Permission denied... but not?

Message

funkyFlash · Post by **funkyFlash** » Sat Mar 28, 2009 10:15 pm

Hello folks. I'm trying to spin up a new system by cloning the files from another. From old system, i did:

oldsystem$ tar czvf - / | ssh root@newsysteminliveCD 'tar xpf - -C /mnt/gentoo'

I've managed to iron out most of the kinks, but I need a hand for this one: When I try to emerge anything that requires pulling a distfile, I get the following:

Code: Select all

>>> Emerging (1 of 157) sys-libs/timezone-data-2009b
[Errno 13] Permission denied:
   /bin/bash -c touch "/usr/distfiles/.__portage_test_write__" 2>/dev/null ; rval=$? ; rm -f  "/usr/distfiles/.__portage_test_write__" ; exit $rval
[Errno 13] Permission denied:
   /bin/bash -c touch "/usr/distfiles/.locks/.__portage_test_write__" 2>/dev/null ; rval=$? ; rm -f  "/usr/distfiles/.locks/.__portage_test_write__" ; exit $rval
>>> Downloading 'ftp://gentoo.cites.uiuc.edu/pub/gentoo/distfiles/tzdata2009b.tar.gz'
[Errno 13] Permission denied:
   /usr/bin/wget -t 5 -T 60 --passive-ftp -O /usr/distfiles/tzdata2009b.tar.gz ftp://gentoo.cites.uiuc.edu/pub/gentoo/distfiles/tzdata2009b.tar.gz

Like, whiskey tango foxtrot? I can execute those commands, and they behave as expected. In fact, if I wget the distfile ahead of time, it installs the package just fine. Which is what I had to do to get an x server up and running, so I could post

Back story, I'm using lvm. /usr has it's own LV, /usr/portage has it's own LV, but /usr/portage/distfiles is a symlink to /usr/distfiles so my portage tree can be reiserfs and puny and happy, and my usr can be fat and... not so happy. They're both mounted just fine, I don't have ample disk space, but enough.

Code: Select all

defiant ~ # ls -l /usr/portage/distfiles 
lrwxrwxrwx 1 root root 13 Mar 28 10:30 /usr/portage/distfiles -> ../distfiles/
defiant ~ # ls -ld /usr/distfiles/
drwxrwsr-x 6 root portage 36864 Mar 28 17:01 /usr/distfiles/

I've tried removing and letting it recreate this directory, giving the directory 775 manually (but portage just changes it back immediately), and I even did the emerge -1 system, and reinstalled all of the system packages. I'm stumped. Ayudame por favor?

Please let me know if you need more info.

Post by **NeddySeagoon** » Sat Mar 28, 2009 10:33 pm

funkyFlash,

A few things.

Code: Select all

oldsystem$ tar czvf - / | ssh root@newsysteminliveCD 'tar xpf - -C /mnt/gentoo'

On the input side you apply bzip compression, the z option but not on the output side?
You need to exclude /dev, /proc and /sys in the above as they are not real filesystems or better you do the copy while you run from a liveCD.

touch breaks if /proc is not mounted, so I suspect you have either managed to copy /proc and have real files there, or you have not mounted /proc at /mnt/gentoo/proc

funkyFlash · Post by **funkyFlash** » Sun Mar 29, 2009 3:21 am

The one sided compression was a typo on my part. I also used an excludes file to exclude proc, sys, dev and so on. I have a legit proc mounted, as well as dev and sys (that was one of the kinks - I failed to make a sys, which in turn pissed off udev, which didn't make a device node for my hdd). I did this when both systems were booted from a liveCD, so hopefully the source wasn't in an inconsistent state. I mainly provided the command to give the reader a general idea of what I did.

What I find interesting is that I can emerge just fine (which would strike me as more complicated), but the fetches don't. Once the distfiles are in place, it links, builds, and installs just fine. I figured re-merging system would help, since during the install, it applies proper permissions, so if I had hosed something there, a remerge would make them "as they should be".

Nerevar · Post by **Nerevar** » Sun Mar 29, 2009 3:43 am

Do you have userfetch enabled in FEATURES? If so, you need to set your distfiles directory ownership to portage:portage. See "man make.conf".

funkyFlash · Post by **funkyFlash** » Sun Mar 29, 2009 12:59 pm

Drat. I tried with and without userfetch, and with and without root:portage, and portage:portage. Still no dice. I do have parallel fetch enabled as well, and I tried without that as well.

So, what user does the fetching? Since root can do the fetching, I wonder what user can't?

funkyFlash · Post by **funkyFlash** » Tue Mar 31, 2009 12:07 am

Well, now I'm confused. I really can't execute wget as the portage user:

Code: Select all

defiant distfiles # sudo -u portage  /usr/bin/wget -t 5 -T 60 --passive-ftp -O /usr/distfiles/ImageMagick-6.4.8-3.tar.bz2 ftp://gentoo.cites.uiuc.edu/pub/gentoo/distfiles/ImageMagick-6.4.8-3.tar.bz2
sudo: unable to execute /usr/bin/wget: Permission denied
defiant distfiles # ls -l /usr/bin/wget
-rwxr-xr-x 1 root root 205492 Mar 28 12:03 /usr/bin/wget

Now, how weird is that? I was originally skeptical since portage's shell was /bin/false, and I didn't know if that was legit, but it is on another working gentoo system. Now, the question has morphed into: why wouldn't the portage user be able to execute commands? In particular, wget and touch?

Nerevar · Post by **Nerevar** » Tue Mar 31, 2009 12:46 am

Are you doing that as root? If so, do you have this line in /etc/sudoers?

Code: Select all

root	ALL=(ALL) ALL

Anyhow, compare /etc/sudoers on both systems.

funkyFlash · Post by **funkyFlash** » Tue Mar 31, 2009 12:55 am

Great idea! However, I'm afraid the /etc/sudoers is identical on both systems...

Note: is it bad when I try to tab-complete when doing a forum post?

Nerevar · Post by **Nerevar** » Tue Mar 31, 2009 1:41 am

Have you checked the permissions on /usr and /usr/bin and /usr/bin/sudo? I doubt that's the problem as the first two would break most everything, but I don't see what else it could be at this point.

funkyFlash · Post by **funkyFlash** » Wed Apr 01, 2009 11:11 pm

Code: Select all

defiant Desktop # ls -ld /usr
drwxr-xr-x 20 root root 4096 Mar 29 07:30 /usr
defiant Desktop # ls -ld /usr/bin
drwxr-xr-x 2 root root 69632 Mar 30 19:56 /usr/bin
defiant Desktop # ls -l /usr/bin/sudo
---s--x--x 2 root root 123412 Mar 30 19:56 /usr/bin/sudo

The perms for sudo are interesting, but that's how it is on other boxes.

For the sake of at least bringing my system up to date, can I do the fetches as root somehow?

funkyFlash · Post by **funkyFlash** » Wed Apr 01, 2009 11:32 pm

One interesting thing I noticed: I don't know what this means, but might be relevant:

Code: Select all

defiant Desktop # sudo -l -U portage
Matching Defaults entries for portage on this host:
    env_reset

User portage may run the following commands on this host:
defiant Desktop #

Code: Select all

voyager ~ # sudo -l -U portage
User portage may run the following commands on this host:
voyager ~ #

If you haven't noticed by now, defiant is the b0rken host, and voyager is my working reference point. Wanna take a stab at my computer naming scheme for home?

rlittle · Post by **rlittle** » Sun Apr 05, 2009 8:58 pm

This just started happening to me to. I noticed I was running out of space in my /usr partition, so I tar-ed over /usr/portage to another (much larger) partition and set up a link pointing to it

Code: Select all

# cd /usr 
# ls -l portage
lrwxrwxrwx 1 root root 31 Apr  5 16:47 portage -> /export/archive2/portage/
klatuu usr # ls -ld /export/archive2/portage/
drwxr-xr-x 162 root root 4840 Apr  5 16:30 /export/archive2/portage/

Then I started getting the ".__portage_test_write__': Permission denied" message.

I've updated PORTDIR in /etc/make.conf (plus DISTDIR and PKGDIR) and it's had no effect.

Here's my actual error message:

Code: Select all

usr # emerge -fv xulrunner

These are the packages that would be fetched, in order:

Calculating dependencies... done!
[ebuild   R   ] net-libs/xulrunner-1.9.0.8  USE="dbus gnome startup-notification -custom-optimization -java" 0 kB

Total: 1 package (1 reinstall), Size of downloads: 0 kB


>>> Fetching (1 of 1) net-libs/xulrunner-1.9.0.8
rm: cannot remove `/home/rlittle/archive2/portage/distfiles/.__portage_test_write__': Permission denied
rm: cannot remove `/home/rlittle/archive2/portage/distfiles/.locks/.__portage_test_write__': Permission denied
 * xulrunner-1.9.0.8-patches-0.1.tar.bz2 RMD160 SHA1 SHA256 size ;-) ...                                                        [ ok ]
 * xulrunner-1.9.0.8.tar.bz2 RMD160 SHA1 SHA256 size ;-) ...                                                                    [ ok ]
 * checking ebuild checksums ;-) ...                                                                                            [ ok ]
 * checking auxfile checksums ;-) ...                                                                                           [ ok ]
 * checking miscfile checksums ;-) ...                                                                                          [ ok ]

krinn · Post by **krinn** » Sun Apr 05, 2009 9:23 pm

Can you try bind it instead as

Code: Select all

mount /usr/distfiles /usr/portage/distfiles -o bind

and for rlittle it would be

Code: Select all

mount /export/archive2/portage /usr/portage -o bind

poly_poly-man · Post by **poly_poly-man** » Sun Apr 05, 2009 9:26 pm

if you guys still have the original systems around, can you try using the p option on both sides? I believe it's implied on the extract but not the compress?

rlittle · Post by **rlittle** » Sun Apr 05, 2009 9:32 pm

ummm... that worked.

Code: Select all

usr # mkdir /usr/portage
usr # mount /export/archive2/portage/ /usr/portage -o bind
usr # mount | grep portage
/export/archive2/portage on /usr/portage type none (rw,bind)

Code: Select all

usr # emerge -fv xulrunner

These are the packages that would be fetched, in order:

Calculating dependencies... done!
[ebuild   R   ] net-libs/xulrunner-1.9.0.8  USE="dbus gnome startup-notification -custom-optimization -java" 0 kB

Total: 1 package (1 reinstall), Size of downloads: 0 kB


>>> Fetching (1 of 1) net-libs/xulrunner-1.9.0.8
 * xulrunner-1.9.0.8-patches-0.1.tar.bz2 RMD160 SHA1 SHA256 size ;-) ...                                                        [ ok ]
 * xulrunner-1.9.0.8.tar.bz2 RMD160 SHA1 SHA256 size ;-) ...                                                                    [ ok ]
 * checking ebuild checksums ;-) ...                                                                                            [ ok ]
 * checking auxfile checksums ;-) ...                                                                                           [ ok ]
 * checking miscfile checksums ;-) ...

Now I'll have to start reading to figure out why....

Many thanks krinn!

krinn · Post by **krinn** » Sun Apr 05, 2009 10:55 pm

because a symlink is still a special file that could be filtered out easy.
i suppose some code in portage avoid (or handle badly) the symlink, so i was thinking the bind could be a nice solve.

glad it work for you.
edit: fstab version: /export/archive2/portage /usr/portage none bind 0 0

funkyFlash · Post by **funkyFlash** » Mon Apr 06, 2009 12:30 pm

I think mine is worse than /usr/distfiles, i think my sudo is somehow torched:

I'd never tried to do a ssh as a non-root user until now, and I got:

Code: Select all

afunk@excelsior ~ $ ssh afunk@defiant 
Password:  
Last login: Mon Apr  6 07:25:33 CDT 2009 from excelsior.funkyflash.net on ssh
                                          .
      .vir.                                d$b
   .d$$$$$$b.    .cd$$b.     .d$$b.   d$$$$$$$$$$$b  .d$$b.      .d$$b.
   $$$$( )$$$b d$$$()$$$.   d$$$$$$$b Q$$$$$$$P$$$P.$$$$$$$b.  .$$$$$$$b.
   Q$$$$$$$$$$B$$$$$$$$P"  d$$$PQ$$$$b.   $$$$.   .$$$P' `$$$ .$$$P' `$$$
     "$$$$$$$P Q$$$$$$$b  d$$$P   Q$$$$b  $$$$b   $$$$b..d$$$ $$$$b..d$$$
    d$$$$$$P"   "$$$$$$$$ Q$$$     Q$$$$  $$$$$   `Q$$$$$$$P  `Q$$$$$$$P
|  $$$$$$$P       `"""""   ""        ""   Q$$$P     "Q$$$P"     "Q$$$P"
|  `Q$$P"                                  """
+--------------------------------------------------------- l  i  n  u  x  

  Linux Version 2.6.27-gentoo-r8, Compiled #2 SMP Thu Mar 26 07:10:50 CDT 2009
      Two 2.3GHz AMD Athlon 64 Processors, 2GB RAM, 9199.91 Bogomips Total
        Load Average 0.00, 0.00, 0.00, Uptime 4 days 5 hours 22 minutes
                             defiant.funkyflash.net
                                           

/bin/bash: Permission denied
Connection to defiant closed.
afunk@excelsior ~ $

Now, I'm no expert, but that's not good, right?

FYI, I have the symlink setup on all of my other gentoo boxes, but I'll give it a shot. As soon as I can ssh...

Edit: The bind didn't help. I'm pretty sure now that this is a side effect of a greater problem:

Code: Select all

defiant ~ # su - afunk
Cannot execute /bin/bash: Permission denied
defiant ~ # ls -l /bin/bash
-rwxr-xr-x 1 root root 667532 Mar 28 11:22 /bin/bash

I'm going to try re-merging shadow, since that owns su.

PS: I'm so glad I'm doing this on an AMD X2 with two gigs of ram, and not my single P3 system... This is so stinkin fast...

funkyFlash · Post by **funkyFlash** » Mon Apr 06, 2009 12:48 pm

GAH!!!!! Didn't help.

BTW, rlittle, I'm glad your problem got resoled. I never got to say so amongst my whining

Re-merging shadow didn't help. For the sake of getting my system up to date (and hopefully fixing the problem), I'm going to mount another system's distfiles on this guy, and try to update some stinking packages before my box gets hacked. Even though it's not accessible from the outside, it's so out of date that it will somehow get hacked. Through the outlet, I'm sure. It's a new vulnerability in the mplayer package.

Really, the distfiles thing is something I should do anyway, to take some load off of other people's servers.

If that doesn't work, my next shot is to rsync the whole damn box again from the source, making sure to get my permission flags right this time. Trouble is, the source box isn't up right now, and my SSH v0.5 (my wife) isn't home today, so I can't have her power it on. You never set up WoL until you need it, kinda like you never set up backups until your drive dies. I'll putz around with it today, and let you guys know if I get somewhere.

Elsewhere, if you have any ideas, or a direction in which to point me for "can't su" issues, please feel free to post. I'm just shooting in the dark at this point.

Post by **NeddySeagoon** » Mon Apr 06, 2009 6:51 pm

funkyFlash,

Is /bin/bash in /etc/shells ?

funkyFlash · Post by **funkyFlash** » Mon Apr 06, 2009 8:00 pm

Aye, along with /bin/fish

timeBandit · Post by **timeBandit** » Mon Apr 06, 2009 9:07 pm

What are the permissions on your loader libraries?

Code: Select all

bandit@rockchuck ~ $ ll /lib/ld*
-rwxr-xr-x 1 root root 108996 2008-12-24 02:33 /lib/ld-2.6.1.so
lrwxrwxrwx 1 root root     18 2008-12-27 01:48 /lib/ld-linux.so.1 -> ld-linux.so.1.9.11
-rwxr-xr-x 1 root root  22652 2008-12-27 01:48 /lib/ld-linux.so.1.9.11
lrwxrwxrwx 1 root root     11 2008-12-24 02:33 /lib/ld-linux.so.2 -> ld-2.6.1.so

Should look something like that (subject to version differences). If not, do this:

Code: Select all

find /lib -maxdepth 1 -type f -name ld-\* -exec chmod 755 "{}" +

funkyFlash · Post by **funkyFlash** » Tue Apr 07, 2009 11:07 pm

Sorry for the slow response. Nothing ood:

Code: Select all

defiant ~ # ls -l /lib/ld*
-rwxr-xr-x 1 root root 113096 Mar 28 13:30 /lib/ld-2.8.so
lrwxrwxrwx 1 root root      9 Mar 28 13:30 /lib/ld-linux.so.2 -> ld-2.8.so

Do I have too few?

timeBandit · Post by **timeBandit** » Wed Apr 08, 2009 1:56 am

funkyFlash wrote:Do I have too few?

No, not for amd64. AFAICS the ld-linux* libs are provided by sys-libs/lib-compat which is not keyworded for your arch, so you're good.

One more thing to check: as root, run ldd /bin/bash and check the permissions of every library it lists (follow symlinks if necessary). The "permission denied" error could arise if any one of them was not readable/executable by ordinary users.