Bug 35368 - Listener module cups-printers.py doesn't set uid(0) when loading UCR handlers
Listener module cups-printers.py doesn't set uid(0) when loading UCR handlers
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: UCR
UCS 3.2
Other Linux
: P5 normal (vote)
: UCS 3.2-3-errata
Assigned To: Felix Botner
Stefan Gohmann
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2014-07-15 15:28 CEST by Florian Best
Modified: 2014-09-10 17:34 CEST (History)
3 users (show)

See Also:
What kind of report is it?: ---
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Attachments
Skip writing cache if process has no write permission (1.44 KB, patch)
2014-08-28 16:04 CEST, Philipp Hahn
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Florian Best univentionstaff 2014-07-15 15:28:09 CEST
15.07.14 15:25:57.138  LISTENER    ( ERROR   ) : import of filename=/usr/lib/univention-directory-listener/system/cups-printers.py failed
Traceback (most recent call last):
  File "/usr/lib/univention-directory-listener/system/cups-printers.py", line 42, in <module>
    ucr_handlers.load()
  File "/usr/lib/pymodules/python2.6/univention/config_registry/handler.py", line 530, in load
    self.update()
  File "/usr/lib/pymodules/python2.6/univention/config_registry/handler.py", line 702, in update
    self._save_cache()
  File "/usr/lib/pymodules/python2.6/univention/config_registry/handler.py", line 742, in _save_cache
    cache_file = open(ConfigHandlers.CACHE_FILE, 'w')
IOError: [Errno 13] Permission denied: '/var/cache/univention-config/cache'

Seems that ucr_handlers.load() has a side effect of caching things so that it writes to a cache file which is only writeable by root.

If this error should be handlded in UCR directly please change the component.

Workaround is:
--- /usr/lib/univention-directory-listener/system/cups-printers.py.old  2014-07-15 15:31:33.536000000 +0200
+++ /usr/lib/univention-directory-listener/system/cups-printers.py      2014-07-15 15:28:45.160000000 +0200
@@ -39,7 +39,9 @@
 ## for the ucr commit below in postrun we need ucr configHandlers
 from univention.config_registry import configHandlers
 ucr_handlers = configHandlers()
+listener.setuid(0)
 ucr_handlers.load()
+listener.unsetuid()
 from univention.config_registry.interfaces import Interfaces
 interfaces = Interfaces(listener.configRegistry)
Comment 1 Philipp Hahn univentionstaff 2014-07-16 09:01:35 CEST
(In reply to Florian Best from comment #0)
> Workaround is:
...
>  from univention.config_registry import configHandlers
>  ucr_handlers = configHandlers()
> +listener.setuid(0)
try:
>  ucr_handlers.load()
finally:
> +listener.unsetuid()

as the EUID is a property of the UNIX process, which must be reset always
(Bug #34324).
Comment 2 Philipp Hahn univentionstaff 2014-08-28 16:04:29 CEST
Created attachment 6079 [details]
Skip writing cache if process has no write permission
Comment 3 Felix Botner univentionstaff 2014-08-28 16:17:11 CEST
(In reply to Philipp Hahn from comment #2)
> Created attachment 6079 [details]
> Skip writing cache if process has no write permission

OK, merged patch to errara3.2-3 and UCS 4.0

YAML: 2014-08-28-univention-config-registry.yaml
Comment 4 Stefan Gohmann univentionstaff 2014-09-01 08:50:40 CEST
Test: OK, I was able to reproduce it with the old version but not with the erratum

YAML: I think we could also release the UCR package for UCS 3.2-2-errata → Reopen
Comment 5 Felix Botner univentionstaff 2014-09-01 09:47:11 CEST
2014-08-28-univention-config-registry.yaml
+version: [2,3]
Comment 6 Stefan Gohmann univentionstaff 2014-09-01 09:49:52 CEST
OK
Comment 7 Janek Walkenhorst univentionstaff 2014-09-10 17:34:36 CEST
http://errata.univention.de/ucs/3.2/189.html