Bug #18347
closed
Group owner of files under configuration-repository are inconsistent
Description
The webapp seems to create/edit files and output them with the group owner root, which conflicts with the script "/opt/rudder/bin/rudder-fix-repository-permissions", which forces the group owner to be "rudder".
We need to clarify this part and state clearly what should be the perms for the files under the configuration-repository to avoid such conflicting and misleading cases.
The configuration repository after a technique creation:
```
server:/var/rudder/configuration-repository # find /var/rudder/configuration-repository ! -group rudder
/var/rudder/configuration-repository/directives/ncf_techniques/pkg
/var/rudder/configuration-repository/directives/ncf_techniques/pkg/activeTechniqueSettings.xml
/var/rudder/configuration-repository/directives/ncf_techniques/pkg/7ac318b5-9f6e-416c-98e0-1373b2aa323d.xml
/var/rudder/configuration-repository/groups/SystemGroups
/var/rudder/configuration-repository/groups/SystemGroups/hasPolicyServer-69ef1f5a-4ba3-4bd2-8e77-b65b214a9557.xml
/var/rudder/configuration-repository/groups/9a542f2c-7936-484e-98fb-f1c5b96cf34f.xml
/var/rudder/configuration-repository/ncf
/var/rudder/configuration-repository/ncf/generic_methods.json
/var/rudder/configuration-repository/ncf/ncf_hash_file
```
Updated by François ARMAND about 4 years ago
- Status changed from New to In progress
- Assignee set to François ARMAND
Updated by François ARMAND about 4 years ago
- Target version changed from 6.1.6 to 6.2.0~beta1
Updated by François ARMAND about 4 years ago
We have `/opt/rudder/bin/rudder-fix-repository-configuration` that does:
```
echo -n "INFO: Correcting permissions on /var/rudder/configuration-repository..."
# Adjust permissions on /var/rudder/configuration-repository
chgrp -R rudder /var/rudder/configuration-repository
## Add execution permission for ncf-api only on directories and files with user execution permission
chmod -R u+rwX,g+rwX /var/rudder/configuration-repository/.git
chmod -R u+rwX,g+rwX /var/rudder/configuration-repository/techniques
## Add setgid to directories so that all files created here belong to the rudder group
find /var/rudder/configuration-repository/.git /var/rudder/configuration-repository/techniques -type d -exec chmod g+s "{}" \;
echo " Done"
```
Updated by Félix DALLIDET about 4 years ago
There are users that are using custom ACLs to synchronize the repository from different servers; I have seen them using a default ACL setup on the repository such as:
setfacl -Rm default:group:rudder:rwx /var/rudder/configuration-repository
Updated by François ARMAND about 4 years ago
- Status changed from In progress to Pending technical review
- Assignee changed from François ARMAND to Elaad FURREEDAN
- Pull Request set to https://github.com/Normation/rudder/pull/3275
Updated by François ARMAND about 4 years ago
- Related to Architecture #18375: Directly generate policies with correct rights added
Updated by François ARMAND about 4 years ago
- Status changed from Pending technical review to Pending release
Applied in changeset rudder|a3ddfaf5c5e323176c2102f3ed5012581d747c1b.
Updated by Vincent MEMBRÉ about 4 years ago
- Status changed from Pending release to Released
This bug has been fixed in Rudder 6.2.0~beta1 which was released today.
Updated by François ARMAND about 4 years ago
- Fix check changed from To do to Error - Blocking
There is still:
-rw-------. 1 root root 44 Nov 17 08:30 /var/rudder/configuration-repository/ncf/ncf_hash_file
Updated by François ARMAND about 4 years ago
- Related to Bug #18592: ncf_hash_file is created with incorrect group permission by system techniques added
Updated by François ARMAND about 4 years ago
- Fix check changed from Error - Blocking to Checked
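
An audit for the state discussed in this thread, as an added example that is not part of the ticket or of Rudder's code: it checks group ownership across the whole tree and, under `.git` and `techniques` only (the paths the fix script adjusts), group read/write and setgid on directories. It assumes GNU find; `audit_repo_perms`, `make_sample_repo` and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Rudder code. Assumes GNU find (-printf) and awk.

# audit_repo_perms ROOT [GROUP]   (hypothetical helper name)
# Prints "<issue> <group> <mode> <path>" per finding; returns 1 if any.
# Group ownership is checked on the whole tree; group rw and setgid
# only under .git and techniques, as in the fix script quoted above.
audit_repo_perms() {
    find "${1%/}" ! -type l -printf '%g %m %y %p\n' |
    awk -v want="${2:-rudder}" -v root="${1%/}" '
    function report(issue) { print issue, grp, mode, path; bad = 1 }
    {
        grp = $1; mode = sprintf("%04d", $2); type = $3
        path = $0; sub(/^[^ ]+ [^ ]+ [^ ]+ /, "", path)  # keep spaces in names
        rel = substr(path, length(root) + 2)             # path relative to ROOT
        if (grp != want) report("wrong-group")
        if (rel !~ /^(\.git|techniques)(\/|$)/) next
        if (substr(mode, 3, 1) + 0 < 6) report("no-group-rw")
        # setgid is the 2 bit of the leading octal digit
        if (type == "d" && int(substr(mode, 1, 1) / 2) % 2 == 0) report("no-setgid")
    }
    END { exit bad + 0 }'
}

# Constructed sample tree (not real Rudder data) to exercise the audit.
make_sample_repo() {
    d=$(mktemp -d)
    mkdir -p "$d/techniques/pkg" "$d/ncf"
    chmod 2775 "$d/techniques"          # state the fix script aims for
    chmod 0755 "$d/techniques/pkg"      # no g+w, no setgid
    : > "$d/ncf/ncf_hash_file"
    chmod 0600 "$d/ncf/ncf_hash_file"   # same mode as the leftover file in the ticket
    echo "$d"
}

# Demo on the constructed tree; a real run would pass
# /var/rudder/configuration-repository as ROOT.
demo_repo=$(make_sample_repo)
audit_repo_perms "$demo_repo" rudder || echo "findings listed above"
rm -rf "$demo_repo"
```

Because the mode checks are scoped like the fix script, a file such as `ncf/ncf_hash_file` is only ever reported through the group check.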