Bug #134
Permissions on Default Lockfile Make Running oned Under Unprivileged User Impossible
| Status: | Closed | Start date: | 08/21/2009 | |
|---|---|---|---|---|
| Priority: | Normal | Due date: | ||
| Assignee: |  Jaime Melis | % Done: | 0% | |
| Category: | Core & System | |||
| Target version: | Release 1.4 | |||
| Resolution: | fixed | Pull request: | ||
| Affected Versions: |
Description
By default the lockfile for oned is set to /var/lock/one when installing in system wide mode. Since /var/lock is not writable by unprivileged users, it is impossible to start oned.
Suggested fix is to create a /var/lock/one/ directory owned by the user/group set as one admin and place the lock file in this directory as /var/lock/one/one. I've attached a simple patch to affect this fix.
oned.lockfile.patch 
(105 Bytes)
Associated revisions
Moved the lock in system-wide installation mode. Fixed occi-server and econe-server scripts for system-wide installations #134
git-svn-id: http://svn.opennebula.org/one/branches/one-1.4@931 3034c82b-c49b-4eb3-8279-a7acafdc01c0
History
#1
Updated by Ruben S. Montero almost 12 years ago
- Category set to Core & System
- Assignee set to Jaime Melis
- Target version set to Release 1.4
#2
Updated by Jaime Melis over 11 years ago
- Status changed from New to Closed
- Resolution set to worksforme
We have not been able to reproduce the bug. When installed in system-wide mode the /var/lock/one file is succesfully chown'd to the user referred to by the -u flag in the install.sh, therefore that user can start oned without any problems.
#3
Updated by Tres Wong-Godfrey over 11 years ago
Hi Jamie,
Thanks for checking into this. I took a look at install.sh from the latest RC and here's what I see for install locations:
if [ -z "$ROOT" ] ; then
BIN_LOCATION="/usr/bin"
LIB_LOCATION="/usr/lib/one"
ETC_LOCATION="/etc/one"
LOG_LOCATION="/var/log/one"
VAR_LOCATION="/var/lib/one"
RUN_LOCATION="/var/run/one"
INCLUDE_LOCATION="/usr/include"
SHARE_LOCATION="/usr/share/doc/opennebula"
Notice that there is no reference to a lock file at all.
If I grep -i "lock" i get nothing out of install.sh.
In the install.sh script I have, the CHOWN_DIRS variable is defined:
CHOWN_DIRS="$LOG_LOCATION $VAR_LOCATION $RUN_LOCATION"
So, I'm not sure if I'm overlooking something, or if there's a different install script that I'm not using.
Thanks again for your time and your help.
Regards,
Tres
#4
Updated by Jaime Melis over 11 years ago
Hi,
actually, the lock file gets created in /var/run/one/ , which is a directory that belongs to the ONE user after applying the chown you pointed out: CHOWN_DIRS="$LOG_LOCATION $VAR_LOCATION $RUN_LOCATION".
Does it make sense now?
#5
Updated by Tres Wong-Godfrey over 11 years ago
Hi Jamie,
The version of OpenNebula I have uses /var/lock/one for the lock file. Check out line 118 of one-1.3.90/src/nebula/oned.cc:
lockfile = "/var/lock/one";If the lock file is supposed to be under /var/run, then it would appear that oned.cc needs to be updated to reflect that.
Thanks again for your time.
Regards,
Tres
#6
Updated by Jaime Melis over 11 years ago
- Resolution changed from worksforme to fixed
Hi Tres,
You were very right. The reason why it was working for us is because in debian based distributions:
(debian) $ ls -ld /var/lock
drwxrwxrwt 3 root root 4096 2009-12-02 11:45 /var/lock
while in redhat/fedora:
(redhat/fedora) # ls -ld /var/lock
drwxrwxr-x 5 root lock 4096 Dec 2 12:46 /var/lock
So in debian based distributions the oneadmin user had permissions to write in /var/lock.
In any case we considered your suggestion to be the best option here, so we have commited the patch you attached and applied a few extra modifications for everything to be coherent.
Thank you very much for your great feedback.