View Issue Details
Field | Value |
---|---|
ID | 0006008 |
Project | Taler |
Category | deployment and operations |
View Status | public |
Date Submitted | 2019-12-23 15:42 |
Last Update | 2021-08-24 16:23 |
Reporter | Marcello Stanisci |
Assigned To | Florian Dold |
Priority | high |
Severity | minor |
Reproducibility | have not tried |
Status | closed |
Resolution | fixed |
Target Version | 0.8 |
Fixed in Version | 0.8 |
Summary | 0006008: fix permissions on keys for blue/green demo setup |
Description | Deployed keys should be assigned to the 'demo' group and only have read/write permissions. The attached script addresses this; should be applied and tested. |
Tags | No tags attached. |
Attached Files | permissions.diff (3,463 bytes) |
diff --git a/bin/taler-deployment-keyup b/bin/taler-deployment-keyup index 76de9c3..45f99f8 100755 --- a/bin/taler-deployment-keyup +++ b/bin/taler-deployment-keyup @@ -15,6 +15,7 @@ if ! test -f $HOME/.config/taler.conf; then exit 1 fi +DEPLOYMENT_DATA=$(taler-config -s paths -o taler_deployment_data -f) DATESALT=$(date +%s%N) AUDITOR_REQUEST_DIR=$(taler-config -s exchangedb -o auditor_inputs -f) AUDITOR_BASE_DIR=$(taler-config -s exchangedb -o auditor_base_dir -f) 
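Review bot: the new `DEPLOYMENT_DATA=$(taler-config -s paths -o taler_deployment_data -f)` assignment is never checked for an empty result, and the later hunks run `chmod g+s $DEPLOYMENT_DATA/` and `chmod -R 660 $DEPLOYMENT_DATA/` on it unquoted; if the option is missing or taler-config fails, both commands end up operating on `/`. Add a guard directly after the assignment, e.g. `test -n "$DEPLOYMENT_DATA" || { echo "taler_deployment_data not configured" >&2; exit 1; }`, and quote the variable at every use.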
@@ -33,53 +34,52 @@ MERCHANT_TALER_PRIV=$(taler-config -s instance-Taler -o keyfile -f) MERCHANT_FSF_PRIV=$(taler-config -s instance-FSF -o keyfile -f) MERCHANT_GNUNET_PRIV=$(taler-config -s instance-GNUnet -o keyfile -f) + +# NOTE: all the steps below will only work IF /home/demo/taler-data/ +# allows already writes from the demo group. And that it is not (yet?) +# automated. +chmod g+s $DEPLOYMENT_DATA/ + # Deploying merchant tip-reserve priv. if ! test -f $MERCHANT_TIP_RESERVE_PRIV ; then mkdir -p $(dirname $MERCHANT_TIP_RESERVE_PRIV) cp $HOME/deployment/private-keys/default-tip.priv $MERCHANT_TIP_RESERVE_PRIV - chmod 440 $MERCHANT_TIP_RESERVE_PRIV fi # Deploying merchant default priv. if ! test -f $MERCHANT_DEFAULT_PRIV ; then mkdir -p $(dirname $MERCHANT_DEFAULT_PRIV) cp $HOME/deployment/private-keys/default.priv $MERCHANT_DEFAULT_PRIV - chmod 440 $MERCHANT_DEFAULT_PRIV fi # Deploying merchant tutorial priv. if ! test -f $MERCHANT_TUTORIAL_PRIV ; then mkdir -p $(dirname $MERCHANT_TUTORIAL_PRIV) cp $HOME/deployment/private-keys/tutorial.priv $MERCHANT_TUTORIAL_PRIV - chmod 440 $MERCHANT_TUTORIAL_PRIV fi # Deploying merchant Tor priv. if ! test -f $MERCHANT_TOR_PRIV ; then mkdir -p $(dirname $MERCHANT_TOR_PRIV) cp $HOME/deployment/private-keys/tor.priv $MERCHANT_TOR_PRIV - chmod 440 $MERCHANT_TOR_PRIV fi # Deploying merchant Taler priv. if ! test -f $MERCHANT_TALER_PRIV ; then mkdir -p $(dirname $MERCHANT_TALER_PRIV) cp $HOME/deployment/private-keys/taler.priv $MERCHANT_TALER_PRIV - chmod 440 $MERCHANT_TALER_PRIV fi # Deploying merchant FSF priv. if ! test -f $MERCHANT_FSF_PRIV ; then mkdir -p $(dirname $MERCHANT_FSF_PRIV) cp $HOME/deployment/private-keys/fsf.priv $MERCHANT_FSF_PRIV - chmod 440 $MERCHANT_FSF_PRIV fi # Deploying merchant GNUnet priv. if ! test -f $MERCHANT_GNUNET_PRIV ; then mkdir -p $(dirname $MERCHANT_GNUNET_PRIV) cp $HOME/deployment/private-keys/gnunet.priv $MERCHANT_GNUNET_PRIV - chmod 440 $MERCHANT_GNUNET_PRIV fi 
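Review bot: dropping the `chmod 440` after each `cp` leaves every copied private key with the source file's mode masked by the umask, which this script does not control, until the recursive chmod at the very end of the script runs; any failure in between leaves the keys with an unreviewed mode. Keep an explicit mode per key, e.g. `install -m 660 $HOME/deployment/private-keys/default-tip.priv $MERCHANT_TIP_RESERVE_PRIV` in place of the `cp`, rather than relying on the trailing recursive chmod. Also note that `chmod g+s $DEPLOYMENT_DATA/` is not recursive and only influences the group of files and subdirectories created afterwards; existing subdirectories and the keys copied here keep their current group unless a `chgrp` is run as well, which the NOTE comment above it should say (and the comment itself should read "already allows writes from the demo group").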
@@ -87,14 +87,12 @@ fi if ! test -f $EXCHANGE_PRIV ; then mkdir -p $(dirname $EXCHANGE_PRIV) cp $HOME/deployment/private-keys/${TALER_ENV_NAME}-exchange-master.priv $EXCHANGE_PRIV - chmod 440 $EXCHANGE_PRIV fi # Deploying Auditor's priv. if ! test -f $AUDITOR_PRIV; then mkdir -p $(dirname $AUDITOR_PRIV) cp $HOME/deployment/private-keys/auditor.priv $AUDITOR_PRIV - chmod 440 $AUDITOR_PRIV fi mkdir -p $AUDITOR_REQUEST_DIR @@ -104,9 +102,6 @@ taler-exchange-keyup \ # or-ing with true as user A won't be able to # change permissions for user B's files. -chmod -R 440 $EXCHANGE_LIVE_KEYS/* || true - -chmod -R 440 $EXCHANGE_WIREFEES/* || true taler-auditor-exchange \ -m $EXCHANGE_PUB \ @@ -129,3 +124,5 @@ if [[ -s $AUDITOR_REQUEST_DIR/auditor_request-${DATESALT} ]]; then -o "$AUDITOR_BASE_DIR/$DATESALT" \ -c ${HOME}/.config/taler.conf fi + +chmod -R 660 $DEPLOYMENT_DATA/ | ||||
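Review bot: in the `@@ -104,9` hunk the comment `# or-ing with true as user A won't be able to change permissions for user B's files.` is kept while both `chmod -R 440 ... || true` lines it describes are removed, so it now refers to nothing; either drop it or move it to the new `chmod -R 660 $DEPLOYMENT_DATA/` at the end of the file, which has the same cross-user problem and, unlike the removed lines, no `|| true`, so a single file owned by another user makes the script end with a nonzero status.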
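Review bot: in the `@@ -129,3` hunk, `chmod -R 660 $DEPLOYMENT_DATA/` strips the execute bit from `$DEPLOYMENT_DATA/` and every directory below it, which makes the tree untraversable, so the keys inside can no longer be opened at all. Use the `X` mode letter, which sets execute only on directories (and on files that already have it): `chmod -R u=rwX,g=rwX,o= "$DEPLOYMENT_DATA/"`, or handle the two types separately with `find "$DEPLOYMENT_DATA" -type d -exec chmod 2770 {} +` and `find "$DEPLOYMENT_DATA" -type f -exec chmod 660 {} +`; the `-type d` form also states the setgid bit explicitly instead of relying on what the earlier `chmod g+s` left behind.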
The chmod -R was pretty fatal: it removed -x from directories... Also, 440 is not ok, as some of our tools like to open for writing and fail if they cannot (possibly unnecessarily so, but that's another issue for later!).
There should be two parts to this fix:

* alias taler-exchange-keyup in ~/activate to something that first runs the keyup command and then fixes up permissions
* add some logic in taler-deployment-start to check if the permissions are correct, and then give a nice warning
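A check-and-repair routine for the two parts described in this note, as an added example that is not code from deployment.git or from the Taler deployment scripts; the data directory argument, the group name argument and the availability of GNU find and chgrp are assumptions:

```shell
#!/bin/sh
# Added example, not code from deployment.git: check (and optionally repair) the
# permission scheme this issue asks for on a Taler deployment data directory:
# every file owned by the deployment group with mode 660, every directory owned
# by that group with mode 2770 (rwx for owner and group, setgid so new files
# inherit the group, and the x bit kept so the tree stays traversable).
# Assumed arguments: $1 = data directory (on the demo host the value of
# "taler-config -s paths -o taler_deployment_data -f"), $2 = group name ("demo").
# Requires GNU find (-printf).

# Report every deviation on stderr; return 0 if all is well, 1 otherwise.
check_deployment_perms() {
    dir=$1
    group=$2
    bad=$( {
        find "$dir" -type f ! \( -group "$group" -perm 660 \) \
            -printf "WARNING: file %p has group %g mode %m (want $group 660)\n"
        find "$dir" -type d ! \( -group "$group" -perm 2770 \) \
            -printf "WARNING: directory %p has group %g mode %m (want $group 2770)\n"
    } )
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad" >&2
    return 1
}

# Repair: set modes per file type instead of one recursive chmod, so directories
# keep their execute bit. Files owned by another user cannot be changed by this
# user and are still reported by the final check.
fix_deployment_perms() {
    dir=$1
    group=$2
    chgrp -R "$group" "$dir"
    find "$dir" -type d -exec chmod 2770 {} +
    find "$dir" -type f -exec chmod 660 {} +
    check_deployment_perms "$dir" "$group"
}
```

Called from a start script as `check_deployment_perms "$DEPLOYMENT_DATA" demo`, it only warns; the keyup wrapper would call `fix_deployment_perms` after the keyup command.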
This "task" has no context.

> Deployed keys

Deployed where?

> should be assigned to the 'demo' group

Well that's probably on taler.net right? Okay, and this is something root user can do.

> and only have read/write permissions.

For the group only?

> The attached script addresses this

What script?

> should be applied and tested.

Applied in what context? As in, by which user on which server? This may be answered by answering the above.

Deployed on taler.net, using the scripts in deployment.git/bin/, which for the demo are (to be) run manually following the procedure in the onboarding/developer manual as per the demo upgrade procedure, which is documented here: https://docs.taler.net/developers-manual.html#demo-upgrade-procedure

I've already fixed this out of necessity while doing a new demo deployment about 3 days ago: https://git.taler.net/deployment.git/commit/?id=1889794f88dac0cac98da7d180a617f8750b1091
Date Modified | Username | Field | Change |
---|---|---|---|
2019-12-23 15:42 | Marcello Stanisci | New Issue | |
2019-12-23 15:42 | Marcello Stanisci | File Added: permissions.diff | |
2019-12-23 15:42 | Marcello Stanisci | Priority | normal => high |
2019-12-24 00:33 | Christian Grothoff | Note Added: 0015217 | |
2020-04-01 16:28 | Christian Grothoff | Assigned To | => buckE |
2020-04-01 16:28 | Christian Grothoff | Status | new => assigned |
2020-04-10 10:58 | Florian Dold | Note Added: 0015609 | |
2020-05-11 09:12 | buckE | Note Added: 0015880 | |
2020-05-11 09:55 | Christian Grothoff | Note Added: 0015883 | |
2020-05-11 11:23 | Florian Dold | Assigned To | buckE => Florian Dold |
2020-05-11 11:23 | Florian Dold | Status | assigned => confirmed |
2020-05-11 11:23 | Florian Dold | Note Added: 0015884 | |
2020-05-11 11:24 | Florian Dold | Status | confirmed => resolved |
2020-05-11 11:24 | Florian Dold | Resolution | open => fixed |
2020-07-24 11:56 | Christian Grothoff | Target Version | => 0.8 |
2020-07-24 11:56 | Christian Grothoff | Fixed in Version | => 0.8 |
2021-08-24 16:23 | Christian Grothoff | Status | resolved => closed |