Bug #5194 (closed)

Parent task: Bug #5172: ncf-api does not run as root and cannot use command to read/write promises

correct permission on /var/rudder/configuration-repository so ncf-builder can write/delete techniques

Added by Vincent MEMBRÉ over 9 years ago. Updated over 9 years ago.

Status: Released
Priority: N/A
Category: System integration

Description

We apply permission 2775 on /var/rudder/configuration-repository at package installation.

However, on first install the .git directory is not present yet, and its permissions are not set to make it usable.

We should initialise the git repository with the right permissions (git init --share=2775) so it would be OK.


Subtasks: 6 (0 open, 6 closed)

  • Bug #5209: Some issues on perms still persists even with shared repository (Released, Vincent MEMBRÉ, 2014-07-03)
  • Bug #5220: The package rudder-webapp enforce mode of all files/folder under /var/rudder/configuration-files into '2775' (Released, Jonathan CLARKE, 2014-07-04)
  • Bug #5212: The group 'rudder' can't be added on SLES or RHEL during installation of rudder-webapp (Released, Jonathan CLARKE, 2016-11-14)
  • Bug #9674: Wrong group parameter during installation of rudder-webapp (Released, Alexis Mousset, 2016-11-14)
  • Bug #5229: ncf-api needs to adjust permissions on .git (Released, Jonathan CLARKE, 2014-07-07)
  • Bug #5227: rudder-webapp fails with chmod in its postinst as bashism does not work (Released, Jonathan CLARKE, 2014-07-07)

#1
Actions #1

Updated by Vincent MEMBRÉ over 9 years ago

  • Assignee changed from Vincent MEMBRÉ to Jonathan CLARKE

Three solutions I see:

  • initialize the repo before setting permissions
  • modify system techniques so cfengine ensures that the repo is OK
  • set ACLs on /var/rudder/configuration-repo so the perms should always be OK

I don't know which one is better... I would go for the first (easier) or the third (would assure that it works over time).

Jon, Matthieu, what do you think of this?

#2

Updated by Matthieu CERDA over 9 years ago

  • Status changed from New to Discussion

  • git init --share=2775 looks good to me.
  • The system Techniques are bloated enough, and using them to manage git is dangerous as they are themselves stored in it. Chicken and egg problem :) break the system promises, break git, break rudder, no more system promises deployed :)
  • I'd rather not rely on ACLs, we just can't ask every person deploying rudder to remount his/her / or /var partition with the acl option :/ and it would reduce the portability potential to other OSes, even if it is not the same level of concern.

For all those reasons, I'd stick to the first option, and if it does not work maybe try something else :)

#3

Updated by Jonathan CLARKE over 9 years ago

  • Assignee changed from Jonathan CLARKE to Matthieu CERDA

I agree, the git config option seems best.

However, caution: it is called "--shared" not "--share". Also, from the man page:

       --shared[=(false|true|umask|group|all|world|everybody|0xxx)]
           Specify that the git repository is to be shared amongst several users. This allows users belonging to the same group to push into that repository. When specified, the config variable "core.sharedRepository" is set so that files and directories under $GIT_DIR are created with the requested permissions. When not specified, git will use permissions reported by umask(2).

       The option can have the following values, defaulting to group if no value is given:

       ·    umask (or false): Use permissions reported by umask(2). The default, when --shared is not specified.

       ·    group (or true): Make the repository group-writable, (and g+sx, since the git group may be not the primary group of all users). This is used to loosen the permissions of an otherwise safe umask(2) value. Note that the umask still applies to the other permission bits (e.g. if umask is 0022, using group will not remove read privileges from other (non-group) users). See 0xxx for how to exactly specify the repository permissions.

       ·    all (or world or everybody): Same as group, but make the repository readable by all users.

       ·    0xxx: 0xxx is an octal number and each file will have mode 0xxx. 0xxx will override users' umask(2) value (and not only loosen permissions as group and all does). 0640 will create a repository which is group-readable, but not group-writable or accessible to others. 0660 will create a repo that is readable and writable to the current user and group, but inaccessible to others.

Therefore, it does not seem that "2775" is an applicable mode. I suggest we simply use "--shared=group", since that is our intent (it will always be clearer to write an intent with a word than using obscure octal modes).
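As an added example (not code from the Rudder project or this ticket): a small Python audit that encodes the --shared semantics quoted from the man page above and walks a .git tree, reporting every entry whose mode is not what git init --shared=<value> would have produced. It is the check to run on a server where the repository was created before the package set its permissions, i.e. the situation this bug describes. The sample tree it builds is constructed for the demonstration, and the 0xxx branch uses a simplified "at least these bits" reading of the man page.

```python
import os
import stat
import tempfile

# Bits every entry under $GIT_DIR must carry per --shared value (man page above).
SHARED_BITS = {"umask": None, "false": None, "group": 0o660, "true": 0o660,
               "all": 0o664, "world": 0o664, "everybody": 0o664}

def required_bits(shared):
    """Bits for --shared=<value>; 0xxx is checked as 'at least these bits'."""
    if shared in SHARED_BITS:
        return SHARED_BITS[shared]          # None: leave umask's result alone
    mode = int(shared, 8)
    if (mode & 0o600) != 0o600:             # owner must always keep read+write
        raise ValueError("owner must keep rw in --shared=" + shared)
    return mode & 0o666                     # others never get write

def entry_ok(mode, is_dir, bits):
    """Check one st_mode. Directories also need execute wherever read is
    granted plus setgid (the man page's g+sx), so new files inherit the group."""
    if bits is None:
        return True
    want = bits
    if is_dir:
        want |= (bits & 0o444) >> 2 | stat.S_ISGID
    return (stat.S_IMODE(mode) & want) == want

def audit_repo(git_dir, shared):
    """Return entries under git_dir ('.' is the root) whose mode is not what
    'git init --shared=<value>' would have produced; empty means compliant."""
    bits, bad = required_bits(shared), []
    for root, _dirs, files in os.walk(git_dir):
        for path, is_dir in [(root, True)] + [(os.path.join(root, f), False) for f in files]:
            if not entry_ok(os.lstat(path).st_mode, is_dir, bits):
                bad.append(os.path.relpath(path, git_dir))
    return sorted(bad)

def build_sample(shared_init):
    """Constructed stand-in for .git (not a real repository): 0755/0644 as a
    root 'git init' under umask 022 leaves it, or 2775/0664 as --shared=group does."""
    git_dir = tempfile.mkdtemp()
    dmode, fmode = (0o2775, 0o664) if shared_init else (0o755, 0o644)
    os.makedirs(os.path.join(git_dir, "refs", "heads"))
    for name in ("HEAD", "config", "refs/heads/master"):
        open(os.path.join(git_dir, name), "w").close()
    for root, _dirs, files in os.walk(git_dir):
        os.chmod(root, dmode)
        for f in files:
            os.chmod(os.path.join(root, f), fmode)
    return git_dir
```

Running audit_repo against a repository initialised as root without --shared lists every directory and file, while one created with --shared=group comes back clean; with a 0xxx value that has no group write, only the directories are flagged, because they still lack the setgid bit.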

#4

Updated by Vincent MEMBRÉ over 9 years ago

  • Status changed from Discussion to Pending technical review
  • Assignee changed from Matthieu CERDA to Jonathan CLARKE
  • Pull Request set to https://github.com/Normation/rudder-packages/pull/429

#5

Updated by Matthieu CERDA over 9 years ago

I agree with jon :)

#6

Updated by Vincent MEMBRÉ over 9 years ago

  • Status changed from Pending technical review to Pending release
  • % Done changed from 0 to 100

Applied in changeset packages:commit:d1f710e27cf5bbc15d698b5145aa0ec67653c333.

#7

Updated by Jonathan CLARKE over 9 years ago

Applied in changeset packages:commit:63a75a119a35b10e0a3aa0cf56b218f041efaa27.

#8

Updated by Vincent MEMBRÉ over 9 years ago

  • Subject changed from "ncf-api_virtual has no rights on git if it was initiated after the package installation" to "correct permission on /var/rudder/configuration-repository so ncf-builder can write/delete techniques"

#9

Updated by Vincent MEMBRÉ over 9 years ago

  • Parent task set to #5172

#10

Updated by Vincent MEMBRÉ over 9 years ago

  • Status changed from Pending release to Released

This bug has been fixed in Rudder 2.11.0~rc1 (announcement, changelog), which was released today.
