Created on 2009-02-18 13:54 by lu_zero, last changed 2016-07-04 21:28 by rouilj.
|msg3555||Author: [hidden] (lu_zero)||Date: 2009-02-18 13:54|
As a way to work around more or less improper usage of roundup-mailgw and apache integration, the simplest way should be to set a group (roundup), have both postfix and apache inside it, and then make sure that the db directory is owned by that group (e.g. roundup:roundup). The problem is that blobfile.py doesn't preserve the group and instead saves files and dirs as either apache:apache or postfix:postfix. The proper solution would be to have a transport recipe for postfix and avoid mod_python, or even better have a single roundup daemon queried by the various agents/front-ends.
|msg3563||Author: [hidden] (stefan)||Date: 2009-02-20 11:57|
|msg5750||Author: [hidden] (rouilj)||Date: 2016-07-04 21:28|
Luca, did you solve this?

One way to handle this is the following. Go to the roundup home tracker directory. Take a backup in case things break, make sure you can restore permissions, owner and group. Then change all files and directories to the roundup group.

    chgrp -hR roundup .

(-h prevents changing the group for files symbolically linked outside the roundup tree). Then you need to set the setGID bit on the directories using:

    find . -type d | xargs chmod g+s

Now if you can write to the directory, you will see the file is in group roundup. All files/directories created from now on will be in group roundup. The user/owner will still be postfix or apache however.

A better fix requires the following code development:

  * add a new group parameter to config.ini
  * in roundup/scripts/* use this new value to setgid similar to how roundup-server currently handles -g.

For roundup-server, since it supports -g, implement the following: group is inherited from:

  * -g on command line; use -g DONOTSETGROUP to explicitly prevent setgid
  * group is read from the server (not tracker) config file; again DONOTSETGROUP is used to prevent any setgid calls.
  * group is read from the tracker's config.ini [main] section.

IIRC setgid can be done at any point as long as the effective user is part of the group. So roundup-server should be able to setuid using command line and the server config flags before handling the setgid from the tracker config (assuming roundup-server can read the tracker config using its effective uid/gid). Note that all users invoking the scripts will have to be in group roundup, otherwise the setgid will fail. The only reason for defaulting to the tracker config in roundup-server is to provide one place to specify it that will work for all frontends.

Another way to do this is to use a small C program (or three of them, one for each of roundup-admin, mail gw and the cgi program). Then the roundup commands will run with their gid set to roundup and create files using the roundup group.
I would not suggest solving it with a "chgrp roundup" call in blobfiles. It will kind of work, but it isn't clean. Running the whole program with proper permissions has other advantages. -- rouilj
nosy: + rouilj
messages: + msg5750
messages: + msg3563
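
A way to verify the chgrp / chmod g+s workaround from msg5750, as an added example that is not part of the thread or of Roundup's code: it walks a tracker home and reports every entry in the wrong group and every directory missing the setgid bit. The function names and the sample tree are assumptions constructed for illustration.

```python
import os
import stat
import tempfile


def audit_tracker_home(home, gid):
    """Return sorted (relative path, problem) pairs for entries that break
    the shared-group setup: wrong group, or a directory without setgid."""
    problems = []
    for root, dirs, files in os.walk(home):  # symlinked dirs are not entered
        links = [d for d in dirs if os.path.islink(os.path.join(root, d))]
        for path in [root] + [os.path.join(root, n) for n in files + links]:
            st = os.lstat(path)  # judge a symlink itself, as chgrp -h does
            rel = os.path.relpath(path, home)
            if st.st_gid != gid:
                problems.append((rel, "wrong group (gid %d)" % st.st_gid))
            if stat.S_ISDIR(st.st_mode) and not st.st_mode & stat.S_ISGID:
                # New files here would get the writer's primary group
                # (apache or postfix) instead of the shared one.
                problems.append((rel, "directory lacks setgid bit"))
    return sorted(problems)


def demo():
    """Constructed tree: db/ has the setgid bit, db/files/ was missed."""
    with tempfile.TemporaryDirectory() as home:
        files_dir = os.path.join(home, "db", "files")
        os.makedirs(files_dir)
        open(os.path.join(files_dir, "msg1"), "w").close()
        # Set modes explicitly so the result does not depend on inheritance.
        os.chmod(home, 0o2770)
        os.chmod(os.path.join(home, "db"), 0o2770)
        os.chmod(files_dir, 0o0770)
        # The tree's own group stands in for "roundup" in this sample.
        return audit_tracker_home(home, os.lstat(home).st_gid)


if __name__ == "__main__":
    for rel, problem in demo():
        print("%s: %s" % (rel, problem))
```

Against a real tracker home, pass grp.getgrnam("roundup").gr_gid as the expected gid.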