View Issue Details

ID: 0006008
Project: Taler
Category: deployment and operations
View Status: public
Last Update: 2020-05-11 11:24
Reporter: Marcello Stanisci
Assigned To: Florian Dold
Priority: high
Severity: minor
Reproducibility: have not tried
Status: resolved
Resolution: fixed
Product Version / Target Version / Fixed in Version: (empty)
Summary: 0006008: fix permissions on keys for blue/green demo setup

Description: Deployed keys should be assigned to the 'demo' group and only have read/write permissions.
The attached script addresses this; should be applied and tested.

Tags: No tags attached.

Activities

Marcello Stanisci (manager), 2019-12-23 15:42
Attachment: permissions.diff (3,463 bytes)
diff --git a/bin/taler-deployment-keyup b/bin/taler-deployment-keyup
index 76de9c3..45f99f8 100755
--- a/bin/taler-deployment-keyup
+++ b/bin/taler-deployment-keyup
@@ -15,6 +15,7 @@ if ! test -f $HOME/.config/taler.conf; then
   exit 1
 fi
 
+DEPLOYMENT_DATA=$(taler-config -s paths -o taler_deployment_data -f)
 DATESALT=$(date +%s%N)
 AUDITOR_REQUEST_DIR=$(taler-config -s exchangedb -o auditor_inputs -f)
 AUDITOR_BASE_DIR=$(taler-config -s exchangedb -o auditor_base_dir -f)
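Review bot: DEPLOYMENT_DATA is assigned here but never checked, and the last hunk of this diff runs `chmod -R 660 $DEPLOYMENT_DATA/`; if `taler-config -s paths -o taler_deployment_data -f` prints nothing (option unset, or taler-config failing), that later line expands to `chmod -R 660 /`. Abort right after the assignment when the value is empty, e.g. `test -n "$DEPLOYMENT_DATA" || { echo "taler_deployment_data not set" >&2; exit 1; }`, and quote the variable wherever it is expanded.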
@@ -33,53 +34,52 @@ MERCHANT_TALER_PRIV=$(taler-config -s instance-Taler -o keyfile -f)
 MERCHANT_FSF_PRIV=$(taler-config -s instance-FSF -o keyfile -f)
 MERCHANT_GNUNET_PRIV=$(taler-config -s instance-GNUnet -o keyfile -f)
 
+
+# NOTE: all the steps below will only work IF /home/demo/taler-data/
+# allows already writes from the demo group.  And that it is not (yet?)
+# automated.
+chmod g+s $DEPLOYMENT_DATA/
+
 # Deploying merchant tip-reserve priv.
 if ! test -f $MERCHANT_TIP_RESERVE_PRIV ; then
   mkdir -p $(dirname $MERCHANT_TIP_RESERVE_PRIV)
   cp $HOME/deployment/private-keys/default-tip.priv $MERCHANT_TIP_RESERVE_PRIV
-  chmod 440 $MERCHANT_TIP_RESERVE_PRIV
 fi
 
 # Deploying merchant default priv.
 if ! test -f $MERCHANT_DEFAULT_PRIV ; then
   mkdir -p $(dirname $MERCHANT_DEFAULT_PRIV)
   cp $HOME/deployment/private-keys/default.priv $MERCHANT_DEFAULT_PRIV
-  chmod 440 $MERCHANT_DEFAULT_PRIV
 fi
 
 # Deploying merchant tutorial priv.
 if ! test -f $MERCHANT_TUTORIAL_PRIV ; then
   mkdir -p $(dirname $MERCHANT_TUTORIAL_PRIV)
   cp $HOME/deployment/private-keys/tutorial.priv $MERCHANT_TUTORIAL_PRIV
-  chmod 440 $MERCHANT_TUTORIAL_PRIV
 fi
 
 # Deploying merchant Tor priv.
 if ! test -f $MERCHANT_TOR_PRIV ; then
   mkdir -p $(dirname $MERCHANT_TOR_PRIV)
   cp $HOME/deployment/private-keys/tor.priv $MERCHANT_TOR_PRIV
-  chmod 440 $MERCHANT_TOR_PRIV
 fi
 
 # Deploying merchant Taler priv.
 if ! test -f $MERCHANT_TALER_PRIV ; then
   mkdir -p $(dirname $MERCHANT_TALER_PRIV)
   cp $HOME/deployment/private-keys/taler.priv $MERCHANT_TALER_PRIV
-  chmod 440 $MERCHANT_TALER_PRIV
 fi
 
 # Deploying merchant FSF priv.
 if ! test -f $MERCHANT_FSF_PRIV ; then
   mkdir -p $(dirname $MERCHANT_FSF_PRIV)
   cp $HOME/deployment/private-keys/fsf.priv $MERCHANT_FSF_PRIV
-  chmod 440 $MERCHANT_FSF_PRIV
 fi
 
 # Deploying merchant GNUnet priv.
 if ! test -f $MERCHANT_GNUNET_PRIV ; then
   mkdir -p $(dirname $MERCHANT_GNUNET_PRIV)
   cp $HOME/deployment/private-keys/gnunet.priv $MERCHANT_GNUNET_PRIV
-  chmod 440 $MERCHANT_GNUNET_PRIV
 fi
 
 
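Review bot: `chmod g+s $DEPLOYMENT_DATA/` only makes files created afterwards inherit the directory's group; it changes neither the group nor the write bits of anything already in the tree, and the NOTE above it concedes that the group-writable precondition is not automated. Make that precondition a check the script enforces (`test -w "$DEPLOYMENT_DATA" || exit 1`, or the `chgrp` itself where the script has the rights) rather than a comment. Removing the `chmod 440` after each `cp` also means every copied .priv keeps whatever mode `cp` gives it (source mode masked by the umask) until the recursive chmod at the very end of the script, so a failure anywhere in between leaves the keys at that mode; set the intended mode directly after each `cp` instead.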
@@ -87,14 +87,12 @@ fi
 if ! test -f $EXCHANGE_PRIV ; then
   mkdir -p $(dirname $EXCHANGE_PRIV)
   cp $HOME/deployment/private-keys/${TALER_ENV_NAME}-exchange-master.priv $EXCHANGE_PRIV
-  chmod 440 $EXCHANGE_PRIV
 fi
 
 # Deploying Auditor's priv.
 if ! test -f $AUDITOR_PRIV; then
   mkdir -p $(dirname $AUDITOR_PRIV)
   cp $HOME/deployment/private-keys/auditor.priv $AUDITOR_PRIV
-  chmod 440 $AUDITOR_PRIV
 fi
 
 mkdir -p $AUDITOR_REQUEST_DIR
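Review bot: Between these two `cp` lines and the recursive chmod at the end of the script the script still runs `taler-exchange-keyup` and `taler-auditor-exchange`; if either fails, the exchange master key and the auditor key stay at the mode `cp` gave them. These are the most sensitive keys the script touches, so apply the intended mode immediately after each copy rather than relying on the final pass.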
@@ -104,9 +102,6 @@ taler-exchange-keyup \
 
 # or-ing with true as user A won't be able to
 # change permissions for user B's files.
-chmod -R 440 $EXCHANGE_LIVE_KEYS/* || true
-
-chmod -R 440 $EXCHANGE_WIREFEES/* || true
 
 taler-auditor-exchange \
   -m $EXCHANGE_PUB \
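Review bot: The comment `# or-ing with true as user A won't be able to` / `# change permissions for user B's files.` now describes commands that no longer exist; remove it together with the two `chmod -R 440 ... || true` lines, or move it next to whatever replaces them. Note also that the deleted lines covered $EXCHANGE_LIVE_KEYS and $EXCHANGE_WIREFEES specifically, and whether the new recursive chmod at the end reaches both depends on those paths living under $DEPLOYMENT_DATA, which this diff does not show.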
@@ -129,3 +124,5 @@ if [[ -s $AUDITOR_REQUEST_DIR/auditor_request-${DATESALT} ]]; then
     -o "$AUDITOR_BASE_DIR/$DATESALT" \
     -c ${HOME}/.config/taler.conf
 fi
+
+chmod -R 660 $DEPLOYMENT_DATA/
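Review bot: `chmod -R 660` on a directory tree clears the execute bit of every directory, after which nobody, the owner included, can traverse them (this is exactly the failure reported in the first reply below). Apply modes per file type instead: `find "$DEPLOYMENT_DATA" -type d -exec chmod 2770 {} +` for directories (keeping the setgid bit the earlier hunk sets) and `find "$DEPLOYMENT_DATA" -type f -exec chmod 660 {} +` for the key files. The unquoted, possibly empty variable with a trailing `/` is the second hazard on this line.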

Christian Grothoff (manager), 2019-12-24 00:33, note 0015217

The chmod -R was pretty fatal: it removed -x from directories... Also, 440 is not ok, as some of our tools like to open for writing and fail if they cannot (possibly unnecessarily so, but that's another issue for later!).

Florian Dold (manager), 2020-04-10 10:58, note 0015609

There should be two parts to this fix:

* alias taler-exchange-keyup in ~/activate to something that first runs the keyup command and then fixes up permissions
* add some logic in taler-deployment-start to check if the permissions are correct, and then give a nice warning
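A shell sketch of both parts of that plan (the permission check that a start script could run, and the per-type repair that a keyup wrapper could run afterwards), added here as an example; it is not code from deployment.git. The target modes are an assumption drawn from the thread: key files 660, directories 2770 (group rwx plus the setgid bit the diff sets), everything owned by the deployment group (`demo` on the real setup); it needs GNU or busybox `stat -c`, and the test tree it builds is constructed, not a real deployment.

```shell
#!/bin/sh
# Added example, not deployment.git code.  Assumed target layout: files 660,
# directories 2770, all owned by the deployment group (name or numeric gid).

# perm_problems DIR GROUP: one line per path whose group or mode is wrong.
perm_problems() {
    dir=$1; want=$2
    find "$dir" -print | while IFS= read -r path; do
        set -- $(stat -c '%a %g %G' "$path")   # octal mode, numeric gid, group name
        [ "$2" = "$want" ] || [ "$3" = "$want" ] || echo "$path: group $3, expected $want"
        if [ -d "$path" ]; then
            [ "$1" = 2770 ] || echo "$path: directory mode $1, expected 2770"
        else
            [ "$1" = 660 ] || echo "$path: file mode $1, expected 660"
        fi
    done
}

# check_key_perms DIR GROUP: the "nice warning" half; 0 when everything is
# as expected, 1 with the offending paths on stderr otherwise.
check_key_perms() {
    problems=$(perm_problems "$1" "$2")
    [ -z "$problems" ] && return 0
    printf 'WARNING: key permissions under %s need fixing:\n%s\n' "$1" "$problems" >&2
    return 1
}

# fix_key_perms DIR GROUP: the repair half.  chmod per type, so directories
# keep their x bit (a plain chmod -R 660 strips it and the tree becomes
# untraversable, which is what the thread reports).
fix_key_perms() {
    chgrp -R "$2" "$1" &&
    find "$1" -type d -exec chmod 2770 {} + &&
    find "$1" -type f -exec chmod 660 {} +
}

# make_demo_tree: constructed stand-in for the deployment data directory,
# with one key at the old over-strict 440 and one at a umask-default 644.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir "$d/exchange" "$d/merchant"
    echo 'constructed key material, not a real key' > "$d/exchange/master.priv"
    echo 'constructed key material, not a real key' > "$d/merchant/default.priv"
    chmod 440 "$d/exchange/master.priv"
    chmod 644 "$d/merchant/default.priv"
    echo "$d"
}

if [ "${1:-}" = "--demo" ]; then   # sh keyperms.sh --demo: check, fix, re-check
    d=$(make_demo_tree); g=$(id -g)
    check_key_perms "$d" "$g" || fix_key_perms "$d" "$g" && check_key_perms "$d" "$g" && echo "ok: $d"
fi
```

On the real setup the group argument would be `demo` and the directory the one `taler-config -s paths -o taler_deployment_data -f` returns.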

buckE (developer), 2020-05-11 09:12, note 0015880

This "task" has no context.

> Deployed keys

Deployed where?

> should be assigned to the 'demo' group

Well that's probably on taler.net right? Okay, and this is something root user can do.

> and only have read/write permissions.

For the group only?

> The attached script addresses this

What script?

> should be applied and tested.

Applied in what context? As in, by which user on which server? This may be answered by answering the above.

Christian Grothoff (manager), 2020-05-11 09:55, note 0015883

Deployed on taler.net, using the scripts in deployment.git/bin/, which for the demo are (to be) run manually following the procedure in the onboarding/developer manual as per the demo upgrade procedure, which is documented here:
https://docs.taler.net/developers-manual.html#demo-upgrade-procedure

Florian Dold (manager), 2020-05-11 11:23, note 0015884

I've already fixed this out of necessity while doing a new demo deployment about 3 days ago:

https://git.taler.net/deployment.git/commit/?id=1889794f88dac0cac98da7d180a617f8750b1091

Issue History

Date Modified Username Field Change
2019-12-23 15:42 Marcello Stanisci New Issue
2019-12-23 15:42 Marcello Stanisci File Added: permissions.diff
2019-12-23 15:42 Marcello Stanisci Priority normal => high
2019-12-24 00:33 Christian Grothoff Note Added: 0015217
2020-04-01 16:28 Christian Grothoff Assigned To => buckE
2020-04-01 16:28 Christian Grothoff Status new => assigned
2020-04-10 10:58 Florian Dold Note Added: 0015609
2020-05-11 09:12 buckE Note Added: 0015880
2020-05-11 09:55 Christian Grothoff Note Added: 0015883
2020-05-11 11:23 Florian Dold Assigned To buckE => Florian Dold
2020-05-11 11:23 Florian Dold Status assigned => confirmed
2020-05-11 11:23 Florian Dold Note Added: 0015884
2020-05-11 11:24 Florian Dold Status confirmed => resolved
2020-05-11 11:24 Florian Dold Resolution open => fixed