** Description changed:

+ === SRU Information ===
+ [Impact]
+ Systems installed using curtin inadvertently have a default set of acl applied
+ to the root directory. Those default acl can wreak havoc with seemingly
+ sane expectations of users or packages or administrators.
+
+ For example, the problem that was noticed essentially boiled down to a
+ program doing:
+   ( umask 0066 ; rm -f secret-file; echo "passw0rd" > secret-file )
+ and then later that program checked permissions of the file
+ and found:
+   $ ls -l secret-file
+   -rw-r--r-- 1 smoser smoser 0 Oct 27 12:00 secret-file
+ instead of
+   -rw------- 1 smoser smoser 0 Oct 27 12:00 secret-file
+ And raised exception.
+
+ This is not at all an unreasonable expectation.
+ Essentially, this boils down to all packages not being ready to handle
+ having filesystem ACL in place. Additionally curtin did not intend on
+ installing the target with default ACLs; that was an unexpected behavior of
+ tar (raised in bug 1386237)
+
+ [Test Case]
+ * Install system with MAAS and fast path installer (curtin).
+ * mkdir /tmp/mydir
+ * cd /tmp/mydir
+ * ( umask 0066 ; rm -f secret-file; echo "passw0rd" > secret-file )
+ * ls -l secret-file
+
+ Expected output is that file has 600 permissions. Failure case, is 644.
+
+ [Regression Potential]
+ Fairly small chance for regression as the tar files created for consumption
+ are not created with acl information inside. Generally ubuntu installations
+ do not have default ACL in place on /, and thus the change creates less
+ chance for unexpected behavior than is currently present.
+
+ [Other Info]
+ This bug is not actually present in the version of curtin in trusty.
+ However, the fix for this issue is in the code added to fix bug 1313550.
+ The bug is present in utopic's version of curtin.
+
+ === End SRU Information ===
+
  openstack-dashboard 1:2014.2-0ubuntu1~cloud0 from
  http://ppa.launchpad.net/ubuntu-cloud-archive/juno-staging/ubuntu/

  Got this during installation with the charm:

  (...)
  2014-10-17 17:17:07 INFO install Setting up openstack-dashboard (1:2014.2-0ubuntu1~cloud0) ...
  2014-10-17 17:17:07 INFO install Collecting and compressing static assets...
  2014-10-17 17:17:07 INFO install Traceback (most recent call last):
  2014-10-17 17:17:07 INFO install   File "manage.py", line 25, in <module>
  2014-10-17 17:17:07 INFO install     execute_from_command_line(sys.argv)
  2014-10-17 17:17:07 INFO install   File "/usr/lib/python2.7/dist-packages/django/core/management/__init__.py", line 399, in execute_from_command_line
  2014-10-17 17:17:07 INFO install     utility.execute()
  2014-10-17 17:17:07 INFO install   File "/usr/lib/python2.7/dist-packages/django/core/management/__init__.py", line 392, in execute
  2014-10-17 17:17:07 INFO install     self.fetch_command(subcommand).run_from_argv(self.argv)
  2014-10-17 17:17:07 INFO install   File "/usr/lib/python2.7/dist-packages/django/core/management/__init__.py", line 261, in fetch_command
  2014-10-17 17:17:07 INFO install     commands = get_commands()
  2014-10-17 17:17:07 INFO install   File "/usr/lib/python2.7/dist-packages/django/core/management/__init__.py", line 107, in get_commands
  2014-10-17 17:17:07 INFO install     apps = settings.INSTALLED_APPS
  2014-10-17 17:17:07 INFO install   File "/usr/lib/python2.7/dist-packages/django/conf/__init__.py", line 54, in __getattr__
  2014-10-17 17:17:07 INFO install     self._setup(name)
  2014-10-17 17:17:07 INFO install   File "/usr/lib/python2.7/dist-packages/django/conf/__init__.py", line 49, in _setup
  2014-10-17 17:17:07 INFO install     self._wrapped = Settings(settings_module)
  2014-10-17 17:17:07 INFO install   File "/usr/lib/python2.7/dist-packages/django/conf/__init__.py", line 128, in __init__
  2014-10-17 17:17:07 INFO install     mod = importlib.import_module(self.SETTINGS_MODULE)
  2014-10-17 17:17:07 INFO install   File "/usr/lib/python2.7/dist-packages/django/utils/importlib.py", line 40, in import_module
  2014-10-17 17:17:07 INFO install     __import__(name)
  2014-10-17 17:17:07 INFO install   File "/usr/share/openstack-dashboard/openstack_dashboard/settings.py", line 316, in <module>
  2014-10-17 17:17:07 INFO install     from local.local_settings import * # noqa
  2014-10-17 17:17:07 INFO install   File "/usr/share/openstack-dashboard/openstack_dashboard/local/local_settings.py", line 98, in <module>
  2014-10-17 17:17:07 INFO install     SECRET_KEY = secret_key.generate_or_read_from_file('/var/lib/openstack-dashboard/secret_key')
  2014-10-17 17:17:07 INFO install   File "/usr/lib/python2.7/dist-packages/horizon/utils/secret_key.py", line 61, in generate_or_read_from_file
  2014-10-17 17:17:07 INFO install     raise FilePermissionError("Insecure key file permissions!")
  2014-10-17 17:17:07 INFO install horizon.utils.secret_key.FilePermissionError: Insecure key file permissions!
  2014-10-17 17:17:07 INFO install dpkg: error processing package openstack-dashboard (--configure):
  2014-10-17 17:17:07 INFO install  subprocess installed post-installation script returned error exit status 1
  2014-10-17 17:17:07 INFO install dpkg: dependency problems prevent configuration of openstack-dashboard-ubuntu-theme:
  2014-10-17 17:17:07 INFO install  openstack-dashboard-ubuntu-theme depends on openstack-dashboard (= 1:2014.2-0ubuntu1~cloud0); however:
  2014-10-17 17:17:07 INFO install   Package openstack-dashboard is not configured yet.
  2014-10-17 17:17:07 INFO install
  2014-10-17 17:17:07 INFO install dpkg: error processing package openstack-dashboard-ubuntu-theme (--configure):
  2014-10-17 17:17:07 INFO install  dependency problems - leaving unconfigured
  2014-10-17 17:17:07 INFO install No apport report written because the error message indicates its a followup error from a previous failure.
  2014-10-17 17:17:07 INFO install Errors were encountered while processing:
  2014-10-17 17:17:07 INFO install  openstack-dashboard
  2014-10-17 17:17:07 INFO install  openstack-dashboard-ubuntu-theme
  2014-10-17 17:17:08 INFO install E: Sub-process /usr/bin/dpkg returned an error code (1)

  Full logs attached.
-
- Related Bugs:
-  * bug 1382632: horizon insecure key file permissions
-  * bug 1386237: tar strange behavior with --acl
-  * bug 1313550: ping broken (xattrs lost in tar extraction)
-- 
https://bugs.launchpad.net/bugs/1382632

Title:
  Insecure key file permissions
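The umask behaviour described in the [Impact] section can be checked, and avoided, from the program side. The sketch below is an added example, not code from horizon, curtin or this bug report; the function names `has_default_acl`, `create_by_umask` and `write_secret` are hypothetical, and the default-ACL lookup assumes Linux extended attributes.

```python
import errno
import os
import stat
import tempfile

def mode_of(path):
    return stat.S_IMODE(os.stat(path).st_mode)

def has_default_acl(directory):
    """True if new files in `directory` inherit a default ACL (Linux xattr lookup)."""
    try:
        os.getxattr(directory, "system.posix_acl_default")
        return True
    except OSError as exc:
        if exc.errno in (errno.ENODATA, errno.ENOTSUP):
            return False  # no default ACL set, or filesystem without ACL support
        raise

def create_by_umask(path):
    """Pattern from the report: request 0666 and rely on umask 0066 to narrow it."""
    old = os.umask(0o066)
    try:
        # With a default ACL on the parent directory the kernel ignores the
        # umask, so the inherited ACL decides the result (0644 in the report).
        os.close(os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o666))
    finally:
        os.umask(old)
    return mode_of(path)

def write_secret(path, data):
    """Create an owner-only file without depending on the umask."""
    if os.path.lexists(path):
        os.unlink(path)
    # The mode argument stays an upper bound even when a default ACL is
    # inherited, and O_EXCL refuses a file that appeared after the unlink.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        os.fchmod(fd, 0o600)
        os.write(fd, data)
    finally:
        os.close(fd)
    return mode_of(path)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:  # constructed scratch directory
        print("default ACL on dir:", has_default_acl(d))
        print("umask pattern ->", oct(create_by_umask(os.path.join(d, "by-umask"))))
        print("explicit 0600 ->", oct(write_secret(os.path.join(d, "secret-file"), b"passw0rd\n")))
```

On a directory that inherited a default ACL, as on the curtin-installed systems in the report, the first pattern is the one that yields 644, while the explicit-mode version stays at 600.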