keystone user should not have a primary group of nogroup

Bug #941905 reported by Andrew Glen-Young
This bug affects 1 person
Affects: keystone (Ubuntu)
Status: Fix Released
Importance: Medium
Assigned to: Unassigned

Bug Description

The keystone package creates a keystone user whose primary (and only) group membership is 'nogroup'. This results in files/directories created by the keystone user having 'nogroup' group ownership. This is considered a bad thing.

The keystone user should have its primary group set to 'keystone'.

I am currently using Precise and keystone-light, however the current keystone package seems to be affected as well.

$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=12.04
DISTRIB_CODENAME=precise
DISTRIB_DESCRIPTION="Ubuntu precise (development branch)"

$ apt-cache madison keystone
  keystone | 2012.1+git201202210954-0ubuntu1 | http://ppa.launchpad.net/openstack-ubuntu-testing/openstack-ksl-testing/ubuntu/ precise/main amd64 Packages
  keystone | 2012.1~e4~20120203.1574-0ubuntu3 | http://archive.ubuntu.com/ubuntu/ precise/universe amd64 Packages

I have attached a patch for keystone-light which should fix the problem (liberally cribbed from the nova packages).

--- Tests ---

$ id keystone
uid=112(keystone) gid=65534(nogroup) groups=65534(nogroup)

$ getent passwd keystone
keystone:x:112:65534::/var/lib/keystone:/bin/false

$ getent group keystone
keystone:x:119:

Tags: patch
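
The check below is an added example, not the patch attached to this report and not code from the keystone packaging. It scans passwd/group-format data for accounts in the state shown under "Tests" (primary gid 65534 while a same-named group exists) and prints a remediation plan; the function names, the nobody/nogroup/nova sample lines and the suggested `usermod`/`chgrp` commands are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag accounts whose primary group is the shared 'nogroup'
# although a group named after the account exists (the state in this report).

NOGROUP_GID=65534   # gid of 'nogroup' in the `id keystone` output above

# find_nogroup_accounts PASSWD_FILE GROUP_FILE
# Prints "user dedicated_gid home" for each affected account.
find_nogroup_accounts() {
    awk -F: -v nogid="$NOGROUP_GID" '
        FILENAME == ARGV[1] { gid_of[$1] = $3; next }   # group database
        $4 == nogid && ($1 in gid_of) && gid_of[$1] != nogid {
            print $1, gid_of[$1], $6
        }
    ' "$2" "$1"
}

# remediation_plan PASSWD_FILE GROUP_FILE
# Prints (does not run) the commands that move each account to its own group
# and re-own files it already created under its home directory.
remediation_plan() {
    find_nogroup_accounts "$1" "$2" | while read -r user gid home; do
        echo "usermod -g $user $user"
        echo "find $home -xdev -user $user -group nogroup -exec chgrp $user {} +"
    done
}

# Constructed sample data: the keystone lines are from the report, the
# nobody/nogroup/nova lines are made up for contrast.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/passwd" <<'EOF'
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
keystone:x:112:65534::/var/lib/keystone:/bin/false
nova:x:113:120::/var/lib/nova:/bin/false
EOF
    cat > "$tmp/group" <<'EOF'
nogroup:x:65534:
keystone:x:119:
nova:x:120:
EOF
    remediation_plan "$tmp/passwd" "$tmp/group"
    rm -rf "$tmp"
}

demo
```

On a live host, feed it the output of `getent passwd` and `getent group` saved to two files. Any other service sharing 'nogroup' as its primary group can access files that are group-owned by 'nogroup', which is why the plan also re-owns files the account has already created.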
Andrew Glen-Young (aglenyoung) wrote :

New patch attached. Removes my redundant setting of permissions on files/directories.

Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "keystone-group.patch" of this bug report has been identified as being a patch. The ubuntu-reviewers team has been subscribed to the bug report so that they can review the patch. In the event that this is in fact not a patch you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are a member of the ubuntu-reviewers team please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

tags: added: patch
Changed in keystone (Ubuntu):
importance: Undecided → Medium
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package keystone - 2012.1~e4-0ubuntu1

---------------
keystone (2012.1~e4-0ubuntu1) precise; urgency=low

  [ Chuck Short ]
  * New upstream release.
  * debian/keystone.upstart: Update for ksl.
  * debian/control: Add python-keystoneclient as dependency.
  * debian/control: Fix typo.
  * debian/keystone.postinst: Update due to redux branch change.
  * debian/keystone.templates, debian/keystone.preinst, debian/kestone.postinst,
    debian/keystone.config, debian/README.Debian: Make keystone installation
    less interactive. (LP: #931236)
  * debian/keystone.postinst: Don't create users or run a database sync
    since its not working correctly.
  * debian/control: Dropped python-coverage and python-nosexcover.
  * debian/changelog: Fixed changelog.
  * debian/keystone.templates: Set it to false.
  * debian/control: Fix lintian warnings.
  * debian/patches/keystone-auth.patch: Backport auth token improvements,
    this can be dropped in the next snapshot.
  * debian/control: Add python-memcache as a build dependency.
  * debian/keystone-doc.docs: Fix keystone doc builds.
  * debian/rules: Temporarily disable doc install.
  * debian/control: Add python-ldap and python-lxml.

  [ Joseph Heck ]
  * debian/control: Dropped python-cli.

  [ Adam Gandelman ]
  * debian/control: Alphabetize python depends
  * debian/control: Add python-{eventlet, greenlet, passlib} to keystone
    depends
  * debian/control: Add python-lxml to python-keystone Depends
  * Drop 0001-Fix-keystone-all-failure-to-start.patch
  * debian/logging.conf: Temporarily use old logging.conf until upstream
    ships something usable
  * debain/patches/sql_connection.patch: Switch backends to use SQL backends
  * debian/keystone.preinst: Create directories
  * debian/keystone.postinst: Remove create_users stuff, add call to 'db_sync'
    on install

  [ Dave Walker ]
  * debian/patches/sql_connection.patch: Refreshed and reintroduced DEP-3
    headers.
  * debian/control: Added Vcs-Bzr field.

  [ Andrew Glen-Young ]
  * debian/keystone.preinst: Set the primary group to keystone. (LP: #941905)
 -- Chuck Short <email address hidden> Fri, 02 Mar 2012 09:55:24 -0500

Changed in keystone (Ubuntu):
status: New → Fix Released