Bug 193935

Summary: Failure attempting to create trace file when running as non-root
Product: Red Hat Enterprise Linux 4
Component: tog-pegasus
Version: 4.0
Hardware: All
OS: Linux
Reporter: Denise Eckstein <denise.eckstein>
Assignee: Jason Vas Dias <jvdias>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Fixed In Version: RHBA-2006-0474
Doc Type: Bug Fix
Last Closed: 2006-11-22 17:17:48 UTC

Description Denise Eckstein 2006-06-03 01:10:38 UTC
Description of problem:

The "traceLevel" and "traceComponents" cimconfig options control tracing for 
both the cimserver and cimprovagt processes.

A Provider Agent Process writes its trace output to a file, in 
the /var/lib/Pegasus/cache/trace directory, whose name contains the associated 
provider module name. To ensure uniqueness (and avoid collisions in writing to 
the trace files), a user name is also appended to the trace file name. For 
example, the Provider Agent Process for the OperatingSystemModule in the 
context of user "A" writes to the trace 
file "cimserver.trc.OperatingSystemModule.A".

By default, only root has access to 
the /var/lib/Pegasus, /var/lib/Pegasus/cache/ and /var/lib/Pegasus/cache/trace 
directories.

# chmod 777 Pegasus
# chmod 777 Pegasus/cache
# chmod 777 Pegasus/cache/trace

Note: Permissions on trace files allow read and write access to only the 
owner. E.g.,

-rw------- 1 root root 66550 May 6 15:03 cimserver.trc
-rw------- 1 guest pegasus 6921 May 6 15:03 cimserver.trc.OperatingSystemModule.guest
-rw------- 1 root root 866 May 6 15:03 cimserver.trc.OperatingSystemModule.root

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Configure OS Provider to Run-As-Requestor
2. Enable tracing
   2A. # cimconfig -s traceLevel=4
   2B. # cimconfig -s traceComponents=ALL
  
Actual results:


Expected results:


Additional info:

Comment 1 Jason Vas Dias 2006-06-05 18:39:00 UTC
OK, the next version will enable mode 0770 for /var/lib/Pegasus/cache/trace.
I don't think users not in the pegasus group need write / search access to
/var/lib/Pegasus/cache/trace - users must be in the pegasus group in order
to connect to the cimserver, so I think mode 0770 should be sufficient, not 0777.
I do not think we want to enable mode 0770 for /var/lib/Pegasus/cache, else
any user could delete the /var/lib/Pegasus/cache/localauth directory, thus
disabling local authentication.




Comment 2 Denise Eckstein 2006-06-05 21:25:58 UTC
Sounds good.  If the administrator configures OpenPegasus to allow access by 
non-pegasus group users, they'll also need to change permissions on these 
directories to ...

# chmod 755 Pegasus
# chmod 755 Pegasus/cache
# chmod 777 Pegasus/cache/trace

but we can document this.

Thanks!


Comment 4 Bill Nottingham 2006-11-22 17:17:48 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2006-0474.html
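
The permission policy discussed in Comments 1 and 2, as an added shell check that is not part of the bug report or of the tog-pegasus package. It assumes GNU stat and that the directories are group-owned by pegasus (only mode bits are inspected); the function names mode_of and audit_pegasus_dirs are hypothetical.

```shell
#!/bin/sh
# Audit OpenPegasus state-directory modes against the policy from this bug.
# Assumption: directories are group-owned by "pegasus"; only mode bits are checked.

# Print the octal permission bits of a path, e.g. 770 (GNU stat).
mode_of() { stat -c '%a' "$1"; }

# audit_pegasus_dirs ROOT   (ROOT is /var/lib/Pegasus on the system in the report)
# Prints one finding per line; returns 1 if any FAIL finding was printed, else 0.
audit_pegasus_dirs() {
    root=$1; cache=$root/cache; trace=$cache/trace; failed=0
    for d in "$root" "$cache" "$trace"; do
        [ -d "$d" ] || { echo "FAIL $d: missing"; return 1; }
    done

    # Parent directories must be searchable by the group, or trace/ is unreachable.
    for d in "$root" "$cache"; do
        g=$(( $(mode_of "$d") / 10 % 10 ))
        if [ $(( g & 1 )) -eq 0 ]; then
            echo "FAIL $d: not searchable by group"; failed=1
        fi
    done

    # cache/ holds localauth: write access for group or others lets them delete it.
    m=$(mode_of "$cache"); g=$(( m / 10 % 10 )); o=$(( m % 10 ))
    if [ $(( (g | o) & 2 )) -ne 0 ]; then
        echo "FAIL $cache: mode $m is writable by non-owners (localauth can be removed)"
        failed=1
    fi

    # trace/ needs group write+search so a provider agent running as the
    # requesting user can create cimserver.trc.<module>.<user>.
    m=$(mode_of "$trace"); g=$(( m / 10 % 10 )); o=$(( m % 10 ))
    if [ $(( g & 3 )) -ne 3 ]; then
        echo "FAIL $trace: mode $m lacks group write/search"; failed=1
    fi
    # World-writable trace/ is only expected when non-pegasus-group users are allowed.
    if [ $(( o & 2 )) -ne 0 ]; then
        echo "WARN $trace: mode $m is world-writable"
    fi
    return $failed
}

# Run against a path given on the command line, e.g.: sh audit.sh /var/lib/Pegasus
if [ "$#" -gt 0 ]; then audit_pegasus_dirs "$1"; fi
```

A WARN on the trace directory does not change the exit status, since Comment 2 describes mode 777 there as a deliberate choice for installations that admit non-pegasus users.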