Bug 44196 - oxUserDefaults hooks uses getMachineConnection, causes Permission denied: /etc/machine.secret
Status: RESOLVED DUPLICATE of bug 44197
Product: UCS
Classification: Unclassified
Component: Self Service
UCS 4.2
Other Linux
Importance: P5 normal
Assigned To: UMC maintainers
Depends on: 44197 44203 44660
Blocks:
Reported: 2017-03-31 16:06 CEST by Daniel Tröder
Modified: 2018-04-13 12:27 CEST (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 4: A User would return the product
User Pain: 0.229
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:

Description Daniel Tröder univentionstaff 2017-03-31 16:06:34 CEST
The gsuite-listeners

  component/univention-google-apps/google-apps-user.py
  component/univention-google-apps/google-apps-group.py
  component/univention-google-apps/modules/univention/googleapps/listener.py

don't use listener.suid(0) before UDM calls; they use the LDAP credentials provided by setdata(). That works well, except when installed together with OX:

31.03.17 15:48:21.035  LISTENER    ( PROCESS ) : updating 'uid=test1,cn=users,dc=uni,dc=dtr' command m
31.03.17 15:48:21.198  LISTENER    ( ERROR   ) : gafw: Email address 'test1m@uni.dtr' invalid, changed to 'test1m@univention.de'.
UNIVENTION_DEBUG_BEGIN  : uldap.__open host=m41.uni.dtr port=7389 base=dc=uni,dc=dtr
UNIVENTION_DEBUG_END    : uldap.__open host=m41.uni.dtr port=7389 base=dc=uni,dc=dtr
Traceback (most recent call last):
  File "/usr/lib/univention-directory-listener/system/google-apps-user.py", line 266, in handler
    udm_user = ol.get_udm_user(dn)
  File "/usr/lib/pymodules/python2.7/univention/googleapps/listener.py", line 414, in get_udm_user
    univention.admin.modules.init(lo, po, usersmod)
  File "/usr/lib/pymodules/python2.7/univention/admin/modules.py", line 135, in init
    update_extended_attributes(lo, module, position)
  File "/usr/lib/pymodules/python2.7/univention/admin/modules.py", line 297, in update_extended_attributes
    propertyHook = getattr(univention.admin.hook, propertyHookString)()
  File "/usr/lib/pymodules/python2.7/univention/admin/hooks.d/oxUserDefaults.py", line 62, in __init__
    lo, pos = univention.admin.uldap.getMachineConnection()
  File "/usr/lib/pymodules/python2.7/univention/admin/uldap.py", line 147, in getMachineConnection
    lo = univention.uldap.getMachineConnection(start_tls, decode_ignorelist=decode_ignorelist, ldap_master=ldap_master)
  File "/usr/lib/pymodules/python2.7/univention/uldap.py", line 81, in getMachineConnection
    bindpw = open(secret_file).read().rstrip('\n')
IOError: [Errno 13] Permission denied: '/etc/machine.secret'
31.03.17 15:48:25.295  LISTENER    ( WARN    ) : handler: google-apps-user (failed)

This is actually a general problem of UDM hooks. If they want to make UDM calls themselves they might need root permissions - which their caller (here a listener module) cannot know.
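The privilege mismatch in this report, as an added example that is not code from UCS, OX or the reporter: a model of a hook that opens its own machine connection beside one that reuses the connection its caller already holds, plus the listener-side privilege bracketing the reporter mentions. Every name here (get_machine_connection, OxUserDefaultsHook, OxUserDefaultsHookReusing, as_root, FakeListener and its setuid/unsetuid methods) is a hypothetical stand-in for the real univention APIs, the file opener is injected so nothing touches /etc/machine.secret, and the secret content is constructed.

```python
import errno
import io
from contextlib import contextmanager

MACHINE_SECRET = "/etc/machine.secret"  # readable by root only on UCS

def get_machine_connection(opener=open, secret_file=MACHINE_SECRET):
    """Stand-in for univention.uldap.getMachineConnection(): binding as the
    machine account needs the root-only secret; `opener` is injectable."""
    with opener(secret_file) as fh:
        bindpw = fh.read().rstrip("\n")
    return {"binddn": "machine-account", "bindpw": bindpw}

class OxUserDefaultsHook:
    """Shape of the failing hook: __init__ opens its own machine connection,
    so the caller's privileges decide whether the hook can be built at all."""
    def __init__(self, opener=open):
        self.lo = get_machine_connection(opener)

class OxUserDefaultsHookReusing:
    """Hardened shape: reuse the connection the UDM caller already holds and
    fall back to the machine account only when nothing was supplied."""
    def __init__(self, lo=None, opener=open):
        self.lo = lo if lo is not None else get_machine_connection(opener)

def unprivileged_open(path):
    """Models open() in the listener's dropped-privilege context (EACCES)."""
    raise IOError(errno.EACCES, "Permission denied", path)

def root_open(path):
    """Models open() as root; the content is constructed, not a real secret."""
    return io.StringIO("constructed-secret\n")

@contextmanager
def as_root(listener):
    """Listener-side workaround named in the report: elevate only around the
    UDM call and always drop again, even when the hook raises."""
    listener.setuid(0)
    try:
        yield
    finally:
        listener.unsetuid()

class FakeListener:
    """Records setuid()/unsetuid() calls so the bracketing can be checked."""
    def __init__(self):
        self.calls = []
    def setuid(self, uid):
        self.calls.append(("setuid", uid))
    def unsetuid(self):
        self.calls.append(("unsetuid",))
```

Built with the caller's connection, the reusing hook never reads the secret, while the original shape fails with errno 13 under an unprivileged opener; the as_root bracket still drops privileges when that failure propagates.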
Comment 1 Daniel Tröder univentionstaff 2017-03-31 16:08:21 CEST
IMHO the culprit of this problem is the OX UDM hook and I created a related bug in their component. But it's not clear whether it's possible to solve this in their scope. So we'll have two bugs for now.
Comment 2 Daniel Tröder univentionstaff 2017-05-04 14:53:40 CEST
Related OX bug: https://bugs.open-xchange.com/show_bug.cgi?id=51751
Comment 3 Daniel Tröder univentionstaff 2017-05-04 17:53:35 CEST

*** This bug has been marked as a duplicate of bug 44197 ***