  1. CFEngine Community
  2. CFE-2222

Applying permissions recursively on a directory can fail with 'Permission denied' in 3.7.2

    Details

    • Type: Bug
    • Status: Done
    • Priority: High
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.7.3
    • Component/s: Promise type: files
    • Labels:
      None
    • Platform:
      Debian

      Description

      Since the change introduced in #7030, so as of CFEngine 3.7.2, applying permissions recursively to a directory can fail.

      For example given a layout like this:

      <pre>
      13000869 4 drwxrwxrwt 3 root root 4096 Dec 5 14:26 tmp/
      13000883 4 d--------- 4 root root 4096 Dec 5 14:26 tmp/test
      13000884 4 d--------- 2 root root 4096 Dec 5 14:26 tmp/test/dir1
      13000885 4 d--------- 2 root root 4096 Dec 5 14:26 tmp/test/dir2
      </pre>

      A promise that does:

      <pre>
      ".../tmp/test"
      create => "false",
      perms => mog("750", "2", "2"),
      depth_search => recurse_with_base("inf"),
      file_select => dirs;
      </pre>

      Will fail:

      <pre>
      info: Owner of '/home/jclarke/COMMUNAUTES/ncf/tests/acceptance/workdir/__30_generic_methods_permissions_dirs_recurse_cf/tmp/test/file1' was 0, setting to 2
      info: Group of '/home/jclarke/COMMUNAUTES/ncf/tests/acceptance/workdir/__30_generic_methods_permissions_dirs_recurse_cf/tmp/test/file1' was 0, setting to 2
      error: chmod failed on '/home/jclarke/COMMUNAUTES/ncf/tests/acceptance/workdir/__30_generic_methods_permissions_dirs_recurse_cf/tmp/test/file1'. (chmod: Permission denied)
      info: Owner of '/home/jclarke/COMMUNAUTES/ncf/tests/acceptance/workdir/__30_generic_methods_permissions_dirs_recurse_cf/tmp/test' was 0, setting to 2
      info: Group of '/home/jclarke/COMMUNAUTES/ncf/tests/acceptance/workdir/__30_generic_methods_permissions_dirs_recurse_cf/tmp/test' was 0, setting to 2
      info: Cannot set ownership on file '/home/jclarke/COMMUNAUTES/ncf/tests/acceptance/workdir/__30_generic_methods_permissions_dirs_recurse_cf/tmp/test'. (chown: Permission denied)
      info: Object '/home/jclarke/COMMUNAUTES/ncf/tests/acceptance/workdir/__30_generic_methods_permissions_dirs_recurse_cf/tmp/test' had permission 0000, changed it to 0750
      </pre>

      The reason for this is that the sub-directories test1 and test2 are under a directory whose permissions forbid entering it.

      CFEngine used to open() the target for a chmod/chown, then use fchmod()/fchown() with a file descriptor. Running as root, this worked, and bypassed the permissions on the parent dir. However, since #7030, fchmodat()/fchownat() are used, by passing the path directly - and these functions fail with a "permission denied" error because of the perms of the intermediary directory.

      Consequently, it is impossible to repair the permissions of a whole directory recursively. This is obviously rather bothersome.

      Note: CFEngine will converge eventually, because as you can see in the output above, the top directory's permissions were fixed - last. So on the next run, the next level down will be fixed (last again), and so on.

      I see two options for fixing this:

      1. Change the order files are called to change their perms (top down instead of bottom up)
      2. Go back to open() the target for a chmod/chown, then use fchmod()/fchown(), unless we're dealing with a FIFO

      I think 2 is preferable, because that is simply reverting to the old behaviour in 3.7.1, and not changing a whole different bit of code. I am working on a proposed patch for 2 to at least show where the problem is, and a test to demonstrate this.
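
The difference between the two call styles described in the report, as an added example (not CFEngine code and not part of the original report). It assumes a constructed temporary tree under /tmp, a descriptor opened while the parent is still traversable, and an unprivileged user; a root process holding CAP_DAC_OVERRIDE will see both calls succeed.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

struct result {
    int path_errno;    /* errno from path-based fchmodat(), 0 on success */
    int fd_errno;      /* errno from descriptor-based fchmod(), 0 on success */
    mode_t final_mode; /* permission bits of the target afterwards */
};

/* Constructed layout: <tmpdir>/test (parent) and <tmpdir>/test/dir1 (target). */
struct result compare_chmod_paths(void)
{
    struct result r = { -1, -1, 0 };
    char base[] = "/tmp/cfe2222-XXXXXX";
    char parent[64], target[80];
    struct stat st;
    if (mkdtemp(base) == NULL) return r;
    snprintf(parent, sizeof parent, "%s/test", base);
    snprintf(target, sizeof target, "%s/dir1", parent);
    if (mkdir(parent, 0700) != 0 || mkdir(target, 0700) != 0) return r;

    /* Take the descriptor while the parent can still be traversed. */
    int fd = open(target, O_RDONLY | O_DIRECTORY);
    if (fd < 0) return r;
    chmod(target, 0000);
    chmod(parent, 0000);   /* d---------: no search permission any more */
    /* Path-based call: the kernel has to walk through 'parent' again. */
    r.path_errno = fchmodat(AT_FDCWD, target, 0750, 0) == 0 ? 0 : errno;
    /* Descriptor-based call: no path walk, the parent's mode is not consulted. */
    r.fd_errno = fchmod(fd, 0750) == 0 ? 0 : errno;
    if (fstat(fd, &st) == 0) r.final_mode = st.st_mode & 07777;
    close(fd);
    chmod(parent, 0700);   /* restore access so the tree can be removed */
    rmdir(target); rmdir(parent); rmdir(base);
    return r;
}

int main(void)
{
    struct result r = compare_chmod_paths();
    printf("fchmodat(path) errno=%d fchmod(fd) errno=%d mode=%04o\n", r.path_errno, r.fd_errno, (unsigned)r.final_mode);
    return r.fd_errno != 0;
}
```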

              People

              • Assignee: a10040 Kristian Amlie
              • Reporter: jooooooon Jonathan Clarke