sources.list rewrite doesn't preserve original permissions

Bug #804548 reported by Andreas Hasenack on 2011-07-01
Affects: Landscape Client
Importance: Medium
Assigned to: Alberto Donato

Bug Description

With the repository profiles feature, /etc/apt/sources.list gets populated by landscape. Due to the use of mkstemp() and os.rename(), however, the file ends up having too tight permissions: root:root 0600.

The original ownership and permissions of the file, and the ones in sources.list.d (didn't check) should be preserved.

An example of a bad consequence of the tighter permissions can be seen on a desktop system. Pretty soon the user will see a big red "forbidden" icon in the notification area complaining about problems reading sources.list (see attached screenshot).

Andreas Hasenack (ahasenack) wrote :
tags: added: squad-gama theme-repo-management
tags: added: squad-gamma
removed: squad-gama
Andreas Hasenack (ahasenack) wrote :

As a side note, os.rename() doesn't work across devices, so if /tmp happens to be on a different partition, something common in certain server installations, the operation would fail.

    def _handle_sources(self, ignored, sources):
        """Handle sources repositories."""
        fd, path = tempfile.mkstemp()
        (...)
        os.rename(path, self.SOURCES_LIST)

Example:
>>> import os,tempfile
>>> fd,path = tempfile.mkstemp()
>>> os.close(fd)
>>> path
'/tmp/tmp57KbcG'
>>> os.rename(path,"/home/andreas/foo")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
OSError: [Errno 18] Invalid cross-device link
>>>

From the docs at http://docs.python.org/library/os.html?highlight=os.rename#os.rename:
"The operation may fail on some Unix flavors if src and dst are on different filesystems"
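
An added example (not landscape-client code, and not the fix that was committed for this bug): one way to rewrite a file atomically while keeping its mode and owner, with the temporary file created next to the target so the rename cannot hit the cross-device error shown above. It is written for Python 3; `atomic_rewrite`, `demo` and the `.example` hostnames are names made up here, and the sample sources.list content is constructed.

```python
import os
import stat
import tempfile


def atomic_rewrite(path, data, default_mode=0o644):
    """Replace path with data (bytes), keeping the mode and owner it had."""
    try:
        st = os.stat(path)
        mode, owner = stat.S_IMODE(st.st_mode), (st.st_uid, st.st_gid)
    except FileNotFoundError:
        mode, owner = default_mode, None  # new file: nothing to preserve
    # Same directory as the target, so the rename never crosses filesystems.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)),
                               prefix=".rewrite-")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
            f.flush()
            # mkstemp() always creates the file 0600 and owned by the caller;
            # restore metadata before the file appears under its final name.
            now = os.fstat(f.fileno())
            if owner is not None and (now.st_uid, now.st_gid) != owner:
                os.fchown(f.fileno(), *owner)  # raises if not permitted
            os.fchmod(f.fileno(), mode)  # after chown, which may clear bits
            os.fsync(f.fileno())
        os.replace(tmp, path)  # atomic on POSIX within one filesystem
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


def demo():
    """Rewrite a constructed sources.list; return modes, content, dir list."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sources.list")  # stand-in for /etc/apt/...
        with open(path, "wb") as f:
            f.write(b"deb http://archive.example/ubuntu lucid main\n")
        os.chmod(path, 0o644)
        before = stat.S_IMODE(os.stat(path).st_mode)
        atomic_rewrite(path, b"deb http://mirror.example/ubuntu lucid main\n")
        after = stat.S_IMODE(os.stat(path).st_mode)
        with open(path, "rb") as f:
            return before, after, f.read(), sorted(os.listdir(d))


if __name__ == "__main__":
    print(demo())
```

If the ownership cannot be restored the function raises and removes the temporary file, so the original file is left untouched rather than replaced with different ownership.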

tags: added: story-apt-sources
removed: theme-repo-management
Changed in landscape-client:
milestone: backlog → 11.07.1
Alberto Donato (ack) on 2011-07-04
Changed in landscape-client:
status: New → In Progress
assignee: nobody → Alberto Donato (ack)
Alberto Donato (ack) on 2011-07-06
Changed in landscape-client:
status: In Progress → Fix Committed
Alberto Donato (ack) wrote :

Need to fix ownership as well.

Changed in landscape-client:
status: Fix Committed → In Progress
Alberto Donato (ack) on 2011-07-07
Changed in landscape-client:
status: In Progress → Fix Committed
tags: added: verified

Hello Andreas, or anyone else affected,

Accepted landscape-client into lucid-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you in advance!

tags: added: verification-needed
Andreas Hasenack (ahasenack) wrote :

Verified with the landscape-client-11.07.1.1-0ubuntu0.10.04.0 package in lucid-proposed:

root@ls1-lucid:/etc/apt# apt-cache policy landscape-client
landscape-client:
  Installed: 11.07.1.1-0ubuntu0.10.04.0
  Candidate: 11.07.1.1-0ubuntu0.10.04.0
  Version table:
 *** 11.07.1.1-0ubuntu0.10.04.0 0
        500 http://us.archive.ubuntu.com/ubuntu/ lucid-proposed/main Packages
        100 /var/lib/dpkg/status
     11.02-0ubuntu0.10.04.1 0
        500 http://security.ubuntu.com/ubuntu/ lucid-updates/main Packages
     1.5.0.1-0ubuntu0.10.04.0 0
        500 http://us.archive.ubuntu.com/ubuntu/ lucid/main Packages

Permissions mangled to be root:landscape 0755 before, and remained like that after:

# l /etc/apt/sources.list
-rwxr-xr-x 1 root landscape 1.2K 2011-07-27 21:44 /etc/apt/sources.list

Chris Halse Rogers (raof) wrote :

Thanks for testing!

tags: added: verification-done
removed: verification-needed
Martin Pitt (pitti) wrote :

Hello Andreas, or anyone else affected,

Accepted landscape-client into maverick-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you in advance!

tags: removed: verification-done
tags: added: verification-needed
Martin Pitt (pitti) wrote :

Hello Andreas, or anyone else affected,

Accepted landscape-client into natty-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you in advance!

Andreas Hasenack (ahasenack) wrote :

Verified in Maverick and Natty, using the proposed packages, that the permissions and ownership of the sources.list and sources.list.d/* files are preserved after a repository profile is applied.

Changed in landscape-client:
status: Fix Committed → Fix Released