Bug 51420 - System activation broken (apps)
Summary: System activation broken (apps)
Status: CLOSED FIXED
Alias: None
Product: UCS
Classification: Unclassified
Component: System setup
Version: UCS 4.4
Hardware: Other Linux
: P5 normal
Target Milestone: UCS 4.4-4-errata
Assignee: Florian Best
QA Contact: Felix Botner
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-06-04 10:17 CEST by Felix Botner
Modified: 2020-06-04 12:27 CEST (History)
3 users (show)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 6: Setup Problem: Issue for the setup process
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.206
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Appliance, Regression
Customer ID:
Max CVSS v3 score:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Felix Botner univentionstaff 2020-06-04 10:17:26 CEST 
see https://jenkins.knut.univention.de:8181/job/UCS-4.4/job/UCS-4.4-4/job/Update%20Tests/test_system=owncloud-appliance/,

i can manually reproduce this, apache error logs says

[Thu Jun 04 03:50:28.000512 2020] [core:notice] [pid 17426] AH00094: Command line: '/usr/sbin/apache2'
[Thu Jun 04 03:55:10.630026 2020] [authz_core:error] [pid 14230] [client 10.207.130.93:43640] AH01630: client denied by server configuration: /usr/lib/python2.7/dist-packages/univention/system_activation/wsgi.py, referer: http://aplwmaster.www.local/univention/system-activation/
[Thu Jun 04 04:03:36.987097 2020] [authz_core:error] [pid 14230] [client 10.205.2.25:43732] AH01630: client denied by server configuration: /usr/lib/python2.7/dist-packages/univention/system_activation/wsgi.py, referer: http://10.207.130.93/univention/system-activation/
[Thu Jun 04 04:06:19.667508 2020] [authz_core:error] [pid 14213] [client 10.205.2.25:43842] AH01630: client denied by server configuration: /usr/lib/python2.7/dist-packages/univention/system_activation/wsgi.py, referer: http://10.207.130.93/univention/system-activation/
[Thu Jun 04 04:06:36.589711 2020] [authz_core:error] [pid 14233] [client 10.205.2.25:43850] AH01630: client denied by server configuration: /usr/lib/python2.7/dist-packages/univention/system_activation/wsgi.py, referer: http://10.207.130.93/univention/system-activation/
[Thu Jun 04 04:10:47.139397 2020] [authz_core:error] [pid 17720] [client 10.205.2.25:43964] AH01630: client denied by server configuration: /usr/lib/python2.7/dist-packages/univention/system_activation/wsgi.py, referer: http://10.207.130.93/univention/system-activation/
Comment 1 Erik Damrose univentionstaff 2020-06-04 10:48:43 CEST 
Regression from bug 51373
Comment 2 Florian Best univentionstaff 2020-06-04 10:56:49 CEST 
What is the problem? Is there a `apache2 reload` missing? Or does the file needs +x permissions?
Comment 3 Felix Botner univentionstaff 2020-06-04 11:20:50 CEST 
(In reply to Florian Best from comment #2)
> What is the problem? 

The problem is: ;-)

Thu Jun 04 04:10:47.139397 2020] [authz_core:error] [pid 17720] [client 10.205.2.25:43964] AH01630: client denied by server configuration: /usr/lib/python2.7/dist-packages/univention/system_activation/wsgi.py, referer: http://10.207.130.93/univention/system-activation/

>Is there a `apache2 reload` missing? Or does the file
> needs +x permissions?

no, changed permissions and restarted apache, did nothing to improve the situation
Comment 4 Florian Best univentionstaff 2020-06-04 11:29:10 CEST 
More debug level context:

[Thu Jun 04 05:28:03.437697 2020] [authz_core:debug] [pid 19958] mod_authz_core.c(809): [client 10.205.2.7:45498] AH01626: authorization result of Require all denied: denied                                                                 
[Thu Jun 04 05:28:03.437712 2020] [authz_core:debug] [pid 19958] mod_authz_core.c(809): [client 10.205.2.7:45498] AH01626: authorization result of <RequireAny>: denied                                                                       
[Thu Jun 04 05:28:03.437719 2020] [authz_core:error] [pid 19958] [client 10.205.2.7:45498] AH01630: client denied by server configuration: /usr/lib/python2.7/dist-packages/univention/system_activation/wsgi.py                              
[Thu Jun 04 05:28:03.437726 2020] [core:trace3] [pid 19958] request.c(119): [client 10.205.2.7:45498] auth phase 'check access' gave status 403: /license
Comment 5 Florian Best univentionstaff 2020-06-04 11:47:29 CEST 
/etc/apache2/apache2.conf allowed access for /usr/share. For /usr/lib was nothing defined.
<Directory /usr/share>
        AllowOverride None
        Require all granted
</Directory>

Fixed in by allowing /usr/lib/python2.7/dist-packages/univention/system_activation/:

univention-system-activation (4.0.0-13)
8f3046285996 | Bug #51420: fix apache permissions

Package: univention-system-activation
Version: 4.0.0-13A~4.4.0.202006041146
Comment 6 Felix Botner univentionstaff 2020-06-04 12:07:50 CEST 
OK - univention-system-activation
OK - yaml
Comment 7 Erik Damrose univentionstaff 2020-06-04 12:27:19 CEST 
<http://errata.software-univention.de/ucs/4.4/620.html>