Package: request-tracker4
Version: 4.0.5-1~bpo60+1
Severity: normal

rt-crontool is not useable with users outside of user root (not recommended) and group www-data. The documentation of RT-Crontool specifies:

---
This tool allows the user to run arbitrary perl modules from within RT. If this tool were setgid, a hostile local user could use this tool to gain administrative access to RT. It is incredibly important that nonprivileged users not be allowed to run this tool. It is suggested that you create a non-privileged unix user with the correct group membership and RT access to run this tool (see User Configuration below).

[...]

rt-crontool should ideally be run by a special unprivileged operating system user who has also been entered in RT as a privileged user with global [= ModifyTicket ] and [= ShowTicket ] rights. If you have created an operating system user named rtcrontool, for instance, then create an RT user with Username and Unix login set to rtcrontool, check Let this user be granted rights, and assign a password. Then under Configuration/Global/User rights, add the two rights to the user you just created. This user should have read access to the RT files such as RT_Config.pm and RT_SiteConfig.pm. If, for example, the rt group has read access to all the installed RT files, you should assign your created user to that group (under UNIXen).

http://requesttracker.wikia.com/wiki/UseRtCrontool
---

It also seems that running rt-crontool as root is inappropriate ("Somebody indicates that you can run the tool as root (uid 0), but that didn't work properly for me when using rt-crontool to do priority escalation.").

In addition, simply using an unprivileged system account requires that account to be in the group www-data, which is doable, but not necessarily nice as the RT_SiteConfig.pm file's permissions prevent access from other users:

-rw-r----- 1 root www-data 12405 29. Mär 17:09 RT_SiteConfig.pm

If I read the aforementioned Wiki page right, the default way would be having RT have its own system group which owns the files in question.
That again would need Apache to be in that system group, so I am not sure what the ideal solution here is as both Apache and rt-crontool need access to the configuration files. However, adding rt-crontool users to www-data definitely is a workaround to go with.

-- Package-specific info:
Changed files:
There are locally modified files in /usr/local/share/request-tracker4/, these may (or may not) be the source of the problem.

-- System Information:
Debian Release: 6.0.5
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'stable-updates')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages request-tracker4 depends on:
ii  dbconfig-common 1.8.46+squeeze.0 common framework for packaging dat
ii  debconf [debconf- 1.5.36.1 Debian configuration management sy
ii  fonts-droid [ttf- 20101110+git-3~bpo60+1 handheld device font with extensiv
ii  libapache-session 1.87-1 Perl modules for keeping persisten
ii  libcache-simple-t 0.27-2 Perl module to cache and expire ke
ii  libcgi-emulate-ps 0.10-1~bpo60+1 PSGI adapter for CGI
ii  libcgi-pm-perl 3.49-1squeeze1 module for Common Gateway Interfac
ii  libcgi-psgi-perl 0.13-1~bpo60+1 Adapt CGI.pm to the PSGI protocol
ii  libclass-accessor 0.34-1 Perl module that automatically gen
ii  libclass-returnva 0.55-1 A return-value object that lets yo
ii  libconvert-color- 0.05-1 Perl module for color space conver
ii  libcss-squish-per 0.09-1 module to compact many CSS files i
ii  libdata-ical-perl 0.16+dfsg-1 Perl module for manipulating iCale
ii  libdatetime-local 1:0.45-1 Perl extension providing localizat
ii  libdatetime-perl 2:0.6100-2 module for manipulating dates, tim
ii  libdbi-perl 1.612-1 Perl Database Interface (DBI)
ii  libdbix-searchbui 1.59-2~bpo60+1 Perl implementation of a simple OR
ii  libdevel-globalde 0.02-1 Expose PL_dirty, the flag which ma
ii  libdevel-stacktra 1.2700-1~bpo60+1 Perl module containing stack trace
ii  libemail-address- 1.889-2 RFC 2822 Address Parsing and Creat
ii  libencode-perl 2.44-1~bpo60+1 module providing interfaces betwee
ii  libfcgi-procmanag 0.18-2 Functions for managing FastCGI app
ii  libfile-sharedir- 1.00-0.1 Locate per-dist and per-module sha
ii  libgd-graph-perl 1.44-3 Graph Plotting Module for Perl 5
ii  libgd-text-perl 0.86-5 Text utilities for use with GD
ii  libgnupg-interfac 0.42-3 Perl interface to GnuPG
ii  libgraphviz-perl 2.04-1 Perl interface to the GraphViz gra
ii  libhtml-mason-per 1:1.44-1 HTML::Mason Perl module
ii  libhtml-mason-psg 0.52-1~bpo60+1 PSGI handler for HTML::Mason
ii  libhtml-quoted-pe 0.03-1~bpo60+1 extract structure of quoted HTML m
ii  libhtml-rewriteat 0.04-1~bpo60+1 concise attribute rewriting
ii  libhtml-scrubber- 0.08-4 Perl extension for scrubbing/sanit
ii  libipc-run3-perl 0.042-2 run a subprocess with input/ouput
ii  libjson-perl 2.21-1 Perl module to parse and convert t
ii  liblist-moreutils 0.25~02-1 Perl module with additional list f
ii  liblocale-maketex 0.10-1 Maketext from already interpolated
ii  liblocale-maketex 0.82-1 lexicon-handling backends for Loca
ii  liblog-dispatch-p 2.29-1~bpo60+1 message dispatcher to multiple Log
ii  libmailtools-perl 2.06-1 Manipulate email in perl programs
ii  libmime-tools-per 5.428-1 Perl5 modules for MIME-compliant m
ii  libmime-types-per 1.30-1 Perl extension for determining MIM
ii  libmodule-version 1.06-1 Report versions of all modules in
ii  libnet-cidr-perl 0.13-1 Manipulate IPv4/IPv6 netblocks in
ii  libperlio-eol-per 0.14-1+b1 PerlIO layer for normalizing line
ii  libplack-perl 0.9980-1~bpo60+2 interface between web servers and
ii  libregexp-common- 0.02-1~bpo60+1 provide patterns for CIDR blocks
ii  libregexp-common- 2010010201-1 module with common regular express
ii  libregexp-ipv6-pe 0.03-1~bpo60+1 Regular expression for IPv6 addres
ii  libtext-autoforma 1.669002-1 module for automatic text wrapping
ii  libtext-password- 0.28-1 Perl module to generate pronouncea
ii  libtext-quoted-pe 2.06-1 Perl module to extract the structu
ii  libtext-template- 1.45-1 Text::Template perl module
ii  libtext-wikiforma 0.78-1 translates Wiki formatted text int
ii  libtext-wrapper-p 1.02-1 Simple word wrapping routine
ii  libtime-modules-p 2006.0814-2 Various Perl modules for time/date
ii  libtimedate-perl 1.2000-1 collection of modules to manipulat
ii  libtree-simple-pe 1.18-1 A simple tree object
ii  libuniversal-requ 0.13-1 Load modules from a variable
ii  libxml-rss-perl 1.48-1 Perl module for managing RSS (RDF
ii  libxml-simple-per 2.18-3 Perl module for reading and writin
ii  perl 5.10.1-17squeeze3 Larry Wall's Practical Extraction
ii  perl-modules [lib 5.10.1-17squeeze3 Core Perl modules
ii  postfix [mail-tra 2.7.1-1+squeeze1 High-performance mail transport ag
ii  rsyslog [system-l 4.6.4-2 enhanced multi-threaded syslogd
ii  rt4-apache2 4.0.5-1~bpo60+1 Apache 2 specific files for reques
ii  rt4-clients 4.0.5-1~bpo60+1 mail gateway and command-line inte
ii  rt4-db-postgresql 4.0.5-1~bpo60+1 PostgreSQL database backend for re
ii  ttf-droid 20101110+git-3~bpo60+1 transitional dummy package
ii  ucf 3.0025+nmu1 Update Configuration File: preserv

Versions of packages request-tracker4 recommends:
ii  cron [cron-daemon] 3.0pl1-116 process scheduling daemon

request-tracker4 suggests no packages.

-- Configuration Files:
/etc/request-tracker4/RT_SiteConfig.d/40-timezone [Errno 13] Keine Berechtigung: u'/etc/request-tracker4/RT_SiteConfig.d/40-timezone'

-- debconf information excluded
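
Added example (not part of the original report and not code from the RT or Debian packages): a shell check that shows through which permission class an account would read RT_SiteConfig.pm, using the mode and ownership from the listing in the report. The account name rtcrontool and the group rt are the names the quoted wiki text uses as examples; the function names and the use of GNU stat are assumptions of this sketch.

```shell
#!/bin/sh
# classify_access MODE OWNER GROUP USER "USER_GROUPS"
# Prints which permission class grants USER read access: owner, group,
# other or none. Mirrors the kernel rule that only the first matching class
# is consulted. uid 0 bypasses these bits and is not modelled here.
classify_access() {
    mode=$1 owner=$2 group=$3 user=$4 ugroups=$5
    # Keep the last three octal digits (drops a setuid/setgid/sticky digit).
    perms=$(printf '%s' "$mode" | sed 's/.*\(...\)$/\1/')
    u=${perms%??}; rest=${perms#?}; g=${rest%?}; o=${rest#?}
    if [ "$user" = "$owner" ]; then
        [ $((u & 4)) -ne 0 ] && echo owner || echo none
        return
    fi
    for grp in $ugroups; do
        if [ "$grp" = "$group" ]; then
            [ $((g & 4)) -ne 0 ] && echo group || echo none
            return
        fi
    done
    [ $((o & 4)) -ne 0 ] && echo other || echo none
}

# audit_rt_config FILE USER
# Live variant: reads mode and ownership with GNU stat and groups with id.
audit_rt_config() {
    file=$1 user=$2
    meta=$(stat -c '%a %U %G' "$file") || return 2
    ugroups=$(id -Gn "$user") || return 2
    set -- $meta
    how=$(classify_access "$1" "$2" "$3" "$user" "$ugroups")
    echo "$user reads $file via: $how (mode $1, owner $2, group $3)"
    # Access through the web server's group is the workaround from the
    # report; a dedicated RT group is what the quoted wiki text suggests.
    if [ "$how" = group ] && [ "$3" = www-data ]; then
        echo "note: access comes from membership in www-data"
    fi
    [ "$how" != none ]
}

# Constructed inputs based on the listing in the report (-rw-r----- root www-data).
classify_access 640 root www-data rtcrontool "rtcrontool"            # none
classify_access 640 root www-data rtcrontool "rtcrontool www-data"   # group
# Constructed alternative: files owned by a dedicated group rt.
classify_access 640 root rt rtcrontool "rtcrontool rt"               # group
```

On a live system, `audit_rt_config /etc/request-tracker4/RT_SiteConfig.pm rtcrontool` reports the same classification from the real file and account.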

