Roundup Tracker - Issues

Issue 2550506

classification
Title: blobfile.py should properly set the group for the files
Type: behavior
Severity: normal
Components: Web interface, Mail interface
Versions: 1.4

process
Status: closed
Resolution: abandoned
Nosy List: lu_zero, rouilj, stefan
Keywords: Effort-Low

Created on 2009-02-18 13:54 by lu_zero, last changed 2019-10-25 15:22 by rouilj.

Messages
msg3555 Author: [hidden] (lu_zero) Date: 2009-02-18 13:54
As a way to work around more or less improper usage of roundup-mailgw and
apache integration, the simplest way should be to set a group (roundup) and
have both postfix and apache inside it, and then make sure that the db
directory is owned by that group (e.g. roundup:roundup).

The problem is that the blobfile.py doesn't preserve the group and
instead saves files and dirs as either apache:apache or postfix:postfix.

The proper solution would be to have a transport recipe for postfix and
avoid mod_python, or even better have a single roundup daemon queried by
the various agents/front-ends.
msg3563 Author: [hidden] (stefan) Date: 2009-02-20 11:57
(test)
msg5750 Author: [hidden] (rouilj) Date: 2016-07-04 21:28
Luca, did you solve this?

One way to handle this is the following. Go to the roundup home
tracker directory. Take a backup in case things break, make sure you
can restore permissions, owner and group.

Then change all files and directories to the roundup group.

  chgrp -hR roundup .

(-h prevents changing the group for files symbolically linked outside the
roundup tree).

Then you need to set the setGID bit on the directories using:

  find . -type d -exec chmod g+s {} +

Now if you can write to the directory, you will see the file is in
group roundup. All files/directories created from now on will be in
group roundup. The user/owner will still be postfix or apache however.

A better fix requires the following code development:

  add a new group parameter to config.ini
  
  in roundup/scripts/* use this new value to setgid similar to how
     roundup-server currently handles -g.

  For roundup-server, since it supports -g, implement the following:
      group is inherited from: -g on command line; use -g DONOTSETGROUP
          to explicitly prevent setgid
      group is read from the server (not tracker) config file
          again DONOTSETGROUP is used to prevent any setgid calls.
      group is read from the tracker's config.ini [main] section.

IIRC setgid can be done at any point as long as the effective user is
part of the group. So roundup-server should be able to setuid using
command line and the server config flags before handling the setgid
from the tracker config (assuming roundup-server can read the tracker
config using its effective uid/gid).

Note that all users invoking the scripts will have to be in group
roundup otherwise the setgid will fail.

The only reason for defaulting to the tracker config in roundup-server
is to provide one place to specify it that will work for all
frontends.

Another way to do this is to use a small C program (or three of them
one for each roundup-admin, mail gw and the cgi program). Then the roundup
commands will run with their gid set to roundup and create files using
the roundup group.

I would not suggest solving it with a "chgrp roundup" call in blobfiles. It
will kind of work, but it isn't clean. Running the whole program with proper
permissions has other advantages.

-- rouilj
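The chgrp -hR plus setgid-directory recipe from the message above, as an added shell example that is not part of this issue or of Roundup's own code. It applies the change to a constructed scratch tree, verifies that every directory carries the setgid bit, and then creates a file the way blobfile.py would and checks its group. The tracker path and group name are parameters; the demo defaults to the caller's primary group instead of a real "roundup" group (an assumption made so it runs on any machine), and the db/files layout used for the scratch tree is constructed, not copied from a tracker.

```sh
#!/bin/sh
# Added example (not from the Roundup issue or project): reproduce the
# chgrp -hR / setgid-directory recipe on a scratch tree and check that
# files created afterwards inherit the intended group.

# apply_group_inheritance TRACKER_DIR GROUP
#   chgrp -h leaves the targets of symlinks outside the tree untouched;
#   the setgid bit on each directory makes new entries inherit GROUP
#   rather than the creating user's primary group (apache, postfix, ...).
apply_group_inheritance() {
    dir=$1; group=$2
    chgrp -hR "$group" "$dir" || return 1
    # -exec ... {} + is safe with whitespace in names, unlike find | xargs
    find "$dir" -type d -exec chmod g+s {} + || return 1
}

# dirs_missing_setgid TRACKER_DIR
#   prints directories that still lack the setgid bit (octal 2000);
#   empty output means the recipe covered the whole tree.
dirs_missing_setgid() {
    find "$1" -type d ! -perm -2000
}

# group_of PATH : owning group name, via ls -ld for portability
group_of() {
    ls -ld "$1" | awk '{print $4}'
}

# check_inheritance TRACKER_DIR GROUP
#   create a file where blobfile.py would store a message and return 0
#   if it landed in GROUP, 1 otherwise.
check_inheritance() {
    dir=$1; group=$2
    newfile="$dir/db/files/msg/0/new-msg.txt"
    : > "$newfile" || return 1
    [ "$(group_of "$newfile")" = "$group" ]
}

# demo [GROUP] : build a constructed tracker-like tree, fix it, verify.
#   GROUP defaults to the caller's primary group (assumption: no
#   dedicated "roundup" group exists on the machine running this).
demo() {
    group=${1:-$(id -gn)}
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/tracker/db/files/msg/0" "$tmp/tracker/db/files/file/0"
    : > "$tmp/tracker/db/files/msg/0/msg1.txt"
    apply_group_inheritance "$tmp/tracker" "$group" || { rm -rf "$tmp"; return 1; }
    [ -z "$(dirs_missing_setgid "$tmp/tracker")" ] || { rm -rf "$tmp"; return 1; }
    check_inheritance "$tmp/tracker" "$group"; rc=$?
    rm -rf "$tmp"
    return $rc
}
```

Run `demo roundup` as a user who belongs to the roundup group but whose primary group is something else (the apache or postfix situation described above); only then does a passing check_inheritance demonstrate that the setgid bit, not the user's default group, is doing the work. As the message notes, the owner of the new file is still the creating user; only the group is fixed by this recipe.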
History
Date                 User     Action  Args
2019-10-25 15:22:35  rouilj   set     status: new -> closed; resolution: abandoned
2016-07-04 21:28:21  rouilj   set     keywords: + Effort-Low; nosy: + rouilj; messages: + msg5750
2009-02-20 11:57:05  stefan   set     nosy: + stefan; messages: + msg3563
2009-02-18 13:54:11  lu_zero  create