Univention Bugzilla – Full Text Bug Listing |
Summary: | freeradius is unable to start due to permissions of /etc/freeradius/ssl | ||
---|---|---|---|
Product: | UCS | Reporter: | Michael Grandjean <grandjean> |
Component: | Radius | Assignee: | Christian Castens <castens> |
Status: | CLOSED FIXED | QA Contact: | Max Pohle <pohle> |
Severity: | normal | ||
Priority: | P5 | CC: | castens, gulden, pohle, requate |
Version: | UCS 4.4 | Flags: | requate:
Patch_Available+
|
Target Milestone: | UCS 4.4-4-errata | ||
Hardware: | Other | ||
OS: | Windows NT | ||
What kind of report is it?: | Bug Report | What type of bug is this?: | 4: Minor Usability: Impairs usability in secondary scenarios |
Who will be affected by this bug?: | 2: Will only affect a few installed domains | How will those affected feel about the bug?: | 3: A User would likely not purchase the product |
User Pain: | 0.137 | Enterprise Customer affected?: | |
School Customer affected?: | Yes | ISV affected?: | |
Waiting Support: | Flags outvoted (downgraded) after PO Review: | ||
Ticket number: | Bug group (optional): | ||
Max CVSS v3 score: |
Description
Michael Grandjean
2020-02-29 22:47:56 CET
Package: univention-radius Version: 6.0.2-25A~4.4.0.202006081555 Branch: ucs_4.4-0 Scope: errata4.4-4 2a8dba7b64 Bug #50887: Permissions for radius in postinst 00a27d9298 Bug #50887: changelog 7c4d8ab01a Bug #50887: yaml updated dd49035810 Bug #50887, fix /etc/freeradius/ssl ownership 8b18bbb680 Bug #50887: condition for permission setting 23c3b03cac Bug #50887: changelog updated f918ae611 Bug #50887: Radius permissions set during installation Permissions are now set via "univention-radius.postinst" (if path exists) and "80univention-radius.inst". Package: univention-management-console-module-diagnostic Version: 5.0.1-49A~4.4.0.202006041601 Branch: ucs_4.4-0 Scope: errata4.4-4 3693745d37 Bug #50887: Diagnostic check for radius permissions 43b72f1aad Bug #50887: yaml diagnostic module A new diagnostic check has been added. Path "/etc/freeradius/ssl" is checked for correct permissions. I installed the usual package without the bug fix and it created this directory structure: ``` ├── [drwxr-xr-x freerad freerad ] 3.0 │ ├── [drwxr-xr-x freerad freerad ] certs │ ├── [drwxr-xr-x freerad freerad ] mods-available │ ├── [drwxr-xr-x freerad freerad ] mods-config │ │ ├── [drwxr-xr-x freerad freerad ] attr_filter │ │ ├── [drwxr-xr-x freerad freerad ] files │ │ ├── [drwxr-xr-x freerad freerad ] perl │ │ ├── [drwxr-xr-x freerad freerad ] preprocess │ │ ├── [drwxr-xr-x freerad freerad ] python │ │ ├── [drwxr-xr-x freerad freerad ] sql │ │ │ ├── [drwxr-xr-x freerad freerad ] counter │ │ │ │ ├── [drwxr-xr-x freerad freerad ] mysql │ │ │ │ ├── [drwxr-xr-x freerad freerad ] postgresql │ │ │ │ └── [drwxr-xr-x freerad freerad ] sqlite │ │ │ ├── [drwxr-xr-x freerad freerad ] cui │ │ │ │ ├── [drwxr-xr-x freerad freerad ] mysql │ │ │ │ ├── [drwxr-xr-x freerad freerad ] postgresql │ │ │ │ └── [drwxr-xr-x freerad freerad ] sqlite │ │ │ ├── [drwxr-xr-x freerad freerad ] ippool │ │ │ │ ├── [drwxr-xr-x freerad freerad ] mysql │ │ │ │ ├── [drwxr-xr-x freerad freerad ] oracle │ │ │ │ ├── [drwxr-xr-x freerad freerad ] postgresql │ │ │ │ └── [drwxr-xr-x freerad freerad ] sqlite │ │ │ ├── [drwxr-xr-x freerad freerad ] ippool-dhcp │ │ │ │ ├── [drwxr-xr-x freerad freerad ] mysql │ │ │ │ ├── [drwxr-xr-x freerad freerad ] oracle │ │ │ │ └── [drwxr-xr-x freerad freerad ] sqlite │ │ │ └── [drwxr-xr-x freerad freerad ] main │ │ │ ├── [drwxr-xr-x freerad freerad ] mssql │ │ │ ├── [drwxr-xr-x freerad freerad ] mysql │ │ │ │ └── [drwxr-xr-x freerad freerad ] extras │ │ │ │ └── [drwxr-xr-x freerad freerad ] wimax │ │ │ ├── [drwxr-xr-x freerad freerad ] ndb │ │ │ ├── [drwxr-xr-x freerad freerad ] oracle │ │ │ ├── [drwxr-xr-x freerad freerad ] postgresql │ │ │ │ └── [drwxr-xr-x freerad freerad ] extras │ │ │ └── [drwxr-xr-x freerad freerad ] sqlite │ │ └── [drwxr-xr-x freerad freerad ] unbound │ ├── [drwxr-xr-x freerad freerad ] mods-enabled │ ├── [drwxr-xr-x freerad freerad ] policy.d │ ├── [drwxr-xr-x freerad freerad ] sites-available │ └── [drwxr-xr-x freerad freerad ] sites-enabled └── [drwxr-sr-x root freerad ] ssl ``` Everything looks okay, so I mofied the permissions for `/etc/freeradius/ssl` with `chmod go-rx /etc/freeradius/ssl/` and then installed the upcoming patch. The patch fixes the permission problem automatically during the package update -> verified, issue is fixed A suggestion was made by Florian to use a `dpkg-statoverride` instead of `chmod`. That would allow the system administrator to adapt the permissions and the solution would nevertheless survive any package update. The debian documentation states under point 10.9 "Permissions and Owners", footnote 14 (https://www.debian.org/doc/debian-policy/ch-files.html#id29): "To correctly change permissions of a directory the package owns, explicit action is required, usually in the `postinst` script". With our fix we followed that approach as it solves the bug, even though configurability would have been a nice and new feature. |