[request-tracker-maintainers] Bug#737248: request-tracker4: Interesting permissions on /var/cache/request-tracker4
Kevin Falcone
falcone at bestpractical.com
Fri Jan 31 19:24:03 UTC 2014
Package: request-tracker4
Version: 4.0.18-1~bpo70+1
Severity: normal
Tags:
I noticed that the Debian packages install the mason cache file directories with a forced group of root.
Given the ./configure that the package uses, a 'normal' RT that is configured with:
./configure \
--with-web-user=www-data \
--with-web-group=www-data \
would have an install target set of permissions of
root@debian-rt:~# ls -ld /opt/rt4/var
drwxr-xr-x 5 root root 4096 Jan 31 13:57 /opt/rt4/var
root@debian-rt:~# ls -ld /opt/rt4/var/mason_data
drwxrwx--- 5 www-data www-data 4096 Jan 31 13:57 /opt/rt4/var/mason_data
Debian packages install with (modifying for layout)
root@debian-rt:~# ls -ld /var/cache/request-tracker4/
drwxr-s--- 4 www-data root 4096 Jan 31 12:15 /var/cache/request-tracker4/
root@debian-rt:~# ls -ld /var/cache/request-tracker4/mason_data/
drwxr-s--- 5 www-data root 4096 Jan 31 12:15 /var/cache/request-tracker4/mason_data/
In particular, this hurts because you can't run an external process (such as an
external fcgi daemon, or standalone server to be proxied) without the daemon
being run *as* www-data. With more standard permissions, you can run as
www-other who is a member of the www-data group and have it work.
I have a separate patch I'll file that makes /etc/init.d/rt4-fcgi support this,
but since it requires permissions changes, I wanted to know if anyone remembers
*why* Debian does this in request-tracker4/debian/rules
find $(RT_PKG)/var/cache/$(RT)/ -type d -print0 | xargs --null chown www-data:root
find $(RT_PKG)/var/cache/$(RT)/ -type d -print0 | xargs --null chmod 2750
The sticky bit in the second command is actually nice, but restricting who can
write to the mason cache really strangles any of the advanced RT configurations
available.
Git and Svn history didn't provide any useful history for this.
-- Package-specific info:
Changed files:
-- System Information:
Debian Release: 7.3
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages request-tracker4 depends on:
Versions of packages request-tracker4 recommends:
ii cron [cron-daemon] 3.0pl1-124
Versions of packages request-tracker4 suggests:
ii rt4-doc-html 4.0.18-1~bpo70+1
-- debconf information:
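The permission difference described in the report, worked through as an added example (not part of the original message or of the Debian packaging): the functions apply the standard Unix owner/group/other check to the two layouts shown in the ls -ld output. The users www-data and www-other and their group membership come from the report; the 2770 row is a constructed variant, and root's override and POSIX ACLs are not modelled.

```shell
#!/bin/sh
# Added example. Modes and owners are copied from the ls -ld output in the
# report; the 2770 row is constructed. Root override and ACLs are ignored.

# access_class OWNER GROUP USER "USER_GROUPS": which triplet the kernel applies.
access_class() {
    [ "$3" = "$1" ] && { echo owner; return; }
    for g in $4; do
        [ "$g" = "$2" ] && { echo group; return; }
    done
    echo other
}

# can_write MODE OWNER GROUP USER "USER_GROUPS": creating cache files in a
# directory needs both write and search (w+x) in the applicable triplet.
can_write() {
    perms=$(( 0$1 ))
    case $(access_class "$2" "$3" "$4" "$5") in
        owner) need=$(( 0300 )) ;;
        group) need=$(( 0030 )) ;;
        *)     need=$(( 0003 )) ;;
    esac
    if [ $(( perms & need )) -eq "$need" ]; then echo yes; else echo no; fi
}

# special_bits MODE: names the bits encoded in the leading octal digit.
special_bits() {
    perms=$(( 0$1 )); out=
    [ $(( perms & 04000 )) -ne 0 ] && out="$out setuid"
    [ $(( perms & 02000 )) -ne 0 ] && out="$out setgid"
    [ $(( perms & 01000 )) -ne 0 ] && out="$out sticky"
    out=${out# }
    echo "${out:-none}"
}

# report LABEL MODE OWNER GROUP: one line per scenario, for the owner and for
# www-other, a user whose supplementary groups include www-data.
report() {
    printf '%-24s %s %s:%s special=%s www-data=%s www-other=%s\n' \
        "$1" "$2" "$3" "$4" "$(special_bits "$2")" \
        "$(can_write "$2" "$3" "$4" www-data "www-data")" \
        "$(can_write "$2" "$3" "$4" www-other "www-other www-data")"
}

report "Debian package"      2750 www-data root
report "upstream install"    0770 www-data www-data
report "constructed variant" 2770 www-data www-data
```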