Bug #3139
.htwritable not applied recursively to files when permissions are reseted in the Ibay panel
Status: | CLOSED | Start date: | ||
---|---|---|---|---|
Priority: | Normal | Due date: | ||
Assignee: | - | % Done: | 100% | |
Category: | nethserver-httpd | |||
Target version: | v6.6 | |||
Security class: | Resolution: | |||
Affected version: | v6.6-final | NEEDINFO: | No |
Description
Following that Tutorial http://community.nethserver.org/t/selfoss-rss-reader/730 I can see even if I set good values in the .htwritable, the files have not recursively the good ownership when I reset permissions in the Ibay panel
[root@nethserver-dev selfoss]# cat .htwritable public data data/cache data/favicons data/logs data/sqlite data/sqlite/selfoss.db data/thumbnails
In fact the /var/lib/nethserver/ibay/selfoss/data/sqlite/selfoss.db need to be writable by apache, since it is the sqlite database and also the /var/lib/nethserver/ibay/selfoss/data/logs/default.log
of course even if I set an apache ownership to these files I have an issue only when I reset permissions
chown apache:apache /var/lib/nethserver/ibay/selfoss/data/logs/default.log chown apache:apache /var/lib/nethserver/ibay/selfoss/data/sqlite/selfoss.db
look now permissions
[root@nethserver-dev selfoss]# getfacl /var/lib/nethserver/ibay/selfoss/data/sqlite/selfoss.db getfacl: Removing leading '/' from absolute path names # file: var/lib/nethserver/ibay/selfoss/data/sqlite/selfoss.db # owner: apache # group: apache user::rw- user:apache:r-- group::r-- mask::r-- other::--- [root@nethserver-dev selfoss]# getfacl /var/lib/nethserver/ibay/selfoss/data/logs/ default.log .htaccess [root@nethserver-dev selfoss]# getfacl /var/lib/nethserver/ibay/selfoss/data/logs/default.log getfacl: Removing leading '/' from absolute path names # file: var/lib/nethserver/ibay/selfoss/data/logs/default.log # owner: apache # group: apache user::rw- user:apache:r-- group::r-- mask::r-- other::---
I reset permissions and I have a ton of errors since now permissions are bad
[root@nethserver-dev selfoss]# getfacl /var/lib/nethserver/ibay/selfoss/data/sqlite/selfoss.db getfacl: Removing leading '/' from absolute path names # file: var/lib/nethserver/ibay/selfoss/data/sqlite/selfoss.db # owner: admin # group: locals user::rw- user:apache:r-- group::r-- mask::r-- other::--- [root@nethserver-dev selfoss]# getfacl /var/lib/nethserver/ibay/selfoss/data/logs/default.log getfacl: Removing leading '/' from absolute path names # file: var/lib/nethserver/ibay/selfoss/data/logs/default.log # owner: admin # group: locals user::rw- user:apache:r-- group::r-- mask::r-- other::---
This a major bug for me, permissions are not inherited, hard to set, each folders need to be specifically written , and files inside this folder have not the good ownership and permissions
Associated revisions
Ensure .htwritable paths are relative to ibay root. Refs #3139
Recurse into dir contents. Refs #3139
Skip .htwritable item if symlink. Refs #3139
History
#1 Updated by Giacomo Sanchietti over 6 years ago
- Category set to nethserver-ibays
- Status changed from NEW to TRIAGED
- Target version set to v6.6
- % Done changed from 0 to 20
#2 Updated by Giacomo Sanchietti over 6 years ago
- Category changed from nethserver-ibays to nethserver-httpd
#3 Updated by Giacomo Sanchietti over 6 years ago
- Affected version set to v6.6-final
#4 Updated by Davide Principi over 6 years ago
- Status changed from TRIAGED to ON_DEV
- Assignee set to Davide Principi
- % Done changed from 20 to 30
#5 Updated by Davide Principi over 6 years ago
- Status changed from ON_DEV to MODIFIED
- Assignee deleted (
Davide Principi) - % Done changed from 30 to 60
The recursive behaviour must be handled with care. I added some checks on each .htwritable
item.
Test case 1
Check the bug is not reproducible, check setfacl
acts recursively ignoring symlinks.
Test case 2
Each item must resolve to a sub directory of the ibay. There must be no way to circumvent this rule. Thus specifying a
- file
- relative path (containing
..
) - symlink pointing out of the ibay
- [any other way to cheat]
must produce a warning message.
#6 Updated by Davide Principi over 6 years ago
In nethserver-testing
#7 Updated by Davide Principi over 6 years ago
- Status changed from MODIFIED to ON_QA
- % Done changed from 60 to 70
In nethserver-testing:
nethserver-httpd-2.4.0-1.3.gc38287d.ns6.noarch.rpm
#8 Updated by stephane de Labrusse over 6 years ago
I will verify this bug, let me for me please
#9 Updated by stephane de Labrusse over 6 years ago
not yet on the server....is it normal
#10 Updated by Stefano Fancello over 6 years ago
Test case 2 VERIFIED with:
- symlink
- variable
- relative path
... Stephane help me cheating :)
#11 Updated by Stefano Fancello over 6 years ago
writing in .htwritable
data.*
and resetting permissions, I've got errors when trying to reset permissions again or creating another ibay:
Resetting permissions:
May 5 18:28:16 makako httpd-admin: [ERROR] Nethgui\System\NethPlatform: process on queue `post-process` exited with code 1: /usr/libexec/neth server/ptrack -j -s '/var/run/ptrack/59d073999a059bd6b91dc8044de3f131.sock' -d '/var/spool/ptrack/a98664b8fc13de69.dump' -- /usr/bin/sudo -n /sbin/e-smith/signal-event 'ibay-reset-permissions' 'selfos' May 5 18:28:16 makako httpd-admin: [EXCEPTION] RuntimeException 1405613538: Nethgui\Model\SystemTasks: could not open dump file /var/spool/pt rack/a98664b8fc13de69.dump (in /usr/share/nethesis/Nethgui/Model/SystemTasks.php:141)
Creating a new ibay:
May 5 18:31:20 makako httpd-admin: [ERROR] Nethgui\System\NethPlatform: process on queue `post-process` exited with code 1: /usr/libexec/nethserver/ptrack -j -s '/var/run/ptrack/0bf8663198a88da4902f7b8f2f2b295e.sock' -d '/var/spool/ptrack/ebf415e616ff5a0c.dump' -- /usr/bin/sudo -n /sbin/e-smith/signal-event 'ibay-reset-permissions' 'selfos' May 5 18:31:20 makako httpd-admin: [EXCEPTION] RuntimeException 1405613538: Nethgui\Model\SystemTasks: could not open dump file /var/spool/ptrack/ebf415e616ff5a0c.dump (in /usr/share/nethesis/Nethgui/Model/SystemTasks.php:141)
errors persist after removing "data.*" from .htwritable
#12 Updated by stephane de Labrusse over 6 years ago
i'm on it, i have installed the rpm
#13 Updated by stephane de Labrusse over 6 years ago
I don't know if it is wanted but when I set the .htwritablepublic
data data/cache data/favicons data/logs data/sqlite data/thumbnails
indeed my data/sqlite/selfoss.db gets the good ownership
# getfacl data/sqlite/* # file: data/sqlite/selfoss.db # owner: apache # group: locals user::rw- user:apache:rwx #effective:rw- group::r-x #effective:r-- mask::rw- other::---
but when I set to the .htwritable
public
data
then the ownership now is
# getfacl data/sqlite/* # file: data/sqlite/selfoss.db # owner: admin # group: locals user::rw- user:apache:r-- group::r-- mask::r-- other::---
I understood that now we can have some recursively permissions without the need to list all directories ???
i look to directory we have the same problem
with .htwritable like this
public data data/cache data/favicons data/logs data/sqlite data/thumbnails
i have for the subfolder sqlite
# getfacl data/sqlite # file: data/sqlite # owner: admin # group: locals # flags: -s- user::rwx user:apache:rwx group::r-x mask::rwx other::--- default:user::rwx default:user:apache:rwx default:group::r-x default:mask::rwx default:other::---
and if i set the .htwritable to
public data
i have these permissions
# file: data/sqlite # owner: admin # group: locals # flags: -s- user::rwx user:apache:r-x group::r-x mask::r-x other::--- default:user::rwx default:user:apache:r-x default:group::r-x default:mask::r-x default:other::---
I don't know if it is what you want but clearly it is not what I would want :)
One folder listed as the root folder should be enough for all subdirectories and files, but I agree if you need you could have some exemptions if you want to be able to forbid some directories.
Since stello has seen some errors, do I continue to test ?
#14 Updated by stephane de Labrusse over 6 years ago
- rpm -qa nethserver-httpd
nethserver-httpd-2.4.0-1.3.gc38287d.ns6.noarch
#15 Updated by stephane de Labrusse over 6 years ago
rpm -qa nethserver-httpd nethserver-httpd-2.4.0-1.3.gc38287d.ns6.noarch
- Case : only root folder are listed in /htwritable ---->OK
# cat .htwritable public data
now my db sqlite gets the good ownership
# getfacl data/sqlite/* # file: data/sqlite/selfoss.db # owner: apache # group: locals user::rw- user:apache:rwx #effective:rw- group::r-x #effective:r-- mask::rw- other::---
same for folder inside created after the reset
# file: data/sqlite/toto # owner: root # group: locals # flags: -s- user::rwx user:apache:rwx group::r-x mask::rwx other::--- default:user::rwx default:user:apache:rwx default:group::r-x default:mask::rwx default:other::---
- Case ownership of symlinks ------->OK
mkdir /tmp/tata touch /tmp/plop ln -s /tmp/tata data/sqlite/tata ln -s /tmp/plop data/sqlite/plop
then when I reset
# file: data/sqlite/tata # owner: root # group: root user::rwx group::r-x other::r-x # file: data/sqlite/plop # owner: root # group: root user::rw- group::r-- other::r--
IF I resume well, now recursively is good and sysmlink are not allowed
How I can test for 'variable' and 'relative path' ?????
#16 Updated by stephane de Labrusse about 6 years ago
How I can test for 'variable' and 'relative path' ?????
No idea ?
#17 Updated by Davide Principi about 6 years ago
For "Relative path" I was thinking about
../../etc/passwd
"Variable", I don't know. The list is passed to setfacl
as STDIN data. Shell is not involved.
#18 Updated by Giacomo Sanchietti about 6 years ago
- Assignee set to stephane de Labrusse
#19 Updated by stephane de Labrusse about 6 years ago
well to continue previous tests about https://dev.nethserver.org/issues/3139#note-15 I tested now relative path directly in .htwritable
mkdir ../../plop-folder touch ../../plop
we can see them now
ll ../../ total 24 drwxr-xr-x. 2 root root 4096 May 7 00:15 backup drwxr-s---. 2 root adm 4096 May 6 10:57 db drwxr-xr-x. 3 root root 4096 May 6 10:20 home drwxr-xr-x. 3 root root 4096 May 6 10:22 ibay -rw-r--r--. 1 root root 0 May 14 09:09 plop drwxr-xr-x. 2 root root 4096 May 14 09:10 plop-folder drwxr-xr-x. 2 root root 4096 May 6 10:20 secrets
and look with getfacl
getfacl ../../plop # file: ../../plop # owner: root # group: root user::rw- group::r-- other::r-- getfacl ../../plop-folder # file: ../../plop-folder # owner: root # group: root user::rwx group::r-x other::r-x
I edit the .htwritable and add
cat .htwritable public data ../../plop-folder ../../plop
then I reset permission with the I bay panel
getfacl ../../plop # file: ../../plop # owner: root # group: root user::rw- group::r-- other::r-- getfacl ../../plop-folder # file: ../../plop-folder # owner: root # group: root user::rwx group::r-x other::r-x
well it seems ok concerning
files and folder creation, keeps also good ownership after a reset
folder and file link are not allowed to apache
relative link written in .htwritable are also not allowed to apache
===> seems verified, it needs now a textarea :)
#20 Updated by Giacomo Sanchietti about 6 years ago
- Status changed from ON_QA to VERIFIED
- Assignee deleted (
stephane de Labrusse) - % Done changed from 70 to 90
#21 Updated by Giacomo Sanchietti about 6 years ago
- Status changed from VERIFIED to CLOSED
- % Done changed from 90 to 100
- nethserver-httpd-2.4.1-1.ns6.noarch.rpm