Closed
Bug 99024
Opened 23 years ago
Closed 23 years ago
checksetup doesn't give template proper permissions.
Categories
(Bugzilla :: Installation & Upgrading, defect, P1)
Tracking
()
RESOLVED
FIXED
Bugzilla 2.16
People
(Reporter: CodeMachine, Assigned: justdave)
Details
Attachments
(1 file, 2 obsolete files)
3.97 KB,
patch
|
zach
:
review+
zach
:
review+
|
Details | Diff | Splinter Review |
checksetup.pl should make the template directory and its subdirectories have
correct permissions.
Currently it doesn't, and I spent quite a while trying to work out why I
couldn't emit templates.
Reporter | ||
Updated•23 years ago
|
Priority: -- → P1
Target Milestone: --- → Bugzilla 2.16
Comment 1•23 years ago
|
||
Can someone tell me what the correct permissions are. I would be happy
to fix this if this is known.
Comment 2•23 years ago
|
||
I think it'd be 750 w/$webservgroup and 755 w/out.
Comment 3•23 years ago
|
||
Index: checksetup.pl
===================================================================
RCS file: /cvsroot/mozilla/webtools/bugzilla/checksetup.pl,v
retrieving revision 1.104
diff -u -2 -r1.104 checksetup.pl
--- checksetup.pl 2001/09/23 17:07:55 1.104
+++ checksetup.pl 2001/10/07 19:56:55
@@ -80,5 +80,5 @@
# change table definitions --TABLE--
# add more groups --GROUPS--
-# create initial administrator account --ADMIN--
+# create initial administrator account --ADMIN--
#
# Note: sometimes those special comments occur more then once. For
@@ -740,4 +740,5 @@
chmod 0771, 'data';
chmod 0770, 'graphs';
+ system("chmod -R 755 template");
} else {
# get current gid from $( list
Comment 4•23 years ago
|
||
Try this:
Index: checksetup.pl
===================================================================
RCS file: /cvsroot/mozilla/webtools/bugzilla/checksetup.pl,v
retrieving revision 1.104
diff -u -2 -r1.104 checksetup.pl
--- checksetup.pl 2001/09/23 17:07:55 1.104
+++ checksetup.pl 2001/10/07 20:04:25
@@ -80,5 +80,5 @@
# change table definitions --TABLE--
# add more groups --GROUPS--
-# create initial administrator account --ADMIN--
+# create initial administrator account --ADMIN--
#
# Note: sometimes those special comments occur more then once. For
@@ -740,4 +740,5 @@
chmod 0771, 'data';
chmod 0770, 'graphs';
+ system("chmod -R 755 template");
} else {
# get current gid from $( list
@@ -746,4 +747,5 @@
fixPerms('*',022);
chmod 01777, 'data', 'graphs';
+ system("chmod -R 755 template");
}
Comment 5•23 years ago
|
||
This first patch didn't cover the else clause for $webservergroup users - I see
this is fixed, thanks. The second one ignores the security problem of an invalid
path: if the user running checksetup.pl has path set insecurely and a trojanized
chmod, we might cause trouble.
IMHO we should check for /usr/bin and /bin and run chmod. But this makes bbaetz
ask: what about windowsNT. So I look up:
http://aspn.activestate.com/ASPN/Reference/Products/ActivePerl/faq/Windows/ActivePerl-Winfaq4.html#What_s_the_equivalent_of_chmod_f
And realize that chmod() does work on NTFS, so we should use perl chmod to keep
portability. Do the recursion, zach. Sorry. :-)
Status: NEW → ASSIGNED
Assignee | ||
Comment 6•23 years ago
|
||
I was going to question that anyway... are the template files supposed to be
executable? I would think you'd only want 644 for the files, and 755 for the
folders. (and you probably don't want the CVS folders to be 755, those should
be 700)
Assignee | ||
Comment 7•23 years ago
|
||
This is going to be a blocker for the 2.16 release
Severity: major → blocker
Comment 8•23 years ago
|
||
Someone needs to establish definitively what the permissions should be.
Gerv
Comment 9•23 years ago
|
||
This has reached an extremely critical stage as this has to be in 2.16. I
don't know what the permissions need to be, can someone who knows
for sure please experiment and post results here so I can write a patch?
Comment 10•23 years ago
|
||
And what about the recursion issue?
Assignee | ||
Comment 11•23 years ago
|
||
Updated•23 years ago
|
Comment 12•23 years ago
|
||
Comment on attachment 65133 [details] [diff] [review]
add "do directories" optional param to fixPerms() and make it recursive
>Index: checksetup.pl
...
>@@ -780,7 +790,8 @@
> if (-e ".htaccess") { chown $<, $webservergid, ".htaccess" } # glob('*') doesn't catch dotfiles
> if (-e "data/.htaccess") { chown $<, $webservergid, "data/.htaccess" }
> if (-e "data/webdot/.htaccess") { chown $<, $webservergid, "data/webdot/.htaccess" }
Any reason not to recursively chown all files inside the Bugzilla
install directory like this? Seems like the template hierarchy
should also be chowned in this way.
Comment 13•23 years ago
|
||
Comment on attachment 65133 [details] [diff] [review]
add "do directories" optional param to fixPerms() and make it recursive
What Myk said; however, careful with the data directory since at least params
and versioncache need to be writeable by webservergroup.
That, minus the printfs, grant r=kiko
Attachment #65133 -
Flags: review-
Comment 14•23 years ago
|
||
With respect to the printf's: it may make sense to introduce a "--verbose", or
"-v" option that prints debug information like this.
Such an option would have been useful when I had the problem described in bug
123165.
Comment 15•23 years ago
|
||
I like the idea of adding a verbose option to checksetup.pl, but 2.16 crunch
time isn't the time to do it. It is already coded into the newinstall system
(2.20?) along with a quiet mode for use with automatic update scripts and
such.
Assignee | ||
Comment 16•23 years ago
|
||
Attachment #65133 -
Attachment is obsolete: true
Assignee | ||
Comment 17•23 years ago
|
||
Just a note for whoever's reviewing this, note that the "do_dirs" flag is NOT
set on the fixPerms('*'), so directories are not recursed. They are recursed
for the individual call to fixPerms('template'). This means that the contents
of the data directory are treated no differently than they were before this patch.
Comment 18•23 years ago
|
||
Comment on attachment 67697 [details] [diff] [review]
handles file ownership as well
>Index: checksetup.pl
>+ if (!(-d $file)) {
>+ # check if the file is executable.
>+ if (isExecutableFile($file)) {
>+ #printf ("Changing $file to %o\n", $execperm);
>+ chown $owner, $group, $file;
>+ chmod $execperm, $file;
>+ } else {
>+ #printf ("Changing $file to %o\n", $normperm);
>+ chown $owner, $group, $file;
>+ chmod $normperm, $file;
>+ }
>+ }
"chown $owner, $group, $file;" should be placed before the
isExecutableFile conditional since it gets run regardless.
>+ elsif ($do_dirs) {
>+ if ($file =~ /CVS$/) {
>+ chown $owner, $group, $file;
>+ chmod 0700, $file;
>+ }
>+ else {
>+ #printf ("Changing $file to %o\n", $execperm);
>+ chown $owner, $group, $file;
>+ chmod $execperm, $file;
>+ fixPerms("$file/*", $owner, $group, $umask, $do_dirs); # do the contents of the directory
>+ }
> }
Same comment as the previous one.
Otherwise the patch looks good and works fine. One more issue, however:
I noticed while testing out this patch that template files are loadable
in raw form from the URL line. Should this be possible? My instinctive
reaction tells me it shouldn't.
Attachment #67697 -
Flags: review-
Assignee | ||
Comment 19•23 years ago
|
||
Attachment #67697 -
Attachment is obsolete: true
Comment 20•23 years ago
|
||
Comment on attachment 68503 [details] [diff] [review]
adds .htaccess file for template and consolidates chown calls
r=zach x2
Attachment #68503 -
Flags: review+
Assignee | ||
Updated•23 years ago
|
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Assignee | ||
Comment 22•23 years ago
|
||
Checking in checksetup.pl;
/cvsroot/mozilla/webtools/bugzilla/checksetup.pl,v <-- checksetup.pl
new revision: 1.119; previous revision: 1.118
done
Comment 23•23 years ago
|
||
You need to create template/.cvsignore, containing only .htaccess.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Comment 24•23 years ago
|
||
Checked in .cvsignore, r=justdave x2 (on IRC)
Status: REOPENED → RESOLVED
Closed: 23 years ago → 23 years ago
Resolution: --- → FIXED
Updated•12 years ago
|
QA Contact: matty_is_a_geek → default-qa
You need to log in
before you can comment on or make changes to this bug.
Description
•