Bug 48112 - Diagnostic test for file and socket permissions is too strict
Status: NEW
Product: UCS
Classification: Unclassified
Component: UMC - System diagnostic
UCS 4.4
Other Linux
Importance: P5 normal
Assigned To: UMC maintainers
Depends on: 40227
Blocks:
Reported: 2018-11-07 12:36 CET by Christina Scheinig
Modified: 2020-07-06 16:33 CEST (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 1: Nuisance – not a big deal but noticeable
User Pain: 0.034
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2018092721000521
Bug group (optional): Security
Max CVSS v3 score:
Description Christina Scheinig univentionstaff 2018-11-07 12:36:08 CET
+++ This bug was initially created as a clone of Bug #40227 +++

We should add a check for the System Diagnostic UMC module which checks whether specific files and sockets have the correct owners and permissions set:

/etc/machine.secret
/etc/ldap.secret
/etc/univention/ssl/*
/var/run/slapd/ldapi (→ Bug #39811)
/var/run/univention/management-console/*.socket
/var/run/memcached-univention-self-service.socket
/var/run/univention-saml/memcached.socket

Especially the SSL certificate renewal might cause permission problems if done manually by users.

---------------------------------------------------------------------------------
In a customer environment the system diagnostic module shows the following permission issues:

Datei '/etc/univention/ssl' hat Datei-Modus 2755, 755 war erwartet.
Datei '/etc/univention/ssl/ucsCA' hat Datei-Modus 2775, 775 war erwartet.
Datei '/etc/univention/ssl/ucs-sso.schein.ig' hat Datei-Modus 2750, 750 war erwartet.
Datei '/var/cache/univention-virtual-machine-manager-daemon' hat Datei-Modus 755, 700 war erwartet.
Datei '/var/cache/univention-usercert' hat Datei-Modus 755, 700 war erwartet.

My suggestion to ignore this warning was met with the comment:
"someone thinks the test makes sense, otherwise it wouldn't be in the diagnosis."
This is right, I think, so we should be sure about our checks.
In this case '2755' is not a problem, especially since the group is checked, too.

The check for '700' in /var/cache/univention* is a little bit misleading, particularly if we create 755 there ourselves.
(I checked /var/cache/univention-virtual-machine-manager-daemon on laiva)
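The two comparison styles the report contrasts, as an added illustration (not code from the UCS diagnostic module): an exact-mode check that reports 2755 where 755 was expected, beside a check that only reports bits granting more access than expected and accepts setgid on a directory once the group owner has been verified. The function names and the temporary cache file are constructed for the example.

```python
import os
import stat
import tempfile

# Plain rwx bits for user/group/other; setuid/setgid/sticky are compared separately.
PERM_MASK = stat.S_IRWXU | stat.S_IRWXG | stat.S_IRWXO
SPECIAL_MASK = stat.S_ISUID | stat.S_ISGID | stat.S_ISVTX

def strict_mode_check(actual, expected):
    """Too-strict variant: any difference in the low 12 bits is reported, so 2755 vs 755 fails."""
    actual &= 0o7777
    return [] if actual == expected else ["mode %o, expected %o" % (actual, expected)]

def tolerant_mode_check(actual, expected, is_dir=False, group_verified=False):
    """Report only bits granting MORE access than expected; a stricter mode passes, and
    setgid on a directory passes when the group owner was verified separately."""
    problems = []
    extra = (actual & PERM_MASK) & ~(expected & PERM_MASK)
    if extra:
        problems.append("mode %o grants more than expected %o (extra bits %o)"
                        % (actual & PERM_MASK, expected & PERM_MASK, extra))
    special = (actual & SPECIAL_MASK) & ~(expected & SPECIAL_MASK)
    if is_dir and group_verified:
        special &= ~stat.S_ISGID  # setgid only propagates the (already verified) group
    if special:
        problems.append("unexpected special bits %o" % special)
    return problems

def check_path(path, expected_mode, expected_uid=None, expected_gid=None):
    """Stat one file, directory or socket and return a list of findings (empty = OK)."""
    st = os.lstat(path)
    problems = []
    if expected_uid is not None and st.st_uid != expected_uid:
        problems.append("owner uid %d, expected %d" % (st.st_uid, expected_uid))
    group_ok = expected_gid is not None and st.st_gid == expected_gid
    if expected_gid is not None and not group_ok:
        problems.append("group gid %d, expected %d" % (st.st_gid, expected_gid))
    kind = "socket" if stat.S_ISSOCK(st.st_mode) else ("directory" if stat.S_ISDIR(st.st_mode) else "file")
    for p in tolerant_mode_check(st.st_mode, expected_mode, stat.S_ISDIR(st.st_mode), group_ok):
        problems.append("%s '%s': %s" % (kind, path, p))
    return problems

def demo():
    """Constructed case: a cache file created with 755 where 700 is required (still a finding)."""
    with tempfile.TemporaryDirectory() as tmp:
        cache = os.path.join(tmp, "cache")
        open(cache, "w").close()
        os.chmod(cache, 0o755)
        return check_path(cache, 0o700, os.getuid(), os.getgid())
```

With this split, the 2755 directories from the customer report pass once their group owner matches, while the 755-instead-of-700 cache directories are still reported.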
Comment 1 Florian Best univentionstaff 2019-03-30 08:19:27 CET
The 700 for UVMM should be correct. If it's broken on laiva we should fix it there.

virtualization/univention-virtual-machine-manager-daemon/debian/rules:
override_dh_fixperms:
»   chmod 0700 debian/univention-virtual-machine-manager-daemon/var/cache/univention-virtual-machine-manager-daemon