Roundup Tracker - Issues

Issue 2550506

Title: should properly set the group for the files
Type: behavior Severity: normal
Components: Web interface, Mail interface Versions: 1.4
Status: new Resolution:
Dependencies: Superseder:
Assigned To: Nosy List: lu_zero, rouilj, stefan
Priority: Keywords: Effort-Low

Created on 2009-02-18 13:54 by lu_zero, last changed 2016-07-04 21:28 by rouilj.

msg3555 Author: [hidden] (lu_zero) Date: 2009-02-18 13:54
As a way to workaround more or less improper usage of roundup-mailgw and
apache integration the simplest way should set a group (roundup) and
have both postfix and apache inside it and then make sure that the db
directory is owned by that group (e.g. roundup:roundup).

The problem is that the doesn't preserve the group and
instead saves files and dirs as either apache:apache or postfix:postfix.

The proper solution would be have a transport recipe for postfix and
avoid mod_python or even better have a single roundup daemon queried by
the various agents/front-ends.
msg3563 Author: [hidden] (stefan) Date: 2009-02-20 11:57
msg5750 Author: [hidden] (rouilj) Date: 2016-07-04 21:28
Luca, did you solve this?

One way to handle this is the following. Go to the roundup home
tracker directory. Take a backup in case things break, make sure you
can restore permissions, owner and group.

Then change all files and directories to the roundup group.

  chgrp -hR roundup .

(-h prevents changing the group for files symbolically linked outside the
roundup tree).

Then you need to set the setGID bit on the directories using:

  find . -type d | xargs chmod g+s

Now if you can write to the directory, you will see the file is in
group roundup. All files/directories created from now on will be in
group roundup. The user/owner will still be postfix or apache however.

A better fix requires the following code development:

  add a new group parameter to config.ini
  in roundup/scripts/* use this new value to setgid similar to how
     roundup-server currently handles -g.

  For roundup-server since it support -g implement the following:
      group is inherited from: -g on command line use -g DONOTSETGROUP 
          to explicitly prevent setgid
      group is read from the server (not tracker) config file
          again DONOTSETGROUP is used to prevent any setgid calls.
      group is read from the tracker's config.ini [main] section.

IIRC setgid can be done at any point as long as the effective user is
part of the group. So roundup-server should be able to setuid using
command line and the server config flags before handling the setgid
from the tracker config (assuming roundup-server can read the tracker
config using its effective uid/gid).

Note that all users invoking the scripts will have to be in group
roundup otherwise the setgid will fail.

The only reason for defaulting to the tracker config in roundup-server
is to provide one place to specify it that will work for all

Another way to do this is to use a small C program (or three of them
one for each roundup-admin, mail gw and the cgi program). Then the roundup
commands will run with their gid set to roundup and create files using
the roundup group.

I wold not suggest solving it with a "chgrp roundup" call in blobfiles. It
will kind of work, but it isn't clean. Running the whole program with proper
permissions has other advantages.

-- rouilj
Date User Action Args
2016-07-04 21:28:21rouiljsetkeywords: + Effort-Low
nosy: + rouilj
messages: + msg5750
2009-02-20 11:57:05stefansetnosy: + stefan
messages: + msg3563
2009-02-18 13:54:11lu_zerocreate