theforeman / puppet-foreman

Puppet module for Foreman
GNU General Public License v3.0

Permissions for foreman::app_root not set correctly #934

Open promasu opened 3 years ago

promasu commented 3 years ago

Version: mod 'theforeman-foreman', '16.1.0'

When using

class { 'foreman':
    app_root => '/srv/some_dir',
}

the folder is created with the root user and not with the user specified by foreman. This breaks the whole argument.

ekohl commented 3 years ago

The relevant code is here: https://github.com/theforeman/puppet-foreman/blob/a2fe4c903967d61d0b23453b4bff3aba7eaa4ff0/manifests/config.pp#L71-L73

In production deployments it should be owned by root:root so always making Foreman the owner would lead to less security. I wonder what you would expect here. Also interested in how you'd like to manage content of that app root.

Overall I've been thinking of dropping management of that directory, especially after https://github.com/theforeman/puppet-foreman/pull/928 is merged. What are your thoughts on it?

promasu commented 3 years ago

That directory is created by the installation of the foreman package if I see it correctly. It's then owned by foreman:foreman. If app_root is not set, the default folder is created by the statement you stated and therefore owned by root:root.

When using app_root, the class Foreman::Database/Foreman::Rake[db:migrate]/Exec[foreman-rake-db:migrate] fails, for example, as the folder is not writable (and readable) by the user foreman.

ekohl commented 3 years ago

> That directory is created by the installation of the foreman package if I see it correctly. It's then owned by foreman:foreman.

$ ls -l /usr/share/foreman -d
drwxr-xr-x. 14 root root 4096 Mar 24 11:34 /usr/share/foreman

There are some directories which should be writable. However, in production deployment we symlink those. So:

$ ls -l /usr/share/foreman
total 100
drwxr-xr-x. 15 root    root  4096 Mar 19 16:37 app
drwxr-xr-x.  2 root    root  4096 Mar 24 11:34 bin
drwxr-xr-x.  2 root    root  4096 Mar 24 11:34 bundler.d
drwxr-xr-x.  7 root    root  4096 Mar 24 11:34 config
-rw-r--r--.  1 foreman root   383 Mar 19 16:37 config.ru
lrwxrwxrwx.  1 root    root    19 Mar 24 11:34 db -> /var/lib/foreman/db
drwxr-xr-x.  6 root    root  4096 Mar 24 11:34 extras
-rw-r--r--.  1 root    root  1855 Mar 19 16:37 Gemfile.in
drwxr-xr-x.  7 root    root  4096 Mar 24 11:34 lib
drwxr-xr-x. 20 root    root  4096 Mar 24 11:34 locale
lrwxrwxrwx.  1 root    root    16 Mar 24 11:34 log -> /var/log/foreman
drwxr-xr-x.  2 root    root 40960 Mar 24 11:34 migrate
drwxr-xr-x.  2 root    root  4096 Mar 22 12:07 plugins
lrwxrwxrwx.  1 root    root    23 Mar 24 11:34 public -> /var/lib/foreman/public
-rw-r--r--.  1 root    root   198 Mar 19 16:37 Rakefile
drwxr-xr-x.  5 root    root  4096 Mar 24 11:34 script
drwxr-xr-x.  2 root    root  4096 Mar 24 11:34 seeds.d
-rw-r--r--.  1 root    root   482 Mar 19 16:37 seeds.rb
lrwxrwxrwx.  1 root    root    16 Mar 24 11:34 tmp -> /var/run/foreman
-rw-r--r--.  1 root    root     6 Mar 19 16:37 VERSION
$ ls -ld /usr/share/foreman/{db,log,public,tmp}/
drwxr-xr-x. 2 foreman foreman 4096 Mar 24 11:34 /usr/share/foreman/db/
drwxr-x---. 3 foreman foreman 4096 Apr  6 05:15 /usr/share/foreman/log/
drwxr-xr-x. 7 foreman foreman 4096 Mar 24 11:34 /usr/share/foreman/public/
drwxr-x---. 5 foreman foreman  120 Apr  6 17:11 /usr/share/foreman/tmp/

I think config.ru is owned by Foreman because Passenger needed it but shouldn't be needed by a Puma deployment.

Does this help?
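An added audit helper illustrating the ownership model ekohl describes above (it is not code from puppet-foreman or from either commenter). It assumes the layout shown in the listings: the app root and its code directories are owned by root, only the entries that are symlinked to writable locations (db, log, public, tmp) may be owned by the service user, and nothing may be group- or world-writable. The sample listings are constructed excerpts based on the `ls -l` output quoted in the thread; the function reads any `ls -l` listing on stdin, prints one line per finding, and exits non-zero if it found anything.

```shell
#!/bin/sh
# Audit an `ls -l` listing of a Foreman app root against the expected
# ownership model (added example, not part of puppet-foreman).

# Constructed sample: excerpt of the /usr/share/foreman listing quoted above.
SAMPLE_LISTING='total 100
drwxr-xr-x. 15 root    root  4096 Mar 19 16:37 app
drwxr-xr-x.  2 root    root  4096 Mar 24 11:34 bin
-rw-r--r--.  1 foreman root   383 Mar 19 16:37 config.ru
lrwxrwxrwx.  1 root    root    19 Mar 24 11:34 db -> /var/lib/foreman/db
lrwxrwxrwx.  1 root    root    16 Mar 24 11:34 log -> /var/log/foreman
drwxr-xr-x.  2 root    root  4096 Mar 22 12:07 plugins'

# Constructed sample with no findings: same entries, config.ru owned by root.
GOOD_LISTING='drwxr-xr-x. 15 root    root  4096 Mar 19 16:37 app
-rw-r--r--.  1 root    root   383 Mar 19 16:37 config.ru
lrwxrwxrwx.  1 root    root    19 Mar 24 11:34 db -> /var/lib/foreman/db'

# Constructed sample showing what the reporter hit: the whole app root handed
# to the service user, plus a world-writable plugins directory.
BAD_LISTING='drwxr-xr-x. 15 foreman foreman 4096 Mar 19 16:37 app
drwxrwxrwx.  2 root    root    4096 Mar 22 12:07 plugins'

# audit_listing SERVICE_USER [ALLOWED_NAMES] < listing
#   SERVICE_USER  account the application runs as (e.g. foreman)
#   ALLOWED_NAMES space-separated entries that may be service-owned
#                 (default: the four writable locations from the thread)
# Symlink entries are skipped: their mode is always lrwxrwxrwx and their
# targets should be audited with `ls -ld target/` as ekohl did above.
audit_listing() {
  service_user="$1"
  allowed="${2:-db log public tmp}"
  awk -v svc="$service_user" -v allowed="$allowed" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    /^total /  { next }          # ls summary line
    NF < 9     { next }          # not a long-format entry
    {
      mode = $1; owner = $3; name = $9
      if (substr(mode, 1, 1) == "l") next
      if (owner == svc && !(name in ok)) {
        print "service-owned outside writable set: " name; bad = 1
      }
      # positions 6 and 9 of the mode string are group and other write bits
      if (substr(mode, 6, 1) == "w" || substr(mode, 9, 1) == "w") {
        print "group/other writable: " name " (" mode ")"; bad = 1
      }
    }
    END { exit bad ? 1 : 0 }'
}

# audit_dir DIR SERVICE_USER: run the same check against a live directory.
audit_dir() {
  ls -l "$1" | audit_listing "$2"
}

# Stand-alone usage: audit the constructed samples.
printf '%s\n' "$SAMPLE_LISTING" | audit_listing foreman
printf '%s\n' "$BAD_LISTING" | audit_listing foreman
```

On the thread's listing the only finding is `config.ru` (owned by foreman, which ekohl attributes to Passenger); a root-owned app root with foreman-owned `db`, `log`, `public` and `tmp` passes cleanly, while an `app_root` created wholesale as the service user is reported on every code directory.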