Unix & Linux Asked by isarandi on February 9, 2021
I have an issue reading man pages that live on an NFS mount. I managed to isolate it to the following minimal example. The man page file is on an NFS mount /data
and its path is /data/program.1
I can print the file to the console with cat /data/program.1
so I definitely have read permissions (755 on the directories involved and 644 on the file, with nothing else like ACL or sticky bits etc.)
However, man -l /data/program.1
does not work in general.
But mysteriously enough, immediately after reading the file or its metadata (e.g. a successful ls /data/program.1
) suddenly man -l /data/program.1
does work for a short while (~30 seconds), looks related to some cache. Although it still seems nondeterministic (after the ls, it mostly works but if I do it repeatedly, some attempts do not work, then works again back and forth)
However, strangely enough, the whole problem only exists on some client machines, on other client machines of the same NFS server (with identical mount options) there is no issue whatsoever.
When it "doesn’t work" it outputs man: /data/program.1: Permission denied
Using strace man -l /data/program.1
I see the following relevant line:
stat("/data/program.1", 0x7ffe5ac9c9e0) = -1 EACCES (Permission denied)
And if I just run man program
(with the appropriate MANPATH), I see:
access("/data/program.1", R_OK) = -1 EACCES (Permission denied)
I therefore thought the access
call cannot be done, but when I compile my own C program to call it, it works (prints 0):
#include <unistd.h>
#include <stdio.h>
int main(){
printf("%d", access("/data/program.1", R_OK));
}
What could be the issue here?
I looked at the source code of man and perhaps it has something to do with this line (https://git.savannah.gnu.org/cgit/man-db.git/tree/src/man.c#n3746) drop_effective_privs()
? Otherwise I cannot explain why everything has access to the file (cat, head, my own C program etc.), but man
doesn’t (except when another program has recently read the metadata).
Ubuntu 18.04 is installed both on the clients and the server. The mount looks like this:
x.x.x.x:/srv/nfs/data on /data type nfs4 (rw,relatime,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=x.x.x.x,fsc,local_lock=none,addr=x.x.x.x)
Ubuntu 18.04 has AppArmor enabled by default and it blocks network access from man
, including accessing files over NFS.
To allow network/NFS access for man
, add the following to /etc/apparmor.d/local/usr.bin.man
:
# TCP/UDP network access for NFS
network inet stream,
network inet6 stream,
network inet dgram,
network inet6 dgram,
Then run systemctl reload apparmor
.
Alternatively, disable AppArmor, e.g. by setting the apparmor=0
kernel parameter.
Answered by isarandi on February 9, 2021
Get help from others!
Recent Questions
Recent Answers
© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP