Bug 51837 - simplesamlphp traceback due to wrong permissions of /etc/simplesamlphp/serviceprovider_enabled_groups.json
Status: RESOLVED DUPLICATE of bug 51608
Product: UCS
Classification: Unclassified
Component: SAML
Version: UCS 4.4
OS: Other Linux
Importance: P5 normal
Assigned To: UCS maintainers
Reported: 2020-08-19 11:27 CEST by Erik Damrose
Modified: 2020-09-10 14:45 CEST (History)
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 4: A User would return the product
User Pain: 0.114
Description Erik Damrose univentionstaff 2020-08-19 11:27:34 CEST
Aug 19 10:40:03 ucsserver simplesamlphp[33276]: 3 [5c2f483db6] SimpleSAML_Error_Exception: Error 2 - file_get_contents(/etc/simplesamlphp/serviceprovider_enabled_groups.json): failed to open stream: Permission denied
Aug 19 10:40:03 ucsserver simplesamlphp[33276]: 3 [5c2f483db6] SimpleSAML_Error_Exception: Error 2 - array_key_exists() expects parameter 2 to be array, null given

On the affected server the permissions were

-rw------- 1 root samlcgi 2195 Jul 22 10:35 /etc/simplesamlphp/serviceprovider_enabled_groups.json

But the file owner should be samlcgi.

As it is unclear how the permissions changed, as a first fix we could check and fix the permissions in the listener when the file is updated.
Comment 1 Julia Bremer univentionstaff 2020-08-19 12:31:58 CEST
The listener already sets the permissions at each file update though:

saml/univention-saml/listener/univention-saml-groups.py

        # excerpt from the listener: tmp_path, path, uid and gid are set earlier in the function
        with open(tmp_path, 'w+') as outfile:
            json.dump(data, outfile)
            os.chmod(tmp_path, 0o600)     # owner read/write only (0600)
            os.chown(tmp_path, uid, gid)  # uid/gid of the samlcgi user
        shutil.move(tmp_path, path)       # atomic replace of the live file
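An added example, not code from the bug thread or from the univention-saml listener: it implements the check the description proposes (owner, group and mode of serviceprovider_enabled_groups.json) around the same write, chmod, chown, move pattern as the listener excerpt above. The path, uid and gid are passed in as the listener does; a listener or a monitoring job could run check_file_permissions() after each update.

```python
import json
import os
import shutil
import stat
import tempfile

# Mode the listener sets on the file (owner read/write only).
EXPECTED_MODE = 0o600


def check_file_permissions(path, uid, gid, mode=EXPECTED_MODE):
    """Return a list of problems (owner, group, mode); empty means OK.

    This is the check the bug description proposes: compare the file with
    what the simplesamlphp process (running as samlcgi) needs to read it.
    """
    try:
        st = os.stat(path)
    except OSError as exc:
        return ["cannot stat %s: %s" % (path, exc)]
    problems = []
    if st.st_uid != uid:
        problems.append("owner is uid %d, expected %d" % (st.st_uid, uid))
    if st.st_gid != gid:
        problems.append("group is gid %d, expected %d" % (st.st_gid, gid))
    actual = stat.S_IMODE(st.st_mode)
    if actual != mode:
        problems.append("mode is %04o, expected %04o" % (actual, mode))
    return problems


def write_enabled_groups(data, path, uid, gid, mode=EXPECTED_MODE):
    """Write the JSON atomically, same shape as the listener in comment 1.
    Ownership and mode are set on the temp file before the rename, so a
    reader never sees a half-written or wrongly-owned file. Returns the
    result of check_file_permissions() on the final file.
    """
    dirname = os.path.dirname(path) or "."
    fd, tmp_path = tempfile.mkstemp(prefix=".groups-", dir=dirname)
    try:
        with os.fdopen(fd, "w") as outfile:
            json.dump(data, outfile)
        os.chmod(tmp_path, mode)
        os.chown(tmp_path, uid, gid)  # changing to another user needs root
        shutil.move(tmp_path, path)
    except Exception:
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)
        raise
    return check_file_permissions(path, uid, gid, mode)
```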
Comment 2 Erik Damrose univentionstaff 2020-08-19 14:51:02 CEST
(In reply to Julia Bremer from comment #1)
> The listener already sets the permissions at each file update though:

That's great, I did not check the code before creating the bug. That means a simple workaround other than fixing the file ownership via CLI is to simply modify any group's SAML settings.
Comment 3 Erik Damrose univentionstaff 2020-09-10 14:45:55 CEST

*** This bug has been marked as a duplicate of bug 51608 ***