Univention Bugzilla – Bug 44197
(4.2) oxUserDefaults hook uses getMachineConnection, causes Permission denied: /etc/machine.secret
Last modified: 2017-07-06 17:48:36 CEST
+++ This bug was initially created as a clone of Bug #44196 +++

The gsuite-listeners
component/univention-google-apps/google-apps-user.py
component/univention-google-apps/google-apps-group.py
component/univention-google-apps/modules/univention/googleapps/listener.py
don't use listener.suid(0) before UDM calls, they use the LDAP credentials provided by setdata(). That works well, except if installed together with OX:

31.03.17 15:48:21.035 LISTENER ( PROCESS ) : updating 'uid=test1,cn=users,dc=uni,dc=dtr' command m
31.03.17 15:48:21.198 LISTENER ( ERROR ) : gafw: Email address 'test1m@uni.dtr' invalid, changed to 'test1m@univention.de'.
UNIVENTION_DEBUG_BEGIN : uldap.__open host=m41.uni.dtr port=7389 base=dc=uni,dc=dtr
UNIVENTION_DEBUG_END : uldap.__open host=m41.uni.dtr port=7389 base=dc=uni,dc=dtr
Traceback (most recent call last):
  File "/usr/lib/univention-directory-listener/system/google-apps-user.py", line 266, in handler
    udm_user = ol.get_udm_user(dn)
  File "/usr/lib/pymodules/python2.7/univention/googleapps/listener.py", line 414, in get_udm_user
    univention.admin.modules.init(lo, po, usersmod)
  File "/usr/lib/pymodules/python2.7/univention/admin/modules.py", line 135, in init
    update_extended_attributes(lo, module, position)
  File "/usr/lib/pymodules/python2.7/univention/admin/modules.py", line 297, in update_extended_attributes
    propertyHook = getattr(univention.admin.hook, propertyHookString)()
  File "/usr/lib/pymodules/python2.7/univention/admin/hooks.d/oxUserDefaults.py", line 62, in __init__
    lo, pos = univention.admin.uldap.getMachineConnection()
  File "/usr/lib/pymodules/python2.7/univention/admin/uldap.py", line 147, in getMachineConnection
    lo = univention.uldap.getMachineConnection(start_tls, decode_ignorelist=decode_ignorelist, ldap_master=ldap_master)
  File "/usr/lib/pymodules/python2.7/univention/uldap.py", line 81, in getMachineConnection
    bindpw = open(secret_file).read().rstrip('\n')
IOError: [Errno 13] Permission denied: '/etc/machine.secret'
31.03.17 15:48:25.295 LISTENER ( WARN ) : handler: google-apps-user (failed)

This is actually a general problem of UDM hooks. If they want to make UDM calls themselves they might need root permissions - which their caller (here a listener module) cannot know.
*** Bug 44196 has been marked as a duplicate of this bug. ***
r79091: initialize late and use existing LDAP object if available
Package: univention-ox
Version: 9.0.1-20A~4.2.0.201705041752
Branch: ucs_4.2-0
Scope: oxse4ucs
r79184: adapt to API change in simpleHook (r79179)
univention-ox 9.0.1-21A~4.2.0.201705081356
Created attachment 8830: patch
Attached is a patch (based on UCS 4.1) which doesn't depend on Bug #44203 and is therefore suitable for a backport.
Created attachment 8837: patch
Patch for the current state.
r79301: patch applied (API from Bug #44203 was removed → use module.{lo,position} instead of reverted simpleHook API)
Package: univention-ox
Version: 9.0.1-22A~4.2.0.201705111652
Branch: ucs_4.2-0
Scope: oxse4ucs
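The two hook patterns at issue in this bug, as an added illustration that is not Univention's code: the eager variant mirrors the traceback (the hook opens a machine-account connection in __init__, so merely instantiating it needs read access to /etc/machine.secret), the late-init variant mirrors the r79091/r79301 fix (no connection at construction time, and module.lo/module.position reused when the hook runs). All names here (FakeLdapConnection, UdmModule, EagerMachineConnectionHook, LateInitHook, run_listener_handler, hook_outcome) are invented stand-ins for the real univention.admin.hook and univention.admin.uldap APIs, and the process EUID is passed explicitly instead of reading os.geteuid() so the Permission denied path can be reproduced without root.

```python
import errno


class FakeLdapConnection:
    """Constructed stand-in for a univention.admin.uldap access object.
    It only records which bind DN it was opened with, which is the property
    this bug is about: whose credentials does a hook end up running with?"""

    def __init__(self, binddn, bindpw):
        self.binddn = binddn
        self.bindpw = bindpw

    def search(self, filter_s):
        # Constructed result: the OX defaults entry a real hook would read.
        return {"binddn": self.binddn,
                "entries": [("cn=oxdefaults,dc=example,dc=com", {"oxContext": ["1"]})]}


def get_machine_connection(euid):
    """Models univention.uldap.getMachineConnection(): the real function opens
    /etc/machine.secret, which only root may read. Here the caller's EUID is
    passed in explicitly (hypothetical) so the failure is reproducible."""
    if euid != 0:
        raise IOError(errno.EACCES, "Permission denied", "/etc/machine.secret")
    return FakeLdapConnection("cn=host,cn=computers,dc=example,dc=com",
                              "machine-secret (constructed)")


class UdmModule:
    """Minimal stand-in for a UDM module after init(): it carries the LDAP
    object and position the calling code already authenticated with."""

    def __init__(self, lo, position):
        self.lo = lo
        self.position = position


class EagerMachineConnectionHook:
    """Pattern from the traceback: connect as the machine account in __init__."""

    def __init__(self, euid):
        self.lo = get_machine_connection(euid)

    def hook_open(self, module):
        return self.lo.search("(objectClass=oxUserDefaults)")


class LateInitHook:
    """Fixed pattern: initialize late and prefer the caller's existing LDAP
    object; the machine secret is only touched when no connection was given."""

    def __init__(self, euid):
        self.euid = euid
        self._lo = None

    def _connection(self, module):
        if self._lo is None:
            if getattr(module, "lo", None) is not None:
                self._lo = module.lo  # caller's credentials, no root needed
            else:
                self._lo = get_machine_connection(self.euid)  # last resort only
        return self._lo

    def hook_open(self, module):
        return self._connection(module).search("(objectClass=oxUserDefaults)")


def run_listener_handler(hook_cls, euid, provide_lo=True):
    """Models a listener module bound with setdata() credentials (not root)
    that initializes the users module, which instantiates and then calls the
    hook. Returns the bind DN the hook's LDAP access actually went through."""
    lo = FakeLdapConnection("cn=listener,dc=example,dc=com", "listener-pw (constructed)")
    module = UdmModule(lo if provide_lo else None, "cn=users,dc=example,dc=com")
    hook = hook_cls(euid)  # update_extended_attributes() instantiates hooks here
    return hook.hook_open(module)["binddn"]


def hook_outcome(hook_cls, euid, provide_lo=True):
    """Reports ("ok", binddn) or ("error", errno) for one handler run."""
    try:
        return ("ok", run_listener_handler(hook_cls, euid, provide_lo))
    except IOError as exc:
        return ("error", exc.errno)


if __name__ == "__main__":
    for cls in (EagerMachineConnectionHook, LateInitHook):
        print(cls.__name__, "as uid 1000:", hook_outcome(cls, 1000))
```

Run as a non-root listener, the eager hook fails with errno 13 before any UDM call is made, while the late-init hook completes using the listener's own bind DN; the fallback to the machine account is only exercised when the module carries no connection, which is exactly the case the r79091 commit message describes.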
Shouldn't this also be fixed for OX 7.8.2 on UCS 4.1, as especially school customers will be affected?
TODO: create/adapt a ucs-test for this bug
r79692: test for running oxUserDefaults w/o root permissions
r80076: advisory
OK: use lo, po instead of reading machine.secret in hook
OK: ucs-test
OK: yaml
Verified
Published