| Summary: | settings.yml readable by anybody | | |
|---|---|---|---|
| Product: | [Retired] CloudForms Cloud Engine | Reporter: | Jan Provaznik <jprovazn> |
| Component: | aeolus-configure | Assignee: | Mo Morsi <mmorsi> |
| Status: | CLOSED ERRATA | QA Contact: | wes hayutin <whayutin> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 1.0.0 | CC: | akarol, deltacloud-maint, jguiditt, morazi, slinaber, ssachdev |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2012-05-15 20:45:29 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Description
Jan Provaznik
2012-01-05 11:57:38 UTC
adding to ce-sprint-next
adding to ce-sprint-next
adding to ce-sprint
removing ce-sprint-next tracker
taking off ce-sprint-next..
This seems to have been fixed already. If you have an old rpm install, you won't see the fix, though, since the prior config file won't be overwritten. If you remove that file and install a new RPM, you should get proper permissions:
-rw-r----- 1 root aeolus 631 Jan 17 17:34 /usr/share/aeolus-conductor/config/settings.yml
This issue is reproducible. The permissions are not proper.
#ls -lhtr /usr/share/aeolus-conductor/config/settings.yml
-rw-r--r--. 1 root root 674 Jan 18 23:06 /usr/share/aeolus-conductor/config/settings.yml
# rpm -qa | grep aeolus
aeolus-conductor-0.8.0-8.el6.noarch
rubygem-aeolus-cli-0.3.0-4.el6.noarch
aeolus-configure-2.5.0-5.el6.noarch
aeolus-conductor-daemons-0.8.0-8.el6.noarch
rubygem-aeolus-image-0.3.0-3.el6.noarch
aeolus-all-0.8.0-8.el6.noarch
aeolus-conductor-doc-0.8.0-8.el6.noarch
OK, now I see the problem. aeolus-configure overwrites this file, and it's probably getting the permissions wrong:
in recipes/aeolus/manifests/conductor.pp:
file{"/usr/share/aeolus-conductor/config/settings.yml":
content => template("aeolus/conductor-settings.yml"),
require => Package['aeolus-conductor']}
so the puppet manifest here needs to set the file perms to 640 and ownership to root:aeolus
OK, I have acked and pushed Mo's patch for this. Note that we decided it didn't make sense to change _existing_ file permissions, so if the admin (or previous configure) changed this to the wrong thing, it will stay that way. To properly test, either use a fresh install, or delete the file in question and reinstall/rerun configure.
commit 3e5dc4b7998556a8a3fbbba84e5ae7f63d12ba80
Author: Mo Morsi <mmorsi>
Date: Wed Jan 25 16:39:43 2012 -0500
BZ# 771922: set owner, group, mode on conductor settings file
3e5dc4b in aeolus-configure-2.5.0-11
Permissions set correctly.
# ls -lhtr /usr/share/aeolus-conductor/config/settings.yml
-rw-r-----. 1 root aeolus 674 Jan 31 23:25 /usr/share/aeolus-conductor/config/settings.yml
conductor.pp:
file{"/usr/share/aeolus-conductor/config/settings.yml":
content => template("aeolus/conductor-settings.yml"),
require => Package['aeolus-conductor'],
mode => 640, owner => 'root', group => 'aeolus'}
verified on:
rpm -qa | grep aeolus
aeolus-conductor-0.8.0-17.el6.noarch
rubygem-aeolus-cli-0.3.0-7.el6.noarch
aeolus-configure-2.5.0-11.el6.noarch
aeolus-conductor-daemons-0.8.0-17.el6.noarch
aeolus-all-0.8.0-17.el6.noarch
aeolus-conductor-doc-0.8.0-17.el6.noarch
rubygem-aeolus-image-0.3.0-7.el6.noarch
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHEA-2012-0586.html
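An added check, not part of the original bug report or of the aeolus-configure code, that audits the settings file against the mode and ownership named in this bug (640, root:aeolus). It is useful on upgraded hosts, where the comments above note that an existing file can keep its old permissions. The function names and finding strings are illustrative assumptions.

```python
import grp
import os
import pwd
import stat

# Path and expected state as stated in the bug: mode 640, root:aeolus.
SETTINGS = "/usr/share/aeolus-conductor/config/settings.yml"


def owner_group(path):
    """Return (owner, group) names for path, falling back to numeric ids."""
    st = os.lstat(path)
    try:
        owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        owner = str(st.st_uid)
    try:
        group = grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        group = str(st.st_gid)
    return owner, group


def audit_file(path, max_mode=0o640, owner="root", group="aeolus"):
    """Return a list of findings; an empty list means the file is compliant."""
    try:
        st = os.lstat(path)  # lstat: do not follow a symlink at the path
    except FileNotFoundError:
        return ["missing"]
    if not stat.S_ISREG(st.st_mode):
        return ["not-regular-file"]
    findings = []
    mode = stat.S_IMODE(st.st_mode)
    if mode & stat.S_IROTH:
        findings.append("world-readable")
    excess = mode & ~max_mode  # any permission bit not allowed by max_mode
    if excess:
        findings.append("excess-mode-bits:%04o" % excess)
    actual_owner, actual_group = owner_group(path)
    if actual_owner != owner:
        findings.append("owner:%s" % actual_owner)
    if actual_group != group:
        findings.append("group:%s" % actual_group)
    return findings


if __name__ == "__main__":
    result = audit_file(SETTINGS)
    print(SETTINGS, "OK" if not result else "FAIL: " + ", ".join(result))
```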