Hi All,
I updated our 11.1 server with the latest updates via ‘zypper patch’, and I found that nobody was able to log in due to the error “pam_loginuid(sshd:session): Cannot open /proc/self/loginuid: Read-only file system”. Looking in /etc/mtab, I found:
/dev/sda1 / ext3 rw,acl,user_xattr 0 0
/proc /proc proc rw 0 0
sysfs /sys sysfs rw 0 0
debugfs /sys/kernel/debug debugfs rw 0 0
udev /dev tmpfs rw 0 0
devpts /dev/pts devpts rw,mode=0620,gid=5 0 0
fusectl /sys/fs/fuse/connections fusectl rw 0 0
securityfs /sys/kernel/security securityfs rw 0 0
proc /var/lib/ntp/proc proc ro 0 0
The last line in particular was interesting to me. I disabled ntp, and remounted /proc via ‘mount -no remount /proc’, and users were able to log in again.
Restarting the ntp service, I confirmed that the problem returns, and /proc is again mounted read-only.
I’ve already reinstalled all ntp and pam packages.
I’ve done the temporary workaround of commenting out pam_loginuid.so from the necessary /etc/pam.d/ files, but I really would like a proper solution.
Does this maybe have to do with running ntp chrooted?
Any thoughts?
Hmm, you seem to have a missing option in your ntp’s proc mount: bind. Here’s mine, on 11.2.
/proc /var/lib/ntp/proc none ro,bind 0 0
The bind mount is done in /etc/init.d/ntp. You might want to check it. Maybe you’ve stumbled upon an update bug.
Sure enough, here’s what I found in /etc/init.d/ntp:
function prepare_chroot() {
    for configfile in /etc/{localtime,ntp.keys} $NTP_CONF $NTPD_CHROOT_FILES; do
        test -d ${CHROOT_PREFIX}${configfile%/*} || mkdir -p ${CHROOT_PREFIX}${configfile%/*}
        if [ -r ${configfile} ]
        then
            cp -auL ${configfile} ${CHROOT_PREFIX}${configfile%/*}
        else
            echo
            echo "Warning: ${configfile} not found or not readable"
        fi
        mkdir -p ${CHROOT_PREFIX}/proc
        mount -t proc -o ro proc ${CHROOT_PREFIX}/proc 2>/dev/null
    done
    NTPD_OPTIONS="${NTPD_OPTIONS} -i ${CHROOT_PREFIX}"
}
Notice the ‘mount’ command is missing the ‘bind’ option and a slash in front of /proc. Also, the ‘done’ should be above the ‘mount’ command, otherwise /proc gets mounted many times. Changed it to:
done
...
mount -t proc -o ro,bind /proc ${CHROOT_PREFIX}/proc
...
And everything is now working as expected, thanks for your help Ken.
As to how this problem got introduced, I have no idea… It’s on a VPS in which they use some modified config files as a starting point, maybe that has something to do with it.
Might be an 11.1 bug that bit you because of pam_loginuid. Might be worth checking if it’s reported already for 11.1.
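
The pattern identified in this thread, as an added check that is not part of any of the posts and is not the ntp init script's own code: it scans /etc/mtab-format text for a proc filesystem mounted read-only outside /proc without the bind option, and tests the file named in the pam_loginuid error. The function names and sample lines are constructed for illustration; it assumes a regular-file /etc/mtab as on the poster's system, where a bind mount is recorded with the bind option.

```shell
#!/bin/sh
# Added example: scan mtab-format text for the pattern from this thread.
# Field layout: device mountpoint fstype options dump pass

# Print mount points where a new proc instance is mounted read-only
# outside /proc (no "bind" option). Reads the files given as arguments,
# or stdin when none are given.
find_ro_proc_mounts() {
    cat -- "$@" | awk '
        $3 == "proc" && $2 != "/proc" {
            n = split($4, opts, ",")
            ro = 0; bind = 0
            for (i = 1; i <= n; i++) {
                if (opts[i] == "ro")   ro = 1
                if (opts[i] == "bind") bind = 1
            }
            if (ro && !bind) print $2
        }'
}

# Live check for the symptom in the error message: succeeds only if the
# calling shell could write its own loginuid file.
loginuid_writable() {
    [ -w /proc/self/loginuid ]
}

# Constructed samples: /proc plus the chroot entry quoted in each post.
sample_broken() {
    printf '%s\n' '/proc /proc proc rw 0 0' \
                  'proc /var/lib/ntp/proc proc ro 0 0'
}
sample_fixed() {
    printf '%s\n' '/proc /proc proc rw 0 0' \
                  '/proc /var/lib/ntp/proc none ro,bind 0 0'
}

echo "broken sample flags: $(sample_broken | find_ro_proc_mounts)"
echo "fixed sample flags:  $(sample_fixed | find_ro_proc_mounts)"
```

On a live system with a regular-file mtab, run `find_ro_proc_mounts /etc/mtab`; any path it prints is a candidate for the init-script problem described above.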