[
https://issues.apache.org/jira/browse/TC-171?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
John Rushford updated TC-171:
-----------------------------
It looks very similar, probably the same underlying cause, if they were running
CentOS 7.2. It’s a change in the behavior of the link system call in CentOS
7.2, a security change.
Anyway, my PR fixes the ort script in a different area, replace_cfg_file(). In
mine, anytime a traffic server config file is replaced, the ownership is
changed on the config file. I think TC-115 is only fixing cert files.
Let's review in the morning.
John
> ort script should chown ats configuration files.
> ------------------------------------------------
>
> Key: TC-171
> URL: https://issues.apache.org/jira/browse/TC-171
> Project: Traffic Control
> Issue Type: Bug
> Components: Traffic Ops ORT
> Affects Versions: 1.8.0
> Reporter: John Rushford
> Original Estimate: 1m
> Remaining Estimate: 1m
>
> In the current version of the ort script, trafficserver config file ownership
> is not changed to the ats user id. With CentOS 7.2 this presents a problem
> if a config file is owned by root. ATS uses the link(2) system call to make
> backup copies of config files. In CentOS 7.2, if an ats config file is owned
> by root, ats will fail in creating backup config files and loading new config
> files if they are not owned by the traffic server effective user due to
> security tightening under CentOS 7.2. The previous CentOS 6.2 behavior
> with the symlink and hardlink system calls may be restored by setting
> these sysctl settings to the value shown:
> CentOS sysctl settings
> fs.protected_hardlinks = 0
> fs.protected_symlinks = 0
> In any event, the ort script should explicitly chown the ownership of config
> files to the effective user of trafficserver. I'll submit a PR to correct
> this.
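An audit for the condition described in the issue, as an added example that is not taken from the ort script or the PR: it lists config files the Traffic Server user does not own and reports the current `fs.protected_hardlinks` value. The function names, the directory argument and the owner argument are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of ort. Usage once sourced:
#   audit_config_dir <config-dir> <user-name-or-uid>

# Print the kernel's fs.protected_hardlinks value, or "unknown" when
# /proc does not expose it (older kernels, non-Linux systems).
hardlink_protection() {
    f=/proc/sys/fs/protected_hardlinks
    if [ -r "$f" ]; then cat "$f"; else echo unknown; fi
}

# List regular files under DIR whose owner uid differs from WANT_UID.
# With fs.protected_hardlinks=1 a non-owner without CAP_FOWNER can only
# link(2) a regular file it can both read and write, so a root-owned
# file that the service user cannot write is refused.
find_misowned() {
    dir=$1
    want_uid=$2
    find "$dir" -type f ! -uid "$want_uid" -print | sort
}

# Return 0 when every file under DIR is owned by OWNER, 1 when some are
# not (they are printed), 2 when OWNER cannot be resolved to a uid.
audit_config_dir() {
    dir=$1
    owner=$2
    case $owner in
        *[!0-9]*) uid=$(id -u "$owner") || return 2 ;;
        *)        uid=$owner ;;
    esac
    bad=$(find_misowned "$dir" "$uid")
    [ -z "$bad" ] && return 0
    echo "fs.protected_hardlinks=$(hardlink_protection)"
    echo "files not owned by uid $uid:"
    echo "$bad"
    return 1
}
```

A non-zero return from `audit_config_dir` identifies the files that a chown to the Traffic Server user, as the issue proposes, would need to cover.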