apt-dater -- File Permission under etc/apt/apt.conf.d/

  • Hi Nuxwin,


    With the installation of i-MSCP you add 2 files (90imscp, 01norecommend) under the folder /apt/apt.conf.d/.
    The permission is 640. But with this permission my central updater (apt-dater) does not work.
    I got permission denied every time. After chmod 644 everything works fine.
    Is the 640 needed?


    Every other file in this folder has the permission 644.


    Sascha

  • @TheCry


    Hmm.. The software expects world-readable conffiles? Is there no way to sudo?


    umask 027 is part of our policy hardening. I'll investigate to see if there is another way to handle access for the apt-dater user (or group) without making those files world-readable. I'm sure there is a way because in some distros, all conffiles are set with umask 027.


    @TheCry


    I just tested. There is a simple fix ;) I'll post the howto in a few minutes.


    @TheCry


    From my point of view, there is a bug in the current apt-dater-host perl script. It seems that not all commands are run through sudo when they are expected to be. Below comes a workaround for this issue:


    On your target hosts, you should have the following file: /etc/sudoers.d/apt-dater-host which should look as follows:


    Shell-Script
    # apt-dater-host sudoers.d config file
    # ------------------------------------
    #
    # Please consider a look at /etc/sudoers.d/README howto enable this file.
    #
    # Keep apt-dater's MAINTAINER environment variable
    Defaults env_keep += MAINTAINER
    # Allow members of group adm to execute the apt-get command
    %adm ALL=NOPASSWD: /usr/bin/apt-get,/usr/sbin/needrestart

    You must add the /usr/bin/apt-dater-host command to the list of allowed commands:

    Shell-Script
    # apt-dater-host sudoers.d config file
    # ------------------------------------
    #
    # Please consider a look at /etc/sudoers.d/README howto enable this file.
    #
    # Keep apt-dater's MAINTAINER environment variable
    Defaults env_keep += MAINTAINER
    # Allow members of group adm to execute the apt-get command
    %adm ALL=NOPASSWD: /usr/bin/apt-dater-host,/usr/bin/apt-get,/usr/sbin/needrestart

    Then, on the updater (server from which you run apt-dater), you should have a file such as /home/nuxwin/.config/apt-dater/apt-dater.conf


    You must prepend the apt-dater-host command with sudo:

    Shell-Script
    ...
    [Commands]
    CmdRefresh=apt-dater-host refresh
    CmdUpgrade=apt-dater-host upgrade
    CmdInstall=apt-dater-host install %s
    ...

    must become:

    Code
    ...
    [Commands]
    CmdRefresh=sudo apt-dater-host refresh
    CmdUpgrade=sudo apt-dater-host upgrade
    CmdInstall=sudo apt-dater-host install %s
    ...

    Result: [screenshot: apt-dater.png]


    Note that I'll report the problem to the project maintainer.

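Added example, not part of the thread and not i-MSCP or apt-dater code: a shell audit for the situation discussed above, where files created under umask 027 land in the apt configuration directory with mode 640 and an unprivileged updater account gets permission denied. The function names and the scratch directory are assumptions made for the illustration, and 70debconf is a constructed stand-in for an existing 644 file.

```shell
#!/bin/sh
# Added example: find apt conffiles that a non-root account cannot read.

# List regular files directly inside DIR that lack the "other" read bit.
# DIR defaults to the directory named in the thread title.
unreadable_conffiles() {
    dir=${1:-/etc/apt/apt.conf.d}
    find "$dir" -maxdepth 1 -type f ! -perm -004 | sort
}

# Create FILE under the given umask inside a subshell, so the caller's own
# umask is left untouched. New files start from mode 666, so umask 027
# yields 640 and umask 022 yields 644.
create_with_umask() {
    mask=$1
    file=$2
    ( umask "$mask" && : > "$file" )
}

# Constructed sample: a scratch directory standing in for apt.conf.d, with
# one file created under the usual 022 umask and the two files named in the
# thread created under the hardened 027 umask.
demo() {
    tmp=$(mktemp -d) || return 1
    create_with_umask 022 "$tmp/70debconf"
    create_with_umask 027 "$tmp/01norecommend"
    create_with_umask 027 "$tmp/90imscp"
    # Print only the file names of the entries flagged by the audit.
    unreadable_conffiles "$tmp" | sed "s|^$tmp/||"
    rm -rf "$tmp"
}

demo
```

Run with no argument, `unreadable_conffiles` inspects /etc/apt/apt.conf.d on the host itself; any path it prints is a file the apt-dater account can only reach through sudo or group membership.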

  • @TheCry


    See also: https://github.com/DE-IBH/apt-dater/issues/133


    Of course, I'll relax the permissions policy on the /etc/apt/apt.conf.d/* files in version 1.5.2 to simplify your life.


  • A fix has been added in our development branch. See https://github.com/i-MSCP/imsc…d9dd1b768409b0c44f44fb193
    This fix will be part of the next release.


    Thank you for your report.
    Thread closed.
