s390-tools: missing ts-shell

Bug #1567473 reported by bugproxy
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Ubuntu on IBM z Systems
Fix Released
Medium
Unassigned
s390-tools (Ubuntu)
Fix Released
Medium
Dimitri John Ledkov
Xenial
Fix Released
Medium
Unassigned

Bug Description

[Impact]

 * /var/log/ts-shell has wrong permissions, and thus prevents ts-shell operation.

[Test Case]

 * /var/log/ts-shell should be:
drwxrws--T 2 root ts-shell

==

s390-tools: missing ts-shell

ts-shell is part of the s390-tools package (see here http://www.ibm.com/developerworks/linux/linux390/s390-tools-overview.html)

ts-shell is a terminal server shell to authorize and control IUCV terminal connections for individual Linux users. It is currently still missing in the Ubuntu Beta version (4.4.0-15-generic #31-Ubuntu SMP Fri Mar 18 19:07:12 UTC 2016 s390x).

The preferred integration of ts-shell is through a subpackage. The ts-shell is required on a particular Linux instance only, that it is the terminal server. Other Linux instances might not need to install ts-shell.

Apart from the installing ts-shell, further configuration files and steps are required:

1. Install and package these configuration files:

/etc/iucvterm/ts-audit-systems.conf
/etc/iucvterm/ts-authorization.conf
/etc/iucvterm/ts-shell.conf
/etc/iucvterm/unrestricted.conf

2. Install additional documentation files for the ts-shell, that are included in the "iucvterm/doc/ts-shell" in the s390-tools source directory.

3. System configuration for ts-shell.

- (optional) Register ts-shell as shell by adding it to /etc/shells.
- Create a ts-shell group.
- Ensure the configuration files from 1. are readable by the ts-shell group.
- Create the /var/log/ts-shell directory to store audit logs; the ts-shell group should have read/write access to this directory, implemented as set-group-ID

4. Optional. The ts-shell subpackage must depend on s390-tools because it requires iucvconn. Further, the subpackage should add a Recommends to either Term::ReadLine::Gnu or Term::ReadLine::Perl.

Below is an excpert from the README.ts-shell to create ts-shell user accounts. These information should help to better understand the configuration steps above:

Setup considerations for the terminal server shell (ts-shell)
-------------------------------------------------------------
Adding new ts-shell users
~~~~~~~~~~~~~~~~~~~~~~~~~
The ts-shell installation creates a system group ts-shell.
If you intend to use ts-shell as a login shell for users, ensure that
these users are all members of ts-shell. To add existing users to
group ts-shell, use +usermod -G ts-shell 'username'+.

The ts-shell configuration files and `/var/log/ts-shell` are
readable only by members of the *ts-shell* group.

Enabling terminal session transcripts
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ts-shell(1) can be configured to create transcripts of terminal sessions
to particular z/VM guest virtual machines. The transcripts are written
to log files in the `/var/log/ts-shell` directory.

NOTE: The `/var/log/ts-shell` directory permission has the
        set-group-ID bit set. Sub-directories that are created by
        different users will inherit the group ownership of the
        `/var/log/ts-shell` directory.

See the ts-shell(1) manual page for more information about terminal
session transcripts.

For further details, see http://public.dhe.ibm.com/software/dw/linux390/docu/l4n0ht01.pdf

bugproxy (bugproxy)
tags: added: architecture-s39064 bugnameltc-139838 severity-medium targetmilestone-inin1604
Changed in ubuntu:
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
Luciano Chavez (lnx1138)
affects: ubuntu → s390-tools (Ubuntu)
Revision history for this message
Dimitri John Ledkov (xnox) wrote :

Hello,

When filing bug reports against a package, please include the version of the package. E.g. most of the requested things are provided in s390-tools package since 1.34.0-0ubuntu3, which was released a day before this bug was filed.

So the missing bits I think are just these postinst stanzas:
    if ! getent group ts-shell >/dev/null; then
        addgroup --system ts-shell
    fi
    chown root:ts-shell /etc/iucvterm/*.conf
    chmod 0640 /etc/iucvterm/*.conf
    mkdir -p 3770 /var/log/ts-shell
    chmod g+s /var/log/ts-shell
    chgrp -R ts-shell /var/log/ts-shell >/dev/null 2>&1 || true
    chmod 0660 /var/log/ts-shell/* >/dev/null 2>&1 || true

I shall add them to the package, and then I think this bug report will be complete. This will not register ts-shell in /etc/shells.
Hopefully the above postinst commands are all correct and sufficient for ts-shell integration on Ubuntu.

Changed in s390-tools (Ubuntu):
status: New → In Progress
Changed in ubuntu-z-systems:
status: New → In Progress
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package s390-tools - 1.34.0-0ubuntu8

---------------
s390-tools (1.34.0-0ubuntu8) xenial; urgency=medium

  * Ship dumpconf legacy init script, and sysconfig file. LP: #1564690
  * Integrate ts-shell. LP: #1567473
  * Recommend statd package, and mention it by mon_statd name too to aid
    discovery.

 -- Dimitri John Ledkov <email address hidden> Thu, 14 Apr 2016 14:26:16 +0100

Changed in s390-tools (Ubuntu):
status: In Progress → Fix Released
Changed in ubuntu-z-systems:
status: In Progress → Fix Committed
dann frazier (dannf)
Changed in ubuntu-z-systems:
status: Fix Committed → Fix Released
Revision history for this message
bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2016-05-02 12:32 EDT-------
While trying to verify this bug, I found the following issue:

I have three users: root, tsuser (member of group ts-shell) and test

tsuser@s8330003:/var/log/ts-shell$ groups tsuser test
tsuser : tsuser ts-shell

test@s8330003:/var/log/ts-shell$ groups test
test : test

The issue is: User tsuser is not allowed to write to /var/log/ts-shell

tsuser@s8330003:/var/log/ts-shell$ echo created_TS > /var/log/ts-shell/created_by_tsuser
-bash: /var/log/ts-shell/created_by_tsuser: Permission denied

This is caused by an improper permission setting during creation of the directory /var/log/ts-shell. mkdir -p 3770 /var/log/ts-shell creates a _directory_ 3770 (!) under /var/log and does NOT set the permissions. If I delete the 3770 and ts-shell directory and execute
mkdir -m 3770 /var/log/ts-shell
instead, it looks fine and works as expected. So this must be fixed in /var/lib/dpkg/info/s390-tools.postinst.

Reopening this bug.

Revision history for this message
Dimitri John Ledkov (xnox) wrote :

bah, yes thank you.

Changed in s390-tools (Ubuntu):
status: Fix Released → Triaged
assignee: Skipper Bug Screeners (skipper-screen-team) → Dimitri John Ledkov (xnox)
Changed in ubuntu-z-systems:
status: Fix Released → Triaged
Frank Heimes (fheimes)
Changed in ubuntu-z-systems:
importance: Undecided → Medium
Changed in s390-tools (Ubuntu):
status: Triaged → In Progress
Changed in s390-tools (Ubuntu Xenial):
status: New → In Progress
Changed in s390-tools (Ubuntu):
importance: Undecided → Medium
Changed in s390-tools (Ubuntu Xenial):
importance: Undecided → Medium
Frank Heimes (fheimes)
Changed in ubuntu-z-systems:
status: Triaged → In Progress
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package s390-tools - 1.34.0-0ubuntu10

---------------
s390-tools (1.34.0-0ubuntu10) yakkety; urgency=medium

  * Fix ts-shell maintainer scripts LP: #1567473:
    - create /var/log/ts-shell directory with the right permissions
    - remove errorous directory
  * Install iuctty-login@.service systemd unit, with a correct path LP:
    #1580226

 -- Dimitri John Ledkov <email address hidden> Mon, 06 Jun 2016 12:37:33 +0100

Changed in s390-tools (Ubuntu):
status: In Progress → Fix Released
Revision history for this message
Dimitri John Ledkov (xnox) wrote :

Please validate the correct behavior on yakkety (16.10), prior to stable release update for xenial (16.04).

description: updated
Revision history for this message
Brian Murray (brian-murray) wrote : Please test proposed package

Hello bugproxy, or anyone else affected,

Accepted s390-tools into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/s390-tools/1.34.0-0ubuntu8.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in s390-tools (Ubuntu Xenial):
status: In Progress → Fix Committed
tags: added: verification-needed
Frank Heimes (fheimes)
Changed in ubuntu-z-systems:
status: In Progress → Fix Committed
Revision history for this message
Dimitri John Ledkov (xnox) wrote :

Verified maintainer scripts are fixed.

tags: added: verification-done
removed: verification-needed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package s390-tools - 1.34.0-0ubuntu8.1

---------------
s390-tools (1.34.0-0ubuntu8.1) xenial; urgency=medium

  * Fix ts-shell maintainer scripts LP: #1567473:
    - create /var/log/ts-shell directory with the right permissions
    - remove errorous directory
  * Install iuctty-login@.service systemd unit, with a correct path LP:
    #1580226
  * Cherrypick upstream fix for buffer overflow in dasdfmt. LP: #1582728

 -- Dimitri John Ledkov <email address hidden> Mon, 06 Jun 2016 11:51:16 +0100

Changed in s390-tools (Ubuntu Xenial):
status: Fix Committed → Fix Released
Revision history for this message
Martin Pitt (pitti) wrote : Update Released

The verification of the Stable Release Update for s390-tools has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Frank Heimes (fheimes)
Changed in ubuntu-z-systems:
status: Fix Committed → Fix Released
Revision history for this message
bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2016-06-28 05:36 EDT-------
Verfication was successful. All permissions now are set correctly.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.