Edgewall Software
Modify

Opened 16 years ago

Closed 16 years ago

Last modified 15 years ago

#8367 closed defect (fixed)

TracError: The user root requires read _and_ write permission to the database file

Reported by: JoelKoglin@… Owned by: Christian Boos
Priority: normal Milestone: 0.11.5
Component: web frontend/mod_python Version: 0.11.2
Severity: normal Keywords:
Cc: Branch:
Release Notes:
API Changes:
Internal Changes:

Description (last modified by Christian Boos)

Traceback (most recent call last):
  File "/usr/lib/python2.5/site-packages/trac/web/api.py", line 367, in send_error
    'text/html')
  File "/usr/lib/python2.5/site-packages/trac/web/chrome.py", line 688, in render_template
    data = self.populate_data(req, data)
  File "/usr/lib/python2.5/site-packages/trac/web/chrome.py", line 596, in populate_data
    d['chrome'].update(req.chrome)
  File "/usr/lib/python2.5/site-packages/trac/web/api.py", line 194, in __getattr__
    value = self.callbacks[name](self)
  File "/usr/lib/python2.5/site-packages/trac/web/chrome.py", line 464, in prepare_request
    for category, name, text in contributor.get_navigation_items(req):
  File "/usr/lib/python2.5/site-packages/trac/ticket/web_ui.py", line 162, in get_navigation_items
    if 'TICKET_CREATE' in req.perm:
  File "/usr/lib/python2.5/site-packages/trac/perm.py", line 523, in has_permission
    return self._has_permission(action, resource)
  File "/usr/lib/python2.5/site-packages/trac/perm.py", line 537, in _has_permission
    check_permission(action, perm.username, resource, perm)
  File "/usr/lib/python2.5/site-packages/trac/perm.py", line 424, in check_permission
    perm)
  File "/usr/lib/python2.5/site-packages/trac/perm.py", line 282, in check_permission
    get_user_permissions(username)
  File "/usr/lib/python2.5/site-packages/trac/perm.py", line 357, in get_user_permissions
    for perm in self.store.get_user_permissions(username):
  File "/usr/lib/python2.5/site-packages/trac/perm.py", line 173, in get_user_permissions
    db = self.env.get_db_cnx()
  File "/usr/lib/python2.5/site-packages/trac/env.py", line 264, in get_db_cnx
    return DatabaseManager(self).get_connection()
  File "/usr/lib/python2.5/site-packages/trac/db/api.py", line 76, in get_connection
    return self._cnx_pool.get_cnx(self.timeout or None)
  File "/usr/lib/python2.5/site-packages/trac/db/pool.py", line 174, in get_cnx
    return _backend.get_cnx(self._connector, self._kwargs, timeout)
  File "/usr/lib/python2.5/site-packages/trac/db/pool.py", line 107, in get_cnx
    cnx = connector.get_connection(**kwargs)
  File "/usr/lib/python2.5/site-packages/trac/db/sqlite_backend.py", line 126, in get_connection
    return SQLiteConnection(path, params)
  File "/usr/lib/python2.5/site-packages/trac/db/sqlite_backend.py", line 168, in __init__
    % (getuser(), path))

TracError: The user root requires read _and_ write permission to the database file /var/lib/trac/ncix/db/trac.db and the directory it is located in.

the file is owned by root and apache as the group permissions are 0664

/var/lib/trac/ncix/db folders are world read and executable

running on gentoo

Portage 2.1.6.13 (hardened/linux/x86/2008.0, gcc-3.4.6, glibc-2.9_p20081201-r0, 2.6.18-xen-r12 i686)
=================================================================
System uname: Linux-2.6.18-xen-r12-i686-Intel-R-_Pentium-R-_4_CPU_2.40GHz-with-glibc2.3.2
Timestamp of tree: Sat, 06 Jun 2009 20:20:01 +0000
app-shells/bash:     3.2_p39
dev-java/java-config: 2.1.7
dev-lang/python:     2.4.4-r6, 2.5.4-r2
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 1.12.11.1
sys-apps/sandbox:    1.6-r2
sys-devel/autoconf:  2.63
sys-devel/automake:  1.7.9-r1, 1.10.2
sys-devel/binutils:  2.18-r3
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   1.5.26
virtual/os-headers:  2.6.27-r2
ACCEPT_KEYWORDS="x86"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=pentium4 -O2 -pipe -fomit-frame-pointer -mno-tls-direct-seg-refs"
CHOST="i686-pc-linux-gnu"

apps

www-servers/apache-2.2.11
www-apps/trac-0.11.2
dev-lang/python-2.5.4-r2
www-apache/mod_python-3.3.1-r1

running apache modules

core worker http_core mod_so mod_actions mod_alias mod_auth_basic mod_authn_alias mod_authn_anon mod_authn_dbm mod_authn_default mod_authn_file mod_authz_dbm mod_authz_default mod_authz_groupfile mod_authz_host mod_authz_owner mod_authz_user mod_autoindex mod_cgid mod_deflate mod_dir mod_env mod_expires mod_ext_filter mod_filter mod_headers mod_include mod_info mod_log_config mod_logio mod_mime mod_mime_magic mod_negotiation mod_rewrite mod_setenvif mod_speling mod_unique_id mod_usertrack mod_vhost_alias mod_python mod_php5

Attachments (1)

getuser-uses-geteuid-r8262.diff (2.4 KB ) - added by Christian Boos 16 years ago.
Fix display of the user name in the system permission error message

Download all attachments as: .zip

Change History (14)

in reply to:  description ; comment:1 by Christian Boos, 16 years ago

Description: modified (diff)

Replying to JoelKoglin@…:

… and the directory it is located in.

Did you also verify that?

in reply to:  1 ; comment:2 by anonymous, 16 years ago

Replying to cboos:

Replying to JoelKoglin@…:

… and the directory it is located in.

Did you also verify that?

All directories from / to /var/lib/trac/ncix/db are globally read and executable drwxr-xr-x 16 root root 4096 Jun 6 12:06 var drwxr-xr-x 24 root root 4096 Jun 9 12:33 lib drwxr-xr-x 4 root apache 61 Jun 9 14:05 trac drwxr-xr-x 9 root apache 140 Jun 9 14:16 ncix drwxr-xr-x 2 root apache 20 Jun 9 12:49 db -rw-rw-r— 1 root apache 348160 Jun 9 12:49 trac.db

in reply to:  2 comment:3 by anonymous, 16 years ago

Replying to anonymous:

Replying to cboos: Replying to JoelKoglin@…:

… and the directory it is located in.

Did you also verify that?

All directories from / to /var/lib/trac/ncix/db are globally read and executable
drwxr-xr-x 16 root root 4096 Jun 6 12:06 var
drwxr-xr-x 24 root root 4096 Jun 9 12:33 lib
drwxr-xr-x 4 root apache 61 Jun 9 14:05 trac
drwxr-xr-x 9 root apache 140 Jun 9 14:16 ncix
drwxr-xr-x 2 root apache 20 Jun 9 12:49 db
-rw-rw-r— 1 root apache 348160 Jun 9 12:49 trac.db

(sorry im a little new to wiki formatting and I forgot to preview)

comment:4 by Christian Boos, 16 years ago

Description: modified (diff)
Milestone: 0.11.5
Owner: set to Christian Boos
Status: newassigned

Well, the message said "read _and_ write permission to … and the directory it is located in.".

Please try setting +gw to /var/lib/trac/ncix/db.

If that works, the question would be why did we show "root" instead of "apache". getpass.getuser seems to be the wrong way.

by Christian Boos, 16 years ago

Fix display of the user name in the system permission error message

comment:5 by Christian Boos, 16 years ago

If you don't mind, before fixing the permissions, you could test the patch above.

in reply to:  5 ; comment:6 by anonymous, 16 years ago

Replying to cboos:

If you don't mind, before fixing the permissions, you could test the patch above.

I applied the patch and deleted respective pyc files before chmod g+w and got the same error as above.
after adding g+w to the containing directory it worked (i think… no python errors anyways)
I will clean and reemerge trac to test it unpatched with the proper directory permissions to see if it was the patch, the new directory permissions or both that fixed the problem.

Thanks cboos

in reply to:  6 ; comment:7 by Christian Boos, 16 years ago

Replying to anonymous:

Replying to cboos:

If you don't mind, before fixing the permissions, you could test the patch above.

I applied the patch and deleted respective pyc files before chmod g+w and got the same error as above.

Exact same? I was expecting you to see:

The user apache requires read _and_ write permissions to the database file

Note that if you see "permission" instead of "permissions", it's still the unpatched code running…

/var/lib/trac/ncix/db/trac.db and the directory it is located in.

in reply to:  7 ; comment:8 by anonymous, 16 years ago

Replying to cboos:

Replying to anonymous:

Replying to cboos:

If you don't mind, before fixing the permissions, you could test the patch above.

I applied the patch and deleted respective pyc files before chmod g+w and got the same error as above.

Exact same? I was expecting you to see:

The user apache requires read _and_ write permissions to the database file

Note that if you see "permission" instead of "permissions", it's still the unpatched code running…

/var/lib/trac/ncix/db/trac.db and the directory it is located in.

unfortunately I already reinstalled. I ran

chown -R root:apache /var/lib/trac
chmod -R 775 /var/lib/trac

and after doing so it worked. Is the ncix folder created when i execute "tracadmin /var/lib/trac/ncix initenv"? Is it then a bug in tracadmin that creates the folder with the wrong permissions?

in reply to:  8 ; comment:9 by Christian Boos, 16 years ago

Replying to anonymous:

The user apache requires read _and_ write permissions to the database file

unfortunately I already reinstalled.

Maybe you can still find that message in your var/lib/trac/ncix/log/trac.log file?

Is the ncix folder created when i execute "tracadmin /var/lib/trac/ncix initenv"? Is it then a bug in tracadmin that creates the folder with the wrong permissions?

Well, trac-admin has no chance to know how you're going to use your environment, which web-frontend and what effective user will be used… So it creates the environment and sets the permissions for the current user (e.g. root).

in reply to:  9 ; comment:10 by anonymous, 16 years ago

Replying to cboos:

Replying to anonymous:

The user apache requires read _and_ write permissions to the database file

unfortunately I already reinstalled.

Maybe you can still find that message in your var/lib/trac/ncix/log/trac.log file?

Is the ncix folder created when i execute "tracadmin /var/lib/trac/ncix initenv"? Is it then a bug in tracadmin that creates the folder with the wrong permissions?

Well, trac-admin has no chance to know how you're going to use your environment, which web-frontend and what effective user will be used… So it creates the environment and sets the permissions for the current user (e.g. root).

I reinstalled to test what fixed the problem. That file was erased when I cleaned trac off my system.

Thanks for helping me with this

in reply to:  10 comment:11 by Christian Boos, 16 years ago

Replying to anonymous:

Replying to cboos:

Maybe you can still find that message in your var/lib/trac/ncix/log/trac.log file?

I reinstalled to test what fixed the problem. That file was erased when I cleaned trac off my system.

Too bad… I guess I have to test by myself then ;-) Patch committed as [8264].

comment:12 by Christian Boos, 16 years ago

Resolution: fixed
Status: assignedclosed

Fix now tested on Linux and confirmed to work.

comment:13 by mjt@…, 15 years ago

If you're running SELinux in enforcing mode ("cat /selinux/enforce" to find out) you may need to check system logs for "setroubleshoot" entries. Run any "sealert" command given in the logs for an explanation of what happened and a suggestion for a fix.

What worked for me on Fedora 12 was:

chcon -t httpd_var_lib_t /var/lib/trac/myproject/db/trac.db

Modify Ticket

Change Properties
Set your email in Preferences
Action
as closed The owner will remain Christian Boos.
The resolution will be deleted. Next status will be 'reopened'.
to The owner will be changed from Christian Boos to the specified user.

Add Comment


E-mail address and name can be saved in the Preferences .
 
Note: See TracTickets for help on using tickets.