[DRE-maint] Bug#999618: redmine.postinst runs bundle install as root user, this kills running it as any other user

Sat Nov 13 18:38:55 GMT 2021

Package: redmine
Version: 4.0.7-1
Severity: normal

At the redmine.postinst beginning there is:
if ! bundle --local --quiet; then
which currently equals to:
if ! bundle install --local --quiet; then
This after changing directory to /usr/share/redmine.

apt runs this command as root, thus when I run "bundle install" from
/usr/share/redmine as any other user than root with a redmine plugin (redmine_git_hosting
and its dependencies additionnals and redmine_bootstrap_kit which calls to git versions of gems)
I get the following error:

"
$ bundle install 
Your Gemfile lists the gem rubocop (>= 0) more than once.
You should probably keep only one of them.
Remove any duplicate entries and specify the gem only once.
While it's not a problem now, it could cause errors if you change the version of one of them later.
Your Gemfile lists the gem brakeman (>= 0) more than once.
You should probably keep only one of them.
Remove any duplicate entries and specify the gem only once.
While it's not a problem now, it could cause errors if you change the version of one of them later.
Following files may not be writable, so sudo is needed:
  /usr/local/bin
  /var/lib/gems/2.7.0
  /var/lib/gems/2.7.0/bin
  /var/lib/gems/2.7.0/build_info
  /var/lib/gems/2.7.0/bundler
  /var/lib/gems/2.7.0/cache
  /var/lib/gems/2.7.0/doc
  /var/lib/gems/2.7.0/extensions
  /var/lib/gems/2.7.0/gems
  /var/lib/gems/2.7.0/plugins
  /var/lib/gems/2.7.0/specifications
Fetching https://github.com/jbox-web/gitolite-rugged.git
error: cannot open .git/FETCH_HEAD: Permission denied

Retrying `git fetch --force --quiet --tags /opt/redmine/.bundle/cache/git/gitolite-rugged-f96eae3bf467935eea22ec876625e07825442454` at /var/lib/gems/2.7.0/bundler/gems/gitolite-rugged-551741d1df06 due to error (2/4): Bundler::Source::Git::GitCommandError Git error: command `git fetch --force --quiet --tags /opt/redmine/.bundle/cache/git/gitolite-rugged-f96eae3bf467935eea22ec876625e07825442454` in directory /var/lib/gems/2.7.0/bundler/gems/gitolite-rugged-551741d1df06 has failed.

If this error persists you could try removing the cache directory '/var/lib/gems/2.7.0/bundler/gems/gitolite-rugged-551741d1df06'

Retrying `git fetch --force --quiet --tags /opt/redmine/.bundle/cache/git/gitolite-rugged-f96eae3bf467935eea22ec876625e07825442454` at /var/lib/gems/2.7.0/bundler/gems/gitolite-rugged-551741d1df06 due to error (3/4): Bundler::Source::Git::GitCommandError Git error: command `git fetch --force --quiet --tags /opt/redmine/.bundle/cache/git/gitolite-rugged-f96eae3bf467935eea22ec876625e07825442454` in directory /var/lib/gems/2.7.0/bundler/gems/gitolite-rugged-551741d1df06 has failed.

If this error persists you could try removing the cache directory '/var/lib/gems/2.7.0/bundler/gems/gitolite-rugged-551741d1df06'

Retrying `git fetch --force --quiet --tags /opt/redmine/.bundle/cache/git/gitolite-rugged-f96eae3bf467935eea22ec876625e07825442454` at /var/lib/gems/2.7.0/bundler/gems/gitolite-rugged-551741d1df06 due to error (4/4): Bundler::Source::Git::GitCommandError Git error: command `git fetch --force --quiet --tags /opt/redmine/.bundle/cache/git/gitolite-rugged-f96eae3bf467935eea22ec876625e07825442454` in directory /var/lib/gems/2.7.0/bundler/gems/gitolite-rugged-551741d1df06 has failed.

If this error persists you could try removing the cache directory '/var/lib/gems/2.7.0/bundler/gems/gitolite-rugged-551741d1df06'

Git error: command `git fetch --force --quiet --tags /opt/redmine/.bundle/cache/git/gitolite-rugged-f96eae3bf467935eea22ec876625e07825442454` in directory
/var/lib/gems/2.7.0/bundler/gems/gitolite-rugged-551741d1df06 has failed.

If this error persists you could try removing the cache directory '/var/lib/gems/2.7.0/bundler/gems/gitolite-rugged-551741d1df06'
"

indeed /var/lib/gems/2.7.0/bundler/gems/ gems are owned by root as they where copied to bundler system folder by redmine.postinst "bundle install --local" call.

May you call "bundle install --local" with sudo as www-data as the "bundle exec rake" or as any other user as wishlist bug report
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606982 does.

Best regards
Alban

-- System Information:
Debian Release: 11.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable'), (90, 'unstable'), (1, 'experimental')
Architecture: armhf (armv7l)

Kernel: Linux 5.10.0-9-armmp (SMP w/4 CPU threads)
Kernel taint flags: TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages redmine depends on:
ii  dbconfig-common                 2.0.19
ii  debconf [debconf-2.0]           1.5.77
ii  libjs-chart.js                  2.9.4+dfsg+~cs2.10.1-3
ii  libjs-jquery                    3.5.1+dfsg+~3.5.5-7
ii  libjs-jquery-ui                 1.12.1+dfsg-8
ii  libjs-raphael                   2.3.0-3
ii  libruby2.7 [ruby-csv]           2.7.4-1
ii  redmine-pgsql                   4.0.7-1
ii  ruby                            1:2.7+2
ii  ruby-actionpack-action-caching  1.2.1-1
ii  ruby-actionpack-xml-parser      2.0.1-4
ii  ruby-bundler                    2.2.5-2
ii  ruby-coderay                    1.1.3-4
ii  ruby-csv                        3.1.9-1
ii  ruby-i18n                       1.8.8-1
ii  ruby-jquery-rails               4.3.5-2
ii  ruby-mail                       2.7.1+dfsg1-1.1
ii  ruby-mime-types                 3.3.1-1
ii  ruby-mimemagic                  0.3.5+dfsg-1
ii  ruby-mini-mime                  1.0.2-1
ii  ruby-net-ldap                   0.16.1-1
ii  ruby-nokogiri                   1.11.1+dfsg-2
ii  ruby-rack                       2.1.4-3
ii  ruby-rack-test                  0.7.0-1.1
ii  ruby-rails                      2:6.0.3.7+dfsg-2
ii  ruby-rails-dom-testing          2.0.3-3
ii  ruby-rails-observers            0.1.5-1.1
ii  ruby-rbpdf                      1.20.1-1
ii  ruby-redcarpet                  3.5.1-1
ii  ruby-request-store              1.5.0-2
ii  ruby-rmagick                    2.16.0-7
ii  ruby-roadie                     4.0.0-1
ii  ruby-roadie-rails               2.1.1-2
ii  ruby-rouge                      3.21.0-1

Versions of packages redmine recommends:
pn  passenger  <none>

Versions of packages redmine suggests:
ii  brz [bzr]   3.1.0-8
ii  bzr         2.7.0+bzr6622+brz
pn  cvs         <none>
pn  darcs       <none>
ii  git         1:2.30.2-1
pn  mercurial   <none>
pn  ruby-fcgi   <none>
ii  subversion  1.14.1-3

-- Configuration Files:
/etc/default/redmine changed:
REDMINE_INSTANCES_OWNERSHIP=redmine:www-data
REDMINE_INSTANCES_FOLLOW_FHS=yes
REDMINE_INSTANCES_ROOT=/var/lib/redmine

-- debconf information:
* redmine/instances/default/database-type: pgsql
  redmine/instances/default/internal/skip-preseed: true
* redmine/instances/default/remote/host: localhost
  redmine/instances/default/pgsql/admin-user: debian-sys-maint
  redmine/instances/default/dbconfig-upgrade: true
  redmine/instances/default/db/basepath:
  redmine/missing-redmine-package:
  redmine/default-language: en
  redmine/instances/default/missing-db-package-error: abort
  redmine/instances/default/mysql/method: Unix socket
  redmine/instances/default/db/app-user: redmine_default at localhost
  redmine/instances/default/dbconfig-remove:
  redmine/instances/default/remote/port: 3306
  redmine/instances/default/pgsql/changeconf: false
  redmine/instances/default/internal/reconfiguring: false
  redmine/instances/default/remove-error: abort
  redmine/instances/default/pgsql/authmethod-admin: ident
  redmine/instances/default/upgrade-backup: true
  redmine/instances/default/pgsql/method: TCP/IP
  redmine/notify-migration:
  redmine/instances/default/pgsql/authmethod-user: password
  redmine/instances/default/default-language: en
  redmine/instances/default/db/dbname: redmine_default
  redmine/old-instances:
  redmine/current-instances: default
* redmine/instances/default/mysql/admin-user: debian-sys-maint
  redmine/instances/default/pgsql/manualconf:
  redmine/instances/default/passwords-do-not-match:
* redmine/instances/default/dbconfig-install: true
  redmine/instances/default/upgrade-error: abort
  redmine/instances/default/dbconfig-reinstall: false
  redmine/instances/default/pgsql/no-empty-passwords:
  redmine/instances/default/install-error: abort
  redmine/instances/default/purge: false
  redmine/instances/default/remote/newhost: localhost