SUMMARY: "Cannot get shelf" from mailtool

From: Steve Simmons (scs@lokkur.dexter.mi.us)
Date: Tue Sep 01 1992 - 02:24:54 CDT


The problem:

>Periodically a machine will get into a state where any use of mailtool
>generates the following error messages in the console:
>
> Selection service couldn't open selection file: Permission denied
> filename: "/tmp/MTc002392"
> Cannot get shelf in /tmp/MTc002392
>
>The file can be seen in /tmp, with correct ownership and rw permission.
>The permission on /tmp is drwxrwsrwt.
>
>The problem occurs on Sun-3s and Sun-4s with 4.1.1 under sunview, on
>dataless nodes, diskless nodes, standalones and servers. A reboot
>clears it. Users report tentatively that logging in and out sometimes
>clears it. Stopping and restarting mailtool does not clear it, but the
>XXXXXX number in /tmp/MTcXXXXXX changes.

The helpers:

Aydin Edguer <edguer@alpha.CES.CWRU.Edu>
Gerhard.Holzer@rcvie.co.at (Gerhard Holzer)
davisson@ida.org (Chuck Davisson)
dkn@gmf.eds.com (Dale K. Newby)
mdl@cypress.com (J. Matt Landrum)
pln@egret1.Stanford.EDU (Patrick L. Nolan)
todd@flex.Eng.McMaster.CA (Todd Pfaff)
Mr T Crummey (DIJ) <tom@sees.bangor.ac.uk>
canuck@masc38.rice.edu (Mike Pearlman)

Special thanks to Todd Pfaff, who supplied the richest set of solutions
(at bottom of this summary).

The cause of the problem:

The problem only occurs when multiple people use sunview on the same
machine, it is not rebooted between users, and their default umasks
do not permit mutually writable files.

In somewhat more detail, selection_svc is started by user A and sometimes
does not exit when user A logs out. User B logs in and starts sunview.
Since selection_svc is already running, it simply continues -- but as
User A. Assume they are in different groups.

User B now attempts to use mailtool. A tempfile is created in /tmp,
owned by user B. At some point selection_svc attempts to access the
file. There is a permission failure, and the error message is generated.

The solutions:

Several folks suggested removing the sticky bit from the /tmp directory.
This solved some but not all problems -- selection_svc could then
remove files owned by other users, but still can't modify existing
files.

It was suggested (in various forms) to set up things such that instead
of doing a straight call to `sunview', `exec sunview' was done instead.
While this does seem to ensure that selection_svc exits properly, it
generates a different problem -- when the user exits sunview, he is
automaticly logged out. This is correct behavior for using exec, but
a number of our users develop products which must run under both sunview
and OW, and like to flip back and forth without having to log out in
between. This also of course only works if your users all use a standard
.cshrc that you can easily modify.

A similar suggestion was made to write a privileged `killsvc' program
and have all users put it into their .login or .logout files. The program
is trivially easy to write with relatively good security and I may do it.
However, it still requires modifying all the .login or .logout files.

Yet another suggestion was to mv sunview to sunview.foo and replace it
with a script that calls sunview.foo. When sunview.foo exits, the
script looks for a running selection_svc and stomps it to death. This
looks the most feasible to me.

Todd Pfaff gave the most detail and the best overall set of solutions;
I've included his response in toto below. Note there appear to be at
least problems with the killsvc program he provides. First, any user
can remote login and kill the selection service while someone else is
using it. Second, if selection_svc is *not* running, it will generate
an error message which will no doubt confuse the naive user.

The first of these problems can be solved by incorporating checks for
interactive login on the console into killsvc.c. I offer the following
code from my own `shutdown.sh.c' program as example:

==================== start of shutdown.sh.c ==============================
/*
 * Command to shut down a system immediately. Only works if you're
 * root and on the console. Suitable to be installed as a shell for
 * a shutdown id, eg,
 * shutdown::0:0:Shutdown System:/:/etc/shutdown.sh
 *
 * Copyright 1990, Inland Sea. You may copy and reuse this program as
 * you see fit provided this copyright notice and the copyright notice
 * in the resulting object are not removed. No warrantee, no guarantee.
 */

#include <stdio.h>

extern char *ttyname() ;

static char copyright[] = "Copyright 1990, Inland Sea" ;

char conditions[] = " To run this command you must be:\n\tlogged in as root (uid 0);\n\tlogged in interactively;\n\tlogged in on the console.\nNo shutdown will be done.\n";

/* ARGSUSED */
main()
{
        char *tty ;

        if ( NULL == ( tty = ttyname( 0 ) ) )
        {
                (void) fputs( "You are not logged in interactively.", stderr );
                (void) fputs( conditions, stderr );
                exit( 0 ) ;
        }
        if ( 0 != strcmp( tty, "/dev/console" ) )
        {
                (void) fputs( "You are not logged in on the console.", stderr );
                (void) fputs( conditions, stderr );
                exit( 0 ) ;
        }
        else if ( 0 != getuid() )
        {
                (void) fputs( "You are not logged in as root.", stderr );
                (void) fputs( conditions, stderr );
                exit( 0 ) ;
        }
#ifdef TEST
        (void) system( "echo Would give command: /etc/shutdown -h now" ) ;
#else
        (void) system( "/etc/shutdown -h now" ) ;
#endif
        /* NOTREACHED */
        exit( 0 ) ;
        return 0 ;
}
===================== end of shutdown.sh.c ===============================

The second can be solved by a better shell script; it is left as an exercise
for the reader.

And now, Todd's note:

Date: Fri, 14 Aug 92 16:32:45 EDT
From: todd@flex.Eng.McMaster.CA (Todd Pfaff)
Message-Id: <9208142032.AA03032@flex1>
To: scs@lokkur.dexter.mi.us
Subject: Re: "Cannot get shelf" from mailtool

Steve,

See the bug description and solution below.

/*
        Kill the SunView selection_svc process (or OpenWindows sv_xv_sel_svc)

        This should be run from .login if the tty is a console:

                if ( `tty` == "/dev/console" ) then
                        killsvc
                endif

        The executable killsvc should be setuid root:

                # chown root killsvc
                # chmod 4755 killsvc

        See included text below for explanation.
*/

main()
{
        setruid(0);
        system("/bin/echo \"(set psnum=\\`ps ax|\
                        grep selection_svc|grep -v grep\\`;\
                        kill \\$psnum[1])\" | /bin/csh -s");
        system("rpcinfo -d 100015 6");
}

/*

OpenWindows (X11/News) uses a different selection service. OpenWindows
selection service (sv_xv_sel_svc) will take over the selection service
RPC port when it starts (it does not kill selection_svc however). When
you exit OpenWindows, the OpenWindows selection service unregisters
itself and exits. The next time someone starts SunView, a new selection_svc
is started (because there is no selection service registered with RPC).
BUT THE ORIGINAL selection_svc is STILL running. ARGHH!

The work around from for this problem (and the mailtool problem) is as
follows:

1) compile killsvc and place in the /usr/bin/sunview1 directory.
        cc -o killsvc killsvc.c
        install -c -m 4755 -o root killsvc /usr/bin/sunview1

2) rename sv_release to sv_release.ORIG
        mv sv_release sv_release.ORIG

3) create a new sv_release with the contents:
        #!/bin/sh
        /usr/bin/sunview1/sv_release.ORIG
        /usr/bin/sunview1/killsvc > /dev/null 2>&1 &

This should automatically kill the selection_svc for anyone when they are
done using sunview.

I am including the note from Sun support here that lists the source to
killsvc.c.

======================== Bug Copy =========================
 Bug Id: 1030932
 Product: sunos
 Category: sunview1
 Release summary: 4.1, 4.0.3, 3.5
 Bug/Rfe: bug
 State: evaluated
 Synopsis: selection_svc permission problem using textsw and umask
 Description:
        when a user uses umask 027 in his environment the selection file
        /tmp/textsw_shelf is created for the textsw package under those
        permissions.
        If the selection_svc process was started by another regular user
        (Usually in a previous session), the selection_svc won't be able
        to work with this file.
        The following message will appear in the console window :
        Selection service couldn't open selection file: Permission denied
        filename: "/tmp/textsw_shelf"
 Work around:
        1. Encourge the usesr to kill the selection service process
            after they exit SunView.
           i.e : a script that grab the selection_svc process number
                  and kill it when exiting SunView
                OR
                  A suid program owned by root to kill this process.
 Suggested fix:
        Create the /tmp/textsw_shelf file ignoring the umask.
        This file is created by the textsw package.
 State triggers:
         Evaluation:
        19-Dec-89 --
        The problem is that the selection service is not killed when sunview
        terminates. This was done to eliminate the need to start the
        selection service each time sunview is started. The fix is to
        save the pid of the selection service **if it is spawned** and kill
        it **if it was spawned** when sunview terminates. If the user
        starts the selection_service before starting sunview, it will not
        be killed.
 Comments:
7/10/90
The work around should be changed. Starting selection_svc as root can
lead to selection_svc using a privilaged port < 1024 then when another
user tries to use the service he/she may get:
Cannot register service, RPC timed out
See bug id 1032415.

 Bug End:
======================== killsvc.doc ======================
MANUALLY -->
1) Use rpcinfo -p to get the program and version number that
   selection_svc is registered under, and use rpcinfo -d to
   unregister the selection_svc with the privileged port.
2) Also "ps ax | egrep selection" and "kill -9 pid_for_selection_svc

*** BETTER ****
A) The program can be called /etc/killsvc and should be setuid-ed as
        root:

                % su
                # chown root /etc/killsvc
                # chmod 4755 /etc/killsvc

B) killsvc.c:
                
        main()
        {
                setruid(0);
                system("/bin/echo \"(set psnum=\\`ps ax|\
                                grep selection_svc|grep -v grep\\`;\
                                kill \\$psnum[1])\" | /bin/csh -s");
                system("rpcinfo -d 100015 6");
        }

C) Then the following should be in your .login:

                if ( `tty` == "/dev/console" ) then
                        echo Killing existing selection service...
                        /etc/killsvc
                endif
======================================================================

*/

--
Todd Pfaff                     \ Internet: todd@flex.eng.mcmaster.ca
Dept. of Mechanical Engineering \   Voice: (416) 525-9140 x2902
McMaster University              \    FAX: (416) 572-7944
1280 Main Street West             \
Hamilton, Ontario, CANADA  L8S 4L7 \



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:06:48 CDT