Closed Bug 648982 Opened 13 years ago Closed 13 years ago

jobqueue.pl should not run as root

Categories

(Bugzilla :: Email Notifications, enhancement)

Product:
Bugzilla
Component:
Email Notifications
Platform:
x86_64
Linux
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: webmaster, Unassigned)

Details

User-Agent:       Mozilla/5.0 (X11; Linux i686; rv:2.0) Gecko/20100101 Firefox/4.0
Build Identifier: Bugzilla 4

I've been running jobqueue.pl as my Apache web user and it works just fine.  However, checksetup.pl insists on changing the permissions so that only root can run it, which is annoying.  IMO we shouldn't run stuff as root unless we need to.

These are the two files that I need to change permissions to make this happen.

-rwx------  1 root [mywebgroup]   2881 Sep  4  2009 jobqueue.pl
-rw-r--r--  1 root [mywebgroup]      6 Apr 11 08:57 data/jobqueue.pl.pid

Reproducible: Always

Steps to Reproduce:
1. change permissons on jobqueue files to run as non-root
2. run checksetup.pl
3. repeat
You actually can run it as a non-root user:

./jobqueue.pl install

vim /etc/sysconfig/bugzilla-queue

That works at least on CentOS (and probably also on SuSE). It allows you to specify what user it should run as. As long as the user is in the webservergroup, you should be fine.
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Resolution: --- → WORKSFORME
Support for this seems shoddy at best; but I'll figure it out.  Thanks.

This is what I get on SLES:

# ./jobqueue.pl install
insserv: Service MTA has to be enabled for service bugzilla-queue
insserv: Service mysqld has to be enabled for service bugzilla-queue
insserv: exiting now!
/sbin/insserv failed, exit code 1
bugzilla-queue            0:off  1:off  2:off  3:off  4:off  5:off  6:off
bugzilla-queue installed. To start the daemon, do "/etc/init.d/bugzilla-queue start" as root.


# /etc/init.d/bugzilla-queue start
/etc/init.d/bugzilla-queue: line 54: /etc/rc.d/init.d/functions: No such file or directory
/etc/init.d/bugzilla-queue: line 66: checkpid: command not found
Starting bugzilla-queue: /etc/init.d/bugzilla-queue: line 71: daemon: command not found
Okay. That's supposed to work on SLES, at least as of 4.0, but I didn't test it because I don't have an SLES machine. Do you think you'd be capable of figuring out what's wrong there and submitting a patch? At least filing a bug would be good. (If this is an old SLES, though, it may simply be an issue that we don't support it.)
Would it be possible to reopen this?  My proposed fix would be to simply change the permissions on jobqueue.pl to 750, since checksetup already sets the group as the web server.

This would allow (and perhaps encourage) jobqueue.pl to run as anything but root.
(In reply to Denis Roy from comment #4)
> Would it be possible to reopen this?  My proposed fix would be to simply
> change the permissions on jobqueue.pl to 750, since checksetup already sets
> the group as the web server.
> 
> This would allow (and perhaps encourage) jobqueue.pl to run as anything but
> root.

Pretty please?  I hate running stuff as root and I've been running jobqueue.pl for years as my web user.
You need to log in before you can comment on or make changes to this bug.