Univention Bugzilla – Bug 51608
Wrong file ownership for serviceprovider_enabled_groups.json
Last modified: 2020-10-14 14:11:14 CEST
The new listener script univention-saml-groups.py, which creates / updates the "SAML SP to LDAP groups" mapping in /etc/simplesamlphp/serviceprovider_enabled_groups.json, first creates a temporary file in /tmp/, where it sets the correct file permissions and ownership, and then uses shutil.move() to move that to the final destination in /etc/simplesamlphp/.

This only works correctly if the /tmp/ and /etc/simplesamlphp/ directories are on the same filesystem, because shutil.move() uses os.rename() in this case, which keeps all file metadata. However, if these two directories are on separate filesystems, shutil.move() by default uses shutil.copy2() to copy the file to the new location and then deletes the source file. According to the Python documentation, "copy2() uses copystat() to copy the file metadata.", which in turn states that it doesn't copy the file owners. ("Copy the permission bits, last access time, last modification time, and flags from src to dst. On Linux, copystat() also copies the “extended attributes” where possible. The file contents, owner, and group are unaffected.")

So the target file gets created with default owner and user; in our case this was "root.nogroup". This has the effect that the simplesamlphp process cannot read the file, as the following syslog entries show:

simplesamlphp[21022]: 3 [5bf27ee2ac] SimpleSAML_Error_Exception: Error 2 - file_get_contents(/etc/simplesamlphp/serviceprovider_enabled_groups.json): failed to open stream: Permission denied

Our hotfix was to change the variable "tmp_path" in univention-saml-groups.py as follows:

tmp_path = path + ".tmp"

So it creates the temporary file in the same directory as the final .json file and then just moves it inside that directory, keeping mode and ownership.
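The same-directory approach from the report, worked through as an added example (this is not code from univention-saml): the temporary file is created next to the target so the final step is a rename on one filesystem, mode and ownership are applied on the open descriptor before the rename, and a failure never leaves a half-written file behind. The mapping content and the scratch path are constructed samples.

```python
"""Atomic write of the SP-to-groups JSON file that keeps mode and ownership.

Writing the temp file in /tmp and moving it across filesystems turns the move
into copy2() + unlink, which drops the owner. Creating it beside the target
makes os.replace() a plain rename, so the metadata set on the descriptor
survives.
"""
import json
import os
import stat
import tempfile


def atomic_write_json(path, data, mode=0o600, uid=-1, gid=-1):
    """Write `data` as JSON to `path` via a same-directory temp file.

    uid/gid of -1 leave ownership at the writing process (e.g. for tests);
    a root-run listener would pass the ids of the consuming service user.
    Returns the final file's permission bits.
    """
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp_path = tempfile.mkstemp(prefix=os.path.basename(path) + ".",
                                    suffix=".tmp", dir=directory)
    try:
        with os.fdopen(fd, "w") as fh:
            json.dump(data, fh)
            fh.flush()
            os.fsync(fh.fileno())           # content on disk before rename
            os.fchmod(fh.fileno(), mode)    # permissions set before exposure
            os.fchown(fh.fileno(), uid, gid)
        os.replace(tmp_path, path)          # same filesystem: rename, metadata kept
    except BaseException:
        try:
            os.unlink(tmp_path)             # never leave a stray .tmp beside the config
        except FileNotFoundError:
            pass
        raise
    return stat.S_IMODE(os.stat(path).st_mode)


def demo_roundtrip():
    """Write a constructed mapping into a scratch dir; return mode, data, leftovers."""
    mapping = {"https://sp.example.test/saml": ["Domain Users"]}  # constructed sample
    with tempfile.TemporaryDirectory() as scratch:
        target = os.path.join(scratch, "serviceprovider_enabled_groups.json")
        mode = atomic_write_json(target, mapping)
        with open(target) as fh:
            data = json.load(fh)
        leftovers = [n for n in os.listdir(scratch) if n.endswith(".tmp")]
    return {"mode": mode, "data": data, "leftovers": leftovers}
```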
Created attachment 10414: patch

Thank you for the detailed bug report!
*** Bug 51837 has been marked as a duplicate of this bug. ***
9c973f65 + 8679cb86  Fix owner for SAML group permission file
e6612975             yaml                                   univention-saml 6.0.2-56A~4.4.0.202010061414
7d1d1301             ucs-test 9.0.5-11
841e9976             Set correct permissions in postinst    univention-saml 6.0.2-57A~4.4.0.202010061451
1900ff37             Fix styling                            univention-saml 6.0.2-58A~4.4.0.202010061504
TODO merge request
OK - yaml
OK - update (permissions fixed)

before:
ls -la /etc/simplesamlphp/serviceprovider_enabled_groups.json
-rwxrwxrwx 1 samlcgi samlcgi 184 Okt 6 15:01 /etc/simplesamlphp/serviceprovider_enabled_groups.json

after:
ls -al /etc/simplesamlphp/serviceprovider_enabled_groups.json
-rw------- 1 samlcgi samlcgi 184 Okt 6 15:01 /etc/simplesamlphp/serviceprovider_enabled_groups.json

OK - installation (permissions correct)
OK - test
https://git.knut.univention.de/univention/ucs/-/merge_requests/12
OK
<https://errata.software-univention.de/#/?erratum=4.4x766>
Just for the notes, during upgrade I see the following message:

Calling joinscript 91univention-saml.inst ...
2020-10-10 17:52:36.670087897+02:00 (in joinscript_init)
Joinscript 91univention-saml.inst finished with exitcode 1
chmod: Zugriff auf '/etc/simplesamlphp/serviceprovider_enabled_groups.json' nicht möglich: Datei oder Verzeichnis nicht gefunden
chown: Zugriff auf '/etc/simplesamlphp/serviceprovider_enabled_groups.json' nicht möglich: Datei oder Verzeichnis nicht gefunden
stunnel4.service is not a native service, redirecting to systemd-sysv-install.