Bug 50852 - No share access on a teachers pc after a finished exam
Status: CLOSED FIXED
Product: UCS@school
Classification: Unclassified
Component: UMC - Exam mode
Version: UCS@school 4.4
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS@school 4.4 v5-errata
Assigned To: Ole Schwiegert
QA Contact: Tobias Wenzel
Depends on:
Blocks: 50968
Reported: 2020-02-25 14:14 CET by Christina Scheinig
Modified: 2020-04-20 16:04 CEST (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.286
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2020020621000159, 2020021721000307
Bug group (optional):
Max CVSS v3 score:
requate: Patch_Available+


Attachments
simple patch (680 bytes, patch)
2020-03-09 22:04 CET, Jürn Brodersen

Description Christina Scheinig univentionstaff 2020-02-25 14:14:47 CET
The customer has a problem with the share access on a teacher's PC after an exam is finished.
After the end of the exam, shares are no longer accessible to anyone except MyFiles. This state remains unchanged even after a restart and different logins.

Remedy so that subsequent instruction with access to all shares is possible.
Simplest scenario: Log on to the teacher's workstation with a student account. Then log on to the UCS WebFrontEnd with a teacher account and start a test class and finish it immediately. All shares are immediately available.

Computer login teacher, UCS login teacher = share problems
Computer login student, UCS login teacher = Everything o.k.

Under ucs@school and computer room the logged in teacher cannot change any shares of a computer if the login behaviour is the same. Under student login this is no problem.

Additionally:
The IP address of the teacher's computer is entered into the UCR - 
samba/othershares/hosts/deny and 
samba/share/Marketplace/hosts/deny 
with the IP addresses of the student computers, but when the exam is finished, only the IP addresses of the student computers are logged out, the IP address of the teacher computer remains.

Unfortunately I could not reproduce this in my test environment.
But I could see that the teacher's PC was also listed in the computer room like the students' PCs. And the IP address of the teacher's PC is set in the mentioned UCR variables as well, but after finishing the exam, the variables are completely cleared.
Comment 1 Erik Damrose univentionstaff 2020-02-25 14:59:24 CET
Which UCS and UCS@school version are in use in the domain that has the issue?
Comment 2 Christina Scheinig univentionstaff 2020-02-25 16:16:48 CET
(In reply to Erik Damrose from comment #1)
> Which UCS and UCS@school version are in use in the domain that has the issue?

UCS: 4.4-3 errata454
Installed: cups=2.2.1 dhcp-server=12.0 prometheus-node-exporter=1.1 samba4=4.10 squid=3.5 ucsschool=4.4 v4
Upgradable:

ucs-school-slave:
  Installiert:           12.0.2-6A~4.4.0.201912051307
  Installationskandidat: 12.0.2-6A~4.4.0.201912051307
Comment 3 Dirk Schnick univentionstaff 2020-02-27 08:57:21 CET
A second customer (PaedML) reports the problem with a hanging teacher computer (Ticket 2020021721000307).
Problem occurs no matter which PC the teacher logs on to. If an admin logs on to the teacher PC the problem does not occur (we will test whether it also does not occur if a student is logged on to the teacher PC). A wrong class is entered in the marketplace.

UCS: 4.3-5 errata626
Installed: cups=2.2.1 dhcp-server=12.0 horde=5.2.17-2 nagios=4.3 samba4=4.7 squid=3.5 ucsschool=4.3 v9
Comment 4 Dirk Schnick univentionstaff 2020-02-27 11:30:34 CET
Customer did the following test:
1.
- Start KA mode on PC A as a teacher and exit normally
- Log off teacher after finishing KA
- logon and logoff student on PC A
- Re-logon teacher check share access
--> No access to share
2.
- Logon and Logoff student on PC A
- Restart the PC
- Re-logon teacher and check share access
--> No access to share

3.
- Log administrator on and off the PC A
- Restart the PC
- Re-logon teacher and check share access
--> No access to share

Seems to be different to first customer
Comment 5 Dirk Schnick univentionstaff 2020-03-06 12:22:19 CET
Need to correct the description:
- Share Access works normally before starting KA.
- Start KA mode on PC A as a teacher and exit normally
- Log off teacher after finishing KA

then customer did these tests:
 
> 1.
> - logon and logoff student on PC A
> - Re-logon teacher check share access
> --> No access to share
>
> 2.
> - Logon and Logoff student on PC A
> - Restart the PC
> - Re-logon teacher and check share access
> --> No access to share
> 
> 3.
> - Log administrator on and off the PC A
> - Restart the PC
> - Re-logon teacher and check share access
> --> No access to share

Customer asks for patch today.
Comment 6 Michel Smidt 2020-03-06 16:27:24 CET
I set "Who will be affected by this bug?" to "Will affect a very few installed domains", because I think that only very few domains are really affected. Irrespective of the fact that it has really unpleasant impacts.
Feel free to discuss it.
Comment 7 Michel Smidt 2020-03-06 16:35:38 CET
(In reply to Michel Smidt from comment #6)
> I set "Who will be affected by this bug?" to "Will affect a very few
> installed domains", because I think that only very few domains are really
> affected. Irrespective of the fact that it has really unpleasant impacts.
> Feel free to discuss it.

Sorry wrong Bug.
Comment 9 Jürn Brodersen univentionstaff 2020-03-09 22:09:44 CET
Ignore comment 8, copy paste gone wrong...


I guess this is a regression from bug 50083.

As described in bug 41752, it might take a second for iTalc to connect to the computers in a room. As long as iTalc isn't connected, the computer is considered a student's computer and the share restrictions are applied. Later, when a teacher stops the exam, iTalc has connected and the teacher computer is therefore detected. But the share restrictions aren't lifted because they shouldn't have been applied in the first place.

With the fix of bug 50083 a subprocess call was removed which might have given iTalc enough time to connect to the computers and detect the teacher's computer.


How to reproduce:
I didn't really try to reproduce the race condition, but this can also be reproduced as follows:
1) Add computer A to room A
2) Start exam in room A from computer B
3) computer A is now in "samba/share/Marktplatz/hosts/deny"
4) Login as a teacher on computer A
5) Stop the exam
6) computer A has not been removed from "samba/share/Marktplatz/hosts/deny"

Quick fix:
Reset all computers in the room (see patch)

We should also check if we can improve the detection of a teacher computer (see also bug 48080)
Comment 10 Christina Scheinig univentionstaff 2020-03-10 16:06:27 CET
I tested the patch in the paedml environment and it fixed the problem.
Thank you for the fast fix
Comment 11 Christina Scheinig univentionstaff 2020-03-12 09:31:35 CET
The patch also fixed the problem in the other environment!
Comment 12 Ole Schwiegert univentionstaff 2020-03-16 10:06:06 CET
The bugfix is implemented in oschwieg/4.4/50852
The backport for 4.3 will be handled in Bug #50968

Instead of using iTalc to fetch the ip addresses of all computers in the room we now use the ComputerRoom school object and fetch all hosts, excluding computers marked as teacher computers.

That means: It is not important where the teacher is logged in, it only matters which computers are configured to be teacher computers in the room management module (as it is documented in the manual).

Please QA on the branch and REOPEN for merge&build.
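
The stale deny entry described in comment 9, together with the quick fix from comment 9 and the configuration-based selection from comment 12, as an added model that is not UCS@school code. The `Computer` and `Room` classes, the helper names and the IP addresses are constructed for illustration; only the UCR variable name is taken from the report.

```python
# Constructed model of the exam-mode deny list; not UCS@school code.
from dataclasses import dataclass, field

DENY_KEY = "samba/share/Marktplatz/hosts/deny"  # UCR variable named in comment 9


@dataclass
class Computer:
    ip: str                           # constructed sample address
    teacher_configured: bool = False  # marked as teacher computer in room management
    teacher_detected: bool = False    # result of a live probe (iTalc in the report)


@dataclass
class Room:
    computers: list
    ucr: dict = field(default_factory=lambda: {DENY_KEY: set()})


def by_detection(room):
    """Pre-fix selection: every host not currently detected as teacher PC."""
    return {c.ip for c in room.computers if not c.teacher_detected}


def by_config(room):
    """Post-fix selection: every host not configured as teacher PC."""
    return {c.ip for c in room.computers if not c.teacher_configured}


def run_exam(select, reset_all_on_stop=False):
    """Start and stop one exam; return what is left in the deny list."""
    teacher = Computer("10.0.0.10", teacher_configured=True)
    student = Computer("10.0.0.11")
    room = Room([teacher, student])

    room.ucr[DENY_KEY] |= select(room)  # exam start: probe not connected yet
    teacher.teacher_detected = True     # probe connects, teacher PC now detected

    # Exam stop: the quick fix resets every host in the room; otherwise only
    # the hosts the selector returns *now* are removed.
    to_clear = {c.ip for c in room.computers} if reset_all_on_stop else select(room)
    room.ucr[DENY_KEY] -= to_clear
    return room.ucr[DENY_KEY]


if __name__ == "__main__":
    print("detection:", run_exam(by_detection))
    print("quick fix:", run_exam(by_detection, reset_all_on_stop=True))
    print("config:   ", run_exam(by_config))
```

With the detection-based selector, the set of hosts added at exam start differs from the set removed at exam stop, which is why the teacher PC's address stays in the deny list.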
Comment 13 Tobias Wenzel univentionstaff 2020-04-16 11:42:00 CEST
QA -> all ok (code & functionality)

please merge&build

[oschwieg/4.4/50852] d32423282 Bug #50852: Exempt teacher computers from computerroom settings changes

ucsschool 4.4, Two Windows clients, which are in a computer room. One is a teacher's pc, the other one isn't.


Before the patch:
After KA start, both computers are in ucrv.
After KA finish, the teacher's computer remains in ucrv.

After the patch: 
After KA start, the student's computer is in the ucrv, the teacher's computer is left out. It doesn't matter whether the teacher was logged in before or not.
After the KA is finished, the student pc is removed, too (like before).
Comment 14 Ole Schwiegert univentionstaff 2020-04-16 11:55:10 CEST
Package: ucs-school-umc-computerroom
Version: 11.0.0-18A~4.4.0.202004161150
Branch: ucs_4.4-0
Scope: ucs-school-4.4

Advisory added.
Comment 15 Tobias Wenzel univentionstaff 2020-04-16 12:02:37 CEST
QA -> Merge & YAML OK
Comment 16 Daniel Tröder univentionstaff 2020-04-20 16:04:23 CEST
Released as an errata update to ucsschool 4.4 v5.

https://docs.software-univention.de/changelog-ucsschool-4.4v5-de.html#changelog:ucsschool:2020-04-20