Univention Bugzilla – Bug 29450
Checking for filesystem permissions... Test failed
Last modified: 2015-07-07 11:12:51 CEST
During the UCS 3.1 basic product tests, the following ucs-test failures were noticed:

master, backup, slave, member
Checking for filesystem permissions... Test failed
===
*** BEGIN *** ['/bin/bash', '25check-permissions'] ***
***Searching for files and directories with write permissions for other:
drwsrwsrwt 2 root root 4096 28. Nov 09:32 /cdrom
drwsrwsrwt 13 root root 4096 28. Nov 09:44 /etc/univention
drwsrwsrwt 2 root root 4096 28. Nov 09:32 /floppy
drwsrwsrwt 2 root root 4096 28. Nov 12:28 /var/cache/apt/archives/partial
drwsrwsrwt 2 root root 4096 28. Nov 12:26 /var/lib/apt/lists/partial
-rw-rw-rw- 2 root root 0 28. Nov 10:37 /var/run/backup.MainThread-16117
-rw-rw-rw- 2 root root 0 28. Nov 10:37 /var/run/umc-web-server.pid.lock
*** END *** 110 ***
===

Additionally:
master, backup, slave, member:
Check log files for errors and warnings... Test failed
===
***Searching for world-readable logfiles:
Some potentially sensitive log files are world-readable:
-rw-r--r-- 1 root root 2431 28. Nov 11:16 /var/log/ConsoleKit/history
-rw-r--r-- 1 root root 258 28. Nov 11:13 /var/log/pm-powersave.log
===
Sensitive logfiles are not world-readable... Unfixed expected
From Jenkins:
Standard output (STDOUT)
***Searching for files and directories with write permissions for other:
-rw-rw-rw- 2 root root 0 Mar 11 00:37 /var/run/ip36e4617a.MainThread-1314
-rw-rw-rw- 2 root root 0 Mar 11 00:37 /var/run/umc-web-server.pid.lock
(In reply to comment #1)
> ***Searching for files and directories with write permissions for other:
> -rw-rw-rw- 2 root root 0 Mar 11 00:37 /var/run/ip36e4617a.MainThread-1314
> -rw-rw-rw- 2 root root 0 Mar 11 00:37 /var/run/umc-web-server.pid.lock

Bug #25162

(In reply to comment #0)
> drwsrwsrwt 2 root root 4096 28. Nov 09:32 /cdrom
> drwsrwsrwt 13 root root 4096 28. Nov 09:44 /etc/univention
> drwsrwsrwt 2 root root 4096 28. Nov 09:32 /floppy
> drwsrwsrwt 2 root root 4096 28. Nov 12:28 /var/cache/apt/archives/partial
> drwsrwsrwt 2 root root 4096 28. Nov 12:26 /var/lib/apt/lists/partial

That should not be like this, but 0755 instead.

> Some potentially sensitive log files are world-readable:
> -rw-r--r-- 1 root root 2431 28. Nov 11:16 /var/log/ConsoleKit/history

Probably better to change to 060, because this contains user information.

> -rw-r--r-- 1 root root 258 28. Nov 11:13 /var/log/pm-powersave.log

AFAIK not sensitive.
(In reply to Florian Best from comment #0)
> -rw-rw-rw- 2 root root 0 28. Nov 10:37 /var/run/backup.MainThread-16117

The filter was extended to /var/run/*.MainThread-*.
> drwsrwsrwt 2 root root 4096 28. Nov 09:32 /cdrom
> drwsrwsrwt 13 root root 4096 28. Nov 09:44 /etc/univention
> drwsrwsrwt 2 root root 4096 28. Nov 09:32 /floppy
> drwsrwsrwt 2 root root 4096 28. Nov 12:28 /var/cache/apt/archives/partial
> drwsrwsrwt 2 root root 4096 28. Nov 12:26 /var/lib/apt/lists/partial

The installer now creates the directories explicitly with 0755, so that the directories listed above get correct permissions.
Fixed in 3.2: univention-installer 9.0.10-1.1073.201307031347

> -rw-r--r-- 1 root root 2431 28. Nov 11:16 /var/log/ConsoleKit/history

consolekit was patched so that the log file is created with 640 permissions.
Built for 3.2: consolekit 0.4.1-4.7.201307031354

>> -rw-r--r-- 1 root root 258 28. Nov 11:13 /var/log/pm-powersave.log
> AFAIK not sensitive.

Was not implemented.

The permission problems of the files under /var/run are handled via Bug 25162.
OK: svn11887 consolekit
FAIL: svn41953 Installer ucs_3.2-0-20130812090341-dvd-amd64.iso

apt is still world-writable:
# ls -ld /cdrom /etc/univention /floppy /var/cache/apt/archives/partial /var/lib/apt/lists/partial
drwxr-xr-x 2 root root 4096 12. Aug 11:36 /cdrom
drwxr-xr-x 12 root root 4096 12. Aug 21:13 /etc/univention
drwxr-xr-x 2 root root 4096 12. Aug 11:36 /floppy
drwsrwsrwt 2 root root 4096 12. Aug 15:37 /var/cache/apt/archives/partial
drwsrwsrwt 2 root root 4096 12. Aug 21:13 /var/lib/apt/lists/partial

There's also Bug #25162:
# ls -ld /var/run/*Main* /var/run/umc-*
-rw------- 2 root root 0 12. Aug 15:25 /var/run/master32.MainThread-1307
-rw------- 1 root root 5 12. Aug 15:25 /var/run/umc-server.pid
-rw------- 2 root root 0 12. Aug 15:25 /var/run/umc-server.pid.lock
-rw-rw-rw- 2 root root 0 12. Aug 15:25 /var/run/master32.MainThread-1312
-rw-r--r-- 1 root root 5 12. Aug 15:25 /var/run/umc-web-server.pid
-rw-rw-rw- 2 root root 0 12. Aug 15:25 /var/run/umc-web-server.pid.lock
An installation with the current DVD created the directories with correct permissions.

Fix: Set apt-directory permissions during update in r43268
univention-updater_9.0.9-2.1195.201308191337
FAIL: New installation with ucs_3.2-0-20130819115400-dvd-amd64.iso:
$ ls -ld /var/cache/apt/archives/partial /var/lib/apt/lists/partial
drwsrwsrwt 2 root root 4096 19. Aug 16:21 /var/cache/apt/archives/partial
drwsrwsrwt 2 root root 4096 19. Aug 16:28 /var/lib/apt/lists/partial
OK: On an upgrade 3.1-1 to 3.2-0 the permissions are now correct. FAIL: /cdrom, /floppy, /etc/univention are still 01777; this is especially problematic, since the root file system can be filled.
Observation: permissions are correct when installing with the i386 medium, but not with the amd64 DVD.
Permissions are now correct after new installations with univention-installer 9.0.17-7.1088.201308201514

Tested with:
ucs_3.2-0-20130820153720-dvd-amd64.iso
ucs_3.2-0-20130820153849-dvd-i386.iso

Updating also sets correct permissions with univention-updater 9.0.10-3.1198.201308201304
OK: amd64 3.2-0 new installation:
# ls -ld /var/lib/apt/lists/partial /var/cache/apt/archives/partial /etc/univention /floppy /cdrom
drwxr-xr-x 2 root root 4096 22. Aug 07:32 /cdrom
drwxr-xr-x 11 root root 4096 22. Aug 07:57 /etc/univention
drwxr-xr-x 2 root root 4096 22. Aug 07:32 /floppy
drwxr-xr-x 2 root root 4096 22. Aug 07:31 /var/cache/apt/archives/partial
drwxr-xr-x 2 root root 4096 22. Aug 07:57 /var/lib/apt/lists/partial

OK: i386 3.2-0 new installation:
# ls -ld /var/lib/apt/lists/partial /var/cache/apt/archives/partial /etc/univention /floppy /cdrom
drwxr-xr-x 2 root root 4096 22. Aug 07:35 /cdrom
drwxr-xr-x 11 root root 4096 22. Aug 07:57 /etc/univention
drwxr-xr-x 2 root root 4096 22. Aug 07:35 /floppy
drwxr-xr-x 2 root root 4096 22. Aug 07:34 /var/cache/apt/archives/partial
drwxr-xr-x 2 root root 4096 22. Aug 07:57 /var/lib/apt/lists/partial

OK: i386 3.1-1 already _before_ the update, as well as after it:
# ls -ld /var/lib/apt/lists/partial /var/cache/apt/archives/partial /etc/univention /floppy /cdrom
drwxr-xr-x 2 root root 4096 27. Mär 12:05 /cdrom
drwxr-xr-x 12 root root 4096 22. Aug 08:09 /etc/univention
drwxr-xr-x 2 root root 4096 27. Mär 12:05 /floppy
drwxr-xr-x 2 root root 4096 27. Mär 13:11 /var/cache/apt/archives/partial
drwxr-xr-x 2 root root 4096 22. Aug 08:15 /var/lib/apt/lists/partial

OK: amd64 3.1-1 before the update=07777, afterwards:
# ls -ld /var/lib/apt/lists/partial /var/cache/apt/archives/partial /etc/univention /floppy /cdrom
drwsr-sr-x 2 root root 4096 27. Mär 12:05 /cdrom
drwsr-sr-x 12 root root 4096 22. Aug 08:18 /etc/univention
drwsr-sr-x 2 root root 4096 27. Mär 12:05 /floppy
drwsr-sr-x 2 root root 4096 22. Aug 08:10 /var/cache/apt/archives/partial
drwsr-sr-x 2 root root 4096 22. Aug 08:18 /var/lib/apt/lists/partial

FYI: On amd64 the SUID and SGID bits are still set, but that is not critical. "chmod u=rwx-s,go=rx-s" would do that. From "man 7" on this:
| ... You can set or clear the bits with symbolic modes like u+s and g-s, and you can set (*but not clear*) the bits with a numeric mode.

OK: ChangeLog
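
Added example, not part of the original bug thread or of ucs-test: it flags paths that are world-writable or carry setuid/setgid bits, and resets a directory to rwxr-xr-x with symbolic chmod clauses, because a numeric mode cannot clear the special bits on a directory, as the chmod documentation quoted above states. The function names audit_modes, fix_dir_mode and demo and the temporary directories are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report). Function names are hypothetical.

# Print every given path that is writable by "other" or carries a
# setuid/setgid bit. -prune keeps find from descending into the path.
audit_modes() {
    for p in "$@"; do
        find "$p" -prune \( -perm -0002 -o -perm -4000 -o -perm -2000 \) -print
    done
}

# Reset a directory to rwxr-xr-x. Symbolic clauses are used because a
# numeric mode can set, but not clear, setuid/setgid on a directory.
# "a-t" (clear the sticky bit) is an addition made here; the command in
# the thread was "chmod u=rwx-s,go=rx-s".
fix_dir_mode() {
    chmod u=rwx-s,go=rx-s,a-t "$1"
}

# Demo on constructed directories inside a private temporary directory.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/partial" "$tmp/cdrom"
    chmod 7777 "$tmp/partial"   # constructed stand-in for drwsrwsrwt
    chmod 0755 "$tmp/cdrom"     # already correct
    echo "flagged before the fix:"
    audit_modes "$tmp/partial" "$tmp/cdrom"
    chmod 0755 "$tmp/partial"   # numeric mode: special bits may survive
    echo "after numeric 0755:"
    ls -ld "$tmp/partial"
    fix_dir_mode "$tmp/partial"
    echo "after symbolic fix:"
    ls -ld "$tmp/partial"
    rm -rf "$tmp"
}
demo
```
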
(In reply to Stefan Gohmann from comment #3)
> (In reply to Florian Best from comment #0)
> > -rw-rw-rw- 2 root root 0 28. Nov 10:37 /var/run/backup.MainThread-16117
>
> The filter was extended to /var/run/*.MainThread-*.

This remains unfixed: Any user can fill the FS for DOS. See Bug #25162 for that issue.
UCS 3.2 has been released:
http://docs.univention.de/release-notes-3.2-en.html
http://docs.univention.de/release-notes-3.2-de.html

If this error occurs again, please use "Clone This Bug".