#3870 hostkeys/certificates having execute flag

2.8.4
closed
updatenode (33)
general
5
2014-08-05
2013-10-30
Arif Ali
No

A customer reported that in /install/postscripts the permissions of all the files are getting changed to executable, whereas some of these files should not be included in this.

The files in particular:

/install/postscripts/_ssh/authorized_keys
/install/postscripts/_xcat/ca.pem
/install/postscripts/ca/ca-cert.pem
/install/postscripts/hostkeys/ssh_host_dsa_key.pub
/install/postscripts/hostkeys/ssh_host_key.pub
/install/postscripts/hostkeys/ssh_host_rsa_key.pub

The culprit code is in /opt/xcat/lib/perl/xCAT_plugin/updatenode.pm

   #if the postscripts directory exists then make sure it is
   # world readable and executable by root
   my $postscripts = "$installdir/postscripts";
   if (-e $postscripts)
   {
       my $cmd = "chmod -R u+x,a+r $postscripts";
       xCAT::Utils->runcmd($cmd, 0);
       my $rsp = {};
       if ($::RUNCMD_RC != 0)
       {
           $rsp->{data}->[0] = "$cmd failed.\n";
           xCAT::MsgUtils->message("E", $rsp, $callback);

       }

   }

which is recursively changing the permissions.

Should this be the case?

Discussion

  • Bruce

    Bruce - 2013-10-30
    • assigned_to: Lissa Valletta
     
  • Bruce

    Bruce - 2013-10-30

    Lissa,

    Yes, we probably need to be more granular about which files we set to executable and which we don't. You can probably use the find command with appropriate arguments to exclude what you want and then pipe it into xargs chmod.

    Arif,

    Lissa is out for a couple weeks, so you won't see a response from her until then, but I assume this bug isn't urgent.

     
  • Arif Ali

    Arif Ali - 2013-10-30

    If we can get a general timeline on when it is likely to appear, I can then let the customer know.

    The customer found the problem when they were storing the keys in a git repository for the purpose of backup, and noticed the change.

    If this was done for 2.8.4, then that would also help them, when we fix the networks.nameservers issue at the same time.

     
  • Bruce

    Bruce - 2013-10-30

    Ok. Yes, I expect that this can be fixed in 2.8.4, but can't make any promises until Lissa is back and gives her assessment.

     
  • Lissa Valletta

    Lissa Valletta - 2013-11-12

    We can exclude these directories. We create them and they should be correct. The change was made to make sure a customer did not add a postscript file under /install/postscripts that was not world readable/executable. If I remember, if we had even one file there not properly defined then that made us fail in the wget or executing the postscript from a mounted /install directory. This made us fail updatenode -P for example.
    We wanted to change the files in all the directories and subdirectories under /install/postscripts because we had customers adding postscripts in subdirectories.
    I am not sure how we determine what files are postscripts and what are not.
    There have been complaints about this before, because originally some people were putting all their rsync setup under /install/postscripts.
    One option would be to only change /install/postscripts and no subdirectories. We sort of say postscripts should be added to /install/postscripts anyway.
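
The find-based approach suggested earlier in the thread, combined with the directory exclusion described in the comment above, as an added example that is not part of the ticket or of xCAT's code. The function names, the `EXCLUDE_DIRS` list (taken from the file list in the report and assumed here to be complete) and the sample tree are assumptions of this example.

```shell
#!/bin/sh
# Added example, not xCAT code. Subdirectory names are taken from the ticket's
# file list; treating them as the complete exclusion set is an assumption.
EXCLUDE_DIRS="_ssh _xcat ca hostkeys"

# Make everything world readable, but add the owner execute bit only to
# regular files outside the excluded subdirectories.
set_postscript_perms() {
    root=${1%/}
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }
    chmod -R a+r "$root" || return 1
    # Build "-path root/_ssh -o -path root/_xcat ..." for find's -prune.
    set --
    for d in $EXCLUDE_DIRS; do
        if [ $# -gt 0 ]; then set -- "$@" -o; fi
        set -- "$@" -path "$root/$d"
    done
    # -exec ... {} + batches like xargs but is safe for names with spaces
    # and does not run chmod at all when nothing matches.
    find "$root" \( "$@" \) -prune -o -type f -exec chmod u+x {} +
}

# Audit: print key/certificate files that still carry the owner execute bit,
# for example ones already touched by the old "chmod -R u+x,a+r".
list_exec_key_files() {
    root=${1%/}
    for d in $EXCLUDE_DIRS; do
        if [ -d "$root/$d" ]; then find "$root/$d" -type f -perm -100; fi
    done
}

# Build a constructed sample tree (empty placeholder files, mode 0600) and
# print its path so the two functions can be tried without touching /install.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/_ssh" "$t/hostkeys" "$t/site scripts" || return 1
    for f in _ssh/authorized_keys hostkeys/ssh_host_rsa_key.pub \
             mypostscript "site scripts/setup nfs"; do
        : > "$t/$f" && chmod 600 "$t/$f" || return 1
    done
    echo "$t"
}
```

Files that `list_exec_key_files` reports were made executable by an earlier recursive chmod and can be reset with `chmod a-x`.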

     
  • Bruce

    Bruce - 2013-11-13

    Lissa,

    Is executable really required to keep wget from failing? Or just world readable? If it is just the latter, then you could change "chmod -R u+x,a+r" to just "chmod -R a+r". The postscripts we put in there should be executable already, right? If a customer puts a postscript in there that's not executable, then that's their own fault (as long as it doesn't cause things to fail for others by making the whole wget fail).

     
  • Lissa Valletta

    Lissa Valletta - 2013-11-18

    2.9
    commit f1311c0aa863ecbb410a76675466c9cdeb839cb2
    2.8.4
    commit 9578417eae9983d260a16f2f7229c7b0603fce28

    Changed to chmod -R a+r

     
  • Lissa Valletta

    Lissa Valletta - 2013-11-18
    • status: open --> pending
    • Milestones: 2.8.2 --> 2.8.4
     
  • Arif Ali

    Arif Ali - 2014-05-23
    • status: pending --> closed
    • component: --> general
     
  • Lissa Valletta

    Lissa Valletta - 2014-08-05

    Fixed in 2.8.5
    commit 83f874bb47458287567911ac0835af8ac7d39eb5

    and 2.9
    commit da17bda0a5a12f075fd0aa21bf296571f1edd6bb