Bug #8065
closedACL Posix on Git repos
Description
Hello,
As seens with François, if the server as Posix ACL with a "default" type like that:
- file: var/rudder/configuration-repository/.git/objects
- owner: root
- group: rudder
- flags:
s
user::rwx
group::rwx
other::r-x
default:user::rwx
default:group::r-x
default:other::r-x
Then on that case, user "ncf-api-venv", belonging to "rudder", does NOT have write rights on Git repos because of "default:group::r-x".
To prevent that case, the installation shoud delete ACL rules with the following command:
setfacl -R -k /var/rudder/
Thanks !
Updated by François ARMAND almost 9 years ago
- Subject changed from ACL Posix sur le dépôt Git to ACL Posix on Git repos
- Description updated (diff)
Updated by Nicolas CHARLES over 8 years ago
- Translation missing: en.field_tag_list set to Sponsored
- Category set to System integration
- Assignee set to Alexis Mousset
- Target version set to 3.0.15
Alexis,
I think you're the most suited for this one
Updated by Vincent MEMBRÉ over 8 years ago
- Target version changed from 3.0.15 to 3.0.16
Updated by Jonathan CLARKE over 8 years ago
Alexandre Anriot wrote:
Hello,
As seens with François, if the server as Posix ACL with a "default" type like that:
- file: var/rudder/configuration-repository/.git/objects
- owner: root
- group: rudder
- flags:
s
user::rwx
group::rwx
other::r-x
default:user::rwx
default:group::r-x
default:other::r-xThen on that case, user "ncf-api-venv", belonging to "rudder", does NOT have write rights on Git repos because of "default:group::r-x".
To prevent that case, the installation shoud delete ACL rules with the following command:
setfacl -R -k /var/rudder/
Thanks !
Thanks for the report, Alex. We'll implement this command on initial installation only (then, if a user modifies their ACLs, they can, if they know what they're doing).
Updated by Jonathan CLARKE over 8 years ago
- Translation missing: en.field_tag_list changed from Sponsored to Sponsored, Next minor release
Updated by Alexis Mousset over 8 years ago
- Target version changed from 3.0.16 to 2.11.21
Updated by Alexis Mousset over 8 years ago
- Status changed from New to In progress
Updated by Alexis Mousset over 8 years ago
- Status changed from In progress to Pending technical review
- Assignee changed from Alexis Mousset to Benoît PECCATTE
- Pull Request set to https://github.com/Normation/rudder-packages/pull/916
Updated by Alexis Mousset over 8 years ago
- Status changed from Pending technical review to Pending release
- % Done changed from 0 to 100
Applied in changeset rudder-packages|34550cd7cf87cd79220e81d8625032e759c37fcc.
Updated by Vincent MEMBRÉ over 8 years ago
- Status changed from Pending release to Released
This bug has been fixed in Rudder 2.11.21, 3.0.16, 3.1.10 and 3.2.3 which were released on 2016-06-01, but not announced.
- 2.11: Changelog
- 3.0: Changelog
- 3.1: Changelog
- 3.2: Changelog
- Download: https://www.rudder-project.org/site/get-rudder/downloads/