Description Florian Best 2025-03-21 14:31:16 CET

Bug #57453 changes the permissions of some files in Python:

diff --git services/univention-ad-connector/scripts/remove_ad_rejected.py services/univention-ad-connector/scripts/remove_ad_rejected.py
index ff7de82d3af..fd53ce3e9cc 100755
--- services/univention-ad-connector/scripts/remove_ad_rejected.py
+++ services/univention-ad-connector/scripts/remove_ad_rejected.py
@@ -50 +50,2 @@ def remove_ad_rejected(ad_dn):
-    config = univention.connector.configdb('/etc/univention/%s/internal.sqlite' % CONFIGBASENAME)
+    db_internal_file = '/etc/univention/%s/internal.sqlite' % CONFIGBASENAME
+    config = univention.connector.configdb(db_internal_file)
@@ -56 +57 @@ def remove_ad_rejected(ad_dn):
-
+    os.chmod(db_internal_file, 640)

diff --git services/univention-ad-connector/scripts/remove_ucs_rejected.py services/univention-ad-connector/scripts/remove_ucs_rejected.py
index 18d415727c0..8ac1a9f91fb 100755
--- services/univention-ad-connector/scripts/remove_ucs_rejected.py
+++ services/univention-ad-connector/scripts/remove_ucs_rejected.py
@@ -50 +50,2 @@ def remove_ucs_rejected(ucs_dn):
-    config = univention.connector.configdb('/etc/univention/%s/internal.sqlite' % CONFIGBASENAME)
+    db_internal_file = '/etc/univention/%s/internal.sqlite' % CONFIGBASENAME
+    config = univention.connector.configdb(db_internal_file)
@@ -63,0 +65 @@ def remove_ucs_rejected(ucs_dn):
+    os.chmod(db_internal_file, 640)

diff --git services/univention-ad-connector/scripts/resync_object_from_ad.py services/univention-ad-connector/scripts/resync_object_from_ad.py
index 9f58f7b44f4..73d42c19492 100755
--- services/univention-ad-connector/scripts/resync_object_from_ad.py
+++ services/univention-ad-connector/scripts/resync_object_from_ad.py
@@ -74,0 +75 @@ class ad(univention.connector.ad.ad):
+        os.chmod(cache_filename, 640)
@@ -82,0 +84 @@ class ad(univention.connector.ad.ad):
+        os.chmod(state_filename, 640)

→ the problem is, that 640 != 0o640.

Additionally the umask is set in the script:
diff --git services/univention-ad-connector/univention-ad-connector services/univention-ad-connector/univention-ad-connector
index a9f8644a146..6cd38642a50 100755
--- services/univention-ad-connector/univention-ad-connector
+++ services/univention-ad-connector/univention-ad-connector
@@ -35,0 +36 @@
+umask 027

→ This could be done in the systemd service defintion.

+++ This bug was initially created as a clone of Bug #57453 +++

Same applied to S4-Connector.