[request-tracker-maintainers] Bug#737248: Bug#737248: request-tracker4: Interesting permissions on /var/cache/request-tracker4

Dominic Hargreaves dom at earth.li
Sun Feb 9 12:15:57 UTC 2014


On Fri, Jan 31, 2014 at 02:24:03PM -0500, Kevin Falcone wrote:
> I noticed that the Debian packages install the mason cache file directories with a forced group of root.
> Given the ./configure that the package uses, a 'normal' RT that is configured with:
> 
>         ./configure \
>           --with-web-user=www-data \
>           --with-web-group=www-data \
> 
> would have an install target set of permissions of
> 
> root@debian-rt:~# ls -ld /opt/rt4/var
> drwxr-xr-x 5 root root 4096 Jan 31 13:57 /opt/rt4/var
> root@debian-rt:~# ls -ld /opt/rt4/var/mason_data
> drwxrwx--- 5 www-data www-data 4096 Jan 31 13:57 /opt/rt4/var/mason_data
> 
> Debian packages install with (modifying for layout)
> 
> root@debian-rt:~# ls -ld /var/cache/request-tracker4/
> drwxr-s--- 4 www-data root 4096 Jan 31 12:15 /var/cache/request-tracker4/
> root@debian-rt:~# ls -ld /var/cache/request-tracker4/mason_data/
> drwxr-s--- 5 www-data root 4096 Jan 31 12:15 /var/cache/request-tracker4/mason_data/
> 
> In particular, this hurts because you can't run an external process (such as an
> external fcgi daemon, or standalone server to be proxied) without the daemon
> being run *as* www-data.  With more standard permissions, you can run as
> www-other who is a member of the www-data group and have it work.

I agree that it would be useful to support running with other users
in the www-data group. If we were going to do that, might it make sense
to make that group an RT specific one?

(That would need bigger changes to the package, both in terms of managing
the migration safely but also because we'd need to manage the permissions
in package postinst scripts, since our own group wouldn't be in base-passwd
like www-data is.)

> I have a separate patch I'll file that makes /etc/init.d/rt4-fcgi support this,
> but since it requires permissions changes, I wanted to know if anyone remembers
> *why* Debian does this in request-tracker4/debian/rules
> 
>         find $(RT_PKG)/var/cache/$(RT)/ -type d -print0 | xargs --null chown www-data:root
>         find $(RT_PKG)/var/cache/$(RT)/ -type d -print0 | xargs --null chmod 2750
> 
> The sticky bit in the second command is actually nice, but restricting who can
> write to the mason cache really strangles any of the advanced RT configurations
> available.

Can you clarify why you think the sticky bit is appropriate? I can't
really see the use of it myself in this context.

Just a note: we would also need to make the same change for
/var/log/request-tracker4 (which isn't currently group-writable)
and /var/lib/request-tracker4 (including /var/lib/request-tracker4/data/gpg).
However I think the reason we are treating that specially:

        chmod 700 $(RT_PKG)/var/lib/$(RT)/data/gpg

is that gnupg will refuse to run otherwise; but I'd need to check that.

Another issue is whether this is a reasonable change to make to existing
installations; it is possible that this will open up access to RT's
data to processes that the sysadmin didn't intend.

Dominic.
