Bug 56634 - univention-join executed with wrong umask
Status: NEW
Product: UCS
Classification: Unclassified
Component: Join (univention-join)
Version: UCS 5.0
Hardware: Other Linux
Importance: P5 normal
Target Milestone: ---
Assigned To: UCS maintainers
Depends on: 53431
Blocks:
Reported: 2023-09-20 16:30 CEST by Philipp Hahn
Modified: 2023-09-20 16:30 CEST
CC: 6 users

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 6: Setup Problem: Issue for the setup process
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.343
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Description Philipp Hahn univentionstaff 2023-09-20 16:30:37 CEST
+++ This bug was initially created as a clone of Bug #53431 +++

I='/usr/lib/univention-install/09test.inst'
base64 -d <<</Td6WFoAAATm1rRGAgAhARYAAAB0L+Wj4AC/AJldABGIQkY99BY0cwoN9BCnjxEL2X8MEpkwnSXp4vfe6BMssEHSXYJOz4FLkfq3S9VMH65YfWPq5knNLSyCQHVLM+1rTwSRU/zsJHFPbqLQnwJWrA4Mtp7LWZ6JzXzZiayBBo8Edi41T+JZuafP67ycCkUmgSYdXQl7kqinPokB+jesftf6ODwo7R5ArqyBbNnneFlpracSY1IAAAAAAABJ+n12kdSWVgABtQHAAQAAmvu9w7HEZ/sCAAAAAARZWg== | xz -d >"$I"
chmod 755 "$I"
…
ls -l /tmp/join
# old: 0600
# new: 0644


Actually this is a bug in `univention-join`, or rather `univention-run-join-scripts`:

# umask 0077
# univention-run-join-scripts
...
# ls -l /tmp/join
0600

Setting a `umask 0077` is not uncommon in security aware environments.

Any use of `cp` is affected by `umask`; better always use `install -m644 …` everywhere.


(In reply to Jürn Brodersen from comment #0)
> I see at least three possible solutions:
> - set the umask in the umc join module

This is what bug #53431 did; the fix is incomplete for CLI.

> - set the umask in the univention-join/univention-run-join-script scripts

Adding a `umask 0022` in both programs would be the simplest fix.

> - explicitly set the file access rights (in this case in the listener module: udm_extension)

This is a little bit more complicated:
- UDL modules are normally executed by UDL, which is running with `umask 0022` when executed by `systemd`:
  # grep Umask /proc/`pgrep -f /usr/sbin/univention-directory-listener`/status
  Umask:  0022
- But `03univention-directory-listener.inst` runs `univention-directory-listener $mode` directly to initialize it, where the `umask` is inherited.

Actually all UDL modules (and join scripts) using
- os.mkdir()
- write(mode="w")
must explicitly use `os.chmod()` or better `os.fchmod()` to make the files group-world-readable if that is desired case-by-case:

/usr/lib/univention-directory-listener/system/udm_extension.py
277             with open(filename, 'wb') as f:
379             os.mkdir(target_path)
385         with open(python_init_filename, 'wb') as fd:  # touch
475         with open(filename, 'wb') as f:
520         with open(filename, 'wb') as f:
570     with open(filename, 'wb') as f:
599         with open(filename, 'wb') as f:



I think the better change would be to add `umask 0022` to both `/usr/sbin/univention-join` and `/usr/sbin/univention-run-join-scripts`.
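The effect described in this report, and the two fixes it weighs (forcing `umask 0022` in the calling script versus making each module set the mode explicitly with `os.fchmod()`/`os.chmod()`), shown side by side as an added example. This is illustration code written for this page, not code from the bug report or from UCS; the helper names `write_naive`, `write_explicit`, `mkdir_explicit` and `demo` are assumptions, and the scratch directory and file contents are constructed for the demonstration.

```python
"""Demonstrate how the caller's umask decides the mode of files created by
open(..., 'wb') and os.mkdir(), and how to make the mode explicit.

Added example for this bug page; not part of UCS or the bug report.
"""
import os
import stat
import tempfile


def perm_bits(path):
    """Return only the permission bits of path, e.g. 0o600."""
    return stat.S_IMODE(os.lstat(path).st_mode)


def write_naive(filename, data):
    """Pattern from udm_extension.py: rely on open()'s default 0o666 & ~umask."""
    with open(filename, 'wb') as f:
        f.write(data)


def write_explicit(filename, data, mode=0o644):
    """Force the mode on the open descriptor, independent of the umask.

    fchmod() on the descriptor avoids a second path lookup, so there is no
    window in which a renamed or replaced path could receive the chmod.
    """
    with open(filename, 'wb') as f:
        os.fchmod(f.fileno(), mode)
        f.write(data)


def mkdir_explicit(path, mode=0o755):
    """os.mkdir(path, mode) is still reduced by the umask; chmod() is not."""
    os.mkdir(path, mode)
    os.chmod(path, mode)


def demo(umask_value):
    """Create a file/dir each way under umask_value; return the resulting modes.

    demo(0o022) corresponds to the 'add umask 0022 to univention-join and
    univention-run-join-scripts' fix: the naive writer then also yields 0o644.
    demo(0o077) corresponds to a security-aware shell where only the explicit
    variants come out group/world-readable.
    """
    old_umask = os.umask(umask_value)
    try:
        with tempfile.TemporaryDirectory() as tmp:  # constructed scratch dir
            naive = os.path.join(tmp, 'naive.py')
            explicit = os.path.join(tmp, 'explicit.py')
            subdir = os.path.join(tmp, 'pkg')
            write_naive(naive, b'# constructed content\n')
            write_explicit(explicit, b'# constructed content\n')
            mkdir_explicit(subdir)
            return {
                'naive': perm_bits(naive),
                'explicit': perm_bits(explicit),
                'dir': perm_bits(subdir),
            }
    finally:
        os.umask(old_umask)


if __name__ == '__main__':
    for u in (0o077, 0o022):
        modes = demo(u)
        print('umask %04o:' % u,
              ', '.join('%s=%04o' % (k, v) for k, v in sorted(modes.items())))
```

Running it under a 0077 umask shows the naive writer producing 0600 while the explicit variants still produce 0644/0755; under 0022 all three agree, which is why a single `umask 0022` in the two shell entry points is the smaller change, whereas the per-module `fchmod()` is the one that keeps working when a module is invoked from any shell.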