Bug 44197 - (4.2) oxUserDefaults hooks uses getMachineConnection, causes Permission denied: /etc/machine.secret
Status: CLOSED FIXED
Product: Z_Internal OX development
Classification: Unclassified
Component: UDM
UCS 4.2 / 7.8.3
Other Linux
Importance: P5 normal
Target Milestone: 7.8.3-ucs2
Assigned To: Daniel Tröder
Erik Damrose
Duplicates: 44196
Depends on: 44203
Blocks: 44196 44660
Reported: 2017-03-31 16:07 CEST by Daniel Tröder
Modified: 2017-07-06 17:48 CEST (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 4: A User would return the product
User Pain: 0.229
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Attachments
patch (1.58 KB, patch)
2017-05-09 15:59 CEST, Florian Best
patch (1.48 KB, patch)
2017-05-10 17:51 CEST, Florian Best

Description Daniel Tröder univentionstaff 2017-03-31 16:07:30 CEST
+++ This bug was initially created as a clone of Bug #44196 +++

The gsuite-listeners

  component/univention-google-apps/google-apps-user.py
  component/univention-google-apps/google-apps-group.py
  component/univention-google-apps/modules/univention/googleapps/listener.py

don't use listener.suid(0) before UDM calls; they use the LDAP credentials provided by setdata(). That works well, except when installed together with OX:


31.03.17 15:48:21.035  LISTENER    ( PROCESS ) : updating 'uid=test1,cn=users,dc=uni,dc=dtr' command m
31.03.17 15:48:21.198  LISTENER    ( ERROR   ) : gafw: Email address 'test1m@uni.dtr' invalid, changed to 'test1m@univention.de'.
UNIVENTION_DEBUG_BEGIN  : uldap.__open host=m41.uni.dtr port=7389 base=dc=uni,dc=dtr
UNIVENTION_DEBUG_END    : uldap.__open host=m41.uni.dtr port=7389 base=dc=uni,dc=dtr
Traceback (most recent call last):
  File "/usr/lib/univention-directory-listener/system/google-apps-user.py", line 266, in handler
    udm_user = ol.get_udm_user(dn)
  File "/usr/lib/pymodules/python2.7/univention/googleapps/listener.py", line 414, in get_udm_user
    univention.admin.modules.init(lo, po, usersmod)
  File "/usr/lib/pymodules/python2.7/univention/admin/modules.py", line 135, in init
    update_extended_attributes(lo, module, position)
  File "/usr/lib/pymodules/python2.7/univention/admin/modules.py", line 297, in update_extended_attributes
    propertyHook = getattr(univention.admin.hook, propertyHookString)()
  File "/usr/lib/pymodules/python2.7/univention/admin/hooks.d/oxUserDefaults.py", line 62, in __init__
    lo, pos = univention.admin.uldap.getMachineConnection()
  File "/usr/lib/pymodules/python2.7/univention/admin/uldap.py", line 147, in getMachineConnection
    lo = univention.uldap.getMachineConnection(start_tls, decode_ignorelist=decode_ignorelist, ldap_master=ldap_master)
  File "/usr/lib/pymodules/python2.7/univention/uldap.py", line 81, in getMachineConnection
    bindpw = open(secret_file).read().rstrip('\n')
IOError: [Errno 13] Permission denied: '/etc/machine.secret'
31.03.17 15:48:25.295  LISTENER    ( WARN    ) : handler: google-apps-user (failed)

This is actually a general problem of UDM hooks. If they want to make UDM calls themselves, they might need root permissions, which their caller (here a listener module) cannot know.
Comment 1 Daniel Tröder univentionstaff 2017-05-04 17:53:35 CEST
*** Bug 44196 has been marked as a duplicate of this bug. ***
Comment 2 Daniel Tröder univentionstaff 2017-05-04 17:54:39 CEST
r79091: initialize late and use existing LDAP object if available

Package: univention-ox
Version: 9.0.1-20A~4.2.0.201705041752
Branch: ucs_4.2-0
Scope: oxse4ucs
Comment 3 Daniel Tröder univentionstaff 2017-05-08 13:58:30 CEST
r79184: adapt to API change in simpleHook (r79179)

univention-ox 9.0.1-21A~4.2.0.201705081356
Comment 4 Florian Best univentionstaff 2017-05-09 15:59:51 CEST
Created attachment 8830 [details]
patch

Attached is a patch (based on UCS 4.1) which doesn't depend on Bug #44203 and is therefore suitable for a backport.
Comment 5 Florian Best univentionstaff 2017-05-10 17:51:27 CEST
Created attachment 8837 [details]
patch

Patch for the current state.
Comment 6 Daniel Tröder univentionstaff 2017-05-11 16:53:53 CEST
r79301: patch applied (API from Bug #44203 was removed → use module.{lo,position} instead of reverted simpleHook API)

Package: univention-ox
Version: 9.0.1-22A~4.2.0.201705111652
Branch: ucs_4.2-0
Scope: oxse4ucs
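As an added illustration (not code from this bug, from univention-ox or from UDM): a small AST-based check that flags hooks which open a machine connection in __init__, the pattern in the traceback above, and that accepts the shape of the fix from comment 6 (reuse module.lo / module.position). The two hook sources are constructed for the example; simpleHook and hook_open are assumed names, not taken from the real oxUserDefaults.py.

```python
import ast

# Constructed sample hook sources (not the real oxUserDefaults.py).
# EAGER_HOOK mirrors the anti-pattern from the traceback: reading
# /etc/machine.secret at construction time, which needs root.
EAGER_HOOK = '''
import univention.admin.uldap
from univention.admin.hook import simpleHook

class oxUserDefaults(simpleHook):
    def __init__(self, *args, **kwargs):
        super(oxUserDefaults, self).__init__(*args, **kwargs)
        self.lo, self.pos = univention.admin.uldap.getMachineConnection()
'''

# LAZY_HOOK mirrors the shape of the fix: reuse the connection the caller
# already bound with its own credentials (hook_open is an assumed name).
LAZY_HOOK = '''
import univention.admin.uldap
from univention.admin.hook import simpleHook

class oxUserDefaults(simpleHook):
    def hook_open(self, module):
        # caller's connection and position, no machine.secret needed
        self.lo, self.pos = module.lo, module.position
'''


def _call_name(node):
    """Dotted callee name of a Call's func node, e.g. 'univention.admin.uldap.getMachineConnection'."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
    return '.'.join(reversed(parts))


def find_eager_machine_connections(source):
    """Return (class name, line) for every getMachineConnection() call inside a class's __init__."""
    hits = []
    for cls in ast.walk(ast.parse(source)):
        if not isinstance(cls, ast.ClassDef):
            continue
        for func in cls.body:
            if isinstance(func, ast.FunctionDef) and func.name == '__init__':
                for node in ast.walk(func):
                    if isinstance(node, ast.Call) and _call_name(node.func).endswith('getMachineConnection'):
                        hits.append((cls.name, node.lineno))
    return hits
```

Run it over the files in univention/admin/hooks.d/ to find hooks that will fail when instantiated by an unprivileged caller such as a listener module.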
Comment 7 Daniel Tröder univentionstaff 2017-05-22 17:24:53 CEST
Shouldn't this also be fixed for OX 7.8.2 on UCS 4.1, as especially school customers will be affected?
Comment 8 Daniel Tröder univentionstaff 2017-05-24 08:52:26 CEST
TODO: create/adapt a ucs-test for this bug
Comment 9 Daniel Tröder univentionstaff 2017-05-26 15:14:59 CEST
r79692: test for running oxUserDefaults w/o root permissions
Comment 10 Daniel Tröder univentionstaff 2017-06-08 14:31:16 CEST
r80076: advisory
Comment 11 Erik Damrose univentionstaff 2017-06-16 14:06:17 CEST
OK: use lo, po instead of reading machine.secret in hook
OK: ucs-test
OK: yaml
Verified
Comment 12 Sönke Schwardt-Krummrich univentionstaff 2017-07-06 17:48:36 CEST
Published