Broken pipe with loginfo in a chroot jail
Maarten de Boer
I am running a CVS server in a chroot jail, and everything is working
okay, apart from one thing. We have been using a commitinfo script
for a long time with no problems, and now I wanted to add a loginfo
script as well. This however fails with a broken pipe.
If I run the same script from commitinfo, it works, and if I run the cvs
server normally (not in a jail), it also works. To test the later, I run
cvs on the cvs server itself (after I noticed that it failed running
through ssh): with the module i am testing checked out in the cvs-jail:
$ echo "some change" >> /cvs-jail/TestModule/test.txt
$ cvs -d /cvs-jail/mnt/cvsroot commit -m" " /cvs-jail/TestModule
cvs commit: Examining /cvs-jail/TestModule
Checking in /cvs-jail/TestModule/test.txt;
/cvs-jail/mnt/cvsroot/TestModule/test.txt,v <-- test.txt
new revision: 1.49; previous revision: 1.48
done
$ echo "some change" >> /cvs-jail/TestModule/test.txt
$ chroot /cvs-jail/ cvs -d /mnt/cvsroot commit -m" " TestModule
cvs commit: Examining TestModule
Checking in TestModule/test.txt;
/mnt/cvsroot/TestModule/test.txt,v <-- test.txt
new revision: 1.51; previous revision: 1.50
done
cvs [commit aborted]: received broken pipe signal
I have googled for this error, and I have found several mentions
of it, but no solution.
I can provide you with more information (running cvs with trace
output for example) if that would help.
Kind regards,
Maarten
Paul Sander
and the second process exits before it consumes its standard input.
The loginfo interface pipes a message into the program spawned by
the loginfo file entry, so if your loginfo script ignores its
standard input then you'll see this error.
The commitinfo interface doesn't feature this pipe, which is why
your script works in that context.
--- Forwarded mail from mde...@iua.upf.es
--- End of forwarded message from mde...@iua.upf.es
Maarten De Boer
> The loginfo interface pipes a message into the program spawned by
> the loginfo file entry, so if your loginfo script ignores its
> standard input then you'll see this error.
My loginfo script (well, not really a script, but an application written
in C) does not ignore the standard input: I read the stdin while (fgets(...)).
I also tried cat > /dev/null
And besides, it _does_ work when not using the chroot jail. Everything
really points to some problem running the loginfo in a chroot jail..
Maarten
Larry Jones
>
> I am running a CVS server in a chroot jail, and everything is working
> okay, apart from one thing. We have been using a commitinfo script
> for a long time with no problems, and now I wanted to add a loginfo
> script as well. This however fails with a broken pipe.
Most likely, the problem is that some command your script uses doesn't
exist in your chroot jail -- perhaps even the script's interpreter. I'd
suggest running CVS with tracing enabled to see if that tells you
anything, although I don't think it will. If not, add an echo into a
file as the very first thing in the script to see if it's being run at
all. If it is, you can add more echos to see where it dies. You could
also try running the script manually inside the chroot jail.
-Larry Jones
What better way to spend one's freedom than eating chocolate
cereal and watching cartoons! -- Calvin
Maarten De Boer
> Most likely, the problem is that some command your script uses doesn't
> exist in your chroot jail -- perhaps even the script's interpreter. I'd
It's not a script, it's a small executable - written in c.
> suggest running CVS with tracing enabled to see if that tells you
> anything, although I don't think it will.
Tried that. Does not tell me anything helpful...
> If not, add an echo into a
> file as the very first thing in the script to see if it's being run at
> all.
Tried fopen, fprintf, fclose. To no avail...
> If it is, you can add more echos to see where it dies. You could
> also try running the script manually inside the chroot jail.
Tried that. It works.
Has anybody here run loginfo's with a chrooted cvs server succesfully?
And could people with a chrooted cvs server test this behaviour?
Maarten
Geoff Beier
> > Most likely, the problem is that some command your script uses doesn't
> > exist in your chroot jail -- perhaps even the script's interpreter. I'd
>
> It's not a script, it's a small executable - written in c.
>
Sorry if this is a silly question, but have you put a shell in your jail?
http://tiefighter.et.tudelft.nl/~arthur/cvsd/faq.html#cvsscripts
HTH,
Geoff
Maarten de Boer
> Sorry if this is a silly question, but have you put a shell in your jail?
> http://tiefighter.et.tudelft.nl/~arthur/cvsd/faq.html#cvsscripts
No, I haven't, but why would I? What I execute from loginfo is a standalone
application, it should not need a shell at all.
Maarten
Jim.Hyslop
> Sorry if this is a silly question, but have you put a shell
> in your jail?
--
Jim Hyslop
Senior Software Designer
Leitch Technology International Inc. (http://www.leitch.com)
Columnist, C/C++ Users Journal (http://www.cuj.com/experts)
Geoff Beier
> > Sorry if this is a silly question, but have you put a shell in your jail?
>
> No, I haven't, but why would I? What I execute from loginfo is a standalone
> application, it should not need a shell at all.
>
Sorry... I thought the link made it clear enough. When you run cvs with the -t
flag, you see a line like the following when loginfo is processed:
-> run_popen( yourLogProgram )
If you look at the cvs sources, you can see on line 396 of run.c that, as its
name would imply, run_popen() uses the popen() call to invoke your "standalone
application":
return (popen (cmd, mode));
Even though yourLogProgram is "standalone", a quick trip to popen(3) reveals:
DESCRIPTION
The popen() function ``opens'' a process by creating a pipe, forking, and
invoking the shell. Since a pipe is by definition unidirectional, the
type argument may specify only reading or writing, not both; the result-
ing stream is correspondingly read-only or write-only.
Notice that the "invoking the shell" part is not optional. Therefore, to use
popen() in a chroot jail (which is required for loginfo) you require a shell.
HTH,
Geoff
Schrum, Allan (Allan)
Does your program use any shared libraries? They may no longer be accessible
after the chroot. You may need statically linked programs.
-Allan
-----Original Message-----
From: Maarten de Boer [mailto:mde...@iua.upf.es]
Sent: Friday, November 07, 2003 4:05 AM
To: Geoff Beier
Cc: info...@gnu.org
Subject: Re: Broken pipe with loginfo in a chroot jail
> Sorry if this is a silly question, but have you put a shell in your jail?
> http://tiefighter.et.tudelft.nl/~arthur/cvsd/faq.html#cvsscripts
No, I haven't, but why would I? What I execute from loginfo is a standalone
application, it should not need a shell at all.
Maarten
_______________________________________________
Info-cvs mailing list
Info...@gnu.org
http://mail.gnu.org/mailman/listinfo/info-cvs
Geoff Beier
> OK, here's an even sillier question - what is a "chroot jail"?
>
It's a means of restricting the operations of an application (on UNIX-like
systems) to a particular area of a disk. Here's a pretty good explanation:
http://www.linux-mag.com/2002-12/chroot_01.html
Regards,
Geoff
Maarten de Boer
> popen() in a chroot jail (which is required for loginfo) you require a shell.
Ah. That would explain a lot... Which shell would that be? /bin/sh?
Having a shell in the chroot jail is of course far from ideal.. Is there some
way aroudn this? Could I use some shell that allows nothing?
Maarten
Donald Sharp
attempts to severly limit/restrict access to a machine, hence
the term 'jail'.
donald
On Fri, Nov 07, 2003 at 09:28:57AM -0500, Jim.Hyslop wrote:
> Geoff Beier [mailto:ge...@caradas.com] wrote:
> > Sorry if this is a silly question, but have you put a shell
> > in your jail?
> OK, here's an even sillier question - what is a "chroot jail"?
>
> --
> Jim Hyslop
> Senior Software Designer
> Leitch Technology International Inc. (http://www.leitch.com)
> Columnist, C/C++ Users Journal (http://www.cuj.com/experts)
>
>
Geoff Beier
Bourne-compatible, but I really doubt that matters in your situation. If I had
to make loginfo work in a jail, I'd break my task into two pieces:
1. Get it working using the ash shell... its tiny, mostly bourne- and
POSIX-compliant, and can easily be statically linked.
2. Once that is working reliably, attempt to customize smrsh, rcsh or a
similar restricted shell for my setup.
HTH,
Geoff
Maarten de Boer
> way aroudn this? Could I use some shell that allows nothing?
Okay, I found the answer to this question.
If can simply rename the application that I want to run on loginfo to
/bin/sh in the chroot jail. That's it! And I could even use argv[2] to use
different functionality (here is passed what you specify in the loginfo
file). This way I want compromise my chroot jail with a full shell.
Thanks a lot for the help and the answers.
Maarten
Larry Jones
> From IMCEAX400-c=US+3Ba=+20+3Bp=EDS+3Bo=Cypress+3Bdda+3ASMTP=info-cvs-bounces+2Blawrence+2Ejones=eds+2Ecom+40...@ugs.com Fri Nov 7 05:46:49 2003
> Received: by ypnefprocess.pl
> Received: from tyr.sdrc.com (mailhub-cvg.sdrc.com [146.122.142.31])
> by thor.sdrc.com (8.11.6/8.10.1) with ESMTP id hA7AkmY06104
> for <scj...@thor.sdrc.com>; Fri, 7 Nov 2003 05:46:48 -0500 (EST)
> Received: from cvgexsrv1.sdrc.com (cvgexsrv1.sdrc.com [146.122.145.23])
> by tyr.sdrc.com (8.8.6 (PHNE_17190)/8.8.5) with ESMTP id FAA14731
> for <larry...@sdrc.com>; Fri, 7 Nov 2003 05:46:46 -0500 (EST)
> Received: from stlntx2.plms-eds.com ([134.244.32.21]) by cvgexsrv1.sdrc.com with Microsoft SMTPSVC(5.0.2195.5329);
> Fri, 7 Nov 2003 05:46:46 -0500
> Received: by stlntx2 with Internet Mail Service (5.5.2656.59)
> id <WM62FVG3>; Fri, 7 Nov 2003 04:45:52 -0600
> Received: from plmler7.mail.eds.com ([199.228.142.67]) by cypntx.plms-eds.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2656.59)
> id WLXM4L3N; Fri, 7 Nov 2003 01:12:05 -0800
> Received: from plmlir3.mail.eds.com (plmlir3-2.mail.eds.com [199.228.142.133])
> by plmler7.mail.eds.com (8.12.10/8.12.9) with ESMTP id hA79C7Ci019600
> for <lawrenc...@plms-eds.com>; Fri, 7 Nov 2003 04:12:07 -0500
> Received: from plmlir3.mail.eds.com (localhost [127.0.0.1])
> by plmlir3.mail.eds.com (8.11.6p3/8.11.6) with ESMTP id hA79C6H02928
> for <lawrenc...@plms-eds.com>; Fri, 7 Nov 2003 04:12:06 -0500
> Received: from usplm101.exsc01.exch.eds.com (USPLM101.txpln.us.eds.com [198.132.135.14])
> by plmlir3.mail.eds.com (8.11.6p3/8.11.6) with ESMTP id hA79C6g02924
> for <lawrenc...@plms-eds.com>; Fri, 7 Nov 2003 04:12:06 -0500
> Received: by USPLM101.txpln.us.eds.com with Internet Mail Service (5.5.2657.72)
> id <WJGNA32P>; Fri, 7 Nov 2003 03:12:02 -0600
> Received: from plmlir1.mail.eds.com ([205.191.22.41]) by usplm102.exsc01.exch.eds.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2657.72)
> id WKBXVB7C; Fri, 7 Nov 2003 03:11:59 -0600
> Received: from plmler3.mail.eds.com (localhost [127.0.0.1])
> by plmlir1.mail.eds.com (8.11.6p3/8.11.6) with ESMTP id hA79C3b15437
> for <lawrenc...@eds.com>; Fri, 7 Nov 2003 04:12:03 -0500
> Received: from plmler3.mail.eds.com (localhost [127.0.0.1])
> by plmler3.mail.eds.com (8.12.10/8.12.9) with ESMTP id hA79Acq9021740
> for <lawrenc...@eds.com>; Fri, 7 Nov 2003 03:10:38 -0600
> Received: from monty-python.gnu.org (monty-python.gnu.org [199.232.76.173])
> by plmler3.mail.eds.com (8.12.9/8.12.9) with ESMTP id hA79Ac0p021736
> for <lawrenc...@eds.com>; Fri, 7 Nov 2003 03:10:38 -0600
> Received: from localhost ([127.0.0.1] helo=monty-python.gnu.org)
> by monty-python.gnu.org with esmtp (Exim 4.24)
> id 1AI2ca-0006Ha-F5
> for lawrenc...@eds.com; Fri, 07 Nov 2003 04:09:36 -0500
> Received: from list by monty-python.gnu.org with tmda-scanned (Exim 4.24)
> id 1AI2Zl-0004PR-5t
> for info...@gnu.org; Fri, 07 Nov 2003 04:06:41 -0500
> Received: from mail by monty-python.gnu.org with spam-scanned (Exim 4.24)
> id 1AI2ZD-0003rc-MO
> for info...@gnu.org; Fri, 07 Nov 2003 04:06:38 -0500
> Received: from [193.145.55.10] (helo=iua-mail.upf.es)
> by monty-python.gnu.org with esmtp (Exim 4.24) id 1AI2Yu-0003aY-Oc
> for info...@gnu.org; Fri, 07 Nov 2003 04:05:49 -0500
> Received: from mtg62.upf.es ([193.145.55.62] helo=localhost.upf.es)
> by iua-mail.upf.es with smtp (Exim 3.35 #1 (Debian))
> id 1AI2bO-0006Wi-00; Fri, 07 Nov 2003 10:08:22 +0100
> Date: Fri, 7 Nov 2003 10:05:10 +0100
> From: Maarten de Boer <mde...@iua.upf.es>
> To: "Geoff Beier" <ge...@caradas.com>
> Message-Id: <20031107100510....@iua.upf.es>
> In-Reply-To: <2003110705...@caradas.com>
> References: <200311062243...@thor.sdrc.com>
> <Pine.LNX.4.44.031107...@iua-mail.upf.es>
> <2003110705...@caradas.com>
> Organization: IUA
> X-Mailer: Sylpheed version 0.9.5-gtk2-20030906 (GTK+ 2.2.4; i386-pc-linux-gnu)
> X-Face: #AF_uwd1lP*AOzp4)IlS4<F~{kOi>jBI4){\,
> aLiwl<~_}TN7\d_2r*/!ZEGf3sX/uirHf)p]E7b@tB?[q$8M#a}Q,
> )H(Rb&'+9)R^TT5YOTulm!tdEY~>_=`v>/(m)Go
> Mime-Version: 1.0
> Content-Type: text/plain; charset=US-ASCII
> content-transfer-encoding: -SUGGEST
> X-MailScanner-Information: Please contact postm...@iua.upf.es for more
> information
> X-MTG-MailScanner: Found to be clean
> X-MailScanner-SpamCheck: not spam (whitelisted), SpamAssassin (score=0,
> required 5)> X-BeenThere: info...@gnu.org
> X-Mailman-Version: 2.1.2
> Precedence: list
> List-Id: Announcements and discussions for the CVS version control system
> <info-cvs.gnu.org>
> List-Unsubscribe: <http://mail.gnu.org/mailman/listinfo/info-cvs>,
> <mailto:info-cvs...@gnu.org?subject=unsubscribe>
> List-Archive: <http://mail.gnu.org/pipermail/info-cvs>
> List-Post: <mailto:info...@gnu.org>
> List-Help: <mailto:info-cvs...@gnu.org?subject=help>
> List-Subscribe: <http://mail.gnu.org/mailman/listinfo/info-cvs>,
> <mailto:info-cvs...@gnu.org?subject=subscribe>
> Sender: info-cvs-bounces+lawrence.jones=eds...@gnu.org
> Errors-To: info-cvs-bounces+lawrence.jones=eds...@gnu.org
> X-Brightmail-Flag: NO
> X-Spam-Status: No, hits=-2.0 required=5.0
> tests=IN_REP_TO,QUOTED_EMAIL_TEXT,REFERENCES,REPLY_WITH_QUOTES
> version=2.55
> X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp)
> X-Spam-Report: This mail has been scanned in order to control spam.
> The results are given below in the "Content Analysis" line.
> If the number of "points" is greater than "required",
> then this mail is very probably spam.
> See http://antispam.mail.eds.com for more details.
> Content Analysis: (-2.00 points, 5 required)
> REFERENCES (-0.5 points) Has a valid-looking References header
> IN_REP_TO (-0.5 points) Has a In-Reply-To header
> QUOTED_EMAIL_TEXT (-0.5 points) BODY: Contains what looks like a quoted email text
> REPLY_WITH_QUOTES (-0.5 points) Reply with quoted text
> X-Spam-Flag: NO
> X-Envelope-Trace: plmler3.hA79Acq9021740
> X-Envelope-From: <info-cvs-bounces+lawrence.jones=eds...@gnu.org>
> X-OriginalArrivalTime: 07 Nov 2003 10:46:46.0717 (UTC) FILETIME=[70D4D6D0:01C3A51C]
> X-Bogosity: No, tests=bogofilter, spamicity=0.000000, version=0.13.7.2
>
>
> > Sorry if this is a silly question, but have you put a shell in your jail?
>
> No, I haven't, but why would I? What I execute from loginfo is a standalone
> application, it should not need a shell at all.
>
> Maarten
>
>
Larry Jones
>
> No, I haven't, but why would I? What I execute from loginfo is a standalone
> application, it should not need a shell at all.
But CVS doesn't have any way to know that. The administrative files
contain command lines, so CVS passes them to the shell for parsing and
execution. If you don't have a shell, that isn't going to work.
-Larry Jones
Nobody knows how to pamper like a Mom. -- Calvin