Opened 13 years ago

Closed 13 years ago

#32 closed defect (fixed)

permissions issue, email2trac config

Reported by: acgoss@… Owned by: bas
Priority: major Milestone:
Component: email2trac Version: 0.1
Keywords: Cc:

Description

I am currently attempting to implement Trac on my system, which is a CentOS 5 server running Trac 0.10.4 and the newer email2trac from the svn. I am getting the following errors in my syslog when attempting to send mails via email2trac. When configured using postfix and run_email2trac in the aliases file I get:

TracError: The user trac requires read _and_ write permission to the database file /var/www/trac/CNSEHelp/db/trac.db and the directory it is located in.

I installed using ./configure --with-trac_user=apache, which corresponds to my apache account.

When configured using postfix and a direct call to email2trac, I get the following error in syslog:

IOError: [Errno 13] Permission denied: '/var/www/trac/CNSEHelp/VERSION'

I have even gone so far as to chmod my trac project's db file and folder to 777 as well as the VERSION file, and in both cases with both the run_email2trac and email2trac calls, I still get the same errors, so I see no conceivable way this could be a security issue.

Attachments (4)

part0001.html (3.4 KB) - added by Adam Goss 13 years ago.
Added by email2trac
part0001.2.html (2.1 KB) - added by Adam Goss 13 years ago.
Added by email2trac
part0001.3.html (4.2 KB) - added by Adam Goss 13 years ago.
Added by email2trac
part0001.4.html (2.8 KB) - added by Adam Goss 13 years ago.
Added by email2trac


Change History (13)

comment:1 Changed 13 years ago by bas

  • Status changed from new to assigned

Can you access the TRAC project with a web browser?

You can also run email2trac on the command line:

email2trac --project=CNSEHelp < msg.txt

What is the output of:

ls -l /var/www/trac/CNSEHelp/VERSION

In most distributions the user id is not apache, but www-data or nobody.

Changed 13 years ago by Adam Goss

Added by email2trac

comment:2 Changed 13 years ago by Adam Goss

The output of running email2trac --project=cnsehelp < msg.txt as my user (non-root) yields the following output to syslog.

Nov  1 13:06:29 cnsetrac email2trac: Traceback (most recent call last):
Nov  1 13:06:29 cnsetrac email2trac:   File "/usr/local/bin/email2trac", line 1060, in ?     env = Environment(settings['project'], create=0)
Nov  1 13:06:29 cnsetrac email2trac:   File "/usr/lib/python2.4/site-packages/trac/env.py", line 147, in __init__     self.verify()
Nov  1 13:06:29 cnsetrac email2trac:   File "/usr/lib/python2.4/site-packages/trac/env.py", line 195, in verify     fd = open(os.path.join(self.path, 'VERSION'), 'r')
Nov  1 13:06:29 cnsetrac email2trac: IOError: [Errno 13] Permission denied: '/var/www/trac/CNSEHelp/VERSION'

Running the same command as root yields no error and the ticket is created.
Running the same command as apache (via sudo -u apache email2trac --project=cnsehelp < msg.txt) yields a ticket being created, but the attachment cannot be created, which appears to be due to permissions in the attachments/ticket/# subfolder.

The output of ls -l /var/www/trac/CNSEHelp/VERSION is:
-rwxr-xr-x 1 apache trac 27 Oct 30 11:40 /var/www/trac/CNSEHelp/VERSION

comment:3 Changed 13 years ago by bas

email2trac is working for root and the apache user, and you fixed the permissions for the attachment folder. Only run_email2trac is not working. Is run_email2trac suid root (4755 or 4111)?

 ---s--x--x  1 root root 3964 Aug  8 14:03 /usr/bin/run_email2trac

Where did you install the binary? Sometimes certain filesystems (like NFS mounts) do not allow running suid programs.

Changed 13 years ago by Adam Goss

Added by email2trac

comment:4 Changed 13 years ago by Adam Goss

run_email2trac was installed in /usr/local/bin.
All three installed files belong to root.


comment:5 Changed 13 years ago by bas

And is run_email2trac setuid root? If yes, can you run run_email2trac in debug mode as the postfix user:

run_email2trac --project=<name> < msg.txt

There must be something wrong in switching from the postfix user to the apache user. There is also another setup for postfix without the need for run_email2trac; did you try that one?

Changed 13 years ago by Adam Goss

Added by email2trac

comment:6 Changed 13 years ago by Adam Goss

I have tried having the alias directly call the email2trac script, but receive similar security notifications. Copied below are two major possibilities. The alias for trac directly calls email2trac in both cases. In the first, root owns the email2trac script; in the second instance the email2trac script was chowned to the apache user.

Nov  5 10:09:31 cnsetrac email2trac: Traceback (most recent call last):
Nov  5 10:09:31 cnsetrac email2trac:   File "/usr/local/bin/email2trac", line 1060, in ?     env = Environment(settings['project'], create=0)
Nov  5 10:09:31 cnsetrac email2trac:   File "/usr/lib/python2.4/site-packages/trac/env.py", line 147, in __init__     self.verify()
Nov  5 10:09:31 cnsetrac email2trac:   File "/usr/lib/python2.4/site-packages/trac/env.py", line 195, in verify     fd = open(os.path.join(self.path, 'VERSION'), 'r')
Nov  5 10:09:31 cnsetrac email2trac: IOError: [Errno 13] Permission denied: '/var/www/trac/CNSEHelp/VERSION'

Nov  5 10:10:49 cnsetrac email2trac: Traceback (most recent call last):
Nov  5 10:10:49 cnsetrac email2trac:   File "/usr/local/bin/email2trac", line 1060, in ?     env = Environment(settings['project'], create=0)
Nov  5 10:10:49 cnsetrac email2trac:   File "/usr/lib/python2.4/site-packages/trac/env.py", line 147, in __init__     self.verify()
Nov  5 10:10:49 cnsetrac email2trac:   File "/usr/lib/python2.4/site-packages/trac/env.py", line 195, in verify     fd = open(os.path.join(self.path, 'VERSION'), 'r')
Nov  5 10:10:49 cnsetrac email2trac: IOError: [Errno 13] Permission denied: '/var/www/trac/CNSEHelp/VERSION'


comment:7 Changed 13 years ago by bas

This setup will never work for root and apache, because the postfix user will start up email2trac and this userid has no write access to the trac database. That is why you need run_email2trac for this: it will change the userid from <postfix> to the <apache> user. The process of changing user fails somehow, and I think it has to do with not allowing suid programs to run.

Can you just put this in /etc/aliases:

test: /var/tmp/test.sh

test.sh

/usr/bin/id > /var/tmp/postfix.user

else use the other postfix setup:
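An added diagnostic for the two questions bas raises in comment:3 and comment:7, whether the wrapper is really setuid and whether it sits on a filesystem where the setuid bit is honoured. This is example code written for this page, not part of email2trac and not what the reporter ran; it assumes a Linux /proc/mounts-style mounts table (a constructed one is embedded for a stand-alone run) and a helper path such as /usr/local/bin/run_email2trac:

```shell
#!/bin/sh
# Added example (not email2trac code): check whether a setuid helper such as
# run_email2trac can actually switch user when the MTA runs it. Two things
# must hold: the file carries the setuid bit, and the filesystem it lives on
# is not mounted "nosuid", which makes the kernel ignore the bit without any
# error message. The mounts table defaults to /proc/mounts; a file in the
# same format can be passed instead (the sample below does that).

# Print the mount options of the longest mount point that contains $1,
# reading a /proc/mounts-style table (dev mountpoint fstype opts dump pass)
# from the file named in $2.
mount_opts_for() {
    awk -v p="$1" '
    {
        mp = $2
        # "/" contains everything; otherwise require an exact match or a
        # "<mountpoint>/" prefix so that /usr does not match /usrlocal
        if (mp == "/" || p == mp || index(p, mp "/") == 1) {
            if (length(mp) > best) { best = length(mp); opts = $4 }
        }
    }
    END { print opts }' "$2"
}

# Report on one helper binary. Returns 0 only if the setuid bit is set and
# the containing mount honours it; the owner is printed so you can see which
# uid the helper would switch to.
check_suid_wrapper() {
    path=$1
    mounts=${2:-/proc/mounts}
    rc=0
    owner=$(ls -ld "$path" | awk '{print $3}')
    if [ -u "$path" ]; then
        echo "$path: setuid bit set, owner $owner"
    else
        echo "$path: setuid bit NOT set (expected mode 4755 or 4111)"
        rc=1
    fi
    opts=$(mount_opts_for "$path" "$mounts")
    case ",$opts," in
        *,nosuid,*) echo "$path: containing mount is nosuid ($opts); the bit is ignored"; rc=1 ;;
        *)          echo "$path: containing mount honours setuid ($opts)" ;;
    esac
    return $rc
}

# Constructed mounts table for a stand-alone run: /usr/local on its own
# nosuid filesystem, which is the situation bas suspects in this ticket.
sample_mounts() {
    printf '%s\n' \
        '/dev/sda1 / ext3 rw 0 0' \
        '/dev/sda2 /usr/local ext3 rw,nosuid 0 0'
}

# Stand-alone usage: sh this_script.sh /usr/local/bin/run_email2trac
if [ -n "${1:-}" ]; then
    check_suid_wrapper "$1"
fi
```

Run check_suid_wrapper against the installed wrapper first; then the alias test bas suggests (/usr/bin/id > /var/tmp/postfix.user) tells you which uid the MTA hands to it. The nosuid case is the silent one: the helper simply keeps running as the postfix user and fails on the first file it cannot read, which looks exactly like the VERSION error in this ticket.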

Changed 13 years ago by Adam Goss

Added by email2trac

comment:8 Changed 13 years ago by Adam Goss

I believe I have finally solved my own problem. There were no AVC messages in the message log, but I dug into the audit log and found that the reason the service was being denied access to the files, even when they were chmod 777, was SELinux. I created a custom SELinux policy based on the alerts generated after a reboot and failed email2trac test and it appears to have fixed the problem.

On 11/5/07, email2trac <email2trac@sara.nl> wrote:
>
> #32: permissions issue, email2trac config
>
> -----------------------------+----------------------------------------------
> Reporter:  acgoss@gmail.com  |        Owner:  bas
>     Type:  defect            |       Status:  assigned
> Priority:  major             |    Component:  email2trac
> Version:  0.10              |   Resolution:
> Keywords:                    |
>
> -----------------------------+----------------------------------------------
> Comment (by bas):
>
> This setup will never work for root and apache, because the postfix user will start up email2trac and this userid has no write access to the trac-database. That is why you need run_email2trac for this. It will change the userid from <postfix> to the <apache> user. The process of changing user fails somehow and I think it has to do with not allowing to run suid programs.
>
> Can you just put this in /etc/aliases:
> {{{
> test: /var/tmp/test.sh
> }}}
>
> test.sh
> {{{
> /usr/bin/id > /var/tmp/postfix.user
> }}}
>
> else use the other postfix setup:
>   * https://subtrac.sara.nl/oss/email2trac/wiki/Email2tracMta#Noteforpostfix
>
> --
> Ticket URL: <https://subtrac.sara.nl/oss/email2trac/ticket/32#comment:7>
> email2trac <https://subtrac.sara.nl/oss/email2trac>
> Documentation server for email2trac
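The resolution in comment:8 is the security-relevant point of this ticket: mode 777 only satisfies discretionary access control, and a mandatory policy such as SELinux can still refuse the open(), with the denial recorded by auditd in /var/log/audit/audit.log rather than in syslog. The following is an added example, not code from email2trac or from the reporter, that pulls AVC denials out of an audit log so such a failure can be attributed to SELinux instead of file modes. The sample records, pids, inodes and security contexts it embeds are constructed for illustration, not taken from the reporter's system:

```shell
#!/bin/sh
# Added example (not email2trac code): extract SELinux AVC denials from an
# audit log in auditd's format, so that a "Permission denied" that survives
# chmod 777 can be traced to mandatory access control. auditd writes these
# records to /var/log/audit/audit.log, not /var/log/messages, which is why
# the reporter saw no AVC messages in syslog.

# One line per denial: process, permission(s), target file, object class and
# the source -> target security contexts. $2 optionally filters on comm=
# (the process name). Use "-" as the file name to read standard input.
# Usage: avc_denials /var/log/audit/audit.log [email2trac]
avc_denials() {
    awk -v want="${2:-}" '
    $1 == "type=AVC" && /avc: *denied/ {
        perm = $0
        sub(/.*denied *[{] */, "", perm)    # keep text after "denied {"
        sub(/ *[}].*/, "", perm)            # drop from "}" onwards
        comm = ""; name = ""; sc = ""; tc = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "comm")     { comm = kv[2]; gsub(/"/, "", comm) }
            if (kv[1] == "name")     { name = kv[2]; gsub(/"/, "", name) }
            if (kv[1] == "scontext") sc = kv[2]
            if (kv[1] == "tcontext") tc = kv[2]
            if (kv[1] == "tclass")   cls = kv[2]
        }
        if (want == "" || comm == want)
            printf "%s denied %s on %s (%s): %s -> %s\n", comm, perm, name, cls, sc, tc
    }' "$1"
}

# Returns 0 if the log holds an AVC denial naming $2 (the file name as it
# appears in name="..."), i.e. the failure is SELinux rather than DAC.
avc_blocks_file() {
    avc_denials "$1" | grep -qF -- " on $2 ("
}

# Constructed sample records in audit.log layout (contexts, pids and inodes
# are illustrative). Two denials hit email2trac, one SYSCALL record must be
# ignored, and one denial belongs to an unrelated process.
sample_audit_log() {
    printf '%s\n' \
        'type=AVC msg=audit(1194278971.123:456): avc:  denied  { read } for  pid=1234 comm="email2trac" name="VERSION" dev=sda1 ino=98765 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file' \
        'type=SYSCALL msg=audit(1194278971.123:456): arch=40000003 syscall=5 success=no exit=-13 comm="email2trac" exe="/usr/bin/python"' \
        'type=AVC msg=audit(1194278972.456:457): avc:  denied  { read write } for  pid=1234 comm="email2trac" name="trac.db" dev=sda1 ino=98766 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file' \
        'type=AVC msg=audit(1194279000.000:458): avc:  denied  { write } for  pid=2000 comm="cupsd" name="cups.sock" dev=sda1 ino=4242 scontext=system_u:system_r:cupsd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file'
}

# Stand-alone usage: sample_audit_log | avc_denials - email2trac
```

On the reporter's box the same records can be listed with ausearch -m avc -c email2trac, and audit2allow -M email2trac reads them from standard input and writes a loadable module for semodule -i email2trac.pp. A generated module allows exactly the operations that were denied, so read the .te file it produces before loading it; where the denial is really a mislabelled file, fixing the label (semanage fcontext followed by restorecon) is the narrower change, and it keeps the policy the distribution ships instead of widening it.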

comment:9 Changed 13 years ago by bas

  • Resolution set to fixed
  • Status changed from assigned to closed

Thanks for the info. Maybe I have to make some kind of FAQ to describe these kinds of problems. I will close the ticket.
