Opened 16 years ago
Closed 16 years ago
#32 closed defect (fixed)
permissions issue, email2trac config
| Reported by: | acgoss@… | Owned by: | bas |
|---|---|---|---|
| Priority: | major | Milestone: | |
| Component: | email2trac | Version: | 0.1 |
| Keywords: | | Cc: | |
Description
I am currently attempting to implement trac on my system which is a CentOS 5 server, running Trac 0.10.4 and the newer email2trac from the svn. I am getting the following errors in my syslog when attempting to send mails via email2trac. When configured using postfix and run_email2trac in the aliases file I get:
TracError: The user trac requires read _and_ write permission to the database file /var/www/trac/CNSEHelp/db/trac.db and the directory it is located in.
I installed using ./configure --with-trac_user=apache, which corresponds to my apache account.
When configured using postfix and a direct call to email2trac, I get the following error in syslog:
IOError: [Errno 13] Permission denied: '/var/www/trac/CNSEHelp/VERSION'
I have even gone so far as to chmod my trac project's db file and folder to 777 as well as the VERSION file, and in both cases with both the run_email2trac and email2trac calls, I still get the same errors, so I see no conceivable way this could be a security issue.
Attachments (4)
Change History (13)
comment:1 Changed 16 years ago by bas
- Status changed from new to assigned
Can you access the TRAC project with a web browser?
You can also run email2trac on the command line:
email2trac --project=CNSEHelp < msg.txt
What is the output of:
ls -l /var/www/trac/CNSEHelp/VERSION
In most distributions the user id is not apache, but www-data or nobody.
comment:2 Changed 16 years ago by Adam Goss
The output of running email2trac --project=cnsehelp < msg.txt as my user (non-root) yields the following output to syslog.

Nov 1 13:06:29 cnsetrac email2trac: Traceback (most recent call last):
Nov 1 13:06:29 cnsetrac email2trac: File "/usr/local/bin/email2trac", line 1060, in ? env = Environment(settings['project'], create=0)
Nov 1 13:06:29 cnsetrac email2trac: File "/usr/lib/python2.4/site-packages/trac/env.py", line 147, in __init__ self.verify()
Nov 1 13:06:29 cnsetrac email2trac: File "/usr/lib/python2.4/site-packages/trac/env.py", line 195, in verify fd = open(os.path.join(self.path, 'VERSION'), 'r')
Nov 1 13:06:29 cnsetrac email2trac: IOError: [Errno 13] Permission denied: '/var/www/trac/CNSEHelp/VERSION'

Running the same command as root yields no error and the ticket is created. Running the same command as apache (via sudo -u apache email2trac --project=cnsehelp < msg.txt) yields a ticket being created, but the attachment cannot be created, which appears to be due to permissions in the attachments/ticket/# subfolder.

The output of ls -l /var/www/trac/CNSEHelp/VERSION is:

-rwxr-xr-x 1 apache trac 27 Oct 30 11:40 /var/www/trac/CNSEHelp/VERSION

On 11/1/07, email2trac <email2trac@sara.nl> wrote:
> #32: permissions issue, email2trac config
> Reporter: acgoss@gmail.com | Owner: bas
> Type: defect | Status: assigned
> Priority: major | Component: email2trac
> Version: 0.10 | Resolution:
> Keywords: |
> Changes (by bas):
> * status: new => assigned
> Comment:
> You can access the TRAC project with a web browser?
> You can also run email2trac on the commandline:
> email2trac --project=CNSEHelp < msg.txt
> what is the output of:
> ls -l /var/www/trac/CNSEHelp/VERSION
> In the most distribution the user id is not apache, but www-data or nobody.
> --
> Ticket URL: <https://subtrac.rc.sara.nl/oss/email2trac/ticket/32#comment:1>
> email2trac <https://subtrac.sara.nl/oss/email2trac>
> Documentation server for email2trac
comment:3 Changed 16 years ago by bas
email2trac is working for the root and apache users and you fixed the permissions for the attachment folder. Only run_email2trac is not working. Is run_email2trac suid root (4755 or 4111)?
---s--x--x 1 root root 3964 Aug 8 14:03 /usr/bin/run_email2trac
Where did you install the binary? Sometimes certain filesystems (like NFS mounts) do allow running suid programs.
comment:4 Changed 16 years ago by Adam Goss
run_email2trac was installed in /usr/local/bin. All three installed files belong to root.
comment:5 Changed 16 years ago by bas
And run_email2trac is setuid root? If yes, can you run run_email2trac in debug mode as the postfix user:
run_email2trac --project=<name> < msg.txt
There must be something wrong in switching from the postfix user to the apache user. There is also another setup for postfix without the need for run_email2trac; did you try that one?
comment:6 Changed 16 years ago by Adam Goss
I have tried by having the alias directly call the email2trac script, but receive similar security notifications. Copied below are two major possibilities. The alias for trac directly calls email2trac in both cases. In the first, root owns the email2trac script; in the second instance the email2trac script was chowned to the apache user.

Nov 5 10:09:31 cnsetrac email2trac: Traceback (most recent call last):
Nov 5 10:09:31 cnsetrac email2trac: File "/usr/local/bin/email2trac", line 1060, in ? env = Environment(settings['project'], create=0)
Nov 5 10:09:31 cnsetrac email2trac: File "/usr/lib/python2.4/site-packages/trac/env.py", line 147, in __init__ self.verify()
Nov 5 10:09:31 cnsetrac email2trac: File "/usr/lib/python2.4/site-packages/trac/env.py", line 195, in verify fd = open(os.path.join(self.path, 'VERSION'), 'r')
Nov 5 10:09:31 cnsetrac email2trac: IOError: [Errno 13] Permission denied: '/var/www/trac/CNSEHelp/VERSION'

Nov 5 10:10:49 cnsetrac email2trac: Traceback (most recent call last):
Nov 5 10:10:49 cnsetrac email2trac: File "/usr/local/bin/email2trac", line 1060, in ? env = Environment(settings['project'], create=0)
Nov 5 10:10:49 cnsetrac email2trac: File "/usr/lib/python2.4/site-packages/trac/env.py", line 147, in __init__ self.verify()
Nov 5 10:10:49 cnsetrac email2trac: File "/usr/lib/python2.4/site-packages/trac/env.py", line 195, in verify fd = open(os.path.join(self.path, 'VERSION'), 'r')
Nov 5 10:10:49 cnsetrac email2trac: IOError: [Errno 13] Permission denied: '/var/www/trac/CNSEHelp/VERSION'
comment:7 Changed 16 years ago by bas
This setup will never work for root and apache, because the postfix user will start up email2trac and this user id has no write access to the trac database. That is why you need run_email2trac for this. It will change the user id from <postfix> to the <apache> user. The process of changing user fails somehow and I think it has to do with not being allowed to run suid programs.
Can you just put this in /etc/aliases:
test: /var/tmp/test.sh
test.sh
/usr/bin/id > /var/tmp/postfix.user
Else use the other postfix setup:
- https://subtrac.sara.nl/oss/email2trac/wiki/Email2tracMta#Noteforpostfix
comment:8 Changed 16 years ago by Adam Goss
I believe I have finally solved my own problem. There were no AVC messages in the message log, but I dug into the audit log and found that the reason the service was being denied access to the files, even when they were chmod 777, was SELinux. I created a custom SELinux policy based on the alerts generated after a reboot and a failed email2trac test and it appears to have fixed the problem.
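The alias test in comment:7 (record which user the MTA really delivers as) and the finding in comment:8 (SELinux denies access that DAC permissions allow, and the AVC records sit in audit.log rather than messages) both come down to one question: what can the delivery user actually do with the Trac environment? The script below is an added example, not code from email2trac or from this ticket; it assumes placeholder paths for the project, the setuid wrapper and the output file, and the default CentOS audit log location.

```shell
#!/bin/sh
# Added diagnostic (hypothetical; not part of email2trac). Install it the way
# comment:7 suggests ("test: /var/tmp/test.sh" in /etc/aliases) so it runs as
# the user the MTA delivers as, and records each reason the Trac environment can
# be unreachable: DAC permissions, a nosuid mount under the setuid wrapper, and
# SELinux AVC denials. TRAC_ENV, WRAPPER, OUT are placeholders; AUDIT_LOG assumed.
TRAC_ENV=${TRAC_ENV:-/var/www/trac/CNSEHelp}
WRAPPER=${WRAPPER:-/usr/local/bin/run_email2trac}
AUDIT_LOG=${AUDIT_LOG:-/var/log/audit/audit.log}
OUT=${OUT:-/var/tmp/postfix.user}

# Return 0 if the filesystem holding path $1 is mounted nosuid. $2 is
# /proc/mounts-style text (device mountpoint fstype options ...); the
# longest mount point that contains the path decides.
fs_is_nosuid() {
    path=$1 bestlen=-1 bestopts=
    while read -r dev mnt fstype mopts rest; do
        m=${mnt%/}                   # "/" becomes "" so "$m"/* matches everything
        case $path in
        "$m"|"$m"/*)
            if [ ${#m} -gt "$bestlen" ]; then bestlen=${#m}; bestopts=$mopts; fi ;;
        esac
    done <<EOF
$2
EOF
    case ",$bestopts," in *,nosuid,*) return 0 ;; esac
    return 1
}

# Count SELinux AVC denials in audit-log text $1 for process name $2. They are
# written to audit.log, not /var/log/messages, which is why comment:8 saw
# nothing until it looked there. Prints 0 (and succeeds) when there are none.
count_avc_denials() {
    printf '%s\n' "$1" | grep -c "^type=AVC .*avc:  denied .*comm=\"$2\"" || :
}

# What the delivery user can and cannot do with the Trac environment.
report() {
    echo "running as: $(id)"
    for f in "$TRAC_ENV/VERSION" "$TRAC_ENV/db" "$TRAC_ENV/db/trac.db"; do
        r=-; w=-; [ -r "$f" ] && r=r; [ -w "$f" ] && w=w
        echo "$f: $r$w"
    done
    fs_is_nosuid "$WRAPPER" "$(cat /proc/mounts 2>/dev/null)" && echo "$WRAPPER: nosuid mount, setuid bit is ignored"
    command -v getenforce >/dev/null 2>&1 && echo "selinux: $(getenforce)"
    [ -r "$AUDIT_LOG" ] && echo "avc denials for email2trac: $(count_avc_denials "$(cat "$AUDIT_LOG")" email2trac)"
}
report >> "$OUT" 2>&1 || :
```

With the alias in place, mail sent to test@ leaves the report in $OUT; a "--" in the DAC column, a nosuid line, or a non-zero AVC count each names one of the three causes discussed in this ticket.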
comment:9 Changed 16 years ago by bas
- Resolution set to fixed
- Status changed from assigned to closed
Thanks for the info, maybe I have to make some kind of FAQ to describe these kinds of problems. I will close the ticket.