Bug 51420 – System activation broken (apps)

Bug 51420 - System activation broken (apps)


Summary:	System activation broken (apps)

Status:	CLOSED FIXED

Product:	UCS
Classification:	Unclassified
Component:	System setup
Version:	UCS 4.4
Hardware:	Other Linux

Importance:	P5 normal (vote)
Target Milestone:	UCS 4.4-4-errata
Assigned To:	Florian Best
QA Contact:	Felix Botner

URL:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2020-06-04 10:17 CEST by Felix Botner
Modified:	2020-06-04 12:27 CEST (History)
CC List:	3 users (show)

See Also:
What kind of report is it?:	Bug Report
What type of bug is this?:	6: Setup Problem: Issue for the setup process
Who will be affected by this bug?:	2: Will only affect a few installed domains
How will those affected feel about the bug?:	3: A User would likely not purchase the product
User Pain:	0.206
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):	Appliance, Regression
Max CVSS v3 score:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Felix Botner

2020-06-04 10:17:26 CEST

see https://jenkins.knut.univention.de:8181/job/UCS-4.4/job/UCS-4.4-4/job/Update%20Tests/test_system=owncloud-appliance/,

i can manually reproduce this, apache error logs says

[Thu Jun 04 03:50:28.000512 2020] [core:notice] [pid 17426] AH00094: Command line: '/usr/sbin/apache2'
[Thu Jun 04 03:55:10.630026 2020] [authz_core:error] [pid 14230] [client 10.207.130.93:43640] AH01630: client denied by server configuration: /usr/lib/python2.7/dist-packages/univention/system_activation/wsgi.py, referer: http://aplwmaster.www.local/univention/system-activation/
[Thu Jun 04 04:03:36.987097 2020] [authz_core:error] [pid 14230] [client 10.205.2.25:43732] AH01630: client denied by server configuration: /usr/lib/python2.7/dist-packages/univention/system_activation/wsgi.py, referer: http://10.207.130.93/univention/system-activation/
[Thu Jun 04 04:06:19.667508 2020] [authz_core:error] [pid 14213] [client 10.205.2.25:43842] AH01630: client denied by server configuration: /usr/lib/python2.7/dist-packages/univention/system_activation/wsgi.py, referer: http://10.207.130.93/univention/system-activation/
[Thu Jun 04 04:06:36.589711 2020] [authz_core:error] [pid 14233] [client 10.205.2.25:43850] AH01630: client denied by server configuration: /usr/lib/python2.7/dist-packages/univention/system_activation/wsgi.py, referer: http://10.207.130.93/univention/system-activation/
[Thu Jun 04 04:10:47.139397 2020] [authz_core:error] [pid 17720] [client 10.205.2.25:43964] AH01630: client denied by server configuration: /usr/lib/python2.7/dist-packages/univention/system_activation/wsgi.py, referer: http://10.207.130.93/univention/system-activation/

Comment 1 Erik Damrose

2020-06-04 10:48:43 CEST

Regression from bug 51373

Comment 2 Florian Best

2020-06-04 10:56:49 CEST

What is the problem? Is there a `apache2 reload` missing? Or does the file needs +x permissions?

Comment 3 Felix Botner

2020-06-04 11:20:50 CEST

(In reply to Florian Best from comment #2)
> What is the problem? 

The problem is: ;-)

Thu Jun 04 04:10:47.139397 2020] [authz_core:error] [pid 17720] [client 10.205.2.25:43964] AH01630: client denied by server configuration: /usr/lib/python2.7/dist-packages/univention/system_activation/wsgi.py, referer: http://10.207.130.93/univention/system-activation/

>Is there a `apache2 reload` missing? Or does the file
> needs +x permissions?

no, changed permissions and restarted apache, did nothing to improve the situation

Comment 4 Florian Best

2020-06-04 11:29:10 CEST

More debug level context:

[Thu Jun 04 05:28:03.437697 2020] [authz_core:debug] [pid 19958] mod_authz_core.c(809): [client 10.205.2.7:45498] AH01626: authorization result of Require all denied: denied                                                                 
[Thu Jun 04 05:28:03.437712 2020] [authz_core:debug] [pid 19958] mod_authz_core.c(809): [client 10.205.2.7:45498] AH01626: authorization result of <RequireAny>: denied                                                                       
[Thu Jun 04 05:28:03.437719 2020] [authz_core:error] [pid 19958] [client 10.205.2.7:45498] AH01630: client denied by server configuration: /usr/lib/python2.7/dist-packages/univention/system_activation/wsgi.py                              
[Thu Jun 04 05:28:03.437726 2020] [core:trace3] [pid 19958] request.c(119): [client 10.205.2.7:45498] auth phase 'check access' gave status 403: /license

Comment 5 Florian Best

2020-06-04 11:47:29 CEST

/etc/apache2/apache2.conf allowed access for /usr/share. For /usr/lib was nothing defined.
<Directory /usr/share>
        AllowOverride None
        Require all granted
</Directory>

Fixed in by allowing /usr/lib/python2.7/dist-packages/univention/system_activation/:

univention-system-activation (4.0.0-13)
8f3046285996 | Bug #51420: fix apache permissions

Package: univention-system-activation
Version: 4.0.0-13A~4.4.0.202006041146

Comment 6 Felix Botner

2020-06-04 12:07:50 CEST

OK - univention-system-activation
OK - yaml

Comment 7 Erik Damrose

2020-06-04 12:27:19 CEST

<http://errata.software-univention.de/ucs/4.4/620.html>