Univention Bugzilla – Bug 48112
Diagnostic test for file and socket permissions is too strict
Last modified: 2020-07-06 16:33:10 CEST
+++ This bug was initially created as a clone of Bug #40227 +++

We should add a check for the System Diagnostic UMC module which checks if specific files and sockets have the correct owners and permissions set:

/etc/machine.secret
/etc/ldap.secret
/etc/univention/ssl/*
/var/run/slapd/ldapi (→ Bug #39811)
/var/run/univention/management-console/*.socket
/var/run/memcached-univention-self-service.socket
/var/run/univention-saml/memcached.socket

Especially the SSL certificate renewal might cause permission problems if done manually by users.

---------------------------------------------------------------------------------

In a customer environment the system diagnostic module shows the following permission issues:

Datei '/etc/univention/ssl' hat Datei-Modus 2755, 755 war erwartet.
Datei '/etc/univention/ssl/ucsCA' hat Datei-Modus 2775, 775 war erwartet.
Datei '/etc/univention/ssl/ucs-sso.schein.ig' hat Datei-Modus 2750, 750 war erwartet.
Datei '/var/cache/univention-virtual-machine-manager-daemon' hat Datei-Modus 755, 700 war erwartet.
Datei '/var/cache/univention-usercert' hat Datei-Modus 755, 700 war erwartet.

My suggestion to ignore this warning was commented by: "someone thinks the test makes sense, otherwise it wouldn't be in the diagnosis."

This is right I think, so we should be sure with our checks. In this case '2755' is not a problem here, especially the group is checked, too. The check for '700' in /var/cache/univention* is a little bit misleading, particularly if we create here 755 ourselves. (I checked /var/cache/univention-virtual-machine-manager-daemon on laiva)

The 700 for UVMM should be correct. If it's broken on laiva we should fix it there.

virtualization/univention-virtual-machine-manager-daemon/debian/rules:

override_dh_fixperms:
	chmod 0700 debian/univention-virtual-machine-manager-daemon/var/cache/univention-virtual-machine-manager-daemon
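
Added example (not part of the bug report and not Univention's diagnostic code): a mode check in Python that contrasts the strict comparison behind the reported warnings with one that ignores the setgid bit on directories, as the description argues for 2755. The function names, the `tolerate_setgid_dir` parameter and the English message text are assumptions of this example; the sample entries are constructed from the modes quoted above.

```python
import os
import stat


def mode_mismatch(st_mode, expected, tolerate_setgid_dir=False):
    """Return the actual permission bits if they violate `expected`, else None.

    st_mode is the raw st_mode from os.lstat(); expected is e.g. 0o755.
    """
    actual = stat.S_IMODE(st_mode)  # rwx bits plus setuid/setgid/sticky
    compared = actual
    # Assumption of this example: setgid on a *directory* only controls group
    # inheritance of new entries, so it is ignored when the caller also
    # verifies the group owner. Setuid, sticky and setgid on files still count.
    if tolerate_setgid_dir and stat.S_ISDIR(st_mode):
        compared &= ~stat.S_ISGID
    return None if compared == expected else actual


def check_path(path, expected, tolerate_setgid_dir=False):
    """Check a real path; return a message string, or None if the mode is fine."""
    actual = mode_mismatch(os.lstat(path).st_mode, expected, tolerate_setgid_dir)
    if actual is None:
        return None
    return "File %r has file mode %o, %o was expected." % (path, actual, expected)


# Constructed samples mirroring the modes reported above: (path, st_mode, expected)
SAMPLES = [
    ("/etc/univention/ssl", stat.S_IFDIR | 0o2755, 0o755),
    ("/etc/univention/ssl/ucsCA", stat.S_IFDIR | 0o2775, 0o775),
    ("/var/cache/univention-usercert", stat.S_IFDIR | 0o755, 0o700),
]


def flagged(tolerate_setgid_dir):
    """Paths from SAMPLES that the check would report."""
    return [path for path, st_mode, expected in SAMPLES
            if mode_mismatch(st_mode, expected, tolerate_setgid_dir) is not None]


if __name__ == "__main__":
    print("strict:  ", flagged(False))
    print("tolerant:", flagged(True))
```

The 755-instead-of-700 cache directory is reported in both modes, since group and world access is a real widening of permissions and not a setgid artefact.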