Closed DavidePrincipi closed 1 month ago
Test case
failure with bash +x install.sh ghcr.io/nethserver/core:2.8.0-dev.3
I try : bash +x install.sh ghcr.io/nethserver/core:2.8.0-dev.5
bash +x install.sh ghcr.io/nethserver/core:2.8.0-dev.6 create-cluster R4-pve.rocky9-pve4.org:55820 10.5.4.0/24 Nethesis,1234
[root@R4-pve ~]# ls -ld /var/lib/nethserver/*/state
drwx------. 2 root root 42 May 7 14:58 /var/lib/nethserver/cluster/state
drwx------. 2 root root 63 May 7 14:58 /var/lib/nethserver/node/state
[root@R4-pve ~]# api-cli run update-core --data '{"core_url":"ghcr.io/nethserver/core:2.8.0-dev.6","nodes":[1]}'
Warning: using user "cluster" credentials from the environment
_acontrol_task request attempt failed (Connection closed by server.). Retrying...
_acontrol_task request recovered successfully at attempt 2
_acontrol_task request attempt failed (Connection closed by server.). Retrying...
_acontrol_task request recovered successfully at attempt 2
<7>run-scriptdir /var/lib/nethserver/cluster/update-core-pre-modules.d/
Running /var/lib/nethserver/cluster/update-core-pre-modules.d/50update_grants...
<7>run-scriptdir /var/lib/nethserver/cluster/update-core-post-modules.d/
""
[root@R4-pve ~]# ls -ld /var/lib/nethserver/*/state
drwx------. 2 root root 42 May 7 14:51 /var/lib/nethserver/cluster/state
drwx------. 3 root root 116 May 7 14:52 /var/lib/nethserver/node/state
Sorry there is a mistake, please repeat the test :weary:
In testing 2.8.0-dev.6
test case 1 and test case 2 verified with ghcr.io/nethserver/core:2.8.0-dev.6
The directory permissions of cluster and node agent are too wide, compared to the state dir of (similar) rootfull modules. For security reasons, the state/ dirs must not be accessible by non-root users.
Steps to reproduce
Always reproducible
Expected behavior
The state/ dirs of cluster and node agents are not accessible.
Actual behavior
The state/ dirs are world-readable.
Components
core 2.7.0
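An added example, not part of the original issue or of the NethServer code base: a small audit function for the requirement stated in the issue, flagging any `*/state` directory that is not owned by root or that has group/other permission bits set. The function name `audit_state_dirs` and its optional uid argument are assumptions made for illustration; GNU `stat` is assumed, as on the Rocky Linux host shown in the test output.

```shell
#!/bin/sh
# Audit agent state/ directories under a base path.
# A directory passes only if it is owned by the expected uid (0 = root by
# default) and carries no group/other permission bits (e.g. mode 700).
# Assumption: GNU stat (coreutils) is available.

# audit_state_dirs [BASE] [UID]
# Prints one line per finding; returns 1 if anything was flagged, else 0.
audit_state_dirs() {
    base=${1:-/var/lib/nethserver}
    want_uid=${2:-0}
    rc=0
    for dir in "$base"/*/state; do
        [ -d "$dir" ] || continue            # unmatched glob or not a directory
        if [ -L "$dir" ]; then               # a symlink hides the real target
            echo "SYMLINK $dir"
            rc=1
            continue
        fi
        mode=$(stat -c %a "$dir")            # octal mode, e.g. 700 or 755
        uid=$(stat -c %u "$dir")             # numeric owner
        if [ "$uid" -ne "$want_uid" ]; then
            echo "OWNER $dir owned by uid $uid, expected $want_uid"
            rc=1
        fi
        # Mask with 077: any non-zero result means group or other has access.
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            echo "MODE $dir is $mode, group/other bits set"
            rc=1
        fi
    done
    return $rc
}

# Run against a real tree only when a path is given:
#   sh audit.sh /var/lib/nethserver
if [ $# -gt 0 ]; then
    audit_state_dirs "$@"
fi
```

On the node from the test case above, both directories show `drwx------` and root ownership after the update, so the function would print nothing and return 0.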