Bug#809351: coquelicot is executed as root: can't delete its own files

Tue, 29 Dec 2015 10:21:47 -0800 

Package: coquelicot
Version: 0.9.2-4
Severity: important

Dear Maintainer,

Having this error in the log: 
/usr/lib/ruby/vendor_ruby/coquelicot/stored_file.rb:85:in `initialize': 
Permission denied @ rb_sysopen - 
/var/lib/coquelicot/nzw6fx6wsyfpxn6adwpe.content (Errno::EACCES)

I've ls -l /var/lib/coquelicot/nzw6fx6wsyfpxn6adwpe.content. This file belongs 
to "root".

I've ls -l /var/lib/coquelicot. This directory belongs to "coquelicot".

So I've looked at cron.d/coquelicot. The "garbage collector" script is execute 
by user "coquelicot" which explains the error message.

So I ps -ef | grep coquelicot and observe the coquelicot daemon is run by 
"root".

Looking at /etc/init.d.coquelicot, I observe nothing is done to run the daemon 
as "coquelicot".

So I wonder:
 * Is the daemon made to run as "root" or "coquelicot"?
 * If made to be run as "coquelicot" is there a potential security hole?
 * If made to be run as "root" then why the garbage script run as coquelicot?

By the way, this leads to receive cron email every 15 minutes.

Best regards,


-- System Information:
Debian Release: 8.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages coquelicot depends on:
ii  adduser                       3.113+nmu3
ii  libjs-jquery                  1.7.2+dfsg-3.2
ii  lsb-base                      4.1+Debian13+nmu1
ii  rainbows                      4.6.1-1
ii  ruby                          1:2.1.5+deb8u1
ii  ruby-fast-gettext             0.9.0-1
ii  ruby-haml                     4.0.5-2
ii  ruby-haml-magic-translations  4.0.3-2
ii  ruby-json                     1.8.1-1+b2
ii  ruby-lockfile                 2.1.3-1
ii  ruby-maruku                   0.7.1-1
ii  ruby-moneta                   0.7.20-2.2
ii  ruby-multipart-parser         0.1.1-2
ii  ruby-rack                     1.5.2-3+deb8u1
ii  ruby-sass                     3.4.6-2
ii  ruby-sinatra                  1.4.5-1
ii  ruby-sinatra-contrib          1.4.2-1
ii  ruby-upr                      0.3.0-2
ii  ruby2.1 [ruby-interpreter]    2.1.5-2+deb8u2

Versions of packages coquelicot recommends:
ii  apache2  2.4.10-10+deb8u3

coquelicot suggests no packages.

-- Configuration Files:
/etc/coquelicot/settings.yml [Errno 13] Permission denied: 
u'/etc/coquelicot/settings.yml'

-- no debconf information

Reply via email to