Re: "Operation not permitted" error when using su

2013-07-04 Thread Stephen Powell
Sun, 30 Jun 2013 02:09:35 -0400 (EDT), Bob Proulx wrote:
> 
> Stephen Powell wrote:
>> ...logged in as root...
>>    su barney
>>    vi stuff
>>    Error: messages not turned on: /dev/pts/0: Operation not permitted
> 
> The above is basically a normal result of the current environment.  At
> another level it is a bug in nvi.  I suggest that you understand it
> and then ignore it.  Or jump into the nvi code and fix it.
> 
> There are two issues.  First is that root needs to protect itself
> against attacks against its smart terminal.  Therefore "messages"
> will be off by default for root.  What does that mean?  It means the
> ability of processes to send text to the terminal.  Processes may be a
> "biff" mail notification program saying "you have mail".  Or it may be
> a user trying to "write(1)" (old Unix IM program) to your terminal.
> Or it may be a local user (think student on a multiuser university
> system) trying to crack into your terminal by sending smart terminal
> escape sequences.  (Most terminals have those disabled these days for
> security surrounding this issue too.  Because even for non-root smart
> terminal attacks are still an issue.)
> 
> Non-Root User:
>   $ ls -l /dev/pts/23
>   crw--w---- 1 rwp tty 136, 23 Jun 29 19:02 /dev/pts/23
> 
> Root User:
>   $ ls -l /dev/pts/11
>   crw------- 1 root tty 136, 0 Jun 29 19:00 /dev/pts/11
> 
> Or in the old days on other systems I recall it being world writable
> by other too.  But that may be an incorrect memory.
> 
> For root the standard is that no one else can write(1) to the
> terminal.  (And probably "talk" and others too.)  See the man page for
> mesg(1) for a small amount of additional information.  It was common
> in the old days to see "mesg n" in root's dot profile file.
> 
>   man mesg
> 
> So back to your problem...  You are starting from a /dev/pts/X that is
> owned by root and is not otherwise writable.  That is good.  Safe from
> various attacks.  That is what you want.
> 
> But then the second issue comes into play.  You are using su to switch
> user to a non-root user.  After you have switched to that user the pty
> hasn't changed.  That is intentional due to the security risk nature
> of root.  But it means that the non-root user processes can't make
> changes to the tty device.
> 
> Now is where the nvi bug/misfeature comes into play.  There really
> isn't any reason for nvi to need to touch the pty.  In my opinion it
> should do nothing to it by default.  Emacs doesn't touch the pty.  If
> you try your test case with emacs there will be no error printed.  Nor
> with vim.  This is only a problem in the nvi program.  Why?  Because
> it is trying to do too much.
> 
> What the nvi program is trying to do is to turn off messages to the
> terminal while it is running.  It is trying to prevent other local
> users from using write(1) to you while you are editing.
> 
>   man nvi
> 
>    mesg [on]
>      Permit messages from other users.
> 
> In order to prevent messages from other users it tries to run chmod on
> your pty device.  This can be seen with strace.
> 
>   $ strace -v -e chmod -o /tmp/nvi.strace.out nvi .bashrc
>   $ cat /tmp/nvi.strace.out
>   chmod("/dev/pts/0", 020620) = -1 EPERM (Operation not permitted)
>   chmod("/var/tmp/vi.recover/vi.ryTzPt", 0700) = 0
>   chmod("/dev/pts/0", 020600) = -1 EPERM (Operation not% permitted)
> 
> And those chmods are the source of the messages that you are seeing.
> The only way to fix this is to patch the nvi source code to avoid the
> chmod calls.
> 
> Basically I ignore the errors.  The file is edited successfully
> anyway.  It is just noise.  Annoying.  But since I know what is
> happening and I only do that a very few times I just ignore it.
> 
> This would be a reasonable issue to submit as a bug against nvi.
> However there are worse problems with nvi.  See Bug#497342 which has
> been around for years which is much more annoying.  Filing bugs is
> easy but if no one is around to fix them then it doesn't do much
> good.  But this is a valid bug in my opinion.  Though much less of a
> problem than Bug#497342 which is very annoying.  Especially since the
> previous version 1.79 of nvi didn't have it.  But that is a different
> story.
> 
> Hope this explanation helps!
> Bob

Thank you, Bob, for that detailed explanation.  I'm not starting out
as root though.  I'm starting out as "fred" (Applications -> Utilities ->
Terminal, in the latest version of Gnome under Jessie, while logged
in to the graphical desktop as "fred"), then doing a direct su to "barney".
(Those user ids were chosen for illustrative purposes only, they are not
the actual user ids that I am using.)  The basis of your explanation
is sound though.  barney does not have the authority to issue chmod
against a "file" (/dev/pts/0) owned by fred.  Even if the file permissions
themselves gave barney permission to write to the file (crw-rw-rw-),
that's different from permission to cha

Re: "Operation not permitted" error when using su

2013-06-29 Thread Bob Proulx
Stephen Powell wrote:
> ...logged in as root...
>    su barney
>    vi stuff
>    Error: messages not turned on: /dev/pts/0: Operation not permitted

The above is basically a normal result of the current environment.  At
another level it is a bug in nvi.  I suggest that you understand it
and then ignore it.  Or jump into the nvi code and fix it.

There are two issues.  First is that root needs to protect itself
against attacks against its smart terminal.  Therefore "messages"
will be off by default for root.  What does that mean?  It means the
ability of processes to send text to the terminal.  Processes may be a
"biff" mail notification program saying "you have mail".  Or it may be
a user trying to "write(1)" (old Unix IM program) to your terminal.
Or it may be a local user (think student on a multiuser university
system) trying to crack into your terminal by sending smart terminal
escape sequences.  (Most terminals have those disabled these days for
security surrounding this issue too.  Because even for non-root smart
terminal attacks are still an issue.)

Non-Root User:
  $ ls -l /dev/pts/23
  crw--w---- 1 rwp tty 136, 23 Jun 29 19:02 /dev/pts/23

Root User:
  $ ls -l /dev/pts/11
  crw------- 1 root tty 136, 0 Jun 29 19:00 /dev/pts/11

Or in the old days on other systems I recall it being world writable
by other too.  But that may be an incorrect memory.

For root the standard is that no one else can write(1) to the
terminal.  (And probably "talk" and others too.)  See the man page for
mesg(1) for a small amount of additional information.  It was common
in the old days to see "mesg n" in root's dot profile file.

  man mesg

So back to your problem...  You are starting from a /dev/pts/X that is
owned by root and is not otherwise writable.  That is good.  Safe from
various attacks.  That is what you want.

But then the second issue comes into play.  You are using su to switch
user to a non-root user.  After you have switched to that user the pty
hasn't changed.  That is intentional due to the security risk nature
of root.  But it means that the non-root user processes can't make
changes to the tty device.

Now is where the nvi bug/misfeature comes into play.  There really
isn't any reason for nvi to need to touch the pty.  In my opinion it
should do nothing to it by default.  Emacs doesn't touch the pty.  If
you try your test case with emacs there will be no error printed.  Nor
with vim.  This is only a problem in the nvi program.  Why?  Because
it is trying to do too much.

What the nvi program is trying to do is to turn off messages to the
terminal while it is running.  It is trying to prevent other local
users from using write(1) to you while you are editing.

  man nvi

   mesg [on]
     Permit messages from other users.

In order to prevent messages from other users it tries to run chmod on
your pty device.  This can be seen with strace.

  $ strace -v -e chmod -o /tmp/nvi.strace.out nvi .bashrc
  $ cat /tmp/nvi.strace.out
  chmod("/dev/pts/0", 020620) = -1 EPERM (Operation not permitted)
  chmod("/var/tmp/vi.recover/vi.ryTzPt", 0700) = 0
  chmod("/dev/pts/0", 020600) = -1 EPERM (Operation not% permitted)

And those chmods are the source of the messages that you are seeing.
The only way to fix this is to patch the nvi source code to avoid the
chmod calls.

Basically I ignore the errors.  The file is edited successfully
anyway.  It is just noise.  Annoying.  But since I know what is
happening and I only do that a very few times I just ignore it.

This would be a reasonable issue to submit as a bug against nvi.
However there are worse problems with nvi.  See Bug#497342 which has
been around for years which is much more annoying.  Filing bugs is
easy but if no one is around to fix them then it doesn't do much
good.  But this is a valid bug in my opinion.  Though much less of a
problem than Bug#497342 which is very annoying.  Especially since the
previous version 1.79 of nvi didn't have it.  But that is a different
story.

Hope this explanation helps!
Bob
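Bob's two points above, that mesg(1) is just the pty's group-write bit and that chmod(2) on the pty needs ownership (or root) regardless of its rw bits, worked through as an added example (not code from this thread or from nvi). The uid values 1000 for fred and 1001 for barney are assumptions, as is modelling root simply as euid 0; the chmod modes are the ones from the quoted strace output.

```python
import os
import stat

# Constructed from the strace lines quoted above: the two chmod() calls nvi
# makes on the pty, with the mode argument exactly as strace printed it (octal).
NVI_CHMOD_CALLS = [("/dev/pts/0", 0o020620), ("/dev/pts/0", 0o020600)]

def mesg_state(mode):
    """mesg(1) reports 'y' when the tty's group-write bit is set: write(1)
    and talk(1) run setgid 'tty', so g+w is exactly what lets them in."""
    return "y" if mode & stat.S_IWGRP else "n"

def chmod_permitted(tty_uid, caller_euid):
    """chmod(2) succeeds only for the file's owner or a process with
    CAP_FOWNER (assumed here to mean euid 0). The rw bits on the device
    play no part, which is why 'su barney' on fred's pty gets EPERM."""
    return caller_euid in (tty_uid, 0)

def predict_nvi_chmods(tty_uid, caller_euid, calls=NVI_CHMOD_CALLS):
    """Replay nvi's chmod() calls against a pty owned by tty_uid, as seen
    from a process running with caller_euid; one record per call, shaped
    like the strace output so it can be compared line by line."""
    out = []
    for path, mode in calls:
        if not stat.S_ISCHR(mode):  # strace showed 020xxx: a character device
            raise ValueError(f"{mode:o} is not a character-device mode")
        out.append({
            "path": path,
            "perm": f"{stat.S_IMODE(mode):04o}",
            "mesg": mesg_state(mode),
            "result": "0" if chmod_permitted(tty_uid, caller_euid)
                      else "-1 EPERM (Operation not permitted)",
        })
    return out

def inspect_controlling_tty():
    """Live check for the terminal this runs on: its owner, whether messages
    are on, and whether the current euid could change that. Returns None
    when stdin is not a tty (e.g. a pipe), so it is safe inside scripts."""
    if not os.isatty(0):
        return None
    path = os.ttyname(0)
    st = os.stat(path)
    return {"tty": path, "owner_uid": st.st_uid,
            "mesg": mesg_state(st.st_mode),
            "chmod_permitted": chmod_permitted(st.st_uid, os.geteuid())}

if __name__ == "__main__":
    # fred (uid 1000) owns the pty; after 'su barney' (uid 1001) nvi's chmods fail.
    for rec in predict_nvi_chmods(tty_uid=1000, caller_euid=1001):
        print(f'chmod("{rec["path"]}", 0{rec["perm"]}) = {rec["result"]}'
              f'  # mesg {rec["mesg"]}')
    live = inspect_controlling_tty()
    if live:
        print(live)
```

Run it from a real terminal to see the live record for your own pty; under sudo the live check reports chmod_permitted True because euid is 0.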


Re: "Operation not permitted" error when using su

2013-06-29 Thread Stephen Powell
On Sat, 29 Jun 2013 18:39:32 -0400 (EDT), Chris Bannister wrote:
> 
> Is there a difference if you " su - barney" ?

No, there is no difference.  I still get the same error.

-- 
  .''`. Stephen Powell
 : :'  :
 `. `'`
   `-


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/1462006945.1948292.1372547161473.javamail.r...@md01.wow.synacor.com



Re: "Operation not permitted" error when using su

2013-06-29 Thread Chris Bannister
On Sat, Jun 29, 2013 at 04:00:41PM -0400, Stephen Powell wrote:
> I have discovered a problem recently when using su to switch to a user
> other than root on a Gnome Terminal session.  Let's say I login to the
> graphical desktop using a userid of "fred".  When I launch a Gnome
> Terminal session, I'm automatically logged in as "fred".  Now, let's
> suppose I switch to user "barney" by using
> 
>    su barney
> 
> After entering the password for user "barney", my userid changes to
> "barney" in that session.  (whoami reports "barney".)  I then change
> to barney's home directory with "cd", issued with no operands.  Now,
> certain commands will cause error messages to the terminal.  For example,
> if I issue
> 
>    vi stuff
> 
> Then exit vi with :q, I am back to another shell prompt, but there is an
> error message on the screen which looks like this:
> 
>    Error: messages not turned on: /dev/pts/0: Operation not permitted

Is there a difference if you " su - barney" ?

-- 
"If you're not careful, the newspapers will have you hating the people
who are being oppressed, and loving the people who are doing the 
oppressing." --- Malcolm X





Re: "Operation not permitted" error when using su

2013-06-29 Thread Stephen Powell
On Sat, 29 Jun 2013 16:26:56 -0400 (EDT), David Guntner wrote:
> 
> No, it won't output a message when you set it y or n.  Not sure I
> understand why vi is doing something that needs a messages channel
> turned on.  And it's kind of hard to guess without seeing actual output. :-)
> 
> You said you had done some su commands before invoking vi, if I recall
> correctly.  Did you try doing the "mesg y" command at the initial login
> point, before su'ing to the user where you're trying to run vi?

Yes, I tried that too.  No difference.

-- 
  .''`. Stephen Powell
 : :'  :
 `. `'`
   `-





Re: "Operation not permitted" error when using su

2013-06-29 Thread David Guntner
Stephen Powell grabbed a keyboard and wrote:
> On Sat, 29 Jun 2013 16:07:54 -0400 (EDT), David Guntner wrote:
>>
>> Stephen Powell grabbed a keyboard and wrote:
>>>
>>>    Error: messages not turned on: /dev/pts/0: Operation not permitted
>>>
>>> (vi is actually nvi on my system.)
>>> This problem does not occur in a virtual terminal (vt1-vt6).  It also
>>> does not occur if I switch to root, instead of a non-root user.
>>>
>>> A search of the internet seemed to suggest that the problem was the
>>> presence of "biff y" in a bash profile.  However, I have looked, and
>>> I cannot find "biff y" specified in any bash-related file.  (I am running
>>> jessie.)  In fact, the biff package is not even installed.  Ideas anyone?
>>
>> Since it's complaining about messages not being turned on, try "mesg y"
>> and see if that helps.
> 
> I just tried that.  "mesg y" produced no output and no error messages, but
> a subsequent execution of vi produced the same error on exit as before.

No, it won't output a message when you set it y or n.  Not sure I
understand why vi is doing something that needs a messages channel
turned on.  And it's kind of hard to guess without seeing actual output. :-)

You said you had done some su commands before invoking vi, if I recall
correctly.  Did you try doing the "mesg y" command at the initial login
point, before su'ing to the user where you're trying to run vi?

   --Dave



Re: "Operation not permitted" error when using su

2013-06-29 Thread Stephen Powell
On Sat, 29 Jun 2013 16:07:54 -0400 (EDT), David Guntner wrote:
> 
> Stephen Powell grabbed a keyboard and wrote:
>> 
>>    Error: messages not turned on: /dev/pts/0: Operation not permitted
>> 
>> (vi is actually nvi on my system.)
>> This problem does not occur in a virtual terminal (vt1-vt6).  It also
>> does not occur if I switch to root, instead of a non-root user.
>> 
>> A search of the internet seemed to suggest that the problem was the
>> presence of "biff y" in a bash profile.  However, I have looked, and
>> I cannot find "biff y" specified in any bash-related file.  (I am running
>> jessie.)  In fact, the biff package is not even installed.  Ideas anyone?
> 
> Since it's complaining about messages not being turned on, try "mesg y"
> and see if that helps.

I just tried that.  "mesg y" produced no output and no error messages, but
a subsequent execution of vi produced the same error on exit as before.

-- 
  .''`. Stephen Powell
 : :'  :
 `. `'`
   `-





Re: "Operation not permitted" error when using su

2013-06-29 Thread David Guntner
Stephen Powell grabbed a keyboard and wrote:
>    Error: messages not turned on: /dev/pts/0: Operation not permitted
> 
> (vi is actually nvi on my system.)
> This problem does not occur in a virtual terminal (vt1-vt6).  It also
> does not occur if I switch to root, instead of a non-root user.
> 
> A search of the internet seemed to suggest that the problem was the
> presence of "biff y" in a bash profile.  However, I have looked, and
> I cannot find "biff y" specified in any bash-related file.  (I am running
> jessie.)  In fact, the biff package is not even installed.  Ideas anyone?

Since it's complaining about messages not being turned on, try "mesg y"
and see if that helps.

   --Dave



"Operation not permitted" error when using su

2013-06-29 Thread Stephen Powell
I have discovered a problem recently when using su to switch to a user
other than root on a Gnome Terminal session.  Let's say I login to the
graphical desktop using a userid of "fred".  When I launch a Gnome
Terminal session, I'm automatically logged in as "fred".  Now, let's
suppose I switch to user "barney" by using

   su barney

After entering the password for user "barney", my userid changes to
"barney" in that session.  (whoami reports "barney".)  I then change
to barney's home directory with "cd", issued with no operands.  Now,
certain commands will cause error messages to the terminal.  For example,
if I issue

   vi stuff

Then exit vi with :q, I am back to another shell prompt, but there is an
error message on the screen which looks like this:

   Error: messages not turned on: /dev/pts/0: Operation not permitted

(vi is actually nvi on my system.)
This problem does not occur in a virtual terminal (vt1-vt6).  It also
does not occur if I switch to root, instead of a non-root user.

A search of the internet seemed to suggest that the problem was the
presence of "biff y" in a bash profile.  However, I have looked, and
I cannot find "biff y" specified in any bash-related file.  (I am running
jessie.)  In fact, the biff package is not even installed.  Ideas anyone?

-- 
  .''`. Stephen Powell
 : :'  :
 `. `'`
   `-

