Bug #15261

insufficient rights for weblate group on translate

Added by groente 2018-01-29 15:38:08. Updated 2018-07-01 07:41:50.

Status: Resolved
Priority: Normal
Assignee: emmapeel
Category: Infrastructure
Target version:
Start date: 2018-01-29
Due date:
% Done: 0%
Feature Branch:
Type of work: Sysadmin
Blueprint:
Starter:
Affected tool:
Deliverable for:

Description

Directories in /var/lib/weblate/repositories/vcs have setgid set to group weblate, but the group doesn’t have execute permission on the subdirectories there, nor does it have write permission on many of the files.
We need to either fix the permissions so that group weblate actually profits from the setgid, or put a setuid to weblate on directories under /var/lib/weblate/repositories/vcs.


Subtasks


Related issues

Related to Tails - Feature #15079: Integrate the platform with our Git and ikiwiki infrastructure Resolved 2017-03-14

History

#1 Updated by groente 2018-01-29 15:39:11

  • related to Feature #15079: Integrate the platform with our Git and ikiwiki infrastructure added

#2 Updated by emmapeel 2018-02-08 18:44:55

I am getting atm:


error: insufficient permission for adding an object to repository database .git/objects
fatal: failed to write commit object (128)

for user weblate in /var/lib/weblate/repositories/vcs/tails/index/

all the files under .git are owned by root:staff

#3 Updated by intrigeri 2018-02-09 07:38:13

  • Assignee changed from groente to emmapeel
  • QA Check set to Info Needed

> I am getting atm:
>
> error: insufficient permission for adding an object to repository database .git/objects
> fatal: failed to write commit object (128)
>
> for user weblate in /var/lib/weblate/repositories/vcs/tails/index/

Indeed, I see objects with 444 permissions e.g. in /var/lib/weblate/repositories/vcs/tails/index/.git/objects/00/. I have no idea where these read-only permissions come from and they’re not set by Puppet.

We manage the parent /var/lib/weblate/repositories/ directory with Puppet but its content is outside of the Puppet realm, and is the responsibility of the weblate admins. So the question is: do we need to do anything in Puppet to allow weblate admins to manage the content of /var/lib/weblate/repositories/ as needed?

As user weblate I’ve tried to fix the permissions and it mostly worked, except:

$ chmod -R o+rwX /var/lib/weblate/repositories/vcs/tails/index/.git
chmod: changing permissions of '/var/lib/weblate/repositories/vcs/tails/index/.git/objects/f0': Operation not permitted
chmod: changing permissions of '/var/lib/weblate/repositories/vcs/tails/index/.git/objects/f0/28707aac8dd041f962cddfea93cdc38976016b': Operation not permitted

… which is caused by:

$ ls -ld /var/lib/weblate/repositories/vcs/tails/index/.git/objects/f0
drwxr-sr-x 2 emmapeel weblate 4096 Feb  7 18:44 /var/lib/weblate/repositories/vcs/tails/index/.git/objects/f0

That is, a mistake by the weblate admins (doing stuff as the emmapeel user instead of the weblate user, which created files that the weblate user then cannot manage, hence the error message emmapeel now sees). To fix that mistake I did sudo chown -R weblate:weblate /var/lib/weblate/repositories/vcs/tails/index/.git, and then chmod -R o+rwX /var/lib/weblate/repositories/vcs/tails/index/.git worked just fine, which should fix this second problem I’m quoting above. Right?

Regarding the permissions matter this ticket was originally about, i.e. “directories in /var/lib/weblate/repositories/vcs have setgid set to group weblate, but the group doesn’t have execute permission on the subdirectories there, nor does it have write permission on many of the files”: to me it looks like a result of how operations are done by the weblate admins or software they manage. If all members of the weblate group really need more access to these files, then I suggest setting a more relaxed umask (0002) when doing stuff in there as the weblate user. We could do this via Puppet for that user’s default shell, but it won’t be taken into account by operations that bypass the shell.

Taking a step back:

  • the weblate user itself will have access already since it owns these files
  • weblate admins have sudo credentials to run any command as the weblate user
  • the only members of the weblate group are the weblate user and the weblate admins

… so I don’t understand: what problem would we solve by giving more relaxed group permissions on these files?
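The setgid/umask interplay described in this comment, together with the group-permission gaps from the ticket description, shown as an added example that is not part of the ticket. It works in a throwaway directory created with mktemp (not the real /var/lib/weblate paths) and assumes a Linux-style setgid directory and GNU/BSD find, ls and cut.

```shell
#!/bin/sh
# Added example, not code from the ticket. A setgid directory only propagates
# its group to new entries; the creator's umask still decides whether that
# group can traverse and write them. That is the gap the ticket describes:
# setgid to group weblate, yet no g+x on subdirectories and no g+w on files.

# make_tree UMASK: throwaway setgid parent (mode 2775) with one subdirectory
# and one file created below it under UMASK. Prints the base path.
make_tree() {
    base=$(mktemp -d)
    mkdir "$base/vcs" && chmod 2775 "$base/vcs"              # drwxrwsr-x
    ( umask "$1" && mkdir "$base/vcs/repo" && : > "$base/vcs/repo/obj" )
    echo "$base"
}

# group_bits_under_umask UMASK: print the group rwx triplet of the
# subdirectory and the file, e.g. "dir=r-s file=r--".
group_bits_under_umask() {
    base=$(make_tree "$1")
    d=$(ls -ld "$base/vcs/repo" | cut -c5-7)                 # group column
    f=$(ls -ld "$base/vcs/repo/obj" | cut -c5-7)
    rm -rf "$base"
    echo "dir=$d file=$f"
}

# audit_group_gaps ROOT: list directories the group cannot enter (no g+x)
# and files it cannot modify (no g+w). Pointing it at the real vcs tree
# shows exactly what a chmod -R g+rwX pass would have to touch.
audit_group_gaps() {
    find "$1" -type d ! -perm -g=x
    find "$1" -type f ! -perm -g=w
}

# gap_count_under_umask UMASK: how many entries audit_group_gaps flags in a
# tree created under UMASK.
gap_count_under_umask() {
    base=$(make_tree "$1")
    n=$(audit_group_gaps "$base/vcs" | wc -l | tr -d ' ')
    rm -rf "$base"
    echo "$n"
}

# Stand-alone run: default umask versus the 0002 suggested above.
group_bits_under_umask 0022     # dir=r-s file=r--  (setgid inherited, no g+w)
group_bits_under_umask 0002     # dir=rws file=rw-
gap_count_under_umask 0022      # 1  (the file)
gap_count_under_umask 0002      # 0
```

Run audit_group_gaps against the vcs tree as the weblate user to get the concrete list of entries the group cannot use, before deciding between a one-off chmod and a umask change.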

#4 Updated by emmapeel 2018-02-09 23:53:11

  • Assignee changed from emmapeel to groente

intrigeri wrote:
> […]
>
> That is, a mistake by the weblate admins (doing stuff as the emmapeel user instead of the weblate user, which created files that the weblate user then cannot manage, hence the error message emmapeel now sees). To fix that mistake I did sudo chown -R weblate:weblate /var/lib/weblate/repositories/vcs/tails/index/.git, and then chmod -R o+rwX /var/lib/weblate/repositories/vcs/tails/index/.git worked just fine, which should fix this second problem I’m quoting above. Right?

Yes. Also, now I simply cannot run git as emmapeel, so this problem should never happen again. Before, once I created the file under my name, I could not change ownership to weblate. I originally emailed admins for chowning everything to weblate.

#5 Updated by bertagaz 2018-05-10 11:09:31

  • Target version changed from Tails_3.7 to Tails_3.8

#6 Updated by intrigeri 2018-06-26 16:28:04

  • Target version changed from Tails_3.8 to Tails_3.9

#7 Updated by groente 2018-06-30 20:18:04

  • Assignee changed from groente to emmapeel

I assume this ticket can be closed?

#8 Updated by emmapeel 2018-07-01 07:41:50

  • Status changed from Confirmed to Resolved

Yes indeed.