Univention Bugzilla – Bug 56634
univention-join executed with wrong umask
Last modified: 2023-09-20 16:30:37 CEST
+++ This bug was initially created as a clone of Bug #53431 +++

I='/usr/lib/univention-install/09test.inst'
base64 -d <<</Td6WFoAAATm1rRGAgAhARYAAAB0L+Wj4AC/AJldABGIQkY99BY0cwoN9BCnjxEL2X8MEpkwnSXp4vfe6BMssEHSXYJOz4FLkfq3S9VMH65YfWPq5knNLSyCQHVLM+1rTwSRU/zsJHFPbqLQnwJWrA4Mtp7LWZ6JzXzZiayBBo8Edi41T+JZuafP67ycCkUmgSYdXQl7kqinPokB+jesftf6ODwo7R5ArqyBbNnneFlpracSY1IAAAAAAABJ+n12kdSWVgABtQHAAQAAmvu9w7HEZ/sCAAAAAARZWg== | xz -d >"$I"
chmod 755 "$I"
…
ls -l /tmp/join
# old: 0600
# new: 0644

Actually this is a bug in `univention-join` or rather `univention-run-join-scripts`:

# umask 0077
# univention-run-join-scripts ...
# ls -l /tmp/join
0600

Setting a `umask 0077` is not uncommon in security-aware environments.
Any use of `cp` is affected by `umask`; better always use `install -m644 …` everywhere.

(In reply to Jürn Brodersen from comment #0)
> I see at least three possible solutions:
> - set the umask in the umc join module
This is what bug #53431 did; the fix is incomplete for the CLI.
> - set the umask in the univention-join/univention-run-join-script scripts
Adding a `umask 0022` in both programs would be the simplest fix.
> - explicitly set the file access rights (in this case in the listener module: udm_extension)
This is a little bit more complicated:
- UDL modules are normally executed by UDL, which is running with `umask 0022` when executed by `systemd`:
  # grep Umask /proc/`pgrep -f /usr/sbin/univention-directory-listener`/status
  Umask:  0022
- But `03univention-directory-listener.inst` runs `univention-directory-listener $mode` directly to initialize it, where the `umask` is inherited.
Actually all UDL modules (and join scripts) using
- os.mkdir()
- write(mode="w")
must explicitly use `os.chmod()` or better `os.fchmod()` to make the files group-/world-readable if that is desired, case-by-case:

/usr/lib/univention-directory-listener/system/udm_extension.py
277 with open(filename, 'wb') as f:
379 os.mkdir(target_path)
385 with open(python_init_filename, 'wb') as fd: # touch
475 with open(filename, 'wb') as f:
520 with open(filename, 'wb') as f:
570 with open(filename, 'wb') as f:
599 with open(filename, 'wb') as f:

I think the better change would be to add `umask 0022` to both `/usr/sbin/univention-join` and `/usr/sbin/univention-run-join-scripts`.
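The two comments above describe the same mechanism from both sides: a file or directory created with plain open()/os.mkdir() gets its mode from the process umask, so a join script or listener module run under `umask 0077` silently produces 0600/0700 artefacts, and the only umask-independent fix in the module itself is an explicit os.fchmod()/os.chmod(). The following is an added, self-contained illustration written for this page; it is not code from univention-join, univention-run-join-scripts or udm_extension.py. It uses only the Python standard library, creates everything in a temporary directory, and restores the caller's umask afterwards. The helper names (write_naive, write_world_readable, mkdir_world_readable, run_under_umask) are assumptions for the example only.

```python
import os
import stat
import tempfile


def write_naive(path, data):
    """The pattern listed in the bug report: open(path, 'wb') creates the
    file with 0666 & ~umask, so the result depends on who invoked us."""
    with open(path, 'wb') as f:
        f.write(data)


def write_world_readable(path, data, mode=0o644):
    """Same write, but the mode is set explicitly while the descriptor is
    still open (os.fchmod), so the umask of the caller no longer matters.
    fchmod on the open descriptor is preferred over chmod on the path:
    it cannot be redirected by a path swap between create and chmod."""
    with open(path, 'wb') as f:
        f.write(data)
        os.fchmod(f.fileno(), mode)


def mkdir_world_readable(path, mode=0o755):
    """os.mkdir(path, mode) is still masked by the umask, so the explicit
    os.chmod afterwards is what actually guarantees the requested mode."""
    os.mkdir(path, mode)
    os.chmod(path, mode)


def file_mode(path):
    """Permission bits only (no file-type bits), e.g. 0o644."""
    return stat.S_IMODE(os.stat(path).st_mode)


def run_under_umask(umask):
    """Create the naive and the fixed variants of a file and a directory
    under the given umask and return their resulting permission bits."""
    old = os.umask(umask)          # process-wide: remember and restore it
    try:
        with tempfile.TemporaryDirectory() as tmp:
            naive = os.path.join(tmp, "naive")
            fixed = os.path.join(tmp, "fixed")
            naive_dir = os.path.join(tmp, "naive_dir")
            fixed_dir = os.path.join(tmp, "fixed_dir")

            write_naive(naive, b"constructed sample content\n")
            write_world_readable(fixed, b"constructed sample content\n")
            os.mkdir(naive_dir)
            mkdir_world_readable(fixed_dir)

            return {
                "naive_file": file_mode(naive),
                "fixed_file": file_mode(fixed),
                "naive_dir": file_mode(naive_dir),
                "fixed_dir": file_mode(fixed_dir),
            }
    finally:
        os.umask(old)


if __name__ == "__main__":
    for um in (0o022, 0o077):
        modes = run_under_umask(um)
        print("umask %04o:" % um,
              ", ".join("%s=%04o" % kv for kv in sorted(modes.items())))
```

Under `umask 0022` the naive and fixed variants are indistinguishable (0644 and 0755), which is why the problem only shows up on hosts with a restrictive umask: under `umask 0077` the naive file comes out 0600 and the naive directory 0700, while the fchmod/chmod variants stay at 0644/0755. Note that the explicit mode widens permissions relative to what the umask would have produced, so it should only be applied where the file really is meant to be group-/world-readable, as the comment says: case-by-case.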