[Bug 963587] Re: Trousers fails to set tpm permissions properly.
Laurent Blume
l_ubuntu at elanor.org
Wed May 7 07:30:56 UTC 2014
I have the problem in 14.04 as well, I believe I found the root issue at
play here.
FWIW: I noticed that just starting the tcsd daemon directly, with no
option whatsoever, it worked:
# tcsd
# ps -edf | grep tcsd
tss 31805 1 0 09:23 ? 00:00:00 tcsd
# fuser /dev/tpm0
/dev/tpm0: 31805
It appears the issue comes from this lines in the /etc/init.d/trousers
script, which tries too hard to do the right thing::
start-stop-daemon --start --quiet --oknodo --pidfile
/var/run/${NAME}.pid --user ${USER} --chuid ${USER} --exec ${DAEMON} --
${DAEMON_OPTS}
The --chuid ${USER} is redundant to what the daemon does by itself, and
the problem is that it removes its ability to open /dev/tpm0 as root and
change uid afterwards.
After removing just the --chuid, it starts and works:
# /etc/init.d/trousers start
* Starting Trusted Computing daemon tcsd [ OK ]
# tpm_version
TPM 1.2 Version Info:
Chip Version: 1.2.8.28
Spec Level: 2
Errata Revision: 3
TPM Vendor ID: STM
TPM Version: 01010000
Manufacturer Info: 53544d20
That fix seems trivial and implies no change of permission, just letting
upstream's code handle things as it should. Thoughts?
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to trousers in Ubuntu.
https://bugs.launchpad.net/bugs/963587
Title:
Trousers fails to set tpm permissions properly.
Status in “trousers” package in Ubuntu:
Triaged
Bug description:
root at antarus-precise:~# apt-get install trousers
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
trousers
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B/138 kB of archives.
After this operation, 431 kB of additional disk space will be used.
Selecting previously unselected package trousers.
(Reading database ... 135516 files and directories currently installed.)
Unpacking trousers (from .../trousers_0.3.7-2ubuntu1_amd64.deb) ...
Processing triggers for ureadahead ...
Processing triggers for man-db ...
Setting up trousers (0.3.7-2ubuntu1) ...
Adding system user `tss' (UID 115) ...
Adding new group `tss' (GID 126) ...
Adding new user `tss' (UID 115) with group `tss' ...
Not creating home directory `/var/lib/tpm'.
* Starting Trusted Computing daemon tcsd
...fail!
invoke-rc.d: initscript trousers, action "start" failed.
dpkg: error processing trousers (--configure):
subprocess installed post-installation script returned error exit status 137
Errors were encountered while processing:
trousers
E: Sub-process /usr/bin/dpkg returned an error code (1)
In the postinst:
configure)
# Adding tss system user
adduser --system --home /var/lib/tpm --shell /bin/false --no-create-home --group tss
# Setting owner
chown tss:tss /var/lib/tpm -R
chown tss:tss /etc/tcsd.conf
# Setting permissions
chmod 0600 /etc/tcsd.conf
chmod 0700 /var/lib/tpm
# we ship udev rules, so trigger an update
udevadm trigger --subsystem-match=misc --action=change
udevadm settle
;;
However udev seems to not like this:
Mar 24 00:39:14 antarus-precise udevd[31861]: specified user 'tss' unknown
Mar 24 00:39:14 antarus-precise udevd[31861]: specified group 'tss' unknown
root at antarus-precise:~# ls -al /dev/tpm0
crw------- 1 root root 10, 224 Mar 24 00:39 /dev/tpm0
Because the device is not owned correctly, tcsd fails to start and
breaks apt :/
root at antarus-precise:~# lsb_release -rd
Description: Ubuntu precise (development branch)
Release: 12.04
Release: 12.04
root at antarus-precise:~# apt-cache policy trousers
trousers:
Installed: 0.3.7-2ubuntu1
Candidate: 0.3.7-2ubuntu1
I expect the udev rules to take affect, so the daemon can start
properly.
Example:
root at antarus-precise:~# chown tss:tss /dev/tpm0
root at antarus-precise:~# ls -al /dev/tpm0
crw------- 1 tss tss 10, 224 Mar 24 00:39 /dev/tpm0
root at antarus-precise:~# start-stop-daemon --start --user tss --chuid tss --exec /usr/sbin/tcsd
root at antarus-precise:~# ps
PID TTY TIME CMD
4038 pts/6 00:00:00 sudo
4039 pts/6 00:00:00 bash
4686 pts/6 00:00:00 ps
root at antarus-precise:~# ps -u tss
PID TTY TIME CMD
4685 ? 00:00:00 tcsd
What happened instead?
root at antarus-precise:~# apt-get install trousers
Reading package lists... Done
Building dependency tree
Reading state information... Done
trousers is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
1 not fully installed or removed.
After this operation, 0 B of additional disk space will be used.
Do you want to continue [Y/n]? y
Setting up trousers (0.3.7-2ubuntu1) ...
The system user `tss' already exists. Exiting.
* Starting Trusted Computing daemon tcsd
...fail!
invoke-rc.d: initscript trousers, action "start" failed.
dpkg: error processing trousers (--configure):
subprocess installed post-installation script returned error exit status 137
Errors were encountered while processing:
trousers
E: Sub-process /usr/bin/dpkg returned an error code (1)
root at antarus-precise:~# ls -al /dev/tpm0
crw------- 1 root root 10, 224 Mar 24 00:43 /dev/tpm0
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/trousers/+bug/963587/+subscriptions
More information about the foundations-bugs
mailing list