Bug #2767
closed
Permissions on /var/rudder/inventories/ prevent inventories being received by Apache when using a strict umask
Description
I had to do :
chmod a+rx /var/rudder/inventories/
to be able to accept inventory.
Before, the POST were rejected by 403. The directory is owned by root:root and were setted with 750 right.
755 fixed the problem.
root@srv00015:~# dpkg -l|grep rudder ii rudder-cfengine-community 2.3.8-squeeze0 Configuration management and audit tool - CFEngine server component ii rudder-inventory-endpoint 2.3.8-squeeze0 Configuration management and audit tool - service to receive inventory data ii rudder-inventory-ldap 2.3.8-squeeze0 Configuration management and audit tool - OpenLDAP ii rudder-jetty 2.3.8-squeeze0 Configuration management and audit tool - Jetty application server ii rudder-policy-templates 2.3.8-squeeze0 Configuration management and audit tool - policy templates ii rudder-reports 2.3.8-squeeze0 Configuration management and audit tool - reports database ii rudder-server-root 2.3.8-squeeze0 Configuration management and audit tool - root server base package ii rudder-webapp 2.3.8-squeeze0 Configuration management and audit tool - webapp
Updated by Nicolas PERRON over 12 years ago
- Category set to 11
- Assignee set to Nicolas PERRON
- Priority changed from N/A to 1 (highest)
- Target version set to 2.3.9
We will try to reproduce it.
Updated by Nicolas PERRON over 12 years ago
- Status changed from New to In progress
Ok, it seems that /var/rudder/inventories/ folder is missing execution right in order to let apache user to access /var/rudder/inventories/incoming
Updated by Nicolas PERRON over 12 years ago
- Status changed from In progress to Pending technical review
- % Done changed from 0 to 100
Applied in changeset commit:ae74cf8a6cb41e18acc7506f8796f85338ee82d5.
Updated by Matthieu CERDA over 12 years ago
Nice work ! Guessing that must have been painful ... Approved.
Updated by Nicolas PERRON about 12 years ago
This issue need some context to explain the fix:
Initially, the folder /var/rudder/inventories/ doesn't have execution permission:
root@orchestrateur-2:~# ls -lah /var/rudder/inventories/ total 24K drwxr-x--- 6 root root 4,0K 17 juil. 19:25 . drwxr-xr-x 12 root root 4,0K 17 juil. 19:06 .. drwxr-x--- 2 root root 4,0K 17 juil. 19:25 debug drwxr-xr-x 3 root root 4,0K 17 juil. 19:25 historical drwxrws--- 2 root www-data 4,0K 19 sept. 11:47 incoming drwxr-xr-x 2 root root 4,0K 19 sept. 11:47 received
Which prevent apache user (here, www-data) to read the folder /var/rudder/inventories/incoming despite the fact that this folder is owned by the group www-data (this is logic):
www-data@orchestrateur-2:~$ ls -lh /var/rudder/inventories/incoming/ ls: cannot access /var/rudder/inventories/incoming/: Permission denied
If a node needs to send to its inventory to the server (here, orchestrateur-2), rudder-agent will use a command like this after creation of inventory:
root@ubuntu-12-04-64:~# curl -f --user rudder:rudder -T /root/ubuntu-12-04-64-2012-09-15-00-21-40.ocs http://orchestrateur-2.labo.normation.com/inventories/ curl: (22) The requested URL returned error: 403
Nevertheless, on the node it result into an "403" HTTP error and on the server side, it lead to this output in /var/log/rudder/apache2/err.log:
root@orchestrateur-2:~# tail -n0 -f /var/log/rudder/apache2/error.log [Wed Sep 19 13:05:15 2012] [crit] [client 192.X.X.X] (13)Permission denied: /var/rudder/inventories/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable
After adding execution rights to the folder /var/rudder/inventories/:
root@orchestrateur-2:~# chmod 751 /var/rudder/inventories/
Sending inventory works perfectly, now:
root@ubuntu-12-04-64:~# curl -f -s --user rudder:rudder -T /root/ubuntu-12-04-64-2012-09-15-00-21-40.ocs http://orchestrateur-2.labo.normation.com/inventories/ root@ubuntu-12-04-64:~#
root@orchestrateur-2:~# tail -n0 -f /var/log/rudder/apache2/access.log 192.X.X.X - rudder [19/Sep/2012:13:08:22 +0200] "PUT /inventories/ubuntu-12-04-64-2012-09-15-00-21-40.ocs HTTP/1.1" 204 166 "-" "curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3"
Updated by Nicolas PERRON about 12 years ago
And an explanation could the this:
We never seen this before because of our laxist umask:
root@orchestrateur-2:~# umask 0022
Why ? Because we didn't manage the rights of the folder before and with the umask set to 0022, the folder /var/rudder/inventories right was set to 755.
If the umask was set to 0027, the folder would be with the right set to 750.
Updated by Jonathan CLARKE about 12 years ago
- Status changed from Pending technical review to Released
OK, then I agree with the change implemented: if we require a certain file mode, we should force it.
Updated by Jonathan CLARKE about 12 years ago
- Subject changed from right issue with 2.3 Debian package to Permissions on /var/rudder/inventories/ prevent inventories being received by Apache when using a strict umask
Updated by Nicolas PERRON almost 12 years ago
- Project changed from Rudder to 34
- Category deleted (
11)
Updated by Benoît PECCATTE over 9 years ago
- Project changed from 34 to Rudder
- Category set to Packaging