Open Bug 652618 Opened 13 years ago Updated 11 years ago

Saving the params file should not change its owner and group

Categories

(Bugzilla :: Administration, task)

task
Not set
normal

People

(Reporter: michael.j.tosh, Unassigned)

Attachments

(1 file)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.16) Gecko/20110319 Firefox/3.6.16 (.NET CLR 3.5.30729)
Build Identifier: 

When the params file is rewritten, any time a param is changed, then the group permissions are not set properly.  In order to properly set permissions, the user must run checksetup.pl after each change.

I have "apache" user running under the "apache" group, but also a member of the "bz-run" group.  I have set the webservergroup in localconfig to be "bz-run".  I also have a local user account on the system (not my webserver) called "bz-admin", who is a member of "bz-run".

For security reasons, we do not run whine.pl or collectstats.pl under the apache user, we instead run them under the bz-admin user.  If a change is made to params, then whine.pl and collectstats.pl cannot run.

Reproducible: Always




The code to correct this problem, in Bugzilla/Install/Filesystem.pm, is only run if Bugzilla->usage_mode == USAGE_MODE_CMDLINE.  I would expect that when recreating the params file, an expected change, that the permissions are set correctly.
Version: unspecified → 4.1
Attached patch Code Patch Ver 1
Without this fix, whine.pl and collectstats.pl need to run as the apache user.  With this fix, as long as they are a member of $webservergroup, they can read the params file.
Attachment #565292 - Flags: review?(LpSolit)
Comment on attachment 565292
Code Patch Ver 1

>=== modified file 'Bugzilla/Config.pm'

> sub _fix_perms {

>     # The webserver should never try to chown files.
>-    if (Bugzilla->usage_mode == USAGE_MODE_CMDLINE) {
>+    if (Bugzilla->usage_mode == USAGE_MODE_CMDLINE || $force) {
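
Review bot: With || $force added to the guard in _fix_perms, the ownership-changing branch can now run in webserver mode, which contradicts the comment directly above it ("The webserver should never try to chown files."), and the quoted lines do not show where $force is declared or which callers pass it. If the forced path is kept, update that comment and limit the forced case to setting the group while leaving the owner alone, since the stated aim of the patch is only that members of $webservergroup can read the params file.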

The comment is now wrong with this $force argument. I will let mkanat review this patch.
Attachment #565292 - Flags: review?(LpSolit) → review?(mkanat)
Comment on attachment 565292
Code Patch Ver 1

Review of attachment 565292:
-----------------------------------------------------------------

The reason that that code is behind USAGE_MODE_CMDLINE is that Apache runs under only one user and one group--it can't normally change ownership on any other file. Also, we usually don't want the owner to change to the current user, when in the webserver, because that owner is Apache.

Instead, perhaps we should investigate some way of creating the file with the same permissions as the original file. Perhaps using File::copy would do it.
Attachment #565292 - Flags: review?(mkanat) → review-
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: params group ownership should be forced → Saving the params file should not change its owner and group
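
One way to give a rewritten file the same group and mode as the original, as the last review comment asks for. This is an added example, not Bugzilla code and not the File::copy approach mentioned in that comment; the helper name write_preserving_perms and the scratch-file demo are hypothetical.

```perl
use strict;
use warnings;
use File::Basename qw(dirname);
use File::Temp qw(tempfile tempdir);

# Hypothetical helper, not Bugzilla code: replace $path with $content
# while keeping the group and permission bits of the existing file.
sub write_preserving_perms {
    my ($path, $content) = @_;
    # Record the mode and group before touching anything.
    my @st = stat($path) or die "stat $path: $!";
    my ($mode, $gid) = ($st[2] & 07777, $st[5]);

    # Temp file in the same directory so rename() is atomic. File::Temp
    # creates it mode 0600, owned by the effective uid and gid.
    my ($fh, $tmp) = tempfile('.params.XXXXXX', DIR => dirname($path));
    my $ok = eval {
        print {$fh} $content or die "write $tmp: $!";
        close($fh) or die "close $tmp: $!";
        # Owner stays as is (-1). An unprivileged process can only hand
        # the file to a group it belongs to, so failure aborts the save.
        chown(-1, $gid, $tmp) == 1 or die "chgrp $tmp to gid $gid: $!";
        # Mode goes on last: the file is never group-readable while it
        # still carries the wrong group.
        chmod($mode, $tmp) == 1 or die "chmod $tmp: $!";
        rename($tmp, $path) or die "rename $tmp to $path: $!";
        1;
    };
    if (!$ok) {
        my $err = $@;
        unlink $tmp;
        die $err;
    }
    return 1;
}

# Constructed demo in a scratch directory: the last gid in the process's
# group list stands in for $webservergroup.
my $file = tempdir(CLEANUP => 1) . '/params';
open(my $out, '>', $file) or die "open $file: $!";
print {$out} "old\n";
close($out) or die "close $file: $!";
my $group = (split ' ', $))[-1];
chown(-1, $group, $file) == 1 or die "chgrp $file: $!";
chmod(0640, $file) == 1 or die "chmod $file: $!";
my @before = stat($file);
write_preserving_perms($file, "new\n");
my @after = stat($file);
printf "mode %04o -> %04o, gid %d -> %d\n", $before[2] & 07777, $after[2] & 07777, $before[5], $after[5];
```

The owner of the replaced file is still the writing process, because rename() installs a new inode; only the group and mode carry over.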