chown local socket fails

Bug #1849712 reported by Kaloyan Petrov on 2019-10-24
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
dkimpy-milter
High
Scott Kitterman

Bug Description

In Debian 10.1, dkimpy-milter-1.0.1-1

When I use a local socket, service fails to start.
The reason is we try to chwon the socket file, before its created.

Oct 24 19:47:19 localhost dkimpy-milter[18780]: File "/usr/lib/python2.7/dist-packages/dkimpy_milter/__init__.py", line 351, in main
Oct 24 19:47:19 localhost dkimpy-milter[18780]: own_socketfile(milterconfig)
Oct 24 19:47:19 localhost dkimpy-milter[18780]: File "/usr/lib/python2.7/dist-packages/dkimpy_milter/util.py", line 156, in own_socketfile
Oct 24 19:47:19 localhost dkimpy-milter[18780]: os.chown(milterconfig.get('Socket')[6:], user, group)
Oct 24 19:47:19 localhost dkimpy-milter[18780]: OSError: [Errno 2] No such file or directory: '/var/dkimpy-milter/dkimpy-milter.sock'
Oct 24 19:47:19 localhost dkimpy-milter[18780]: File "/usr/lib/python2.7/dist-packages/dkimpy_milter/__init__.py", line 351, in main
                                                 own_socketfile(milterconfig)
Oct 24 19:47:19 localhost dkimpy-milter[18780]: File "/usr/lib/python2.7/dist-packages/dkimpy_milter/util.py", line 156, in own_socketfile
                                                 os.chown(milterconfig.get('Socket')[6:], user, group)
Oct 24 19:47:19 localhost dkimpy-milter[18780]: OSError: [Errno 2] No such file or directory: '/var/dkimpy-milter/dkimpy-milter.sock'

Kaloyan Petrov (kpp85) wrote :
description: updated
Scott Kitterman (kitterman) wrote :

I agree on the bug, but not the solution. It turns out that libmilter will handle this itself based on umask:

https://www.mirbsd.org/htman/i386/manDOCS/milter/smfi_setconn.html

The default uMask setting should yield an appropriately owned socket. I think we can just drop own_socketfile(milterconfig) completely. The reason why your patch appears to work is that the permissions have already been set by the time own_socketfile(milterconfig) is run. Since the milter has already dropped privileges at that point, if the socket was still root owned, it would fail.

Thanks for the feedback. There's already a pending update in Debian (to 1.0.2) that doesn't address this issue, so don't be surprised when you get an update and this isn't fixed.

Changed in dkimpy-milter:
importance: Undecided → High
milestone: none → 1.2.0
status: New → Triaged
assignee: nobody → Scott Kitterman (kitterman)
Scott Kitterman (kitterman) wrote :

If you can try removing (or commenting out) the own_socket line without re-adding it and verify that works on 1.0, I'll see about getting another update into Debian 10 (Buster).

Kaloyan Petrov (kpp85) wrote :

Yes, it helps. Service started without issues, using local socket.

Scott Kitterman (kitterman) wrote :

Fix committed to master for version 1.2.0. Will cherry-pick for 1.1 and 1.0 stable branches.

Changed in dkimpy-milter:
status: Triaged → Fix Committed
Scott Kitterman (kitterman) wrote :

Committed for stable1.0 and stable1.1 also.

Scott Kitterman (kitterman) wrote :

1.1.4 2019-11-22
 - Make error logging more explicit to aid debugging
 - Delete own_socketfile to resolve race condition where the permissions
   change fails on a Unix socket because it hasn't been created yet (libmilter
   will do this correctly on its own based on umask, the milter doesn't need
   to do it) (LP: #1849712)

Changed in dkimpy-milter:
milestone: 1.2.0 → 1.1.4
status: Fix Committed → Won't Fix
status: Won't Fix → Fix Released
Scott Kitterman (kitterman) wrote :

I've also released 1.0.3 with this fix in it for python2 users. For Debian users, once 1.1.4 is in Testing, I plan to ask the release team for authorization to do a stable update with 1.0.3. Assuming that is approved, it would be in the next point release.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers