Univention Bugzilla – Bug 44196
oxUserDefaults hooks uses getMachineConnection, causes Permission denied: /etc/machine.secret
Last modified: 2018-04-13 12:27:04 CEST
The gsuite-listeners
 component/univention-google-apps/google-apps-user.py
 component/univention-google-apps/google-apps-group.py
 component/univention-google-apps/modules/univention/googleapps/listener.py
don't use listener.suid(0) before UDM-calls, they use the LDAP-credentials provided by setdata(). That works well, except if installed together with OX:

31.03.17 15:48:21.035 LISTENER ( PROCESS ) : updating 'uid=test1,cn=users,dc=uni,dc=dtr' command m
31.03.17 15:48:21.198 LISTENER ( ERROR ) : gafw: Email address 'test1m@uni.dtr' invalid, changed to 'test1m@univention.de'.
UNIVENTION_DEBUG_BEGIN : uldap.__open host=m41.uni.dtr port=7389 base=dc=uni,dc=dtr
UNIVENTION_DEBUG_END : uldap.__open host=m41.uni.dtr port=7389 base=dc=uni,dc=dtr
Traceback (most recent call last):
  File "/usr/lib/univention-directory-listener/system/google-apps-user.py", line 266, in handler
    udm_user = ol.get_udm_user(dn)
  File "/usr/lib/pymodules/python2.7/univention/googleapps/listener.py", line 414, in get_udm_user
    univention.admin.modules.init(lo, po, usersmod)
  File "/usr/lib/pymodules/python2.7/univention/admin/modules.py", line 135, in init
    update_extended_attributes(lo, module, position)
  File "/usr/lib/pymodules/python2.7/univention/admin/modules.py", line 297, in update_extended_attributes
    propertyHook = getattr(univention.admin.hook, propertyHookString)()
  File "/usr/lib/pymodules/python2.7/univention/admin/hooks.d/oxUserDefaults.py", line 62, in __init__
    lo, pos = univention.admin.uldap.getMachineConnection()
  File "/usr/lib/pymodules/python2.7/univention/admin/uldap.py", line 147, in getMachineConnection
    lo = univention.uldap.getMachineConnection(start_tls, decode_ignorelist=decode_ignorelist, ldap_master=ldap_master)
  File "/usr/lib/pymodules/python2.7/univention/uldap.py", line 81, in getMachineConnection
    bindpw = open(secret_file).read().rstrip('\n')
IOError: [Errno 13] Permission denied: '/etc/machine.secret'
31.03.17 15:48:25.295 LISTENER ( WARN ) : handler: google-apps-user (failed)

This is actually a general problem of UDM hooks. If they want to make UDM calls themselves they might need root-permissions - which their caller (here a listener module) cannot know.
IMHO the culprit of this problem is the OX UDM hook and I created a related bug in their component. But it's not clear whether it's possible to solve this in their scope. So we'll have two bugs for now.
Related OX bug: https://bugs.open-xchange.com/show_bug.cgi?id=51751
*** This bug has been marked as a duplicate of bug 44197 ***
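
A triage sketch for the failure quoted in this report, added here as an example and not taken from the report or from Univention's or OX's code: it scans listener log text for tracebacks that end in Errno 13 and reports the listener module, the file under hooks.d in the call chain, and the file that was denied. The function name `find_secret_denials` is hypothetical, and the sample is an excerpt of the log above with some frames left out.

```python
import re

# Excerpt of the listener log quoted in this report (some frames omitted).
SAMPLE_LOG = r'''
Traceback (most recent call last):
  File "/usr/lib/univention-directory-listener/system/google-apps-user.py", line 266, in handler
    udm_user = ol.get_udm_user(dn)
  File "/usr/lib/pymodules/python2.7/univention/admin/modules.py", line 297, in update_extended_attributes
    propertyHook = getattr(univention.admin.hook, propertyHookString)()
  File "/usr/lib/pymodules/python2.7/univention/admin/hooks.d/oxUserDefaults.py", line 62, in __init__
    lo, pos = univention.admin.uldap.getMachineConnection()
  File "/usr/lib/pymodules/python2.7/univention/uldap.py", line 81, in getMachineConnection
    bindpw = open(secret_file).read().rstrip('\n')
IOError: [Errno 13] Permission denied: '/etc/machine.secret'
31.03.17 15:48:25.295 LISTENER ( WARN ) : handler: google-apps-user (failed)
'''

FRAME = re.compile(r'^\s*File "(?P<path>[^"]+)", line (?P<line>\d+), in (?P<func>\S+)')
DENIED = re.compile(r"^(?:IOError|OSError|PermissionError): \[Errno 13\] Permission denied: '(?P<target>[^']+)'")
FAILED = re.compile(r"handler: (?P<name>\S+) \(failed\)")

def find_secret_denials(log_text):
    """Return one dict per traceback that ends in EACCES (hypothetical helper)."""
    findings, frames, in_tb, pending = [], [], False, None
    for line in log_text.splitlines():
        if line.startswith("Traceback (most recent call last):"):
            frames, in_tb = [], True
        elif in_tb and line[:1].isspace():
            m = FRAME.match(line)  # indented source lines simply do not match
            if m:
                frames.append(m.groupdict())
        elif in_tb:  # first unindented line after the frames is the exception
            in_tb = False
            m = DENIED.match(line)
            if m:
                hook = next((f for f in frames if "/hooks.d/" in f["path"]), None)
                pending = {"listener_module": frames[0]["path"] if frames else None,
                           "hook": hook and hook["path"], "hook_line": hook and int(hook["line"]),
                           "denied": m.group("target"), "handler": None}
                findings.append(pending)
        else:
            m = FAILED.search(line)
            if m and pending is not None:  # attach the handler name logged after the traceback
                pending["handler"] = m.group("name")
                pending = None
    return findings
```

A finding whose `hook` field is set means the permission error came from a UDM hook rather than from the listener module itself.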