Bug #3139

« Previous | Next »

.htwritable not applied recursively to files when permissions are reseted in the Ibay panel

Added by stephane de Labrusse over 6 years ago. Updated about 6 years ago.

Status:CLOSEDStart date:
Priority:NormalDue date:
Assignee:-% Done:

100%

Category:nethserver-httpd
Target version:v6.6
Security class: Resolution:
Affected version:v6.6-final NEEDINFO:No

Description

Following that Tutorial http://community.nethserver.org/t/selfoss-rss-reader/730 I can see even if I set good values in the .htwritable, the files have not recursively the good ownership when I reset permissions in the Ibay panel

[root@nethserver-dev selfoss]# cat .htwritable 
public
data
data/cache
data/favicons
data/logs
data/sqlite
data/sqlite/selfoss.db
data/thumbnails

In fact the /var/lib/nethserver/ibay/selfoss/data/sqlite/selfoss.db need to be writable by apache, since it is the sqlite database and also the /var/lib/nethserver/ibay/selfoss/data/logs/default.log

of course even if I set an apache ownership to these files I have an issue only when I reset permissions

chown apache:apache /var/lib/nethserver/ibay/selfoss/data/logs/default.log
chown apache:apache /var/lib/nethserver/ibay/selfoss/data/sqlite/selfoss.db

look now permissions
[root@nethserver-dev selfoss]# getfacl /var/lib/nethserver/ibay/selfoss/data/sqlite/selfoss.db
getfacl: Removing leading '/' from absolute path names
# file: var/lib/nethserver/ibay/selfoss/data/sqlite/selfoss.db
# owner: apache
# group: apache
user::rw-
user:apache:r--
group::r--
mask::r--
other::---

[root@nethserver-dev selfoss]# getfacl /var/lib/nethserver/ibay/selfoss/data/logs/
default.log  .htaccess    
[root@nethserver-dev selfoss]# getfacl /var/lib/nethserver/ibay/selfoss/data/logs/default.log 
getfacl: Removing leading '/' from absolute path names
# file: var/lib/nethserver/ibay/selfoss/data/logs/default.log
# owner: apache
# group: apache
user::rw-
user:apache:r--
group::r--
mask::r--
other::---

I reset permissions and I have a ton of errors since now permissions are bad

[root@nethserver-dev selfoss]# getfacl /var/lib/nethserver/ibay/selfoss/data/sqlite/selfoss.db
getfacl: Removing leading '/' from absolute path names
# file: var/lib/nethserver/ibay/selfoss/data/sqlite/selfoss.db
# owner: admin
# group: locals
user::rw-
user:apache:r--
group::r--
mask::r--
other::---

[root@nethserver-dev selfoss]# getfacl /var/lib/nethserver/ibay/selfoss/data/logs/default.log 
getfacl: Removing leading '/' from absolute path names
# file: var/lib/nethserver/ibay/selfoss/data/logs/default.log
# owner: admin
# group: locals
user::rw-
user:apache:r--
group::r--
mask::r--
other::---

This a major bug for me, permissions are not inherited, hard to set, each folders need to be specifically written , and files inside this folder have not the good ownership and permissions

Associated revisions

Revision 988294b9
Added by Davide Principi over 6 years ago

Ensure .htwritable paths are relative to ibay root. Refs #3139

Revision 46acb2c2
Added by Davide Principi over 6 years ago

Recurse into dir contents. Refs #3139

Revision c38287d5
Added by Davide Principi over 6 years ago

Skip .htwritable item if symlink. Refs #3139

History

#1 Updated by Giacomo Sanchietti over 6 years ago

  • Category set to nethserver-ibays
  • Status changed from NEW to TRIAGED
  • Target version set to v6.6
  • % Done changed from 0 to 20

#2 Updated by Giacomo Sanchietti over 6 years ago

  • Category changed from nethserver-ibays to nethserver-httpd

#3 Updated by Giacomo Sanchietti over 6 years ago

  • Affected version set to v6.6-final

#4 Updated by Davide Principi over 6 years ago

  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Davide Principi
  • % Done changed from 20 to 30

#5 Updated by Davide Principi over 6 years ago

  • Status changed from ON_DEV to MODIFIED
  • Assignee deleted (Davide Principi)
  • % Done changed from 30 to 60

The recursive behaviour must be handled with care. I added some checks on each .htwritable item.

Test case 1

Check the bug is not reproducible, check setfacl acts recursively ignoring symlinks.

Test case 2

Each item must resolve to a sub directory of the ibay. There must be no way to circumvent this rule. Thus specifying a

  • file
  • relative path (containing ..)
  • symlink pointing out of the ibay
  • [any other way to cheat]

must produce a warning message.

#6 Updated by Davide Principi over 6 years ago

In nethserver-testing

#7 Updated by Davide Principi over 6 years ago

  • Status changed from MODIFIED to ON_QA
  • % Done changed from 60 to 70

In nethserver-testing:
nethserver-httpd-2.4.0-1.3.gc38287d.ns6.noarch.rpm

#8 Updated by stephane de Labrusse over 6 years ago

I will verify this bug, let me for me please

#9 Updated by stephane de Labrusse over 6 years ago

not yet on the server....is it normal

#10 Updated by Stefano Fancello over 6 years ago

Test case 1 VERIFIED
Test case 2 VERIFIED with:
  • symlink
  • variable
  • relative path
    ... Stephane help me cheating :)

#11 Updated by Stefano Fancello over 6 years ago

writing in .htwritable

data.*

and resetting permissions, I've got errors when trying to reset permissions again or creating another ibay:
Resetting permissions:
May  5 18:28:16 makako httpd-admin: [ERROR] Nethgui\System\NethPlatform: process on queue `post-process` exited with code 1: /usr/libexec/neth
server/ptrack  -j -s '/var/run/ptrack/59d073999a059bd6b91dc8044de3f131.sock' -d '/var/spool/ptrack/a98664b8fc13de69.dump'  -- /usr/bin/sudo -n
 /sbin/e-smith/signal-event 'ibay-reset-permissions' 'selfos'
May  5 18:28:16 makako httpd-admin: [EXCEPTION] RuntimeException 1405613538: Nethgui\Model\SystemTasks: could not open dump file /var/spool/pt
rack/a98664b8fc13de69.dump (in /usr/share/nethesis/Nethgui/Model/SystemTasks.php:141)

Creating a new ibay:

May  5 18:31:20 makako httpd-admin: [ERROR] Nethgui\System\NethPlatform: process on queue `post-process` exited with code 1: /usr/libexec/nethserver/ptrack  -j -s '/var/run/ptrack/0bf8663198a88da4902f7b8f2f2b295e.sock' -d '/var/spool/ptrack/ebf415e616ff5a0c.dump'  -- /usr/bin/sudo -n /sbin/e-smith/signal-event 'ibay-reset-permissions' 'selfos'
May  5 18:31:20 makako httpd-admin: [EXCEPTION] RuntimeException 1405613538: Nethgui\Model\SystemTasks: could not open dump file /var/spool/ptrack/ebf415e616ff5a0c.dump (in /usr/share/nethesis/Nethgui/Model/SystemTasks.php:141)

errors persist after removing "data.*" from .htwritable

#12 Updated by stephane de Labrusse over 6 years ago

i'm on it, i have installed the rpm

#13 Updated by stephane de Labrusse over 6 years ago

I don't know if it is wanted but when I set the .htwritablepublic

data
data/cache
data/favicons
data/logs
data/sqlite
data/thumbnails

indeed my data/sqlite/selfoss.db gets the good ownership

# getfacl data/sqlite/*
# file: data/sqlite/selfoss.db
# owner: apache
# group: locals
user::rw-
user:apache:rwx            #effective:rw-
group::r-x            #effective:r--
mask::rw-
other::---

but when I set to the .htwritable
public
data

then the ownership now is

# getfacl data/sqlite/*
# file: data/sqlite/selfoss.db
# owner: admin
# group: locals
user::rw-
user:apache:r--
group::r--
mask::r--
other::---

I understood that now we can have some recursively permissions without the need to list all directories ???

i look to directory we have the same problem

with .htwritable like this

public
data
data/cache
data/favicons
data/logs
data/sqlite
data/thumbnails

i have for the subfolder sqlite
# getfacl data/sqlite
# file: data/sqlite
# owner: admin
# group: locals
# flags: -s-
user::rwx
user:apache:rwx
group::r-x
mask::rwx
other::---
default:user::rwx
default:user:apache:rwx
default:group::r-x
default:mask::rwx
default:other::---

and if i set the .htwritable to 

public
data

i have these permissions

# file: data/sqlite
# owner: admin
# group: locals
# flags: -s-
user::rwx
user:apache:r-x
group::r-x
mask::r-x
other::---
default:user::rwx
default:user:apache:r-x
default:group::r-x
default:mask::r-x
default:other::---

I don't know if it is what you want but clearly it is not what I would want :)

One folder listed as the root folder should be enough for all subdirectories and files, but I agree if you need you could have some exemptions if you want to be able to forbid some directories.

Since stello has seen some errors, do I continue to test ?

#14 Updated by stephane de Labrusse over 6 years ago

sorry I have not installed the good version of rpm, I'm now testing the version :
  1. rpm -qa nethserver-httpd
    nethserver-httpd-2.4.0-1.3.gc38287d.ns6.noarch

#15 Updated by stephane de Labrusse over 6 years ago

rpm -qa nethserver-httpd
nethserver-httpd-2.4.0-1.3.gc38287d.ns6.noarch
  • Case : only root folder are listed in /htwritable ---->OK
# cat .htwritable 
public
data

now my db sqlite gets the good ownership

# getfacl data/sqlite/*
# file: data/sqlite/selfoss.db
# owner: apache
# group: locals
user::rw-
user:apache:rwx            #effective:rw-
group::r-x            #effective:r--
mask::rw-
other::---

same for folder inside created after the reset

# file: data/sqlite/toto
# owner: root
# group: locals
# flags: -s-
user::rwx
user:apache:rwx
group::r-x
mask::rwx
other::---
default:user::rwx
default:user:apache:rwx
default:group::r-x
default:mask::rwx
default:other::---

  • Case ownership of symlinks ------->OK
mkdir /tmp/tata
touch /tmp/plop
ln -s /tmp/tata data/sqlite/tata
ln -s /tmp/plop data/sqlite/plop

then when I reset

# file: data/sqlite/tata
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

# file: data/sqlite/plop
# owner: root
# group: root
user::rw-
group::r--
other::r--

IF I resume well, now recursively is good and sysmlink are not allowed

How I can test for 'variable' and 'relative path' ?????

#16 Updated by stephane de Labrusse about 6 years ago

How I can test for 'variable' and 'relative path' ?????

No idea ?

#17 Updated by Davide Principi about 6 years ago

For "Relative path" I was thinking about

../../etc/passwd

"Variable", I don't know. The list is passed to setfacl as STDIN data. Shell is not involved.

#18 Updated by Giacomo Sanchietti about 6 years ago

  • Assignee set to stephane de Labrusse

#19 Updated by stephane de Labrusse about 6 years ago

well to continue previous tests about https://dev.nethserver.org/issues/3139#note-15 I tested now relative path directly in .htwritable

mkdir ../../plop-folder
touch ../../plop

we can see them now
ll ../../
total 24
drwxr-xr-x. 2 root root 4096 May  7 00:15 backup
drwxr-s---. 2 root adm  4096 May  6 10:57 db
drwxr-xr-x. 3 root root 4096 May  6 10:20 home
drwxr-xr-x. 3 root root 4096 May  6 10:22 ibay
-rw-r--r--. 1 root root    0 May 14 09:09 plop
drwxr-xr-x. 2 root root 4096 May 14 09:10 plop-folder
drwxr-xr-x. 2 root root 4096 May  6 10:20 secrets

and look with getfacl

 getfacl ../../plop
# file: ../../plop
# owner: root
# group: root
user::rw-
group::r--
other::r--

  getfacl ../../plop-folder
# file: ../../plop-folder
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

I edit the .htwritable and add

cat .htwritable
public
data
../../plop-folder
../../plop

then I reset permission with the I bay panel

getfacl ../../plop
# file: ../../plop
# owner: root
# group: root
user::rw-
group::r--
other::r--

getfacl ../../plop-folder
# file: ../../plop-folder
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

well it seems ok concerning

files and folder creation, keeps also good ownership after a reset
folder and file link are not allowed to apache
relative link written in .htwritable are also not allowed to apache

===> seems verified, it needs now a textarea :)

#20 Updated by Giacomo Sanchietti about 6 years ago

  • Status changed from ON_QA to VERIFIED
  • Assignee deleted (stephane de Labrusse)
  • % Done changed from 70 to 90

#21 Updated by Giacomo Sanchietti about 6 years ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100
Released in nethserver-updates:
  • nethserver-httpd-2.4.1-1.ns6.noarch.rpm

Also available in: Atom PDF