[Debian-ha-maintainers] Bug#1042448: crmsh: HA_GROUP permission regression after upgrading bullseye to bookworm

Florent CARLI fcarli at gmail.com
Fri Jul 28 11:11:48 BST 2023


Package: crmsh
Version: 4.4.1-1
Severity: normal
X-Debbugs-Cc: fcarli at gmail.com

Dear Maintainer,

I encountered a regression with crmsh on Debian 12. On Debian 11, I used
to be able to issue crm commands with a standard user as long as it
was a member of the haclient group.
On Debian 12, this same user cannot use crm because of some chown that
it's not allowed to do:

virtu@virtu-elabo1:~$ id
uid=1000(virtu) gid=1000(virtu) groups=1000(virtu),110(haclient),118(libvirt)
virtu@virtu-elabo1:~$ crm status
Traceback (most recent call last):
  File "/usr/sbin/crm", line 31, in <module>
    log.setup_logging()
  File "/usr/lib/python3/dist-packages/crmsh/log.py", line 445, in setup_logging
    shutil.chown(CRMSH_LOG_FILE, constants.HA_USER, constants.HA_GROUP)
  File "/usr/lib/python3.11/shutil.py", line 1385, in chown
    os.chown(path, _user, _group)
PermissionError: [Errno 1] Operation not permitted: '/var/log/crmsh/crmsh.log'


Ferenc Wágner did a first analysis and concluded that:

it's a bug introduced in 4.4.0 by
Fix: log: Change the log file owner as hacluster:haclient (bsc#1194619)
https://github.com/ClusterLabs/crmsh/commit/b4ef13cd8c9a8c37f2bf671abb803b24d93125ee

and fixed in 4.5.0 by
fix: log: fail to open log file even if user is in haclient group (bsc#1204670)
https://github.com/ClusterLabs/crmsh/commit/b4abe21d2fd55ced0f56baff5c4892a4826aa0f7


Thanks.
Florent.


-- System Information:
Debian Release: 12.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: arm64 (aarch64)

Kernel: Linux 5.15.49-linuxkit-pr (SMP w/5 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_RANDSTRUCT
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: unable to detect

Versions of packages crmsh depends on:
ii  gawk                 1:5.2.1-2
ii  iputils-ping         3:20221126-1
ii  pacemaker-cli-utils  2.1.5-1+deb12u1
ii  python3              3.11.2-1+b1
ii  python3-dateutil     2.8.2-2
ii  python3-lxml         4.9.2-1+b1
ii  python3-parallax     1.0.6-4
ii  python3-yaml         6.0-3+b2

Versions of packages crmsh recommends:
ii  pacemaker  2.1.5-1+deb12u1

Versions of packages crmsh suggests:
pn  bash-completion    <none>
pn  csync2             <none>
pn  dmidecode          <none>
pn  ocfs2-tools        <none>
pn  openssh-server     <none>
pn  parted             <none>
pn  sbd                <none>
pn  ufw                <none>
ii  util-linux         2.38.1-5+b1
pn  vim-addon-manager  <none>

-- no debconf information
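
The failure mode in the traceback above, as an added illustration that is not part of the original report and is not crmsh's own code or its 4.5.0 fix: an unconditional chown at start-up raises EPERM for any unprivileged caller, so this sketch changes ownership only when it differs and the caller is root, then checks the write access a haclient member actually needs. The function names and the hacluster uid 106 are assumptions made up for the example; gid 110 is taken from the `id` output in the report.

```python
import os
import tempfile

# Constructed ids for illustration; on a real node they would be looked up
# with pwd.getpwnam("hacluster") / grp.getgrnam("haclient").
HA_UID, HA_GID = 106, 110


def plan_ownership(cur_uid, cur_gid, want_uid, want_gid, euid):
    """Return 'ok', 'chown' or 'skip' for a log file's owner/group."""
    if (cur_uid, cur_gid) == (want_uid, want_gid):
        return "ok"        # nothing to change, so never call chown(2)
    if euid == 0:
        return "chown"     # changing the owner needs root (CAP_CHOWN)
    return "skip"          # unprivileged caller: chown(2) would fail with EPERM


def setup_log_file(path, want_uid, want_gid, euid=None):
    """Fix ownership only when allowed, then require write access."""
    euid = os.geteuid() if euid is None else euid
    st = os.stat(path)
    action = plan_ownership(st.st_uid, st.st_gid, want_uid, want_gid, euid)
    if action == "chown":
        os.chown(path, want_uid, want_gid)
    # What the group member needs is write access, not ownership.
    if not os.access(path, os.W_OK):
        raise PermissionError(f"{path} is not writable by uid {os.getuid()}")
    return action


if __name__ == "__main__":
    fd, log = tempfile.mkstemp(suffix=".log")   # stand-in for crmsh.log
    os.close(fd)
    try:
        print(setup_log_file(log, HA_UID, HA_GID, euid=1000))
    finally:
        os.unlink(log)
```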

