Bug #5172

closed

ncf-api does not run as root and cannot use command to read/write promises

Added by Vincent MEMBRÉ almost 8 years ago. Updated almost 8 years ago.

Status: Released
Priority: N/A
Category: System integration

Description

ncf-api cannot completely write or read data from techniques:

Since it's run as the apache user, you can't run cf-promises from /var/rudder/cfengine-community/bin, nor run as root the hooks from ncf-hooks.d

Several ways:

  • run the app as root
  • add commands in path and use sudo, modify sudoers so that user apache can use it

Subtasks 7 (0 open, 7 closed)

  • Bug #5194: correct permission on /var/rudder/configuration-repository so ncf-builder can write/delete techniques (Released, Jonathan CLARKE, 2014-07-03)
  • Bug #5209: Some issues on perms still persists even with shared repository (Released, Vincent MEMBRÉ, 2014-07-03)
  • Bug #5220: The package rudder-webapp enforce mode of all files/folder under /var/rudder/configuration-files into '2775' (Released, Jonathan CLARKE, 2014-07-04)
  • Bug #5212: The group 'rudder' can't be added on SLES or RHEL during installation of rudder-webapp (Released, Jonathan CLARKE, 2016-11-14)
  • Bug #9674: Wrong group parameter during installation of rudder-webapp (Released, Alexis Mousset, 2016-11-14)
  • Bug #5229: ncf-api needs to adjust permissions on .git (Released, Jonathan CLARKE, 2014-07-07)
  • Bug #5227: rudder-webapp fails with chmod in its postinst as bashism does not work (Released, Jonathan CLARKE, 2014-07-07)

#1

Updated by Vincent MEMBRÉ almost 8 years ago

  • Description updated (diff)

We can't run a wsgi application as root.

We need to find a way to run cf-promises as apache without being root.

Is it possible to force running a program as root?

About ncf hooks, we could set a group rudder on /var/rudder/configuration-repository, and add the apache user to the rudder group.

#2

Updated by Matthieu CERDA almost 8 years ago

  • Project changed from 41 to 34
  • Status changed from New to In progress
  • Assignee changed from Vincent MEMBRÉ to Matthieu CERDA

#3

Updated by Matthieu CERDA almost 8 years ago

  • Target version set to 2.11.0~beta2

We are going to make the api wsgi run as user ncf, to eventually add it to a rudder group, having the access rights to the necessary directories :)

#4

Updated by Matthieu CERDA almost 8 years ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from Matthieu CERDA to Jonathan CLARKE
  • % Done changed from 0 to 100
  • Pull Request set to https://github.com/Normation/rudder-packages/pull/422

PR is ready!

#5

Updated by Vincent MEMBRÉ almost 8 years ago

  • Target version changed from 2.11.0~beta2 to 2.11.0~rc1

#6

Updated by Matthieu CERDA almost 8 years ago

  • Status changed from Pending technical review to Pending release

Applied in changeset commit:a6e277e97ff1889fc0dfbe92a08f9358e5f2a991.

#7

Updated by Jonathan CLARKE almost 8 years ago

Applied in changeset commit:8964eb01b1f032ba924d090535c2af3ec6e8b149.

#8

Updated by Vincent MEMBRÉ almost 8 years ago

  • Project changed from 34 to Rudder
  • Category set to System integration

#9

Updated by Vincent MEMBRÉ almost 8 years ago

  • Status changed from Pending release to Released

This bug has been fixed in Rudder 2.11.0~rc1 (announcement, changelog), which was released today.
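
The approach settled on in this ticket replaces root with a shared group (rudder) that has write access to /var/rudder/configuration-repository. As an added example (not code from this ticket or from Rudder), the Python below audits a tree for entries that would break such a layout. The function names, the group read/write requirement on files, the world-writable check and the sample tree are assumptions made here; the directory mode follows the '2775' mentioned in subtask #5220.

```python
import os
import stat
import tempfile

def mode_problems(mode, gid, expected_gid):
    """Return the reasons one entry breaks the shared-group layout."""
    problems = []
    if gid != expected_gid:
        problems.append("wrong group")
    if stat.S_ISDIR(mode):
        # Directories need group rwx, plus setgid so new entries inherit the group.
        if (mode & stat.S_IRWXG) != stat.S_IRWXG:
            problems.append("directory not group rwx")
        if not (mode & stat.S_ISGID):
            problems.append("directory missing setgid")
    elif (mode & (stat.S_IRGRP | stat.S_IWGRP)) != (stat.S_IRGRP | stat.S_IWGRP):
        problems.append("file not group rw")
    if mode & stat.S_IWOTH:
        problems.append("world-writable")  # added check: group access should suffice
    return problems

def audit_tree(root, expected_gid):
    """Walk root without following symlinks; map each offending path to its problems."""
    findings = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode says nothing about its target
            problems = mode_problems(st.st_mode, st.st_gid, expected_gid)
            if problems:
                findings[path] = problems
    return findings

if __name__ == "__main__":
    # Constructed sample tree standing in for the configuration repository.
    with tempfile.TemporaryDirectory() as root:
        os.chmod(root, 0o2775)
        sub = os.path.join(root, "techniques")
        os.mkdir(sub)
        os.chmod(sub, 0o755)  # deliberately wrong: no group write, no setgid
        for path, why in audit_tree(root, os.stat(root).st_gid).items():
            print(path, ", ".join(why))
```

On a real server the expected gid would come from `grp.getgrnam("rudder").gr_gid`, and the audit would run as a user allowed to read the whole tree.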
