[DRE-maint] Bug#926232: obs-api: should not install files owned by 'nobody'
Simon McVittie
smcv at collabora.com
Tue Apr 2 12:03:34 BST 2019
Package: obs-api
Version: 2.7.1-10
Severity: normal
Tags: upstream
Prompted by #926198, I looked at /usr/share/obs/api/script/rake-tasks.sh
and found that it has:
chown nobody:www-data /etc/obs/api/config/database.yml
chown nobody:www-data /var/log/obs/backend_access.log
chown nobody:www-data /var/log/obs/production.log
There should not be any files on a Debian system owned by uid 65534/nobody
(or group-owned by gid 65534/nogroup, but OBS correctly doesn't do that).
The purpose of this uid and gid is that they have permission to read
world-readable files, and nothing else. Having files owned by this uid
or gid defeats that purpose.
If the intention of this ownership is to let the web server (uid www-data,
gid www-data) write to the files but not own them (so that it cannot,
for example, change their permissions), then they should be owned by
root:www-data or similar.
If the intention of this ownership is to let an OBS component that runs
as uid 'nobody' write to them, then that component should run as its own
uid instead (similar to the obsrun and obsworker uids used by other
packages in the OBS family), and the files should be owned by that uid.
Regards,
smcv
More information about the Pkg-ruby-extras-maintainers
mailing list