Bug#921953: apacheds: Further analysis

2019-02-18 Thread tony mancill
On Sun, Feb 10, 2019 at 09:25:30PM +0100, Johan Grip wrote:
> Hi.
> 
> Looked at it a bit more and found the following things.
> 
> ApacheDS has moved its configuration to a dynamic schema based setup, like
> OpenLDAP.
> As part of the startup it tries to migrate the config.ldif to a folder based
> setup in ou=config. Since the user it runs as doesn't have write permission
> for /etc/apacheds it fails and then gives up starting.
> 
> Additionally, once the permission issue is sorted the current systemd unit
> checks for the existence of the config.ldif file which will be renamed as
> part of the migration so it will not start the server.
> 
> The patch below fixes both but I'm not sure if services are supposed to
> write in /etc.

Hi Johan,

Thank you for the analysis and the patch.  I adjusted the permissions
slightly based on [1].  I'm not completely sure that the directory
shouldn't also be world-readable given that the configuration created by
apacheds when it does start correctly is world readable anyway, but I
didn't change that.  Also, as I interpret Debian Policy 10.7.2 [2], the
files are in the desired location.

Since I'm not normally an uploader of apacheds, I'm going to give the
normal uploaders a couple days to comment before proceeding.  I am keen
on getting this RC bug addressed, since it will remove several other
packages from Debian, including zookeeper.

Cheers,
tony

[1] https://www.debian.org/doc/debian-policy/ch-files.html#permissions-and-owners
[2] https://www.debian.org/doc/debian-policy/ch-files.html#location




Bug#921953: apacheds: Further analysis

2019-02-10 Thread Johan Grip

Hi.

Looked at it a bit more and found the following things.

ApacheDS has moved its configuration to a dynamic schema based setup,
like OpenLDAP.
As part of the startup it tries to migrate the config.ldif to a folder
based setup in ou=config. Since the user it runs as doesn't have write
permission for /etc/apacheds it fails and then gives up starting.

Additionally, once the permission issue is sorted the current systemd
unit checks for the existence of the config.ldif file which will be
renamed as part of the migration so it will not start the server.

The patch below fixes both but I'm not sure if services are supposed to
write in /etc.


--
diff -ur apache-directory-server-2.0.0~M15/debian/apacheds.postinst 
apache-directory-server-2.0.0~M15-mod/debian/apacheds.postinst
--- apache-directory-server-2.0.0~M15/debian/apacheds.postinst  
2015-07-01 22:22:10.0 +0200
+++ apache-directory-server-2.0.0~M15-mod/debian/apacheds.postinst  
2019-02-10 21:07:19.687924216 +0100

@@ -32,7 +32,9 @@
 # Fix directory permissions
 chown -R $APACHEDS_USER:$APACHEDS_GROUP /var/log/apacheds || 
true
 chown -R $APACHEDS_USER:$APACHEDS_GROUP /var/lib/apacheds || 
true

+chown $APACHEDS_USER:$APACHEDS_GROUP /etc/apacheds
 chown $APACHEDS_USER:$APACHEDS_GROUP /etc/apacheds/*
+chmod 640 /etc/apacheds
 chmod 640 /etc/apacheds/*
 ;;
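
Review bot: The added `chmod 640 /etc/apacheds` puts mode rw-r----- on a directory, which drops the search (x) bit, so the owning service user still cannot create or open entries inside it and the migration to ou=config has nowhere to write. A directory mode such as 750 keeps group and other access restricted while letting the owner traverse and write. The existing `chmod 640 /etc/apacheds/*` glob has the same problem on a later postinst run, once the migration has created the ou=config directory, and the new `chown` line lacks the `|| true` used on the two `chown -R` lines above it.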

diff -ur apache-directory-server-2.0.0~M15/debian/apacheds.service 
apache-directory-server-2.0.0~M15-mod/debian/apacheds.service
--- apache-directory-server-2.0.0~M15/debian/apacheds.service   
2015-07-01 22:22:10.0 +0200
+++ apache-directory-server-2.0.0~M15-mod/debian/apacheds.service   
2019-02-10 21:04:28.228844408 +0100

@@ -1,7 +1,8 @@
 [Unit]
 Description=Apache Directory Server
 After=network.target
-ConditionPathExists=/etc/apacheds/config.ldif
+ConditionPathExists=|/etc/apacheds/config.ldif
+ConditionPathIsDirectory=|/etc/apacheds/ou=config

 [Service]
 Type=simple
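
Review bot: The two `|`-prefixed conditions depend on systemd's triggering-condition semantics (at least one of them must hold), and nothing in the unit says so; add a comment above them stating that config.ldif covers the pre-migration layout and ou=config the migrated one. Without that, a later edit that drops one `|` turns that line into a mandatory condition and the unit is silently skipped again on at least one of the two layouts.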

Regards,
  Johan