The permissions on /srv/odcs odcs_target_dir are too broad (777). I set them this way in 00be7fd514ff30d0aceafefbb7ddd896e8e8ecab.
I was having trouble getting the backend and the frontend to share the gluster serve. The frontend serves composes from that share running as apache. The backend populates composes into that share, running as the fedmsg user. The uid/gids seem to not match between the frontend and backend, which complicates things.
Any ideas for how to resolve this?
Metadata Update from @ralph: - Issue tagged with: odcs, security
Metadata Update from @kevin: - Issue priority set to: Waiting on Assignee (was: Needs Review)
I think the correct fix here would be to update the ODCS package to add a user with a well-known UID (https://fedoraproject.org/wiki/PackageUserRegistry), and then make sure the mod_wsgi application gets configured to use that uid as well.
Any movement here? Should we file this upstream somewhere?
I am not sure where upstream is. :)
@jkaluza @lsedlar Where can I add a ticket/bug/issue to fix this?
ODCS upstream is at https://pagure.io/odcs/
Thanks, filed https://pagure.io/odcs/issue/302 about this.
However, we should probably try and fix it sooner in our infra if there's not a desire to fix this upstream...
Can you wait with this after I upgrade ODCS in prod to latest version too? I'm upgrading in staging and I was rewriting the playbooks/roles.
Sure, we have waited this long.
@jkaluza any news here?
Assign this to @jkaluza so it is clear that this is being worked on
Metadata Update from @cverna: - Issue assigned to jkaluza
I'm working on that right now. Staging should have this fixed later today. It should be part of the next prod update, which I'm going to do after the freeze.
So, I did a series of commits in ansible.git which do the following (summary):
This is deployed on ODCS staging. I will close this ticket as soon as I deploy this on prod after the freeze.
Cool! Freeze is over now, so deploy at your leisure. ;)
This is fixed.
Metadata Update from @kevin: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)