Bug 856403 - shellinabox needs to run as a particular user if it is to have access to .pem files.
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: shellinabox
Version: rawhide
Hardware: Unspecified
Priority: unspecified
Severity: unspecified
Assigned To: Simone Caronni
QA Contact: Fedora Extras Quality Assurance
Reported: 2012-09-11 20:20 EDT by Joel
Modified: 2012-09-26 04:59 EDT (History)
Doc Type: Bug Fix
Last Closed: 2012-09-17 14:01:34 EDT
Type: Bug


Attachments:
updated sysconfig to support shellinabox user and group (155 bytes, application/octet-stream), 2012-09-11 20:20 EDT, Joel
Patch to spec to implement fix (1.96 KB, patch), 2012-09-11 20:22 EDT, Joel

Description Joel 2012-09-11 20:20:02 EDT
Created attachment 611957
updated sysconfig to support shellinabox user and group

Description of problem:

As packaged, shellinabox can not run as it doesn't have access to a directory to store its generated .pem files.

Version-Release number of selected component (if applicable):

2.14

How reproducible:

Install shellinabox, then try systemctl start shellinaboxd.service, then check the status and /var/log/messages.

  
Actual results:

Doesn't run

Expected results:

service starts.

Additional info:

I am attaching an updated shellinaboxd.sysconfig and a diff to the spec file that fix the problem.  The problem is fixed by having pre in the spec create a user account, having post chown a directory in /var/run to that user account, and having the sysconfig file tell shellinabox to look for certs in that directory and run with the shellinabox user and group.

The patch to the spec file assumes that bug:

https://bugzilla.redhat.com/show_bug.cgi?id=856398

is fixed.
Comment 1 Joel 2012-09-11 20:22:09 EDT
Created attachment 611959
Patch to spec to implement fix
Comment 2 Joel 2012-09-11 20:31:48 EDT
Sorry I didn't include a %changelog entry in the spec and I missed your new packages that were just built a few days ago.

Here is a candidate template:

%changelog
* Tue Sep 11 2012 Joel Young <jdy@cryregarder.com> - 2.14-8
+- Fix bug with firefox 15 in which - key ignored
+- Create shellinabox user/group and /var/run dir for certs
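Review bot: the header line still names release 2.14-8 and, like %changelog, carries no + marker, so the two + entries read as additions to an existing entry; if 2.14-8 is already built they need a new header with a bumped release that matches the spec's Release tag. The entries also cite no bug numbers: the user/group and /var/run change is this bug (856403), and the Firefox 15 key fix is a separate change that would be easier to track with its own reference.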
Comment 3 Simone Caronni 2012-09-12 05:52:07 EDT
Many thanks for the patches. I mostly use it as a web ssh frontend to some hidden boxes, so I didn't step onto the issue.

I applied the required changes, but a bit differently to comply with packaging guidelines and uniformity:

http://pkgs.fedoraproject.org/cgit/shellinabox.git/commit/?id=b15565af5a8728dc7e5346244208ed6160a668c0

Many thanks! Builds on the way.
Comment 4 Fedora Update System 2012-09-12 06:24:24 EDT
shellinabox-2.14-9.el5 has been submitted as an update for Fedora EPEL 5.
https://admin.fedoraproject.org/updates/shellinabox-2.14-9.el5
Comment 5 Fedora Update System 2012-09-12 06:24:57 EDT
shellinabox-2.14-9.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/shellinabox-2.14-9.el6
Comment 6 Fedora Update System 2012-09-12 06:25:48 EDT
shellinabox-2.14-9.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/shellinabox-2.14-9.fc16
Comment 7 Fedora Update System 2012-09-12 06:26:19 EDT
shellinabox-2.14-9.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/shellinabox-2.14-9.fc17
Comment 8 Fedora Update System 2012-09-12 06:27:02 EDT
shellinabox-2.14-9.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/shellinabox-2.14-9.fc18
Comment 9 Joel 2012-09-12 11:07:24 EDT
I forgot one thing on my patch.  I think that the /var/run/shellinabox directory should be chmod 700.  What do you think?

Thanks for processing these so quickly!

Joel
Comment 10 Joel 2012-09-12 11:11:47 EDT
Never mind.  I see in your spec that you set it to 750.  That is fine!

From what I read in the packager guidelines, Fedora doesn't advocate removing the user on package uninstall.
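
A check for the outcome this bug settles on (certificate directory owned by the service account, mode 700 or 750), as an added example that is not part of the package or of any comment here. The function name check_cert_dir is hypothetical and GNU stat is assumed.

```shell
# check_cert_dir DIR USER [GROUP]   (hypothetical helper, GNU stat assumed)
# Prints one finding per line. Returns 0 if clean, 1 on findings, 2 if DIR is absent.
check_cert_dir() {
    dir=$1; want_user=$2; want_group=${3:-}
    findings=0
    [ -d "$dir" ] || { echo "MISSING $dir"; return 2; }

    owner=$(stat -c %U "$dir")
    group=$(stat -c %G "$dir")
    mode=$(stat -c %a "$dir")

    if [ "$owner" != "$want_user" ]; then
        echo "OWNER $dir owned by $owner, expected $want_user"; findings=1
    fi
    if [ -n "$want_group" ] && [ "$group" != "$want_group" ]; then
        echo "GROUP $dir group is $group, expected $want_group"; findings=1
    fi
    # The last octal digit is the "other" class; 700 and 750 both end in 0.
    case $mode in
        *0) ;;
        *) echo "MODE $dir is $mode, others have access"; findings=1 ;;
    esac
    # Generated .pem files must not be accessible to "other" either.
    for f in "$dir"/*.pem; do
        [ -e "$f" ] || continue
        fmode=$(stat -c %a "$f")
        case $fmode in
            *0) ;;
            *) echo "KEYMODE $f is $fmode, others have access"; findings=1 ;;
        esac
    done
    return "$findings"
}

# Usage on a host with the fixed package (path and account names from this bug):
#   check_cert_dir /var/run/shellinabox shellinabox shellinabox
```
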
Comment 11 Gwyn Ciesla 2012-09-12 11:14:06 EDT
s/doesn't advocate/forbids/ is closer.
Comment 12 Fedora Update System 2012-09-12 15:11:18 EDT
Package shellinabox-2.14-9.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing shellinabox-2.14-9.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-13852/shellinabox-2.14-9.fc18
then log in and leave karma (feedback).
Comment 13 Joel 2012-09-12 21:30:54 EDT
Thanks!  I've tested these on F16 and they work fine.  Note that I did create a new bug (I guess it is really a feature request) also.  

https://bugzilla.redhat.com/show_bug.cgi?id=856860

Sorry for sending these staggered.  Didn't expect such fast support!  I have no more in the pipeline.
Comment 14 Simone Caronni 2012-09-13 02:58:29 EDT
(In reply to comment #11)
> s/doesn't advocate/forbids/ is closer.

Oh, it's true [1]. I thought about what was done in another package, but that was to switch from a dynamic fedora-usermgmt created user to an allocated static uid and not for a normal user.

I will remove that along with the changes in the other bug.

"We never remove users or groups created by packages. [...] Cleanup of unused users/groups is left to the system administrators to take care of if they so desire."

[1] http://fedoraproject.org/wiki/Packaging:UsersAndGroups

Thanks,
--Simone
Comment 15 Fedora Update System 2012-09-17 14:01:34 EDT
shellinabox-2.14-9.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 16 Fedora Update System 2012-09-17 18:36:33 EDT
shellinabox-2.14-9.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 17 Fedora Update System 2012-09-26 04:59:21 EDT
shellinabox-2.14-9.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
