[SRU] (13)Permission denied: [client 1.2.3.4:60750] AH00035: access to /static/dashboard/img/favicon.ico denied (filesystem path '/var/lib/openstack-dashboard/static') because search permissions are missing on a component of the path

Bug #1765191 reported by Felipe Reyes on 2018-04-18
This bug affects 2 people
Affects                  Importance  Assigned to
Ubuntu Cloud Archive     High        Unassigned
  Ocata                  High        Unassigned
  Pike                   High        Unassigned
  Queens                 High        Unassigned
horizon (Ubuntu)         Status tracked in Cosmic
  Artful                 High        Felipe Reyes
  Bionic                 High        Felipe Reyes
  Cosmic                 High        Felipe Reyes

Bug Description

[Impact]

When upgrading from mitaka to pike horizon stops working because Apache can't read the static assets anymore

[Wed Apr 04 11:22:37.470451 2018] [core:error] [pid 17924:tid 140071592240896] (13)Permission denied: [client 1.2.3.4:60750] AH00035: access to /static/dashboard/img/favicon.ico denied (filesystem path '/var/lib/openstack-dashboard/static') because search permissions are missing on a component of the path

In xenial the home for the horizon user is /usr/share/openstack-dashboard, and /var/lib/openstack-dashboard permissions are changed to 700 to secure the secret_key, while in artful/pike only the secret_key file is set to 700

# ls -ld /var/lib/openstack-dashboard/
drwxr-xr-x 4 horizon horizon 4096 Apr 18 18:49 /var/lib/openstack-dashboard/
# ls -ld /var/lib/openstack-dashboard/secret_key
-rw------- 1 horizon horizon 64 Apr 18 18:47 /var/lib/openstack-dashboard/secret_key
# apt-cache policy openstack-dashboard
openstack-dashboard:
  Installed: 3:12.0.2-0ubuntu1
  Candidate: 3:12.0.2-0ubuntu1
  Version table:
 *** 3:12.0.2-0ubuntu1 500
        500 http://nova.clouds.archive.ubuntu.com/ubuntu artful-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     3:12.0.0-0ubuntu2.1 500
        500 http://nova.clouds.archive.ubuntu.com/ubuntu artful/main amd64 Packages

So during the upgrade of the package /var/lib/openstack-dashboard is left to 700

xenial -> debian/openstack-dashboard.postinst
...
if [ -d /var/lib/openstack-dashboard ] ; then
    # Generated secret storage for single node use - see local_settings.py
    # for more details of SECRET_KEY
    chmod 0700 /var/lib/openstack-dashboard
    if [ -f /etc/openstack-dashboard/secret_key ]; then
        mv /etc/openstack-dashboard/secret_key /var/lib/openstack-dashboard
    fi
    chown -R horizon:horizon /var/lib/openstack-dashboard
fi
....

artful -> debian/openstack-dashboard.postinst
...
if ! getent passwd horizon > /dev/null 2>&1 ; then
    adduser --system --home /var/lib/openstack-dashboard --ingroup horizon \
        --no-create-home --shell /bin/false horizon
fi
...

[Test Case]

* deploy openstack
  juju deploy ./xenial-mitaka.yaml # http://paste.ubuntu.com/p/7XtXRvf4cT/

* upgrade openstack-dashboard to ocata, pike or queens
  juju deploy openstack-dashboard openstack-origin="cloud:xenial-ocata" # for -proposed use "cloud:xenial-ocata/proposed"

Expected result:

http://`juju-deployer -f openstack-dashboard`/horizon/auth/login is displayed with all the correct css/js/etc assets

Actual result:

http://`juju-deployer -f openstack-dashboard`/horizon/auth/login cannot load the static assets (javascript/css/etc)

[Regression Potential]

* Users who may have customized /var/lib/openstack-dashboard permissions to comply with some specific security policy will see changes in the permissions when they upgrade, but this is a common situation when packages are upgraded.

[Other Info]
N/A
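
The AH00035 message above names only the full filesystem path, not the component that blocks it. The following added example (not part of the report or the horizon packaging) walks a path one directory at a time and reports the first one that denies search permission to "other", and separately checks that secret_key stays private. The function names and the ROOT parameter are hypothetical, and it assumes the Apache worker is neither owner nor group member of these directories.

```shell
#!/bin/sh
# Added example, not from the horizon packaging. Needs GNU stat (coreutils).
# Assumption: the Apache worker is neither the owner of these directories
# nor in their group, so only the "other" permission class applies to it.

# first_blocked_component ROOT RELPATH
# Walks RELPATH under ROOT one directory at a time. Prints the first
# directory whose "other" class lacks the search (x) bit and returns 1;
# returns 0 when every existing directory on the path is searchable.
# ROOT is "" on a live system; a scratch tree can be passed for testing.
first_blocked_component() {
    root=$1
    rest=${2#/}
    current=""
    while [ -n "$rest" ]; do
        part=${rest%%/*}
        case $rest in
            */*) rest=${rest#*/} ;;
            *)   rest="" ;;
        esac
        [ -n "$part" ] || continue          # tolerate "//" in the path
        current="$current/$part"
        [ -d "$root$current" ] || continue  # final component may be a file
        mode=$(stat -c %a "$root$current") || return 2
        other=${mode#"${mode%?}"}           # last octal digit = "other" class
        if [ $((other & 1)) -eq 0 ]; then
            printf '%s (mode %s)\n' "$current" "$mode"
            return 1
        fi
    done
    return 0
}

# secret_key_private ROOT
# Succeeds only if secret_key exists and grants nothing to group or other.
secret_key_private() {
    key=$1/var/lib/openstack-dashboard/secret_key
    [ -f "$key" ] || return 2
    mode=$(stat -c %a "$key") || return 2
    case $mode in
        ?00) return 0 ;;
        *)   return 1 ;;
    esac
}

# On an affected host (run as root so stat can read every component):
#   first_blocked_component "" /var/lib/openstack-dashboard/static/dashboard/img/favicon.ico
```

A return status of 2 means a component or the key could not be inspected at all, which is distinct from a permissions finding.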

Felipe Reyes (freyes) wrote :

I think the fix should be that in debian/openstack-dashboard.postinst script for newton, ocata, pike and queens, we should enforce 755 for /var/lib/openstack-dashboard and 700 for /var/lib/openstack-dashboard/secret_key

thoughts?

tags: added: sts
Felipe Reyes (freyes) on 2018-04-18
Changed in horizon (Ubuntu):
assignee: nobody → Felipe Reyes (freyes)
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in horizon (Ubuntu):
status: New → Confirmed
Corey Bryant (corey.bryant) wrote :

Hi Felipe,

Thanks for reporting this.

I was able to recreate your scenario and I also attempted a step upgrade from mitaka->newton->ocata, and the upgrade from newton->ocata runs into permissions errors for /var/lib/openstack-dashboard/static as well. https://paste.ubuntu.com/p/4ntKjw3pxN/

I'm not sure why an upgrade would cause these errors vs a fresh install to ocata or pike. I'll dig in some more. The fix may be along the lines of what you suggested, in updating the postinst script with:

sudo chmod -R 755 /var/lib/openstack-dashboard/
sudo chmod 600 /var/lib/openstack-dashboard/secret_key

Corey

Corey Bryant (corey.bryant) wrote :

Note: The switch to storing static assets in /var/lib vs /usr/share occurred in zesty (ocata).

On Tue, Apr 24, 2018 at 08:13:55PM -0000, Corey Bryant wrote:
> Hi Felipe,
>
> Thanks for reporting this.
>
> I was able to recreate your scenario and I also attempted a step upgrade
> from mitaka->newton->ocata, and the upgrade from newton->ocata runs into
> permissions errors for /var/lib/openstack-dashboard/static as well.
> https://paste.ubuntu.com/p/4ntKjw3pxN/
>
> I'm not sure why an upgrade would cause these errors vs a fresh install
> to ocata or pike. I'll dig in some more. The fix may be along the lines
> of what you suggested, in updating the postinst script with:
>
> sudo chmod -R 755 /var/lib/openstack-dashboard/
> sudo chmod 600 /var/lib/openstack-dashboard/secret_key

great, I will prepare the patch/SRU with this.

Great, thanks Felipe. I think we may want to limit this to:

sudo chmod -R 755 /var/lib/openstack-dashboard/static
sudo chmod 600 /var/lib/openstack-dashboard/secret_key

On Wed, Apr 25, 2018 at 05:52:06PM -0000, Corey Bryant wrote:
> Great, thanks Felipe. I think we may want to limit this to:
>
> sudo chmod -R 755 /var/lib/openstack-dashboard/static

I have doubts about making it recursive, I don't have an installation around, but I think 755 only to /var/lib/openstack-dashboard/static should be enough.

Felipe Reyes (freyes) on 2018-04-25
Changed in horizon (Ubuntu Artful):
assignee: nobody → Felipe Reyes (freyes)

I'd prefer non-recursive as well if that fixes it.

Changed in horizon (Ubuntu Artful):
status: New → Triaged
Changed in horizon (Ubuntu Bionic):
status: Confirmed → Triaged
Changed in horizon (Ubuntu Artful):
importance: Undecided → High
Changed in horizon (Ubuntu Bionic):
importance: Undecided → High
Felipe Reyes (freyes) wrote :

Here are the patches, it's pending to add the SRU template.

It wasn't required to change the permissions recursively, the files inside .../openstack-dashboard/static already have the expected permissions to let apache read them.
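
To make the recursive versus non-recursive discussion above concrete, this added example (not the patch attached to this bug) applies both variants to a constructed scratch tree that mimics the post-upgrade state and prints the resulting modes. The function names, the ROOT parameter and the sample asset app.css are hypothetical; the 600 mode for secret_key follows the suggestion made in the thread.

```shell
#!/bin/sh
# Added example; not the patch attached to this bug. Needs GNU stat.
# ROOT is "" in a real maintainer script; pass a scratch tree to experiment.

# Variant first suggested in the thread: recursive 755, then re-lock the key.
apply_recursive() {
    dir=$1/var/lib/openstack-dashboard
    chmod -R 755 "$dir"
    chmod 600 "$dir/secret_key"
}

# Targeted variant: open only the directory Apache must traverse and pin
# the key's mode explicitly. Nothing below the directory is touched.
apply_targeted() {
    dir=$1/var/lib/openstack-dashboard
    [ -d "$dir" ] || return 0          # package data not present yet
    chmod 0755 "$dir"
    if [ -f "$dir/secret_key" ]; then
        chmod 0600 "$dir/secret_key"
    fi
}

# modes ROOT
# Prints the octal modes of: directory, static/, one asset, secret_key.
modes() {
    dir=$1/var/lib/openstack-dashboard
    stat -c %a "$dir" "$dir/static" "$dir/static/app.css" \
        "$dir/secret_key" | xargs
}

# make_upgraded_tree
# Builds a constructed copy of the state described in the report (parent
# directory left at 700, assets already readable) and prints its root.
make_upgraded_tree() {
    root=$(mktemp -d)
    dir=$root/var/lib/openstack-dashboard
    mkdir -p "$dir/static"
    : > "$dir/static/app.css"          # constructed sample asset
    : > "$dir/secret_key"
    chmod 755 "$dir/static"
    chmod 644 "$dir/static/app.css"
    chmod 600 "$dir/secret_key"
    chmod 700 "$dir"
    printf '%s\n' "$root"
}
```

Both variants end with secret_key at 600, but the recursive one also sets the execute bit on every asset and leaves the key at 755 between the two chmod calls; the targeted one changes a single directory mode.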

tags: added: patch
Felipe Reyes (freyes) on 2018-04-26
description: updated
description: updated
summary: - (13)Permission denied: [client 1.2.3.4:60750] AH00035: access to
+ [SRU] (13)Permission denied: [client 1.2.3.4:60750] AH00035: access to
/static/dashboard/img/favicon.ico denied (filesystem path '/var/lib
/openstack-dashboard/static') because search permissions are missing on
a component of the path
Felipe Reyes (freyes) wrote :
Changed in horizon (Ubuntu Cosmic):
assignee: nobody → Felipe Reyes (freyes)
Corey Bryant (corey.bryant) wrote :

Thanks Felipe. I've uploaded new package versions with your patches to all affected releases (note minor change to correct the bug # in d/changelog) where most (except ocata) are awaiting review by the SRU team.

On Thu, May 10, 2018 at 08:26:12PM -0000, Corey Bryant wrote:
> Thanks Felipe. I've uploaded new package versions with your patches to
> all affected releases (note minor change to correct the bug # in
> d/changelog) where most (except ocata) are awaiting review by the SRU
> team.

awesome, thanks for the update.

Hello Felipe, or anyone else affected,

Accepted horizon into ocata-proposed. The package will build now and be available in the Ubuntu Cloud Archive in a few hours, and then in the -proposed repository.

Please help us by testing this new package. To enable the -proposed repository:

  sudo add-apt-repository cloud-archive:ocata-proposed
  sudo apt-get update

Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-ocata-needed to verification-ocata-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-ocata-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: added: verification-ocata-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package horizon - 3:13.0.0-0ubuntu2

---------------
horizon (3:13.0.0-0ubuntu2) cosmic; urgency=medium

  * d/openstack-dashboard.postinst: Make sure that /var/lib/openstack-dashboard/
    and /var/lib/openstack-dashboard/secret_key have the appropriate permissions
    (LP: #1765191).

 -- Felipe Reyes <email address hidden> Thu, 10 May 2018 15:43:41 -0300

Changed in horizon (Ubuntu Cosmic):
status: Triaged → Fix Released
Timo Aaltonen (tjaalton) wrote :

Hello Felipe, or anyone else affected,

Accepted horizon into artful-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/horizon/3:12.0.2-0ubuntu1.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-artful to verification-done-artful. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-artful. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in horizon (Ubuntu Artful):
status: Triaged → Fix Committed
tags: added: verification-needed verification-needed-artful
Changed in horizon (Ubuntu Bionic):
status: Triaged → Fix Committed
tags: added: verification-needed-bionic
Timo Aaltonen (tjaalton) wrote :

Hello Felipe, or anyone else affected,

Accepted horizon into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/horizon/3:13.0.0-0ubuntu1.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Corey Bryant (corey.bryant) wrote :

Hello Felipe, or anyone else affected,

Accepted horizon into pike-proposed. The package will build now and be available in the Ubuntu Cloud Archive in a few hours, and then in the -proposed repository.

Please help us by testing this new package. To enable the -proposed repository:

  sudo add-apt-repository cloud-archive:pike-proposed
  sudo apt-get update

Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-pike-needed to verification-pike-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-pike-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: added: verification-pike-needed
Corey Bryant (corey.bryant) wrote :

Hello Felipe, or anyone else affected,

Accepted horizon into queens-proposed. The package will build now and be available in the Ubuntu Cloud Archive in a few hours, and then in the -proposed repository.

Please help us by testing this new package. To enable the -proposed repository:

  sudo add-apt-repository cloud-archive:queens-proposed
  sudo apt-get update

Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-queens-needed to verification-queens-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-queens-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: added: verification-queens-needed
Changed in cloud-archive:
status: Triaged → Fix Committed
Felipe Reyes (freyes) wrote :

openstack-dashboard-ubuntu-theme needs to be updated to depend on 3:13.0.0-0ubuntu1, I wonder if we could relax this dependency a bit, something like:

Depends: openstack-dashboard (>= 3:13.0.0, <= 3:14.0.0)

The problem would be that this kind of change may not be SRUable, and this is a dummy package, so maybe we should just bite the bullet and every time we bump up the version in openstack-dashboard we need to remember to update openstack-dashboard-ubuntu-theme as well.

# apt-get install openstack-dashboard openstack-dashboard-ubuntu-theme
Reading package lists... Done
Building dependency tree
Reading state information... Done
openstack-dashboard-ubuntu-theme is already the newest version (3:13.0.0-0ubuntu1).
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 openstack-dashboard-ubuntu-theme : Depends: openstack-dashboard (= 3:13.0.0-0ubuntu1) but 3:13.0.0-0ubuntu1.1 is to be installed
E: Unable to correct problems, you have held broken packages.

Felipe Reyes (freyes) wrote :

I just noticed that openstack-dashboard-ubuntu-theme is a binary package built from the horizon source package, just like openstack-dashboard, but it comes from universe and universe-proposed was not enabled on this node, so disregard my previous comment.

# apt policy openstack-dashboard-ubuntu-theme
openstack-dashboard-ubuntu-theme:
  Installed: 3:13.0.0-0ubuntu1
  Candidate: 3:13.0.0-0ubuntu1
  Version table:
 *** 3:13.0.0-0ubuntu1 500
        500 http://nova.clouds.archive.ubuntu.com/ubuntu bionic/universe amd64 Packages
        100 /var/lib/dpkg/status
