Univention Bugzilla – Bug 53431
univention-join executed with umask 0077 (on UMC)
Last modified: 2023-09-20 17:56:49 CEST
univention-join executed with umask 0077 (on UMC)

This results in all joinscripts also being run with umask 0077 and can result in wrong file permissions. For example:

    -rw------- 1 root nogroup 1,9K Jun 10 14:04 /usr/lib/python3/dist-packages/univention/admin/syntax.d/app_syntax.py

The syntax is now only readable for root.

This has been previously discussed in some way or another: bug 21587, bug 25287 (bug 30112 broke it again), bug 33241 and possibly more. We might need better tests for this ;)

I see at least three possible solutions:
- set the umask in the umc join module
- set the umask in the univention-join/univention-run-join-script scripts
- explicitly set the file access rights (in this case in the listener module: udm_extension)

How to reproduce on a replicant:
A) join using the umc
B) - delete "/usr/lib/python3/dist-packages/univention/admin/syntax.d/app_syntax.py"
   - force join script execution of 03univention-directory-listener using the umc

Listener tracebacks (no crash though):

    Traceback (most recent call last):
      File "/usr/lib/python3/dist-packages/univention/admin/syntax.py", line 94, in import_syntax_files
        with io.open(fn, 'rb') as fd:
    PermissionError: [Errno 13] Permission denied: '/usr/lib/python3/dist-packages/univention/admin/syntax.d/app_syntax.py'
    --------------------------------------------------
    Traceback (most recent call last):
      File "/usr/lib/python3/dist-packages/univention/admin/syntax.py", line 94, in import_syntax_files
        with io.open(fn, 'rb') as fd:
    PermissionError: [Errno 13] Permission denied: '/usr/lib/python3/dist-packages/univention/admin/syntax.d/univention-portal.py'
univention-management-console-server runs with Umask 0077:

    # grep ^Umask /proc/931/status
    Umask:  0077

This is inherited by "univention-management-console-module -m join":

    # grep ^Umask /proc/3390/status
    Umask:  0077

/usr/sbin/univention-join does not overwrite the umask itself, so it inherits this and all files lack permissions for the group and all other users.
The listener is not working properly anymore. Modules could not get initialized, for example samba-shares, so no shares (in school all class shares) are created.
Happens in another school environment.
https://git.knut.univention.de/univention/ucs/-/merge_requests/807
The TM was changed to 5.0-5-Errata and the FB was rebased on 5.0-5, but the MR is still targeting 5.0-4 and thus fails. Please retarget to 5.0-4-Errata to get this out ASAP.
The join module is now executed with umask 022 instead of 077.

univention-management-console-module-join.yaml
fd13dae347d8 | fix(umc-join): run join with more permissive umask

univention-management-console-module-join (12.0.5-5)
fd13dae347d8 | fix(umc-join): run join with more permissive umask
    I='/usr/lib/univention-install/09test.inst'
    base64 -d <<</Td6WFoAAATm1rRGAgAhARYAAAB0L+Wj4AC/AJldABGIQkY99BY0cwoN9BCnjxEL2X8MEpkwnSXp4vfe6BMssEHSXYJOz4FLkfq3S9VMH65YfWPq5knNLSyCQHVLM+1rTwSRU/zsJHFPbqLQnwJWrA4Mtp7LWZ6JzXzZiayBBo8Edi41T+JZuafP67ycCkUmgSYdXQl7kqinPokB+jesftf6ODwo7R5ArqyBbNnneFlpracSY1IAAAAAAABJ+n12kdSWVgABtQHAAQAAmvu9w7HEZ/sCAAAAAARZWg== | xz -d >"$I"
    chmod 755 "$I"
    …
    ls -l /tmp/join
    # old: 0600
    # new: 0644

Actually this is a bug in `univention-join` or rather `univention-run-join-scripts`:

    # umask 0077
    # univention-run-join-scripts
    ...
    # ls -l /tmp/join
    0600

Setting a `umask 0077` is not uncommon in security aware environments. Any use of `cp` is affected by `umask`; better always use `install -m644 …` everywhere.

(In reply to Jürn Brodersen from comment #0)
> I see at least three possible solutions:
> - set the umask in the umc join module

This is what this bug does; the fix is incomplete.

> - set the umask in the univention-join/univention-run-join-script scripts

Adding a `umask 0022` in both programs would be the simplest fix.

> - explicitly set the file access rights (in this case in the listener module: udm_extension)

This is a little bit more complicated:
- UDL modules are normally executed by UDL, which is running with `umask 0022` when executed by `systemd`:

    # grep Umask /proc/`pgrep -f /usr/sbin/univention-directory-listener`/status
    Umask:  0022

- But `03univention-directory-listener.inst` runs `univention-directory-listener $mode` directly to initialize it, where the `umask` is inherited.
Actually all UDL modules (and join scripts) using
- os.mkdir()
- write(mode="w")
must explicitly use `os.chmod()` or better `os.fchmod()` to make the files group-world-readable if that is desired case-by-case:

    /usr/lib/univention-directory-listener/system/udm_extension.py
    277    with open(filename, 'wb') as f:
    379    os.mkdir(target_path)
    385    with open(python_init_filename, 'wb') as fd:  # touch
    475    with open(filename, 'wb') as f:
    520    with open(filename, 'wb') as f:
    570    with open(filename, 'wb') as f:
    599    with open(filename, 'wb') as f:

I think the better change would be to add `umask 0022` to both `/usr/sbin/univention-join` and `/usr/sbin/univention-run-join-scripts`.
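The following is an added example, not code from Univention or from this bug's fix. It reproduces the two mechanisms discussed in the comments above in a throw-away temporary directory: a process umask of 0077 strips the group/other bits from everything `open()` and `os.mkdir()` create, and the umask is inherited by child processes (the `grep ^Umask /proc/<pid>/status` check above, here done by spawning a child interpreter); it then shows the explicit `os.fchmod()`/`os.chmod()` approach from the previous comment, which yields the intended mode whatever umask the process inherited. File names, the sample content and the target modes 0644/0755 are constructed for the example.

```python
import os
import stat
import subprocess
import sys
import tempfile

# Added example (not Univention code). Demonstrates why an inherited umask of
# 0077 leaves files readable by root only, and how an explicit fchmod/chmod
# after creation makes the result independent of the umask.

FILE_MODE = 0o644   # constructed target: what a syntax.d module needs (world-readable)
DIR_MODE = 0o755    # constructed target: what a package directory needs (world-traversable)


def _modes(file_path, dir_path):
    """Permission bits (file type stripped) of a file and a directory."""
    return (stat.S_IMODE(os.stat(file_path).st_mode),
            stat.S_IMODE(os.stat(dir_path).st_mode))


def create_naive(directory, umask):
    """Create a file and a directory the way the listener module does today:
    the mode is whatever the current umask leaves over (0666/0777 & ~umask).
    Under umask 0077 that is 0600 / 0700, i.e. accessible by the owner only."""
    old = os.umask(umask)
    try:
        file_path = os.path.join(directory, "naive_syntax.py")
        dir_path = os.path.join(directory, "naive_dir")
        with open(file_path, "wb") as f:
            f.write(b"# constructed sample module\n")
        os.mkdir(dir_path)
    finally:
        os.umask(old)          # never leave a changed umask behind
    return _modes(file_path, dir_path)


def create_explicit(directory, umask):
    """Same creation, but the mode is set explicitly after creation.
    os.fchmod() on the still-open descriptor acts on the file we just
    created, not on whatever the path name resolves to later."""
    old = os.umask(umask)
    try:
        file_path = os.path.join(directory, "explicit_syntax.py")
        dir_path = os.path.join(directory, "explicit_dir")
        with open(file_path, "wb") as f:
            f.write(b"# constructed sample module\n")
            os.fchmod(f.fileno(), FILE_MODE)
        os.mkdir(dir_path)
        os.chmod(dir_path, DIR_MODE)
    finally:
        os.umask(old)
    return _modes(file_path, dir_path)


def inherited_umask(umask):
    """Set a umask, spawn a child interpreter and return the umask the child
    sees: the same inheritance that carries 0077 from the UMC server down to
    univention-join and the join scripts."""
    old = os.umask(umask)
    try:
        out = subprocess.run(
            [sys.executable, "-c", "import os; print(os.umask(0))"],
            capture_output=True, text=True, check=True).stdout
    finally:
        os.umask(old)
    return int(out)


def demo(umask=0o077):
    """Return ((naive_file, naive_dir), (explicit_file, explicit_dir)) for umask."""
    with tempfile.TemporaryDirectory() as d:
        return create_naive(d, umask), create_explicit(d, umask)


if __name__ == "__main__":
    for m in (0o077, 0o022):
        naive, explicit = demo(m)
        print("umask %04o: naive %04o/%04o, explicit %04o/%04o, child inherits %04o"
              % (m, naive[0], naive[1], explicit[0], explicit[1], inherited_umask(m)))
```

Run as a script it prints one line per umask; with 0077 the naive files come out 0600/0700 and the explicit ones 0644/0755, with 0022 both variants agree, which is exactly why the inherited-umask defect stayed invisible on systems that never changed their umask.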
<https://errata.software-univention.de/#/?erratum=5.0x810>