[Debian-ha-maintainers] crmsh: HA_GROUP permission regression after upgrading bullseye to bookworm
Ferenc Wágner
wferi at niif.hu
Mon Jul 10 10:47:46 BST 2023
Florent Carli <fcarli at gmail.com> writes:
> I encounter a regression with crmsh on debian12. On debian 11, I used
> to be able to issue crm commands with a standard user as long as it
> was a member of haclient group.
> On debian 12, this same user cannot use crm because of some chown that
> it's not allowed to do:
>
> virtu at virtu-elabo1:~$ id
> uid=1000(virtu) gid=1000(virtu) groups=1000(virtu),110(haclient),118(libvirt)
> virtu at virtu-elabo1:~$ crm status
> Traceback (most recent call last):
> File "/usr/sbin/crm", line 31, in <module>
> log.setup_logging()
> File "/usr/lib/python3/dist-packages/crmsh/log.py", line 445, in setup_logging
> shutil.chown(CRMSH_LOG_FILE, constants.HA_USER, constants.HA_GROUP)
> File "/usr/lib/python3.11/shutil.py", line 1385, in chown
> os.chown(path, _user, _group)
> PermissionError: [Errno 1] Operation not permitted: '/var/log/crmsh/crmsh.log'
>
> Is this by design or is it a bug?
I think it's a bug introduced in 4.4.0 by
Fix: log: Change the log file owner as hacluster:haclient (bsc#1194619)
https://github.com/ClusterLabs/crmsh/commit/b4ef13cd8c9a8c37f2bf671abb803b24d93125ee
and fixed in 4.5.0 by
fix: log: fail to open log file even if user is in haclient group (bsc#1204670)
https://github.com/ClusterLabs/crmsh/commit/b4abe21d2fd55ced0f56baff5c4892a4826aa0f7
Feel free to open a Debian bug to make sure this issue doesn't get lost.
I probably won't have the bandwidth personally to push this through
before the first point release, unfortunately.
--
Feri.
More information about the Debian-ha-maintainers
mailing list