Bug 35368

Summary: Listener module cups-printers.py doesn't set uid(0) when loading UCR handlers
Product: UCS
Reporter: Florian Best <best>
Component: UCR
Assignee: Felix Botner <botner>
Status: CLOSED FIXED
QA Contact: Stefan Gohmann <gohmann>
Severity: normal
Priority: P5
CC: gohmann, hahn, walkenhorst
Version: UCS 3.2
Target Milestone: UCS 3.2-3-errata
Hardware: Other
OS: Linux
Attachments: Skip writing cache if process has no write permission

Description Florian Best univentionstaff 2014-07-15 15:28:09 CEST
15.07.14 15:25:57.138  LISTENER    ( ERROR   ) : import of filename=/usr/lib/univention-directory-listener/system/cups-printers.py failed
Traceback (most recent call last):
  File "/usr/lib/univention-directory-listener/system/cups-printers.py", line 42, in <module>
    ucr_handlers.load()
  File "/usr/lib/pymodules/python2.6/univention/config_registry/handler.py", line 530, in load
    self.update()
  File "/usr/lib/pymodules/python2.6/univention/config_registry/handler.py", line 702, in update
    self._save_cache()
  File "/usr/lib/pymodules/python2.6/univention/config_registry/handler.py", line 742, in _save_cache
    cache_file = open(ConfigHandlers.CACHE_FILE, 'w')
IOError: [Errno 13] Permission denied: '/var/cache/univention-config/cache'

Seems that ucr_handlers.load() has a side effect of caching things so that it writes to a cache file which is only writeable by root.

If this error should be handled in UCR directly, please change the component.

Workaround is:
--- /usr/lib/univention-directory-listener/system/cups-printers.py.old  2014-07-15 15:31:33.536000000 +0200
+++ /usr/lib/univention-directory-listener/system/cups-printers.py      2014-07-15 15:28:45.160000000 +0200
@@ -39,7 +39,9 @@
 ## for the ucr commit below in postrun we need ucr configHandlers
 from univention.config_registry import configHandlers
 ucr_handlers = configHandlers()
+listener.setuid(0)
 ucr_handlers.load()
+listener.unsetuid()
 from univention.config_registry.interfaces import Interfaces
 interfaces = Interfaces(listener.configRegistry)
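Review bot: the added listener.unsetuid() directly after ucr_handlers.load() is not in a finally block, so if load() raises for any reason the module import aborts while the listener process is still at EUID 0. Wrap the call in try/finally so the privilege drop always runs. It is also worth checking whether all of load() needs to run as root: per the traceback above, the only step that failed was the cache write in _save_cache, so handling that case in UCR would avoid elevating at import time at all.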
Comment 1 Philipp Hahn univentionstaff 2014-07-16 09:01:35 CEST
(In reply to Florian Best from comment #0)
> Workaround is:
...
>  from univention.config_registry import configHandlers
>  ucr_handlers = configHandlers()
> +listener.setuid(0)
try:
>  ucr_handlers.load()
finally:
> +listener.unsetuid()

as the EUID is a property of the UNIX process, which must be reset always
(Bug #34324).
Comment 2 Philipp Hahn univentionstaff 2014-08-28 16:04:29 CEST
Created attachment 6079 [details]
Skip writing cache if process has no write permission
Comment 3 Felix Botner univentionstaff 2014-08-28 16:17:11 CEST
(In reply to Philipp Hahn from comment #2)
> Created attachment 6079 [details]
> Skip writing cache if process has no write permission

OK, merged patch to errata3.2-3 and UCS 4.0

YAML: 2014-08-28-univention-config-registry.yaml
Comment 4 Stefan Gohmann univentionstaff 2014-09-01 08:50:40 CEST
Test: OK, I was able to reproduce it with the old version but not with the erratum

YAML: I think we could also release the UCR package for UCS 3.2-2-errata → Reopen
Comment 5 Felix Botner univentionstaff 2014-09-01 09:47:11 CEST
2014-08-28-univention-config-registry.yaml
+version: [2,3]
Comment 6 Stefan Gohmann univentionstaff 2014-09-01 09:49:52 CEST
OK
Comment 7 Janek Walkenhorst univentionstaff 2014-09-10 17:34:36 CEST
http://errata.univention.de/ucs/3.2/189.html
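
As an added illustration, not code from this ticket or from UCR: a sketch of the two ideas discussed above, restoring the EUID in a finally block (comment 1) and skipping the cache write when the process lacks write permission (the title of attachment 6079, whose actual content is not shown on this page). The names elevated_euid and save_cache and the injectable seteuid/geteuid/opener parameters are assumptions made for the example.

```python
import contextlib
import errno
import os


@contextlib.contextmanager
def elevated_euid(target=0, seteuid=os.seteuid, geteuid=os.geteuid):
    """Run the with-block under another effective UID, then always restore it.

    seteuid/geteuid are injectable (an assumption of this example) so the
    logic can be exercised without actually being root.
    """
    saved = geteuid()
    seteuid(target)          # if this raises, nothing was changed
    try:
        yield
    finally:
        seteuid(saved)       # runs even when the block raises


def save_cache(path, data, opener=open):
    """Write the cache file; return False instead of failing when the
    process is not allowed to write it (EACCES, EPERM or EROFS)."""
    try:
        handle = opener(path, 'w')
    except EnvironmentError as exc:   # IOError/OSError on Python 2 and 3
        if exc.errno in (errno.EACCES, errno.EPERM, errno.EROFS):
            return False              # the cache is optional: skip it
        raise                         # anything else is a real error
    with handle:
        handle.write(data)
    return True
```

With save_cache tolerating the permission error, a caller running unprivileged no longer needs elevated_euid around the load at all; the context manager is for the cases where elevation is genuinely required.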