Bug 48814 - /var/cache/univention-portal has wrong permissions
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Portal
UCS 4.4
Other Linux
: P5 normal (vote)
: UCS 4.4-0-errata
Assigned To: Dirk Wiesenthal
Johannes Keiser
https://help.univention.com/t/problem...
Depends on:
Blocks:
Reported: 2019-02-27 20:49 CET by Philipp Hahn
Modified: 2019-08-19 14:04 CEST

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?: 5: Will affect all installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.171
Enterprise Customer affected?: Yes
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2019042321000705, 2019042421000847
Bug group (optional):
Max CVSS v3 score:
hahn: Patch_Available+


Description Philipp Hahn univentionstaff 2019-02-27 20:49:50 CET
A newly installed UCS-4.4 system has '/var/cache/univention-portal' with mode 0o755, but it should be 0o700. This is the only issue found when running the UMC system diagnostics module.
An out-of-the-box-installation should not be "kaputt".

Either tell the diagnostics module that it is okay, or fix the permissions by applying a fix similar to <https://git.knut.univention.de/univention/ucs/commit/4051a4c6c2ebf432ca7aef68218786528b22f610> from Bug #47741.
Comment 1 Christian Völker univentionstaff 2019-04-24 09:09:08 CEST
Frequently generating support tickets. 

As already suggested, either remove the warning from UMC or simply correct the settings.
Comment 2 Philipp Hahn univentionstaff 2019-05-06 18:16:41 CEST
UCS technical training 2019-03-21/22
UCS technical training 2019-05-08/09
git:phahn/48814-diag-cache-permissions

QA: univention-run-diagnostic-checks --username Administrator --bindpwdfile <(exec printf %s univention) -t 31_file_permissions
< Datei '/var/cache/univention-portal' hat Datei-Modus 755, 700 war erwartet.
> ran 31_file_permissions successfully
Comment 3 Michel Smidt 2019-05-16 10:43:52 CEST
Requested by customer
Comment 4 Philipp Hahn univentionstaff 2019-05-17 10:23:53 CEST
(In reply to Philipp Hahn from comment #2)
> git:phahn/48814-diag-cache-permissions

https://git.knut.univention.de/univention/ucs/commit/f657d5a551ff0d7bfb674de4364ed4159cb7b1a0

Unless the generated files contain secret data, 0755 is okay for that directory and the diagnostic module should be fixed.
Comment 5 Dirk Wiesenthal univentionstaff 2019-05-17 11:35:11 CEST
(In reply to Philipp Hahn from comment #4)
> (In reply to Philipp Hahn from comment #2)
> > git:phahn/48814-diag-cache-permissions
> 
> https://git.knut.univention.de/univention/ucs/commit/f657d5a551ff0d7bfb674de4364ed4159cb7b1a0
> 
> Unless the generated files contain secret data, 0755 is okay for that
> directory and the diagnostic module should be fixed.

Probably, the cache essentially holds LDAP data that should be "world readable". But as there are some DNs involved and I did not want to start a lengthy discussion, I changed the permissions of /var/cache/univention-portal in the postinst.

debian/rules can do this, too, and seems like the correct place, but I found it does not work for existing installations that already created this directory with an older version of the package.

univention-portal 3.0.1-23A~4.4.0.201905171116
Comment 6 Johannes Keiser univentionstaff 2019-05-22 11:59:17 CEST
OK: file permission is now 700 (System diagnostic module does not show warning)
OK: yaml (b79b351a06 Bug #48814: yaml)
-> verified
Comment 7 Arvid Requate univentionstaff 2019-05-29 13:24:17 CEST
<http://errata.software-univention.de/ucs/4.4/128.html>
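
Added example, not part of the bug report and not Univention's code: the two sides discussed in this thread, a diagnostic that compares a directory's mode with the expected value, and a postinst-style repair as described in comment 5 that also tightens a directory left behind by an older package version. The function names are hypothetical, GNU stat is assumed, and a temporary directory stands in for /var/cache/univention-portal.

```shell
#!/bin/sh
# Added example; function names are hypothetical. Assumes GNU coreutils stat(1).

# Print the octal permission bits of a path, e.g. "755".
mode_of() {
    stat -c '%a' -- "$1"
}

# Diagnostic side: report when a path's mode differs from the expected one.
# Returns 0 on match, 1 on mismatch, 2 if the path does not exist.
check_mode() {
    path=$1
    expected=$2
    [ -e "$path" ] || { echo "MISSING $path"; return 2; }
    actual=$(mode_of "$path")
    if [ "$actual" != "$expected" ]; then
        echo "MISMATCH $path: mode $actual, expected $expected"
        return 1
    fi
    echo "OK $path: mode $actual"
}

# postinst side: runs on fresh installs and on upgrades, so it must both
# create the directory and tighten one that an older version left at 0755.
# Returns 3 without touching anything if the path is a symlink.
ensure_private_dir() {
    dir=$1
    if [ -L "$dir" ]; then
        echo "REFUSED $dir: is a symlink" >&2
        return 3
    fi
    (umask 077 && mkdir -p -- "$dir") || return 1
    chmod 0700 -- "$dir"
}

# Constructed demo: a temporary directory stands in for
# /var/cache/univention-portal as created by an older package version.
demo=$(mktemp -d)
mkdir -m 0755 "$demo/univention-portal"
check_mode "$demo/univention-portal" 700 || true
ensure_private_dir "$demo/univention-portal"
check_mode "$demo/univention-portal" 700
rm -rf -- "$demo"
```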