MAAS doesn't have permissions to write in /etc/bind/maas

Bug #1042868 reported by Andres Rodriguez
Affects        Status        Importance  Assigned to  Milestone
MAAS           Invalid       Critical    Unassigned
maas (Ubuntu)  Fix Released  High        Unassigned

Bug Description

MAAS needs permissions to write in /etc/bind/maas; however, MAAS is not run as root.

Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/celery/execute/trace.py", line 47, in trace
    return cls(states.SUCCESS, retval=fun(*args, **kwargs))
  File "/usr/lib/python2.7/dist-packages/celery/app/task/__init__.py", line 247, in __call__
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/celery/app/__init__.py", line 175, in run
    return fun(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/provisioningserver/tasks.py", line 192, in write_full_dns_config
    dns_config.write_config(**kwargs)
  File "/usr/lib/python2.7/dist-packages/provisioningserver/dns/config.py", line 156, in write_config
    atomic_write(rendered, self.target_path, overwrite=overwrite)
  File "/usr/lib/python2.7/dist-packages/provisioningserver/utils.py", line 84, in atomic_write
    temp_file = _write_temp_file(content, filename)
  File "/usr/lib/python2.7/dist-packages/provisioningserver/utils.py", line 60, in _write_temp_file
    prefix=".%s." % os.path.basename(filename))
  File "/usr/lib/python2.7/tempfile.py", line 300, in mkstemp
    return _mkstemp_inner(dir, prefix, suffix, flags)
  File "/usr/lib/python2.7/tempfile.py", line 235, in _mkstemp_inner
    fd = _os.open(file, flags, 0600)
OSError: [Errno 13] Permission denied

Changed in maas:
importance: Undecided → Critical
Julian Edwards (julian-edwards) wrote :

When the package creates this directory, can't it just make it owned/writable by the maas user?

Changed in maas:
status: New → Triaged
status: Triaged → Incomplete
Julian Edwards (julian-edwards) wrote :

To clarify, the code was written in such a way as to make a separately writable file possible, which should be included from the main named.conf.

Julian Edwards (julian-edwards) wrote :

Andres said he'd make the directory writable by the package.

Changed in maas:
status: Incomplete → Invalid
Andres Rodriguez (andreserl) wrote :

Julian,

So I made the directory to be owned by maas user, root group, and this is the outcome:

ubuntu@maas:/etc/bind$ ls -l maas/
total 12
-rw-r--r-- 1 root root 99 Aug 29 08:57 named.conf.maas
-rw-r--r-- 1 root root 193 Aug 29 08:57 named.conf.rndc.maas
-rw-r--r-- 1 root root 539 Aug 29 08:57 rndc.conf.maas
ubuntu@maas:/etc/bind$ sudo chown -R maas:root maas
ubuntu@maas:/etc/bind$ ls -l maas/
total 12
-rw-r--r-- 1 maas maas 99 Aug 29 09:05 named.conf.maas
-rw-r--r-- 1 maas root 193 Aug 29 08:57 named.conf.rndc.maas
-rw-r--r-- 1 maas root 539 Aug 29 08:57 rndc.conf.maas

Now, I re-enabled the DNS server from the WebUI, and the following error was seen in the celery.log. Additionally, I noticed that permissions on named.conf.maas were changed, causing bind9 to fail reloading the configuration file:

== Incorrect file permissions ==
ubuntu@maas:/etc/bind$ ls -l maas/
total 12
-rw------- 1 maas maas 99 Aug 29 09:05 named.conf.maas
-rw-r--r-- 1 maas root 193 Aug 29 08:57 named.conf.rndc.maas
-rw-r--r-- 1 maas root 539 Aug 29 08:57 rndc.conf.maas

=== bind failure (syslog) ===

Aug 29 09:05:33 maas named[23407]: received control channel command 'reload'
Aug 29 09:05:33 maas named[23407]: loading configuration from '/etc/bind/named.conf'
Aug 29 09:05:33 maas named[23407]: /etc/bind/named.conf.local:9: open: /etc/bind/maas/named.conf.maas: permission denied
Aug 29 09:05:33 maas named[23407]: reloading configuration failed: permission denied

=== celery error log ===

[2012-08-29 09:05:33,405: INFO/MainProcess] Got task from broker: provisioningserver.tasks.write_full_dns_config[3b7fe6ce-380f-442c-a9fe-56fcd0e71313]
[2012-08-29 09:05:33,446: INFO/MainProcess] Got task from broker: provisioningserver.tasks.rndc_command[86c0d418-cb60-4720-b051-212b0f891782]
[2012-08-29 09:05:33,451: INFO/MainProcess] Task provisioningserver.tasks.write_full_dns_config[3b7fe6ce-380f-442c-a9fe-56fcd0e71313] succeeded in 0.0323147773743s: None
[2012-08-29 09:05:33,498: ERROR/MainProcess] Task provisioningserver.tasks.rndc_command[86c0d418-cb60-4720-b051-212b0f891782] raised exception: UnpickleableExceptionWrapper('subprocess', 'CalledProcessError', (), 'CalledProcessError()')
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/celery/execute/trace.py", line 47, in trace
    return cls(states.SUCCESS, retval=fun(*args, **kwargs))
  File "/usr/lib/python2.7/dist-packages/celery/app/task/__init__.py", line 247, in __call__
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/celery/app/__init__.py", line 175, in run
    return fun(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/provisioningserver/tasks.py", line 165, in rndc_command
    execute_rndc_command(arguments)
  File "/usr/lib/python2.7/dist-packages/provisioningserver/dns/config.py", line 110, in execute_rndc_command
    stdout=devnull)
  File "/usr/lib/python2.7/subprocess.py", line 511, in check_call
    raise CalledProcessError(retcode, ...

Julian Edwards (julian-edwards) wrote : Re: [Bug 1042868] Re: MAAS doesn't have permissions to write in /etc/bind/maas

ARGH. The umask is messing us around again, it's the same problem for
maas-import-ephemerals. The reason it changes on an existing file is because
it gets renamed from a temp file (for atomic write purposes).

Do you know where the umask is getting set for the maas user?

Andres Rodriguez (andreserl) wrote :

Julian,

We do not set a umask for the maas user. It uses the default on user creation. However, we should not rely on changing the umask for the maas user, but rather, this should be fixed by setting the correct permissions when copying over the file.

Andres Rodriguez (andreserl) wrote :

Also note that on maas-dns install, I had to fix those permissions, but they keep being changed:

        # fix permissions
        if [ -f /etc/bind/maas/named.conf.maas ]; then
                chmod 644 /etc/bind/maas/named.conf.maas
        fi

Julian Edwards (julian-edwards) wrote :

On Wednesday 29 August 2012 14:43:31 you wrote:
> Also note that on maas-dns install, I had to fix those permissions, but
> they keep being changed:
>
>
> # fix permissions
> if [ -f /etc/bind/maas/named.conf.maas ]; then
> chmod 644 /etc/bind/maas/named.conf.maas
> fi

Yeah that's due to the atomic way of writing with a temp rename. We'll make
it chmod.
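
The behaviour discussed in this thread, as an added example that is not MAAS code: tempfile.mkstemp creates its file with mode 0600 (the 0600 in the traceback's _os.open call), and renaming that file over the target carries the mode along. The function names, the scratch directory and the sample content are assumptions made for the illustration; the second function sets the mode explicitly with os.fchmod before the rename.

```python
import os
import tempfile


def _temp_for(filename):
    """Create the temp file beside the target so rename() stays atomic."""
    return tempfile.mkstemp(dir=os.path.dirname(filename) or ".",
                            prefix=".%s." % os.path.basename(filename))


def atomic_write_naive(content, filename):
    """Temp file + rename only: the target ends up with mkstemp's 0600."""
    fd, temp_path = _temp_for(filename)
    with os.fdopen(fd, "wb") as f:
        f.write(content)
    os.rename(temp_path, filename)


def atomic_write_with_mode(content, filename, mode=0o644):
    """Same pattern, with the final mode set explicitly before the rename."""
    fd, temp_path = _temp_for(filename)
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(content)
            os.fchmod(f.fileno(), mode)  # explicit mode, not masked by umask
        os.rename(temp_path, filename)
    except BaseException:
        os.unlink(temp_path)  # never leave a stray temp file behind
        raise


def mode_of(path):
    return os.stat(path).st_mode & 0o777


def demo():
    """Replay the thread's sequence in a scratch directory (constructed data)."""
    old_umask = os.umask(0o077)  # restrictive umask: must not affect the fix
    try:
        with tempfile.TemporaryDirectory() as d:
            target = os.path.join(d, "named.conf.maas")
            atomic_write_with_mode(b"// constructed sample\n", target)
            initial = mode_of(target)
            atomic_write_naive(b"// constructed sample, rewritten\n", target)
            after_naive = mode_of(target)
            atomic_write_with_mode(b"// constructed sample, again\n", target)
            return {"initial": initial, "after_naive": after_naive,
                    "after_fixed": mode_of(target)}
    finally:
        os.umask(old_umask)
```

Setting the mode on the temp file before the rename means the target is never visible with the wrong permissions, which a chmod after the rename cannot guarantee.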

Andres Rodriguez (andreserl) wrote :

Hi Julian

Already proposed a branch to fix that! :-)

Cheers
On Aug 29, 2012 8:15 PM, "Julian Edwards" <email address hidden>
wrote:

> On Wednesday 29 August 2012 14:43:31 you wrote:
> > Also note that on maas-dns install, I had to fix those permissions, but
> > they keep being changed:
> >
> >
> > # fix permissions
> > if [ -f /etc/bind/maas/named.conf.maas ]; then
> > chmod 644 /etc/bind/maas/named.conf.maas
> > fi
>
> Yeah that's due to the atomic way of writing with a temp rename. We'll
> make
> it chmod.

James Page (james-page)
Changed in maas (Ubuntu):
importance: Undecided → High
status: New → Triaged
Andres Rodriguez (andreserl) wrote :

Ok so, this needs to be looked at. MAAS modifies the files and the permissions end up being:

ubuntu@maas:/etc/bind/maas$ ls -l
total 12
-rwxr--r-- 1 maas maas 99 Aug 31 10:44 named.conf.maas
-rw-r--r-- 1 root root 193 Aug 31 10:12 named.conf.rndc.maas
-rw------- 1 root root 539 Aug 31 10:12 rndc.conf.maas

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package maas - 0.1+bzr971+dfsg-0ubuntu1

---------------
maas (0.1+bzr971+dfsg-0ubuntu1) quantal; urgency=low

  * New upstream release (LP: #1044367)

  [ Julian Edwards ]
  * Fix 02-pserv-config.patch to handle new default tftp directory

  [ Andres Rodriguez ]
  * debian/maas.postinst:
    - include '/MAAS' for DEFAULT_MAAS_URL.(LP: #1033956)
    - Update bzr version to safely upgrade.
  * Add maas-dns package that configures DNS in MAAS (LP: #1030860)
  * Remove cobbler related bits
    - debian/maas.postinst: Drop cobbler configuration
    - debian/maas.install: Drop installation of snippets/preseeds.
    - debian/control:
      + Drop Depends on maas-provision. (LP: #975473)
      + Depends on bind9utils.
      + Depends on python-lockfile (LP: #1037400)
      Add necessary Conflicts/Replaces. Add conflicts to tftpd-hpa and dnsmasq.
      Depends on isc-dhcp-server for maas-dhcp, and syslinux-common.
    - debian/extras/maas-provision: Add missing "$@" (LP: #1040462)
    - debian/patches:
      + 02-pserv-config.patch: Updated. Do not patch cobbler related bits.
        patch tftp config to default.
  * maas-dhcp: Re-add to handle initial configuration of MAAS DHCP server.
  * Allow restart of 'isc-dhcp-server' by adding a sudoers file:
    - debian/extras/99-maas-sudoers: Added.
    - debian/maas.install: Install 99-maas-sudoers
  * Minor improvements on dbconfig-common handling:
    - debian/maas.config: Only call dbc_go when scripts present.
    - debian/maas.postrm: Only call dbc_go when config file exists.
  * debian/maas.maas-celery.upstart: Enable Beat and set scheduler db file.
  * debian/maas-dns.postinst: Set correct permissions. (LP: #1042868)
  * debian/maas-dhcp.config:
    - Ask whether we want to enable DHCP (LP: #1044229)
    - Add debconf question for network interfaces
  * debian/maas.prerm: Stop services before removing database (LP: #1044559)
 -- Andres Rodriguez <email address hidden> Thu, 02 Aug 2012 09:01:43 -0400

Changed in maas (Ubuntu):
status: Triaged → Fix Released