Bug #8181: Error message about setgid on ncf.conf - Rudder - Issue Tracker

Actions

Copy link

Bug #8181

closed

Error message about setgid on ncf.conf

Added by Alexis Mousset over 8 years ago. Updated over 8 years ago.

Status:

Released

Priority:

N/A

Assignee:

Benoît PECCATTE

Category:

System techniques

Target version:

2.11.21

Pull Request:

https://github.com/Normation/rudder-p...

Severity:

UX impact:

User visibility:

Effort required:

Priority:

Name check:

Fix check:

Regression:

Description

During the first run after updating from 3.1.8 to 3.1.9 on SLES:

2016-04-14T16:59:23+0200    error: /default/propagatePromises/files/'/var/rudder/configuration-repository/ncf/ncf.conf'[0]: NEW SETGID root PROGRAM '/var/rudder/configuration-repository/ncf/ncf.conf'

Actions

Copy link

Updated by Jonathan CLARKE over 8 years ago

This happens because cf-agent keeps a log of all known SETUID/SETGID files it copies, and this is the first time it's seen ncf.conf as a SETGID file. As a matter of fact we contributed a patch to CFEngine to make these messages no longer "error" but "warning" instead (see https://github.com/cfengine/core/pull/2581) which will be available in the next patch release of CFEngine 3.7.

However, ncf.conf doesn't need to be SETGID. These lines in rudder-webapp's postinst script set SITGID a bit too liberally. We need SETGID on the /var/rudder/configuration-repository/{ncf,techniques} directories so that all files created there belong to the rudder group, so that ncf-api and others can read/write them. But we don't need it on files (the SETGID bit on files is only useful for executables, and there shouldn't be any there except for the ncf-api hooks).

Actions

Copy link