Differences between revisions 24 and 29 (spanning 5 versions)
Revision 24 as of 2009-05-10 05:07:04
Size: 2936
Editor: Unw
Comment:
Revision 29 as of 2009-05-13 06:27:46
Size: 3967
Editor: adsl-074-183-015-058
Comment:
Deletions are marked like this. Additions are marked like this.
Line 7: Line 7:
  * edit an existing page, save, and not changes   * edit an existing page, save, and note changes
Line 21: Line 21:
 User Documentation:: [[HowTo/Install MoinMoin under setuid or setgid wrapper|HelpOnInstalling/SetuidWrapperOnPosix]] Rationale  User Documentation:: [[HowTo/Install MoinMoin under setuid or setgid wrapper|HelpOnInstalling/SetuidWrapperOnPosix]]
Line 23: Line 23:
== Rationale ==
Line 44: Line 45:
 * os.access remaining
  * Unw <<DateTime(2009-04-25T22:40:23Z)>>
   * Three files continue to use os.access.
    * {{{moin-1.8.2/MoinMoin/logfile/__init__.py}}}
    * {{{moin-1.8.2/MoinMoin/script/export/dump.py}}}
    * {{{moin-1.8.2/MoinMoin/server/__init__.py}}}
   * At this time I don't know how (or if) they should be altered.		  * Three files continue to use os.access.
  * At this time I don't know how (or if) they should be altered.
   * {{{moin-1.8.2/MoinMoin/logfile/__init__.py}}}
   * {{{moin-1.8.2/MoinMoin/script/export/dump.py}}}
   * {{{moin-1.8.2/MoinMoin/server/__init__.py}}}
   . -- [[Unw]] <<DateTime(2009-04-25T22:40:23Z)>>
  * Note about incomplete patches: if there is a fundamental problem with os.access, then '''all''' os.access usage would have to get removed from moin, not just some.
   . Further, I got some feedback on IRC from BastianBlank that calling the Python interpreter that way (with UID != EUID) shouldn't be a supported configuration (maybe he could add a comment here, I guess he can explain that better than I could).
  . -- <<DateTime(2009-05-11T00:00:01Z)>>
  * In the last two weeks, I've looked at the remaining os.access usage. I haven't assembled a test environment, but it looks like all three should in fact be removed and replaced. The problem is depending on os.access() for a side-effect (logical and of file permissions mask) rather than its design purpose (report of user authority). See http://linux.die.net/man/2/access for details.
   . -- [[Unw]] <<DateTime(2009-05-11T02:40:23Z)>>

  * I would appreciate BastianBlank's explanation.
   . -- [[Unw]] <<DateTime(2009-05-12T00:40:23Z)>>
Line 56: Line 64:
 * Status:  * Status: patches exist, but are incomplete

Details

Applies to
1.8.2 and later (unix installations)
Purpose

bug fix - Unable to install under setuid/setgid wrapper.

Description

This patch replaces disrecommended os.access() usage with recommended feckless open.

Testing
Limited testing has been performed.
  • edit an existing page, save, and note changes
  • attempt to edit a protected (Help) page (note "Immutable Page")
  • create a new page, save, and note changes

Target

Tested

Tested

Test Date

2009-04-26 20:00:00

2009-04-23 20:00:00

MoinMoin Version

1.8.2

1.8.2

OS and Version

POSIX

linux-2.6.13-15

linux-2.4.18

Python Version

>2.0.0

2.4.1

2.4.3

Web Server

any

apache2-2.0.54

apache2-2.2.3

Host Type

any

workstation

intranet dmz

Setuid Wrapper

any

MoinMoin

MoinMoin

User Documentation

HelpOnInstalling/SetuidWrapperOnPosix

Rationale

os.access(...W_OK...) does not report whether or not the current process is able to write. Rather it reports whether the login process (i.e. web server agent) is able to write.

Improper use of os.access() in Page.py prevents adding pages or saving changes if moin.cgi is installed under setuid wrapper.

The danger of granting write privilege to the web server agent is that it gives wiki file ownership to the web server agent and so overrides wiki security settings. Denying write privilege to the web server agent, without this patch, prevents the wiki from adding or changing pages.

Patch

Rather than mark a page immutable if the web server cannot write it, mark it immutable if an attempt to open it (for appending nothing) fails.

Toggle line numbers 
   1 --- moin-1.8.2/MoinMoin/Page.py	2009-02-07 20:31:01.000000000 -0500
   2 +++ moin-1.8.2/MoinMoin/Page.py	2009-04-26 16:43:48.000000000 -0400
   3 @@ -598,7 +598,16 @@
   4          @rtype: bool
   5          @return: true, if this page is writable or does not exist
   6          """
   7 -        return os.access(self._text_filename(), os.W_OK) or not self.exists()
   8 +        result = True
   9 +        if self.exists():
  10 +            try:
  11 +                # Attempt to append nothing fecklessly
  12 +                open(self._text_filename(), 'a').close()
  13 +            except IOError:
  14 +                # Failed open should return errno.EACCES
  15 +                # Any repeatable error will prevent edit/creation
  16 +                result = False
  17 +        return result
  18  
  19      def isUnderlayPage(self, includeDeleted=True):
  20          """ Does this page live in the underlay dir?

Page.py.patch

Include read-only dictionaries in those searched.

Toggle line numbers 
   1 --- moin-1.8.2/MoinMoin/action/SpellCheck.py	2009-01-06 19:26:50.000000000 -0500
   2 +++ moin-1.8.2/MoinMoin/action/SpellCheck.py	2009-04-22 00:49:12.000000000 -0400
   3 @@ -39,7 +39,7 @@
   4      # validate candidate list (leave out directories!)
   5      wordsfiles = []
   6      for f in candidates:
   7 -        if os.path.isfile(f) and os.access(f, os.F_OK | os.R_OK):
   8 +        if os.path.isfile(f):
   9              wordsfiles.append(f)
  10  
  11      # return validated file list

SpellCheck.py.patch

Don't fail to start just because pages directory is read-only.

Toggle line numbers 
   1 --- moin-1.8.2/MoinMoin/config/multiconfig.py	2009-01-23 23:39:19.000000000 -0500
   2 +++ moin-1.8.2/MoinMoin/config/multiconfig.py	2009-04-27 09:21:47.000000000 -0400
   3 @@ -535,7 +535,6 @@
   4          Both data and underlay should exists and allow read, write and
   5          execute.
   6          """
   7 -        mode = os.F_OK | os.R_OK | os.W_OK | os.X_OK
   8          for attr in ('data_dir', 'data_underlay_dir'):
   9              path = getattr(self, attr)
  10  
  11 @@ -544,7 +543,7 @@
  12                  continue
  13  
  14              path_pages = os.path.join(path, "pages")
  15 -            if not (os.path.isdir(path_pages) and os.access(path_pages, mode)):
  16 +            if not os.path.isdir(path_pages):
  17                  msg = """
  18  %(attr)s "%(path)s" does not exist, or has incorrect ownership or
  19  permissions.

multiconfig.py.patch

Discussion

  • Historical (resolved) issues on separate page

  • Three files continue to use os.access.
    • At this time I don't know how (or if) they should be altered.

      • moin-1.8.2/MoinMoin/logfile/__init__.py

      • moin-1.8.2/MoinMoin/script/export/dump.py

      • moin-1.8.2/MoinMoin/server/__init__.py

      • -- Unw 2009-04-25 22:40:23

    • Note about incomplete patches: if there is a fundamental problem with os.access, then all os.access usage would have to get removed from moin, not just some.

      • Further, I got some feedback on IRC from BastianBlank that calling the Python interpreter that way (with UID != EUID) shouldn't be a supported configuration (maybe he could add a comment here, I guess he can explain that better than I could).

    • -- 2009-05-11 00:00:01

    • In the last two weeks, I've looked at the remaining os.access usage. I haven't assembled a test environment, but it looks like all three should in fact be removed and replaced. The problem is depending on os.access() for a side-effect (logical and of file permissions mask) rather than its design purpose (report of user authority). See http://linux.die.net/man/2/access for details.

      • -- Unw 2009-05-11 02:40:23

    • I would appreciate BastianBlank's explanation.

      • -- Unw 2009-05-12 00:40:23

Plan

  • Priority:
  • Assigned to:
  • Status: patches exist, but are incomplete

CategoryMoinMoinPatch

MoinMoin: MoinMoinPatch/SetuidFixReplaceOsAccess (last edited 2009-05-13 06:27:46 by adsl-074-183-015-058)