Project

General

Profile

Actions

Bug #18347

closed

Group owner of files under configuration-repository are inconsistent

Added by Félix DALLIDET over 3 years ago. Updated over 3 years ago.

Status:
Released
Priority:
3
Category:
Server components
Target version:
Severity:
UX impact:
User visibility:
Effort required:
Priority:
0
Name check:
To do
Fix check:
Checked
Regression:

Description

The webapp seems to create/edit files and output them with the group owner root. Which conflicts with the script "/opt/rudder/bin/rudder-fix-repository-permissions" which force the
group owner to be "rudder".

We need to clarify this part and state clearly what should be the perms for the files under the configuration-repository to avoid such conflicting and misleading cases.

The configuration repository after a technique creation:

server:/var/rudder/configuration-repository # find /var/rudder/configuration-repository ! -group rudder
/var/rudder/configuration-repository/directives/ncf_techniques/pkg
/var/rudder/configuration-repository/directives/ncf_techniques/pkg/activeTechniqueSettings.xml
/var/rudder/configuration-repository/directives/ncf_techniques/pkg/7ac318b5-9f6e-416c-98e0-1373b2aa323d.xml
/var/rudder/configuration-repository/groups/SystemGroups
/var/rudder/configuration-repository/groups/SystemGroups/hasPolicyServer-69ef1f5a-4ba3-4bd2-8e77-b65b214a9557.xml
/var/rudder/configuration-repository/groups/9a542f2c-7936-484e-98fb-f1c5b96cf34f.xml
/var/rudder/configuration-repository/ncf
/var/rudder/configuration-repository/ncf/generic_methods.json
/var/rudder/configuration-repository/ncf/ncf_hash_file


Subtasks 1 (0 open1 closed)

Bug #18349: User/Group of user technique files should be rudder:rudderReleasedVincent MEMBRÉActions

Related issues 2 (0 open2 closed)

Related to Rudder - Architecture #18375: Directly generate policies with correct rightsReleasedNicolas CHARLESActions
Related to Rudder - Bug #18592: ncf_hash_file is created with incorrect group permission by system techniquesReleasedAlexis MoussetActions
Actions #1

Updated by François ARMAND over 3 years ago

  • Status changed from New to In progress
  • Assignee set to François ARMAND
Actions #2

Updated by François ARMAND over 3 years ago

  • Target version changed from 6.1.6 to 6.2.0~beta1
Actions #3

Updated by François ARMAND over 3 years ago

We have `/opt/rudder/bin/rudder-fix-repository-configuration` that does:

echo -n "INFO: Correcting permissions on /var/rudder/configuration-repository..." 
# Adjust permissions on /var/rudder/configuration-repository
chgrp -R rudder /var/rudder/configuration-repository

## Add execution permission for ncf-api only on directories and files with user execution permission
chmod -R u+rwX,g+rwX /var/rudder/configuration-repository/.git
chmod -R u+rwX,g+rwX /var/rudder/configuration-repository/techniques

## Add setgid to directories so that all files created here belong to the rudder group
find /var/rudder/configuration-repository/.git /var/rudder/configuration-repository/techniques -type d -exec chmod g+s "{}" \;

echo " Done" 
Actions #4

Updated by Félix DALLIDET over 3 years ago

There are users that are using custom acls to synchronize the repository from different servers, I have seen them using a default acl setup on the repository such as:

setfacl -Rm default:group:rudder:rwx /var/rudder/configuration-repository

Actions #5

Updated by François ARMAND over 3 years ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from François ARMAND to Elaad FURREEDAN
  • Pull Request set to https://github.com/Normation/rudder/pull/3275
Actions #6

Updated by François ARMAND over 3 years ago

Actions #7

Updated by François ARMAND over 3 years ago

  • Status changed from Pending technical review to Pending release
Actions #8

Updated by Vincent MEMBRÉ over 3 years ago

  • Status changed from Pending release to Released

This bug has been fixed in Rudder 6.2.0~beta1 which was released today.

Actions #9

Updated by François ARMAND over 3 years ago

  • Fix check changed from To do to Error - Blocking

There is still:

-rw-------. 1 root root 44 Nov 17 08:30 /var/rudder/configuration-repository/ncf/ncf_hash_file
Actions #10

Updated by François ARMAND over 3 years ago

  • Related to Bug #18592: ncf_hash_file is created with incorrect group permission by system techniques added
Actions #11

Updated by François ARMAND over 3 years ago

  • Priority changed from N/A to 3
Actions #12

Updated by François ARMAND over 3 years ago

  • Fix check changed from Error - Blocking to Checked
Actions

Also available in: Atom PDF