Bug#613648: ganeti2: Wrong permissions for /var/lock after gnt-node add

2011-02-16 Thread Ronny Lindner
Package: ganeti2
Version: 2.1.6-1
Severity: critical
Tags: patch upstream
Justification: breaks unrelated software


The command gnt-node add changes the permissions of /var/lock to d-wxrwS--t
(3661 octal, 1777 decimal!). Other programs are not able to create a lockfile
anymore. That was tested with logcheck, which did not work after adding a
ganeti node.

The fix is really simple: there are 3 occurrences of 1777 in
/usr/sbin/ganeti-confd and /usr/sbin/ganeti-noded . They must be changed to
01777 .

-- System Information:
Debian Release: 6.0
  APT prefers squeeze-updates
  APT policy: (500, 'squeeze-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/24 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages ganeti2 depends on:
ii  bridge-utils        1.4-5             Utilities for configuring the Linu
ii  iproute             20100519-3        networking and traffic control too
ii  iputils-arping      3:20100418-3      Tool to send ICMP echo requests to
ii  libjs-jquery        1.4.2-2           JavaScript library for dynamic web
ii  lvm2                2.02.66-5         The Linux Logical Volume Manager
ii  openssh-client      1:5.5p1-6         secure shell (SSH) client, for sec
ii  openssh-server      1:5.5p1-6         secure shell (SSH) server, for sec
ii  openssl             0.9.8o-4          Secure Socket Layer (SSL) binary a
ii  python              2.6.6-3+squeeze5  interactive high-level object-orie
ii  python-openssl      0.10-1            Python wrapper around the OpenSSL
ii  python-pyinotify    0.8.9-1           simple Linux inotify Python bindin
ii  python-pyparsing    1.5.2-2           Python parsing module
ii  python-simplejson   2.1.1-1           simple, fast, extensible JSON enco
ii  python-support      1.0.10            automated rebuilding support for P
ii  socat               1.7.1.3-1         multipurpose relay for bidirection

Versions of packages ganeti2 recommends:
ii  drbd8-utils                2:8.3.7-2.1   RAID 1 over tcp/ip for Linux utili
ii  ganeti-instance-debootstra 0.9-3         debootstrap-based instance OS defi
ii  qemu-kvm                   0.12.5+dfsg-5 Full virtualization on x86 hardwar

Versions of packages ganeti2 suggests:
pn  drbd8-module-source   none (no description available)

-- no debconf information
diff -u /usr/sbin/ganeti-confd /usr/sbin/ganeti-confd.new
--- /usr/sbin/ganeti-confd	2011-02-16 13:18:03.0 +0100
+++ /usr/sbin/ganeti-confd.new	2011-02-16 13:17:50.0 +0100
@@ -288,7 +288,7 @@
 constants.RELEASE_VERSION)
 
   dirs = [(val, constants.RUN_DIRS_MODE) for val in constants.SUB_RUN_DIRS]
-  dirs.append((constants.LOCK_DIR, 1777))
+  dirs.append((constants.LOCK_DIR, 01777))
   daemon.GenericMain(constants.CONFD, parser, dirs, CheckConfd, ExecConfd)
 
 
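Review bot: On the changed dirs.append line the lock directory mode is still an inline literal, while the line above takes its modes from constants.RUN_DIRS_MODE; an inline number is what let a decimal 1777 pass unnoticed here. Consider moving the value into the constants module next to RUN_DIRS_MODE (for example a LOCK_DIR_MODE constant, a name suggested here) so ganeti-confd and ganeti-noded share one definition, and, if the minimum supported Python allows it, spell it 0o1777 so the base is explicit.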
diff -u /usr/sbin/ganeti-noded /usr/sbin/ganeti-noded.new
--- /usr/sbin/ganeti-noded	2011-02-16 13:17:58.0 +0100
+++ /usr/sbin/ganeti-noded.new	2011-02-16 13:17:50.0 +0100
@@ -893,7 +893,7 @@
 
   dirs = [(val, constants.RUN_DIRS_MODE) for val in constants.SUB_RUN_DIRS]
   dirs.append((constants.LOG_OS_DIR, 0750))
-  dirs.append((constants.LOCK_DIR, 1777))
+  dirs.append((constants.LOCK_DIR, 01777))
   daemon.GenericMain(constants.NODED, parser, dirs, CheckNoded, ExecNoded,
  console_logging=True)
 
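Review bot: The report counts three occurrences of 1777 across ganeti-confd and ganeti-noded, but the patch changes one line in each file, so one occurrence is not covered by these hunks. Please locate the third (a grep for 1777 in both files) and either include it or say why it is left alone; the 0750 on the LOG_OS_DIR line shows the octal form this file already uses for modes.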


Bug#613648: ganeti2: Wrong permissions for /var/lock after gnt-node add

2011-02-16 Thread Ronny Lindner
I attached another patch against the source package of ganeti.

Cu, Ronny
--- daemons/ensure-dirs.in	2011-02-16 14:27:07.0 +0100
+++ daemons/ensure-dirs.in.new	2011-02-16 14:42:37.0 +0100
@@ -138,7 +138,7 @@
 }
 
 _ensure_lockdir() {
-  _ensure_dir ${LOCKDIR} 1777 
+  _ensure_dir ${LOCKDIR} 01777 
 }
 
 _operate_while_hold() {
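Review bot: In _ensure_lockdir the mode is a word passed to _ensure_dir, not a Python integer literal, so a leading zero does not by itself change the base as it does in the daemon patch; what matters is how _ensure_dir consumes its second argument, and that function is not in this hunk. Check that before applying: if the argument goes to a tool that already reads numeric modes as octal, 1777 was already correct here and the hunk should be dropped. Separately, ${LOCKDIR} is unquoted on both the old and the new line; "${LOCKDIR}" is safer.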


Bug#613648: [Pkg-ganeti-devel] Bug#613648: ganeti2: Wrong permissions for /var/lock after gnt-node add

2011-02-16 Thread Iustin Pop
On Wed, Feb 16, 2011 at 01:29:16PM +0100, Ronny Lindner wrote:
 Package: ganeti2
 Version: 2.1.6-1
 Severity: critical
 Tags: patch upstream
 Justification: breaks unrelated software
 
 
 The command gnt-node add changes the permissions of /var/lock to 
 d-wxrwS--t
 (3661 octal, 1777 decimal!). Other programs are not able to create a lockfile
 anymore. That was tested with logcheck, which did not work after adding a
 ganeti node.
 
 The fix is really simple: there are 3 occurrences of 1777 in
 /usr/sbin/ganeti-confd and /usr/sbin/ganeti-noded . They must be changed to
 01777 .

Thanks for the fix. Will prepare a package and send for stable update.

On Wed, Feb 16, 2011 at 02:54:39PM +0100, Ronny Lindner wrote:
 I attached another patch against the source package of ganeti.
 
 Cu, Ronny

 --- daemons/ensure-dirs.in2011-02-16 14:27:07.0 +0100
 +++ daemons/ensure-dirs.in.new2011-02-16 14:42:37.0 +0100
 @@ -138,7 +138,7 @@
  }
  
  _ensure_lockdir() {
 -  _ensure_dir ${LOCKDIR} 1777 
 +  _ensure_dir ${LOCKDIR} 01777 

Actually, this is wrong. _ensure_dir uses chown, and chown always uses
octal (“A numeric mode is from one to four octal digits (0-7)”); so
5 digits is wrong…

Speaking as upstream, will review the rest of the code to make sure we
don't have this issue in other places. And sorry for this bug!

thanks,
iustin


signature.asc
Description: Digital signature
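
The decimal-versus-octal mix-up discussed in this thread, as an added example (not from the thread and not Ganeti's code): it decodes the mode that a decimal 1777 actually applies and scans source for integer literals that read like an octal mode typed without its prefix. The sample source is constructed and uses Python 3 syntax (0o750), whereas the daemons in the report are Python 2; all function names are this example's own.

```python
import ast
import stat

# Constructed sample, modelled on the unpatched lines quoted in the report
# but written in Python 3 syntax (0o750 instead of 0750).
SAMPLE = '''
dirs.append((LOG_OS_DIR, 0o750))
dirs.append((LOCK_DIR, 1777))
'''


def ls_string(mode):
    """Render a directory mode the way ls -ld shows it."""
    return stat.filemode(stat.S_IFDIR | mode)


def others_can_create(mode):
    """Creating a lockfile needs write and search permission for 'other'."""
    need = stat.S_IWOTH | stat.S_IXOTH
    return mode & need == need


def find_decimal_modes(source):
    """Flag int literals written in decimal whose digits read as an octal mode.

    Returns (line, literal, mode applied, mode probably meant) tuples.
    Heuristic only: any 3-4 digit decimal made of digits 0-7 is reported.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Constant) and type(node.value) is int):
            continue
        text = ast.get_source_segment(source, node)
        # "0o750" fails isdigit(), so correctly prefixed literals are skipped.
        if text.isdigit() and len(text) in (3, 4) and set(text) <= set("01234567"):
            findings.append((node.lineno, text, node.value, int(text, 8)))
    return findings


if __name__ == "__main__":
    for line, text, applied, meant in find_decimal_modes(SAMPLE):
        print("line %d: literal %s applies %04o (%s), others can create: %s"
              % (line, text, applied, ls_string(applied), others_can_create(applied)))
        print("         0o%s would apply %04o (%s), others can create: %s"
              % (text, meant, ls_string(meant), others_can_create(meant)))
```
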