Project

General

Profile

Actions

Bug #2767

closed

Permissions on /var/rudder/inventories/ prevent inventories being received by Apache when using a strict umask

Added by Gonéri Le Bouder over 11 years ago. Updated about 9 years ago.

Status:
Released
Priority:
1
Assignee:
Nicolas PERRON
Category:
Packaging
Target version:
Severity:
UX impact:
User visibility:
Effort required:
Priority:
Name check:
Fix check:
Regression:

Description

I had to do :

chmod a+rx /var/rudder/inventories/

to be able to accept inventory.

Before, the POST were rejected by 403. The directory is owned by root:root and were setted with 750 right.

755 fixed the problem.

root@srv00015:~# dpkg -l|grep rudder
ii  rudder-cfengine-community           2.3.8-squeeze0               Configuration management and audit tool - CFEngine server component
ii  rudder-inventory-endpoint           2.3.8-squeeze0               Configuration management and audit tool - service to receive inventory data
ii  rudder-inventory-ldap               2.3.8-squeeze0               Configuration management and audit tool - OpenLDAP
ii  rudder-jetty                        2.3.8-squeeze0               Configuration management and audit tool - Jetty application server
ii  rudder-policy-templates             2.3.8-squeeze0               Configuration management and audit tool -  policy templates
ii  rudder-reports                      2.3.8-squeeze0               Configuration management and audit tool - reports database
ii  rudder-server-root                  2.3.8-squeeze0               Configuration management and audit tool - root server base package
ii  rudder-webapp                       2.3.8-squeeze0               Configuration management and audit tool - webapp
Actions #1

Updated by Nicolas PERRON over 11 years ago

  • Category set to 11
  • Assignee set to Nicolas PERRON
  • Priority changed from N/A to 1
  • Target version set to 2.3.9

We will try to reproduce it.

Actions #2

Updated by Nicolas PERRON over 11 years ago

  • Status changed from New to In progress

Ok, it seems that /var/rudder/inventories/ folder is missing execution right in order to let apache user to access /var/rudder/inventories/incoming

Actions #3

Updated by Nicolas PERRON over 11 years ago

  • Status changed from In progress to Pending technical review
  • % Done changed from 0 to 100

Applied in changeset commit:ae74cf8a6cb41e18acc7506f8796f85338ee82d5.

Actions #4

Updated by Matthieu CERDA over 11 years ago

Nice work ! Guessing that must have been painful ... Approved.

Actions #5

Updated by Nicolas PERRON over 11 years ago

This issue need some context to explain the fix:

Initially, the folder /var/rudder/inventories/ doesn't have execution permission:

root@orchestrateur-2:~# ls -lah /var/rudder/inventories/
total 24K
drwxr-x---  6 root root     4,0K 17 juil. 19:25 .
drwxr-xr-x 12 root root     4,0K 17 juil. 19:06 ..
drwxr-x---  2 root root     4,0K 17 juil. 19:25 debug
drwxr-xr-x  3 root root     4,0K 17 juil. 19:25 historical
drwxrws---  2 root www-data 4,0K 19 sept. 11:47 incoming
drwxr-xr-x  2 root root     4,0K 19 sept. 11:47 received

Which prevent apache user (here, www-data) to read the folder /var/rudder/inventories/incoming despite the fact that this folder is owned by the group www-data (this is logic):

www-data@orchestrateur-2:~$ ls -lh /var/rudder/inventories/incoming/
ls: cannot access /var/rudder/inventories/incoming/: Permission denied

If a node needs to send to its inventory to the server (here, orchestrateur-2), rudder-agent will use a command like this after creation of inventory:

root@ubuntu-12-04-64:~# curl -f --user rudder:rudder -T /root/ubuntu-12-04-64-2012-09-15-00-21-40.ocs  http://orchestrateur-2.labo.normation.com/inventories/
curl: (22) The requested URL returned error: 403

Nevertheless, on the node it result into an "403" HTTP error and on the server side, it lead to this output in /var/log/rudder/apache2/err.log:

root@orchestrateur-2:~# tail -n0 -f /var/log/rudder/apache2/error.log
[Wed Sep 19 13:05:15 2012] [crit] [client 192.X.X.X] (13)Permission denied: /var/rudder/inventories/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable

After adding execution rights to the folder /var/rudder/inventories/:

root@orchestrateur-2:~# chmod 751 /var/rudder/inventories/

Sending inventory works perfectly, now:

root@ubuntu-12-04-64:~# curl -f -s --user rudder:rudder -T /root/ubuntu-12-04-64-2012-09-15-00-21-40.ocs  http://orchestrateur-2.labo.normation.com/inventories/
root@ubuntu-12-04-64:~#

root@orchestrateur-2:~# tail -n0 -f /var/log/rudder/apache2/access.log
192.X.X.X - rudder [19/Sep/2012:13:08:22 +0200] "PUT /inventories/ubuntu-12-04-64-2012-09-15-00-21-40.ocs HTTP/1.1" 204 166 "-" "curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3" 
Actions #6

Updated by Nicolas PERRON over 11 years ago

And an explanation could the this:

We never seen this before because of our laxist umask:

root@orchestrateur-2:~# umask 
0022

Why ? Because we didn't manage the rights of the folder before and with the umask set to 0022, the folder /var/rudder/inventories right was set to 755.

If the umask was set to 0027, the folder would be with the right set to 750.

Actions #7

Updated by Jonathan CLARKE over 11 years ago

  • Status changed from Pending technical review to Released

OK, then I agree with the change implemented: if we require a certain file mode, we should force it.

Actions #8

Updated by Jonathan CLARKE over 11 years ago

  • Subject changed from right issue with 2.3 Debian package to Permissions on /var/rudder/inventories/ prevent inventories being received by Apache when using a strict umask
Actions #9

Updated by Nicolas PERRON about 11 years ago

  • Project changed from Rudder to 34
  • Category deleted (11)
Actions #10

Updated by Benoît PECCATTE about 9 years ago

  • Project changed from 34 to Rudder
  • Category set to Packaging
Actions

Also available in: Atom PDF