From: Julian Sikorski <belegdol@gmail.com>
To: Jeremy Allison <jra@samba.org>, linux-cifs@vger.kernel.org
Subject: Re: Permission denied when chainbuilding packages with mock
Date: Sun, 7 Nov 2021 23:15:49 +0100
Message-ID: <7abcce96-9293-cd47-780b-cdc971da07e5@gmail.com>
In-Reply-To: <YYhJ+8ehPFX1XDhv@jeremy-acer>

On 07.11.2021 at 22:49, Jeremy Allison wrote:
> On Sun, Nov 07, 2021 at 01:44:53PM -0800, Jeremy Allison wrote:
>> On Sun, Nov 07, 2021 at 10:10:17PM +0100, Julian Sikorski wrote:
>>>
>>> but it is not really clear _why_ the access is being denied. Any
>>> ideas where to look? Thanks!
>>
>> What debug log level are you using on the server? To debug
>> something like this use log level 10.
>>
>> fsync failed: Permission denied
>>
>> is strange. I need to see what access mask the fsp is being
>> opened with. If it's a directory, it might be running into
>> this (from smbd_smb2_flush_send()):
>>
>>        if (!CHECK_WRITE(fsp)) {
>>                bool allow_dir_flush = false;
>>                uint32_t flush_access = FILE_ADD_FILE | FILE_ADD_SUBDIRECTORY;
>>
>>                if (!fsp->fsp_flags.is_directory) {
>>                        tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
>>                        return tevent_req_post(req, ev);
>>                }
>>
>>                /*
>>                 * Directories are not writable in the conventional
>>                 * sense, but if opened with *either*
>>                 * FILE_ADD_FILE or FILE_ADD_SUBDIRECTORY
>>                 * they can be flushed.
>>                 */
>>
>>                if ((fsp->access_mask & flush_access) != 0) {
>>                        allow_dir_flush = true;
>>                }
>>
>>                if (allow_dir_flush == false) {
>>                        tevent_req_nterror(req, NT_STATUS_ACCESS_DENIED);
>>                        return tevent_req_post(req, ev);
>>                }
>>        }
>>
>> as 'man 2 fsync' on Linux doesn't show EACCES as a possible return
>> error from fsync.
>>
>> If this is the case, then the client redirector is relying on
>> Linux-specific behavior. From 'man 2 fsync':
>>
>> NOTES
>>       On some UNIX systems (but not Linux), fd must be a writable file descriptor.
> 
> If this is actually what is happening, Samba is implementing the
> Windows semantics, and not the Linux ones (as we should). From
> the Microsoft MS-SMB2 spec:
> 
> https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/026984f6-38af-4408-8200-50557eb0a286 
> 
> 
> --------------------------------------------------------------------------
> 3.3.5.11 Receiving an SMB2 FLUSH Request
> 10/04/2021
> 
> When the server receives a request with an SMB2 header with a Command value
> equal to SMB2 FLUSH, message handling proceeds as follows:
> 
> The server MUST locate the session, as specified in section 3.3.5.2.9.
> 
> The server MUST locate the tree connection, as specified in section 3.3.5.2.11.
> 
> Next the server MUST locate the open being flushed by performing
> a lookup in the Session.OpenTable, using the FileId.Volatile of the
> request as the lookup key. If no open is found, or if Open.DurableFileId
> is not equal to FileId.Persistent, the server MUST fail the request
> with STATUS_FILE_CLOSED. Otherwise, the server MUST locate the Request
> in Connection.RequestList for which Request.MessageId matches
> the MessageId value in the SMB2 header, and set Request.Open to the Open.
> 
> If the Open is on a file and Open.GrantedAccess includes neither
> FILE_WRITE_DATA nor FILE_APPEND_DATA, the server MUST fail the
> request with STATUS_ACCESS_DENIED.
> 
> If the Open is on a directory and Open.GrantedAccess includes
> neither FILE_ADD_FILE nor FILE_ADD_SUBDIRECTORY, the server MUST
> fail the request with STATUS_ACCESS_DENIED.
> --------------------------------------------------------------------------

Hi,

thanks for responding. I am using loglevel 10. I have uploaded the logs 
to my dropbox as they are too big to attach:

https://www.dropbox.com/sh/r4b7q7ti2zmtlu9/AACqFY0FW2oW41Vu8l3nLZJSa?dl=0

The problem happens around 15:45:48. Do the logs show what access mask
the fsp is being opened with, as you requested?
I am using quite an old Samba server (4.9.5+dfsg-5+deb10u1) due to the
fact that openmediavault is based off Debian 10 and there are no Samba
backports available. Having said that, this configuration can work, as
shown by the goffice/goffice-0.10.50-1.fc35.src.rpm rebuild and the fact
that it was working for months previously.

Best regards,
Julian
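
[Added example, not part of the message above and not Samba or cifs.ko code: the MS-SMB2 3.3.5.11 access rule quoted in the thread, next to what Linux fsync(2) does locally on a read-only descriptor. The helper names and the scratch path are assumptions made for illustration.]

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Access-mask bits; the file and directory names alias the same values. */
#define FILE_READ_DATA        0x00000001u
#define FILE_WRITE_DATA       0x00000002u
#define FILE_APPEND_DATA      0x00000004u
#define FILE_ADD_FILE         0x00000002u
#define FILE_ADD_SUBDIRECTORY 0x00000004u
#define NT_STATUS_OK            0x00000000u
#define NT_STATUS_ACCESS_DENIED 0xC0000022u

/* Hypothetical helper: status a server following 3.3.5.11 returns for
 * SMB2 FLUSH, given the open's granted access and its type. */
uint32_t smb2_flush_check(uint32_t granted_access, bool is_directory)
{
    uint32_t need = is_directory
        ? (FILE_ADD_FILE | FILE_ADD_SUBDIRECTORY)
        : (FILE_WRITE_DATA | FILE_APPEND_DATA);
    return (granted_access & need) ? NT_STATUS_OK : NT_STATUS_ACCESS_DENIED;
}

/* Local behaviour: create a scratch file, reopen it O_RDONLY, fsync it.
 * Returns fsync's result, or -2 if the setup itself fails. */
int fsync_on_readonly_fd(void)
{
    char path[] = "/tmp/flushdemoXXXXXX";   /* constructed scratch path */
    int fd = mkstemp(path);
    if (fd < 0) return -2;
    close(fd);
    fd = open(path, O_RDONLY);
    if (fd < 0) { unlink(path); return -2; }
    int rc = fsync(fd);      /* Linux does not require a writable fd */
    close(fd);
    unlink(path);
    return rc;
}

int main(void)
{
    printf("local fsync on O_RDONLY fd: %d\n", fsync_on_readonly_fd());
    printf("SMB2 FLUSH, file opened read-only: 0x%08X\n",
           (unsigned)smb2_flush_check(FILE_READ_DATA, false));
    printf("SMB2 FLUSH, dir opened with FILE_ADD_FILE: 0x%08X\n",
           (unsigned)smb2_flush_check(FILE_READ_DATA | FILE_ADD_FILE, true));
    return 0;
}
```

On a local Linux filesystem the first line prints 0, while the same read-only open forwarded as SMB2 FLUSH is refused by a server applying the quoted rule.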
