Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Not A Bug
    • Affects Version/s: 2.2.0
    • Fix Version/s: 3.0.0
    • Component/s: con.hive
    • Labels:
    • Environment:

      Ubuntu 12.04.2 LTS
      CDH 4.2.1
      java version "1.6.0_32"

    • Target Version:
    • Easy:
      Easy

      Description

      Hi all!

      I'm having some really annoying permissions problems when hue starts up the beeswax server.

      I'm using MySQL as the hive-metastore, so hive-site.xml has database passwords in it on the hive server node. To protect those passwords, I've made hive-site.xml mode 440. It is owned as hive:hive.

      I'm trying to run hue on the same node that hive server is running on. Beeswax needs to be able to read hive-site.xml. I've added the hue user to the hive group. Since hive-site.xml is group-owned by hive, it should be able to read this file.

      However, the comments in /etc/init.d/hue are conflicting:

      DAEMONUSER=hue # Users to run the daemons as. If this value is set start-stop-daemon will chuid the server

      And then in start_server():

      # dont setuid, since supervisor will drop privileges on its own

      Looking in /usr/share/hue/desktop/core/src/desktop/supervisor.py, there is this comment:

      # User and group to setuid/setgid down to for any supervisees that don't have
      # the drop_root option set to False
      SETUID_USER = "hue"
      SETGID_GROUP = "hue"

      It seems that the original intention was to honor the init.d script's $DAEMONUSER variable, but clearly this isn't happening. Since the init script does not pass --chuid $DAEMONUSER to start-stop-daemon, the hue processes will always run as the hue user. This is obviously wrong, but wouldn't be a problem for me if supervisor.py also kept supplemental gids when calling os.setgid(gr.gr_gid).

      supervisor.py seems smart enough not to setuid if already not running as root. Shouldn't the hue init.d script just pass --chuid $DAEMONUSER to start-stop-daemon?
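
The supplementary-group point raised in the report, as an added example that is not part of the original ticket or of Hue's code: a root-to-user privilege drop that calls os.initgroups() before os.setgid() and os.setuid(), with a simulated read check against a 0440 hive:hive file. The names `drop_privileges`, `may_read` and `SimProc` and all numeric ids are constructed for illustration.

```python
import grp
import os
import pwd
from types import SimpleNamespace


def drop_privileges(user, group, os_mod=os,
                    getpwnam=pwd.getpwnam, getgrnam=grp.getgrnam):
    """Drop root to user:group, keeping the user's supplementary groups."""
    if os_mod.geteuid() != 0:
        return []                  # already unprivileged: nothing to drop
    uid = getpwnam(user).pw_uid
    gid = getgrnam(group).gr_gid
    # initgroups() loads every group that lists `user` as a member (plus gid).
    # A bare setgid() leaves the supplementary list inherited from root.
    os_mod.initgroups(user, gid)
    os_mod.setgid(gid)
    os_mod.setuid(uid)             # last: the calls above need root
    return ["initgroups", "setgid", "setuid"]


def may_read(mode, file_uid, file_gid, uid, gid, groups):
    """Classic Unix read check for a non-root process (ACLs ignored)."""
    if uid == file_uid:
        return bool(mode & 0o400)
    if gid == file_gid or file_gid in groups:
        return bool(mode & 0o040)
    return bool(mode & 0o004)


class SimProc:
    """Constructed stand-in for the os module: root process + group db."""
    def __init__(self, members):
        self.uid, self.gid, self.groups, self.members = 0, 0, [0], members
    def geteuid(self):
        return self.uid
    def setgid(self, gid):
        self.gid = gid
    def setuid(self, uid):
        self.uid = uid
    def initgroups(self, user, gid):
        extra = {g for g, users in self.members.items() if user in users}
        self.groups = sorted(extra | {gid})


if __name__ == "__main__":
    # Constructed ids: user/group hue = 1001, group hive = 1002 (hue is a member)
    proc, ids = SimProc({1002: ["hue"]}), {"hue": SimpleNamespace(pw_uid=1001, gr_gid=1001)}
    drop_privileges("hue", "hue", proc, ids.get, ids.get)
    print(may_read(0o440, 1002, 1002, proc.uid, proc.gid, proc.groups))
```

Called with the defaults as root, `drop_privileges("hue", "hue")` acts on the real process; the simulation only makes the group-membership effect visible without root.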

            People

            • Assignee:
              romain Romain Rigaux
              Reporter:
              otto Andrew Otto