Re: [EXT] Re: regular yum symas-openldap-servers update breaks permissions on /var/symas/openldap-data
Hi Ulrich, I thought the same, but it seems yum/dnf do not have a post-install 'hook', like debian has with DPkg::Pre-Install-Pkgs & DPkg::Post-Invoke, that allows you to define commands/scripts to run before and after. Not sure how to do something similar on RHEL. I have now excluded openldap from auto updates, and added instructions on our manual update.instructions. Any ideas here..? On Wed, 11 Oct 2023 at 11:05, Windl, Ulrich wrote: > I wonder: > Couldn't some RPM "pre-script" remember the current permissions for some > RPM "post script" to restore them (after they were messed up)? > > -Original Message- > From: cYuSeDfZfb cYuSeDfZfb > Sent: Thursday, September 21, 2023 10:54 AM > To: Ondřej Kuzník > Cc: openldap-technical@openldap.org; Dimitar Stoychev > > Subject: [EXT] Re: regular yum symas-openldap-servers update breaks > permissions on /var/symas/openldap-data > > Hi Ondřej, > > Thanks for your reply. > > Yes, we are putting our (single file) mdb straight in > /var/symas/openldap-data, using subdirs never crossed our minds. > > Anyway, we just have to document this behaviour in our upgrade > documentation. > > Must say: the behaviour, for us, is a little bit unexcpected. We didn't > expect rpm upgrades to "mess" with fs permissions, but we can simply work > around it. > > Thanks again for your reply, appreciated! > > > On Wed, 13 Sept 2023 at 12:25, Ondřej Kuzník on...@mistotebe.net> > wrote: > > > On Tue, Sep 12, 2023 at 04:44:15PM +0200, cYuSeDfZfb cYuSeDfZfb > wrote: > > Hi, > > > > We're seeing this quite consistently. > > > > Before updating: > > [root@ldaps01 log]# ls -l > > /var/symas/ drwx--. 3 ldap ldap 50 Aug 28 16:28 openldap-data > > > > After updating: > > [root@ldaps01 log]# ls -l > > /var/symas/ drwx--. 3 root root 50 Aug 28 16:28 openldap-data > > > > And afterwards symas-openldap-server (running as ldap:ldap) no > longer > > starts, since permission denied on /var/symas/openldap-data. > > > > Reverting the permissions back to ldap:ldap solves it. But...WHY > is this > > happening. > > > > Are we somehow encouraged to run openldap as root..? > > > > Why would a post-install script reset permissions on > > /var/symas/openldap-data? > > Hi, > openldap-data is owned by the package and as such you'll have to > tell > rpm somehow (a trigger, ...) that you don't want it to mess with > it. > AFAIK there's work ongoing to make the directory 711 which should > sort > things for you. > > That's unless you're putting the databases directly into > /var/symas/openldap-data, we advise you create a subdirectory per > DB, > e.g. /var/symas/openldap-data/dc=example,dc=com or > /var/symas/openldap-data/cn=accesslog. > > Regards, > > -- > Ondřej Kuzník > Senior Software Engineer > Symas Corporation http://www.symas.com > Packaged, certified, and supported LDAP solutions powered by > OpenLDAP > > >
Re: regular yum symas-openldap-servers update breaks permissions on /var/symas/openldap-data
Hi Ondřej, Thanks for your reply. Yes, we are putting our (single file) mdb straight in /var/symas/openldap-data, using subdirs never crossed our minds. Anyway, we just have to document this behaviour in our upgrade documentation. Must say: the behaviour, for us, is a little bit unexcpected. We didn't expect rpm upgrades to "mess" with fs permissions, but we can simply work around it. Thanks again for your reply, appreciated! On Wed, 13 Sept 2023 at 12:25, Ondřej Kuzník wrote: > On Tue, Sep 12, 2023 at 04:44:15PM +0200, cYuSeDfZfb cYuSeDfZfb wrote: > > Hi, > > > > We're seeing this quite consistently. > > > > Before updating: > > [root@ldaps01 log]# ls -l > > /var/symas/ drwx--. 3 ldap ldap 50 Aug 28 16:28 openldap-data > > > > After updating: > > [root@ldaps01 log]# ls -l > > /var/symas/ drwx--. 3 root root 50 Aug 28 16:28 openldap-data > > > > And afterwards symas-openldap-server (running as ldap:ldap) no longer > > starts, since permission denied on /var/symas/openldap-data. > > > > Reverting the permissions back to ldap:ldap solves it. But...WHY is this > > happening. > > > > Are we somehow encouraged to run openldap as root..? > > > > Why would a post-install script reset permissions on > > /var/symas/openldap-data? > > Hi, > openldap-data is owned by the package and as such you'll have to tell > rpm somehow (a trigger, ...) that you don't want it to mess with it. > AFAIK there's work ongoing to make the directory 711 which should sort > things for you. > > That's unless you're putting the databases directly into > /var/symas/openldap-data, we advise you create a subdirectory per DB, > e.g. /var/symas/openldap-data/dc=example,dc=com or > /var/symas/openldap-data/cn=accesslog. > > Regards, > > -- > Ondřej Kuzník > Senior Software Engineer > Symas Corporation http://www.symas.com > Packaged, certified, and supported LDAP solutions powered by OpenLDAP >
Re: regular yum symas-openldap-servers update breaks permissions on /var/symas/openldap-data
On Tue, Sep 12, 2023 at 04:44:15PM +0200, cYuSeDfZfb cYuSeDfZfb wrote: > Hi, > > We're seeing this quite consistently. > > Before updating: > [root@ldaps01 log]# ls -l > /var/symas/ drwx--. 3 ldap ldap 50 Aug 28 16:28 openldap-data > > After updating: > [root@ldaps01 log]# ls -l > /var/symas/ drwx--. 3 root root 50 Aug 28 16:28 openldap-data > > And afterwards symas-openldap-server (running as ldap:ldap) no longer > starts, since permission denied on /var/symas/openldap-data. > > Reverting the permissions back to ldap:ldap solves it. But...WHY is this > happening. > > Are we somehow encouraged to run openldap as root..? > > Why would a post-install script reset permissions on > /var/symas/openldap-data? Hi, openldap-data is owned by the package and as such you'll have to tell rpm somehow (a trigger, ...) that you don't want it to mess with it. AFAIK there's work ongoing to make the directory 711 which should sort things for you. That's unless you're putting the databases directly into /var/symas/openldap-data, we advise you create a subdirectory per DB, e.g. /var/symas/openldap-data/dc=example,dc=com or /var/symas/openldap-data/cn=accesslog. Regards, -- Ondřej Kuzník Senior Software Engineer Symas Corporation http://www.symas.com Packaged, certified, and supported LDAP solutions powered by OpenLDAP
Re: regular yum symas-openldap-servers update breaks permissions on /var/symas/openldap-data
Hi, We're seeing this quite consistently. Before updating: [root@ldaps01 log]# ls -l /var/symas/ drwx--. 3 ldap ldap 50 Aug 28 16:28 openldap-data After updating: [root@ldaps01 log]# ls -l /var/symas/ drwx--. 3 root root 50 Aug 28 16:28 openldap-data And afterwards symas-openldap-server (running as ldap:ldap) no longer starts, since permission denied on /var/symas/openldap-data. Reverting the permissions back to ldap:ldap solves it. But...WHY is this happening. Are we somehow encouraged to run openldap as root..? Why would a post-install script reset permissions on /var/symas/openldap-data? Thanks!
