landscape-config problem with hardened umask 027

Bug #2065879 reported by appe
This bug affects 2 people
Affects: Landscape Client
Status: Triaged
Importance: High
Assigned to: Unassigned

Bug Description

Hi

It is not possible to register a new server with "landscape-config" when using a hardened umask. We use umask 027 due to CIS requirements; this creates files under /var/lib/landscape/client/ which the landscape user can't read, which causes the service to fail to start.

How to reproduce:
# umask 027
# landscape-config --computer-title test --account-name standalone --url https://test.net/message-system --ping-url http://test.net/ping --ssl-public-key /etc/landscape/test.pem

Fails with:
Traceback (most recent call last):
Failure: twisted.internet.error.ConnectError: An error occurred while connecting: 2: No such file or directory.

# ls -l /var/lib/landscape/client/
total 52
drwxr-xr-x 2 landscape landscape 4096 May 16 13:53 annotations.d
-rw-r----- 1 root root 33 May 16 13:54 broker.bpickle
-rw-r----- 1 root root 47 May 16 13:53 broker.bpickle.old
drwxr-xr-x 2 landscape root 4096 May 16 13:53 custom-graph-scripts
-rw-r--r-- 1 root root 12288 May 16 13:53 manager.database
drwxr-xr-x 2 landscape root 4096 May 16 13:53 messages
-rw-r--r-- 1 landscape landscape 23 May 16 13:53 monitor.bpickle
-rw-r--r-- 1 landscape landscape 23 May 16 13:53 monitor.bpickle.old
drwxr-xr-x 5 landscape root 4096 May 16 13:53 package
drwxr-x--- 2 landscape root 4096 May 16 13:53 sockets
-rwxr-xr-x 1 landscape root 100 May 16 13:52 user-update-flag

Rerun with umask 022:
# umask 022
# landscape-config --computer-title test --account-name standalone --url https://test.net/message-system --ping-url http://test.net/ping --ssl-public-key /etc/landscape/test.pem

Registration request sent successfully.

# ls -l /var/lib/landscape/client/
total 60
drwxr-xr-x 2 landscape landscape 4096 May 16 13:53 annotations.d
-rw-r--r-- 1 landscape landscape 364 May 16 13:56 broker.bpickle
-rw-r--r-- 1 landscape landscape 1085 May 16 13:56 broker.bpickle.old
drwxr-xr-x 2 landscape root 4096 May 16 13:53 custom-graph-scripts
-rw-r--r-- 1 root root 12288 May 16 13:53 manager.database
drwxr-xr-x 3 landscape root 4096 May 16 13:56 messages
-rw-r--r-- 1 landscape landscape 12602 May 16 13:56 monitor.bpickle
-rw-r--r-- 1 landscape landscape 23 May 16 13:56 monitor.bpickle.old
drwxr-xr-x 5 landscape root 4096 May 16 13:56 package
drwxr-x--- 2 landscape root 4096 May 16 13:56 sockets

System info:
root@ubuntu2404:~# dpkg -l |grep landsca
ii landscape-client 24.02-0ubuntu5 amd64 Landscape administration system client
ii landscape-common 24.02-0ubuntu5 amd64 Landscape

Distributor ID: Ubuntu
Description: Ubuntu 24.04 LTS
Release: 24.04
Codename: noble

Changed in landscape-client:
status: New → Triaged
importance: Undecided → High
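
The two listings in the report differ in the mode and ownership of broker.bpickle: created by root under umask 027 it is mode 640 root:root, which the landscape user cannot read. The script below is an added example, not part of the bug report or of the Landscape client code: it reproduces the mode difference in a temporary directory and lists files a given service account cannot read. The function names and temporary paths are made up for illustration, and GNU coreutils `stat` (as on Ubuntu) is assumed.

```shell
#!/bin/sh
# Added example: constructed paths, hypothetical helper names.
# Assumes GNU coreutils `stat` (stat -c), as shipped on Ubuntu.

# Create an empty file at $2 under umask $1 (in a subshell, so the caller's
# umask is untouched) and print the resulting octal mode.
mode_under_umask() {
    ( umask "$1" && : > "$2" ) || return 1
    stat -c '%a' "$2"
}

# List regular files directly in dir $1 that user $2 with primary group $3
# cannot read, judged from owner, group and mode bits only
# (ACLs and supplementary groups are ignored).
unreadable_by() {
    ub_dir=$1 ub_user=$2 ub_group=$3
    for ub_path in "$ub_dir"/*; do
        [ -f "$ub_path" ] || continue
        ub_owner=$(stat -c '%U' "$ub_path")
        ub_fgroup=$(stat -c '%G' "$ub_path")
        ub_mode=$(stat -c '%a' "$ub_path")
        # Pick the one read bit that applies to this user: owner, group or other.
        if [ "$ub_owner" = "$ub_user" ]; then ub_bit=0400
        elif [ "$ub_fgroup" = "$ub_group" ]; then ub_bit=0040
        else ub_bit=0004
        fi
        # The leading 0 makes the shell parse both operands as octal.
        [ $(( 0$ub_mode & $ub_bit )) -ne 0 ] || printf '%s\n' "$ub_path"
    done
}

# Reproduce the report's symptom with constructed files in a temp directory.
demo() {
    d=$(mktemp -d) || return 1
    echo "umask 027 -> mode $(mode_under_umask 027 "$d/broker.bpickle")"
    echo "umask 022 -> mode $(mode_under_umask 022 "$d/monitor.bpickle")"
    echo "not readable by landscape:"
    unreadable_by "$d" landscape landscape
    rm -rf "$d"
}
demo
```

On an affected host the same check would be `unreadable_by /var/lib/landscape/client landscape landscape`, run before starting the service.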