Roundup Tracker - Issues

Message5750

Author rouilj
Recipients lu_zero, rouilj, stefan
Date 2016-07-04.21:28:20
Message-id <1467667701.44.0.855640749834.issue2550506@psf.upfronthosting.co.za>
In-reply-to
Luca, did you solve this?

One way to handle this is the following. Go to the roundup home
tracker directory. Take a backup in case things break, make sure you
can restore permissions, owner and group.

Then change all files and directories to the roundup group.

  chgrp -hR roundup .

(-h prevents changing the group for files symbolically linked outside the
roundup tree).

Then you need to set the setGID bit on the directories using:

  find . -type d | xargs chmod g+s

Now if you can write to the directory, you will see the file is in
group roundup. All files/directories created from now on will be in
group roundup. The user/owner will still be postfix or apache however.

A better fix requires the following code development:

  add a new group parameter to config.ini
  
  in roundup/scripts/* use this new value to setgid similar to how
     roundup-server currently handles -g.

  For roundup-server, since it supports -g, implement the following:
      group is inherited from: -g on command line; use -g DONOTSETGROUP
          to explicitly prevent setgid
      group is read from the server (not tracker) config file
          again DONOTSETGROUP is used to prevent any setgid calls.
      group is read from the tracker's config.ini [main] section.

IIRC setgid can be done at any point as long as the effective user is
part of the group. So roundup-server should be able to setuid using
command line and the server config flags before handling the setgid
from the tracker config (assuming roundup-server can read the tracker
config using its effective uid/gid).

Note that all users invoking the scripts will have to be in group
roundup otherwise the setgid will fail.

The only reason for defaulting to the tracker config in roundup-server
is to provide one place to specify it that will work for all
frontends.

Another way to do this is to use a small C program (or three of them,
one each for roundup-admin, the mail gw and the cgi program). Then the roundup
commands will run with their gid set to roundup and create files using
the roundup group.

I would not suggest solving it with a "chgrp roundup" call in blobfiles. It
will kind of work, but it isn't clean. Running the whole program with proper
permissions has other advantages.

-- rouilj
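The chgrp / setgid-bit procedure above, as an added worked example in Python (not roundup's own code, and not the author's). It does what `chgrp -hR roundup .` followed by setting the setgid bit on every directory does, using lchown so that symlinks get their own group changed but are never followed, and an audit function that reports anything still in the wrong group or any directory missing the setgid bit. The sample tree is constructed inside a temporary directory and uses the caller's own primary gid in place of "roundup", so it runs unprivileged; the group name and tree layout are assumptions for the example. One caveat it also covers: the pipeline `find . -type d | xargs chmod g+s` splits on whitespace, so a directory with a space in its name is skipped or mis-handled; `find . -type d -exec chmod g+s {} +` does not have that problem, and neither does walking the tree from Python.

```python
import os
import shutil
import stat
import tempfile


def fix_tree_group(root, gid):
    """Equivalent of `chgrp -hR <group> .` plus setting the setgid bit on
    every real directory under root.

    Symlinks get their own group changed (lchown, like chgrp -h) but are
    never followed, so files outside the tree are untouched and a symlinked
    directory is not descended into. Returns (dirs, files, links) counts.
    """
    dirs = files = links = 0
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        # The directory itself: group, then add the setgid bit to its mode.
        os.lchown(dirpath, -1, gid)
        mode = stat.S_IMODE(os.lstat(dirpath).st_mode)
        os.chmod(dirpath, mode | stat.S_ISGID)
        dirs += 1
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            os.lchown(path, -1, gid)
            if os.path.islink(path):
                links += 1          # symlink (to a file or a directory)
            elif name in filenames:
                files += 1          # real subdirectories are counted above
    return dirs, files, links


def audit_tree(root, gid):
    """Return paths that break the invariant: wrong group anywhere, or a
    real directory without the setgid bit."""
    bad = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        st = os.lstat(dirpath)
        if st.st_gid != gid or not st.st_mode & stat.S_ISGID:
            bad.append(dirpath)
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            # Real subdirectories are checked when walk reaches them.
            if (os.path.islink(path) or name in filenames) \
                    and os.lstat(path).st_gid != gid:
                bad.append(path)
    return bad


def demo():
    """Constructed sample tree (not a real tracker): a file with a space in
    its name, a subdirectory, and two symlinks pointing outside the tree.
    Uses the caller's primary gid as the stand-in for group 'roundup'."""
    gid = os.getgid()
    outside = tempfile.mkdtemp(prefix="outside-")
    root = tempfile.mkdtemp(prefix="tracker-")
    try:
        target = os.path.join(outside, "target.txt")
        with open(target, "w") as f:
            f.write("not part of the tracker\n")
        before = os.stat(target)
        db = os.path.join(root, "db")
        os.mkdir(db)
        open(os.path.join(root, "blob file.txt"), "w").close()
        open(os.path.join(db, "data.bin"), "w").close()
        os.symlink(target, os.path.join(root, "ext"))
        os.symlink(outside, os.path.join(root, "extdir"))

        counts = fix_tree_group(root, gid)
        problems = audit_tree(root, gid)
        # A file created afterwards inherits the directory's group.
        new = os.path.join(db, "new.bin")
        open(new, "w").close()
        after = os.stat(target)
        # Simulate a later mistake (setgid bit dropped) to show the audit
        # catches it.
        os.chmod(db, stat.S_IMODE(os.lstat(db).st_mode) & ~stat.S_ISGID)
        return {
            "counts": counts,
            "problems": problems,
            "new_file_in_group": os.stat(new).st_gid == gid,
            "outside_untouched": (after.st_gid, after.st_mode)
                                 == (before.st_gid, before.st_mode),
            "regression_caught": audit_tree(root, gid) == [db],
        }
    finally:
        shutil.rmtree(root)
        shutil.rmtree(outside)
```

Run `audit_tree` as a periodic check (or after every upgrade) rather than trusting the one-off repair: the setgid bit survives on the directory, but any later `chmod` of a directory by a process not in the group, or a tree restored from a backup without `-p`, silently loses it.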
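The proposed config-driven setgid (command line, then server config, then the tracker's config.ini, with DONOTSETGROUP short-circuiting at any level), as an added example in Python; this is not roundup's code and not the author's. The `[main]` section and `group` option name for both config files, the helper names, and the `-g` parsing are assumptions; the DONOTSETGROUP sentinel and the precedence order are taken from the message. One check a practitioner will want is built in: for an unprivileged process, setgid(2) succeeds only when the target gid is the process's real or saved gid (or the process is root); being listed as a supplementary member of the group is not enough, which is the case where a root-started roundup-server, or the small setgid-group wrapper the message mentions, is needed.

```python
import argparse
import configparser
import grp
import os

# Sentinel from the proposal: an explicit "do not setgid" at any level wins.
DONOTSETGROUP = "DONOTSETGROUP"


def group_from_argv(argv):
    """Pick -g GROUP out of a command line, ignoring other options
    (stand-in for roundup-server's -g handling)."""
    parser = argparse.ArgumentParser(add_help=False)
    parser.add_argument("-g", dest="group", default=None)
    return parser.parse_known_args(argv)[0].group


def _ini_group(ini_text, section="main", option="group"):
    """Read [section] option from INI text; None if absent or empty.
    Section and option names are assumptions for this example."""
    if ini_text is None:
        return None
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    value = cp.get(section, option, fallback="").strip()
    return value or None


def resolve_group(cmdline=None, server_ini=None, tracker_ini=None):
    """Precedence: -g on the command line, then the server config, then the
    tracker's config.ini. Returns a group name/id, or None meaning
    'do not setgid' (either nothing configured, or DONOTSETGROUP seen)."""
    for candidate in (cmdline, _ini_group(server_ini), _ini_group(tracker_ini)):
        if candidate is None:
            continue
        return None if candidate == DONOTSETGROUP else candidate
    return None


def lookup_gid(group):
    """Accept a group name or a numeric id string; return the gid."""
    if group.isdigit():
        return int(group)
    return grp.getgrnam(group).gr_gid


def can_setgid(gid):
    """The rule setgid(2) applies to an unprivileged caller: the target must
    be the real gid or the saved gid; otherwise only root can switch."""
    if os.geteuid() == 0:
        return True
    saved = os.getresgid()[2] if hasattr(os, "getresgid") else os.getgid()
    return gid in (os.getgid(), saved)


def drop_to_group(group):
    """setgid to `group` (a name or numeric string). Fails early with a
    clear error instead of an opaque EPERM when the switch cannot succeed.
    Returns the gid now in effect, or None when no setgid was requested."""
    if group is None:
        return None
    gid = lookup_gid(group)
    if not can_setgid(gid):
        raise PermissionError(
            f"cannot setgid to {group!r} (gid {gid}): not the real or saved "
            "gid and not running as root; supplementary membership is not "
            "enough for setgid(2)")
    os.setgid(gid)
    return os.getgid()
```

With this in place the order the message proposes works as stated: resolve the command line and server config first, drop privileges, then apply the tracker-level group, with `can_setgid` telling you before the call whether that final step can succeed under the uid you have already switched to.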
History

Date                 User    Action  Args
2016-07-04 21:28:21  rouilj  set     messageid: <1467667701.44.0.855640749834.issue2550506@psf.upfronthosting.co.za>
2016-07-04 21:28:21  rouilj  set     recipients: + rouilj, stefan, lu_zero
2016-07-04 21:28:21  rouilj  link    issue2550506 messages
2016-07-04 21:28:20  rouilj  create