Flapjack 1.2.0 ignoring umask and creating world writable log files

Barney Sowood

Nov 18, 2014, 1:37:32 PM
to flapjack...@googlegroups.com
Hi,

I'm seeing an issue where flapjack is creating logs that are world writeable. It looks like it may be resetting the umask incorrectly. I'm running the packaged version of 1.2.0, Ubuntu Trusty. Fresh install using the default package config -

root@flapjack-test:/var/log/flapjack# umask
0022
root@flapjack-test:/var/log/flapjack# ls -l
total 4
-rw-rw---- 1 flapjack flapjack 1807 Nov 18 18:31 redis-flapjack.log
root@flapjack-test:/var/log/flapjack# /opt/flapjack/bin/flapjack server start
Flapjack starting...Daemon has started successfully
 done.
root@flapjack-test:/var/log/flapjack# ls -l
total 24
-rw-r--r-- 1 root     root     5022 Nov 18 18:34 flapjack.log
-rw-rw-rw- 1 root     root       66 Nov 18 18:34 jsonapi_access.log
-rw-rw-rw- 1 root     root       66 Nov 18 18:34 notification.log
-rw-rw---- 1 flapjack flapjack 1807 Nov 18 18:31 redis-flapjack.log
-rw-rw-rw- 1 root     root       66 Nov 18 18:34 web_access.log
root@monitoring-test:/var/log/flapjack#

Anyone else seeing this issue? I can't currently see an open issue, but thought I'd check here before opening.

Thanks,

Barney.

Sarah Kowalik

Nov 18, 2014, 11:09:24 PM
to flapjack...@googlegroups.com
Good catch!

I can reproduce this on our Centos builds as well.

That's definitely issue worthy - I believe those files should also be created by the flapjack user as well.

Sarah

Barney Sowood

Nov 19, 2014, 7:10:33 AM
to flapjack...@googlegroups.com
Sarah,

Thanks for the speedy response.

On Wednesday, November 19, 2014 4:09:24 AM UTC, Sarah Kowalik wrote:
> Good catch

Thanks.

> I can reproduce this on our Centos builds as well.
>
> That's definitely issue worthy - I believe those files should also be created by the flapjack user as well.

Ok, so I think there's a separate issue there - the flapjack server process is running as root -

# ps aux | grep flapjack
flapjack  1395  0.2  0.3  35168  1844 ?        Ssl  11:57   0:01 /opt/flapjack/embedded/bin/redis-server 0.0.0.0:6380                                       
root      1474  1.1 13.2 182776 66580 ?        Sl   11:57   0:05 /opt/flapjack/embedded/bin/ruby /opt/flapjack/bin/flapjack server start

There's nothing in the init script to cause that to run as the flapjack user. Is that expected, or is there some logic with flapjack that should shed privilege to run as the flapjack user after startup?

Any steer on whether the perms and user issues should be opened as separate issues or one issue would be gratefully received.

Thanks,

Barney.

Jesse Reynolds

Nov 19, 2014, 7:45:35 AM
to flapjack...@googlegroups.com
Hi Barney,

> On 19 Nov 2014, at 10:40 pm, Barney Sowood <bar...@lucidnetworks.co.uk> wrote:

> Ok, so I think there's a separate issue there - the flapjack server process is running as root -
>
> # ps aux | grep flapjack
> flapjack 1395 0.2 0.3 35168 1844 ? Ssl 11:57 0:01 /opt/flapjack/embedded/bin/redis-server 0.0.0.0:6380
> root 1474 1.1 13.2 182776 66580 ? Sl 11:57 0:05 /opt/flapjack/embedded/bin/ruby /opt/flapjack/bin/flapjack server start
>
> There's nothing in the init script to cause that to run as the flapjack user. Is that expected, or is there some logic with flapjack that should shed privilege to run as the flapjack user after startup?

Flapjack itself can be run as whoever, but the package installer doesn’t set up the permissions and so on in order to have it run as a non-privileged user. This is tracked in the following omnibus-flapjack issue:

https://github.com/flapjack/omnibus-flapjack/issues/31

>
> Any steer on whether the perms and user issues should be opened as separate issues or one issue would be gratefully received.

I think it’s just the world writeable logs we need an issue for. Thanks for finding and reporting this.

Cheers
Jesse


Barney Sowood

Nov 19, 2014, 7:52:50 AM
to flapjack...@googlegroups.com
Hi,

On Wed, Nov 19, 2014 at 11:15:28PM +1030, Jesse Reynolds wrote:
> Flapjack itself can be run as whoever, but the package installer
> doesn't set up the permissions and so on in order to have it run as
> a non-privileged user. This is tracked in the following
> omnibus-flapjack issue:
>
>
> https://github.com/flapjack/omnibus-flapjack/issues/31

Ah, ok - that explains it. I'll look at modifying the init script, or
possibly run it under supervisor.

> >
> > Any steer on whether the perms and user issues should be opened as separate issues or one issue would be gratefully received.
>
> I think it's just the world writeable logs we need an issue
> for. Thanks for finding and reporting this.

Opened that as https://github.com/flapjack/flapjack/issues/708

Thanks for your swift responses and efforts on Flapjack!

Regards,

Barney.
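
Added example, not part of the thread and not Flapjack's own code: a Ruby sketch of how the listing in the first message can arise, next to a hardened way to open the logs and a check for world-writable files. It assumes the umask is cleared to 0 before the later log files are opened, which is the poster's hypothesis rather than something confirmed in the thread; the function names are hypothetical and the file names are reused from the listing only as labels.

```ruby
require "tmpdir"

# Default open: the requested mode is 0666, so the process umask is the
# only thing that removes write bits from a newly created log file.
def create_default(path)
  File.open(path, "a") { |f| f.puts "started" }
  File.stat(path).mode & 0o777
end

# Hardened open: request an explicit mode, then chmod as well, because the
# perm argument only applies when the file is created, not if it exists.
def create_hardened(path, perm = 0o640)
  File.open(path, File::WRONLY | File::APPEND | File::CREAT, perm) do |f|
    f.chmod(perm)
    f.puts "started"
  end
  File.stat(path).mode & 0o777
end

# Audit: names of regular files directly under dir that are world-writable.
def world_writable(dir)
  Dir.glob(File.join(dir, "*")).select do |p|
    st = File.lstat(p)
    st.file? && (st.mode & 0o002) != 0
  end.map { |p| File.basename(p) }.sort
end

def demo
  results = {}
  old = File.umask
  Dir.mktmpdir do |dir|               # constructed scratch directory
    File.umask(0o022)                 # the shell umask shown in the report
    results[:umask_022] = create_default(File.join(dir, "flapjack.log"))
    File.umask(0)                     # assumption: umask cleared before later opens
    results[:umask_000] = create_default(File.join(dir, "notification.log"))
    results[:hardened]  = create_hardened(File.join(dir, "web_access.log"))
    results[:flagged]   = world_writable(dir)
  end
  results
ensure
  File.umask(old) if old
end

p demo if __FILE__ == $PROGRAM_NAME
```

With the umask at 0, the default open yields mode 0666 (`-rw-rw-rw-`, as in the listing), while the explicit-mode open stays at 0640 whatever the umask is.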