let me see if I can make a simple patch.</p> <p>Oleg Drokin (oleg.drokin@intel.com) uploaded a new patch: <a href="https://review.whamcloud.com/30675" class="external-link" target="_blank" rel="nofollow noopener">https://review.whamcloud.com/30675</a><br/> Subject: <a href="https://jira.whamcloud.com/browse/LU-10444" title="l_getidentity keeps remount /sys/kernel/debug and reverting permissions." class="issue-link" data-issue-key="LU-10444"><del>LU-10444</del></a> utils: Don't remount debugfs every time<br/> Project: fs/lustre-release<br/> Branch: master<br/> Current Patch Set: 1<br/> Commit: 64e656deebdc977593c6d43e7a5ee50c045803dc</p> <p>That is really strange. You would think it would return -EBUSY in that case instead of remounting.</p> <p>The only reason we needed to change  permissions on /sys/kernel/debug was, user level access need for  '/sys/kernel/debug/lustre/devices.' Why was this file moved from /proc/sys/fs/lustre/devices to /sys/kernel/debug/lustre/devices. Is this the correct place for this file? We think relocating this file should be considered.</p> <p>-Mahmoud</p> <p> </p> <p>James, is it possible to create the <tt>devices</tt> file with 755 permissions from the start?</p> <p>Andreas yes you can change the permissions with the mount() function by using the last parameter and passing in the mode value. The question is this a good thing. The problem is so much devices but the debugfs mount point itself. Its mounted for root access only by default. Their is a reason debugfs is not accessible to non-root users. I do understand what the problem is now. I still think Oleg's approach is better.</p> <p>Mahmoud the file was moved due to a requirement from the linux kernel maintainers. All special files in /proc are in the process of being  moved into /sysfs in the linux kernel. In the case of "devices" it breaks the one item per file rule for sysfs so it has to be placed into debugfs. Now what you are doing is not the best idea for security reasons but I see why you are doing it. The question is do non root users really/ need to access "devices" or the other case stat files in debugfs? Other than that all the other files look administrative.</p> <p>Mahmoud are you using lctl device_list or directly accessing /proc. The reason I ask is that lctl device_list will attempt to access the debugfs file first and if it fails call an ioctl. If lctl device_list doesn't work for you then its really broken.</p> <p>Mahmoud are you using lctl device_list or directly accessing /proc. The reason I ask is that lctl device_list will attempt to access the </p> <p>We have nagios monitoring scripts that read the file directly. The script ran as a regular usr. I guess we could scan /proc/fs/lustre to get the same info.</p> <p>Can you tell me if lctl device_list works for you? You shouldn't be reading procfs/sysfs/debugfs files directly <img class="emoticon" src="https://jira.whamcloud.com/images/icons/emoticons/smile.png" height="16" width="16" align="absmiddle" alt="" border="0"/></p> <p>/proc/fs/lustre is going away, so don't depend on it being there for a long time.</p> <p>The content is moving to /sys/fs/lustre for simple one file per value cases, everything else is removed or moved to debugfs.</p> <p>Janes, I was thinking that it would be possible to change the permission of only the <tt>devices</tt> file at create time, like is possible for files in /proc and /sys. If the permission is for the whole filesystem then I agree it might be more problematic. </p> <p>That said, read access shouldn't be a huge problem. What files are currently in debugfs?</p> <p>default permissions of root of mounted debugfs is hard coded to be DEBUGFS_DEFAULT_MODE (0700),</p> <p>It's most definitely possible to change default permission of files in debugfs, but /sys/kernel/debug itself is 700 and we cannot really do anything about it from Lustre</p> <p>you can change the permissions via systemd.</p> <p>/etc/systemd/system/sys-kernel-debug.mount.</p> <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent"> <pre class="code-java"># $id:$ # This file is part of systemd. # # systemd is free software; you can redistribute it and/or modify it # under the terms of the GNU Lesser General Public License as published by # the Free Software Foundation; either version 2.1 of the License, or # (at your option) any later version. [Unit] Description=Debug File <span class="code-object">System</span> Documentation=https:<span class="code-comment">//www.kernel.org/doc/Documentation/filesystems/debugfs.txt </span>Documentation=http:<span class="code-comment">//www.freedesktop.org/wiki/Software/systemd/APIFileSystems </span>DefaultDependencies=no ConditionPathExists=/sys/kernel/debug ConditionCapability=CAP_SYS_RAWIO Before=sysinit.target [Mount] What=debugfs Where=/sys/kernel/debug Type=debugfs Options=mode=755 </pre> </div></div> <p>From security point of view this could be an issue.</p> <p>Well we could in theory remount it with 644 permission using the mount() function which will give us what we have today with proc but that requires root privileges to start with <img class="emoticon" src="https://jira.whamcloud.com/images/icons/emoticons/sad.png" height="16" width="16" align="absmiddle" alt="" border="0"/>  Its kind of fluke we give normal users full read access to all tunables. I never heard of our users every looking at /proc entries. I fact I doubt they even know if the lctl get_param option exist. I did test lctl devices_list locally and found also the ioctl to get the obd device list also only works with root access.</p> <p>So the reason for this ticket is that Mahmoud attempted to access the "devices" file as a non-root user. Is this kosher?</p> <p>Mahmoud is the only reason for changing debugfs root permissions is the device file?</p> <p>Correct the only reason we needed to change permissions was the device file, because our tools broke when it was moved. For now I wrote a work around to scan the /proc/fs/lustre and build the device list.</p> <p>I think the patch here does the job by persevering existing mount options. </p> <p>Typically our monitoring tools run as non-root so having read access to /proc/ is critical</p> <p>-Mahmoud</p> <p>Can post which lustre proc files you monitor. I'm working on a patch to restore lctl device_list as non-root.</p> <p>I don't think it is ok to allow read access only to specific files. That means the monitoring tools need to run as root, which some sites would prefer to avoid. Also, some lfs commands may need to be able to read the /proc files as well. I don't think there is a security issue for reading most of the files, but we used to have individual permissions for each file and that would need to be reviewed. </p> <p>Oleg Drokin (oleg.drokin@intel.com) merged in patch <a href="https://review.whamcloud.com/30675/" class="external-link" target="_blank" rel="nofollow noopener">https://review.whamcloud.com/30675/</a><br/> Subject: <a href="https://jira.whamcloud.com/browse/LU-10444" title="l_getidentity keeps remount /sys/kernel/debug and reverting permissions." class="issue-link" data-issue-key="LU-10444"><del>LU-10444</del></a> utils: Don't remount debugfs every time<br/> Project: fs/lustre-release<br/> Branch: master<br/> Current Patch Set: <br/> Commit: 767f03b161ae44bd9d33dae7e03e71e73852813f</p> <p>Landed for 2.11</p> <p>Minh Diep (minh.diep@intel.com) uploaded a new patch: <a href="https://review.whamcloud.com/30900" class="external-link" target="_blank" rel="nofollow noopener">https://review.whamcloud.com/30900</a><br/> Subject: <a href="https://jira.whamcloud.com/browse/LU-10444" title="l_getidentity keeps remount /sys/kernel/debug and reverting permissions." class="issue-link" data-issue-key="LU-10444"><del>LU-10444</del></a> utils: Don't remount debugfs every time<br/> Project: fs/lustre-release<br/> Branch: b2_10<br/> Current Patch Set: 1<br/> Commit: 4a567792a13668d1872481c36f365912253f751e</p> <p>John L. Hammond (john.hammond@intel.com) merged in patch <a href="https://review.whamcloud.com/30900/" class="external-link" target="_blank" rel="nofollow noopener">https://review.whamcloud.com/30900/</a><br/> Subject: <a href="https://jira.whamcloud.com/browse/LU-10444" title="l_getidentity keeps remount /sys/kernel/debug and reverting permissions." class="issue-link" data-issue-key="LU-10444"><del>LU-10444</del></a> utils: Don't remount debugfs every time<br/> Project: fs/lustre-release<br/> Branch: b2_10<br/> Current Patch Set: <br/> Commit: 82bf22a4200ba657465302daf6a77b9ebd6b7853</p> Related Development Rank 1|hzzq8n: Rank (Obsolete) 9223372036854775807 Severity