[Bug 1842408] Re: rabbitmq-server writes to /etc/rabbitmq
Bryce Harrington
1842408 at bugs.launchpad.net
Wed Sep 4 19:16:28 UTC 2019
Design-wise, I agree it would be preferable for /etc to be unwriteable by services.
The one thing I'm unclear about is:
"So if /etc/rabbitmq belongs to root, rabbitmq-plugins can write only
if run as root, but then it issues an error message because of ownership
trouble with the rabbitmq daemon, which expects things to be rabbitmq."
Since rabbitmq can't be logged into (by default), an administrator would
only be running rabbitmq-plugins directly as root or sudo. Does the
rabbitmq daemon call rabbitmq-plugins directly, itself? I haven't
reproduced that aspect of the problem, so can you provide additional
directions on how to reproduce an error by the service itself?
** Changed in: rabbitmq-server (Ubuntu)
Status: New => Incomplete
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to rabbitmq-server in Ubuntu.
https://bugs.launchpad.net/bugs/1842408
Title:
rabbitmq-server writes to /etc/rabbitmq
Status in rabbitmq-server package in Ubuntu:
Incomplete
Bug description:
Hi,
I just ran into a design problem of the Ubuntu/Debian installation of rabbitmq-server.
I tried to configure rabbitmq with Puppet; it didn't work, and I
debugged it.
Problem: the Puppet plugin changes ownership of /etc/rabbitmq to root,
while the Ubuntu/Debian package requires it to be rabbitmq.rabbitmq,
because the tool rabbitmq-plugins needs to write to
/etc/rabbitmq/enabled_plugins and create
/etc/rabbitmq/enabled_plugins.tmp.
So if /etc/rabbitmq belongs to root, rabbitmq-plugins can write only if run as root, but then it issues an error message because of ownership trouble with the rabbitmq daemon, which expects things to be rabbitmq.
It is definitely a poor and insecure idea to give an /etc directory
ownership to a daemon and use it to store state information.
/etc/rabbitmq/enabled_plugins definitely belongs to /var/lib/rabbitmq,
and as far as I know, this is what Linux design guides say.
ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: rabbitmq-server 3.6.10-1
ProcVersionSignature: Ubuntu 4.15.0-58.64-generic 4.15.18
Uname: Linux 4.15.0-58-generic x86_64
NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
ApportVersion: 2.20.9-0ubuntu7.7
Architecture: amd64
CurrentDesktop: LXDE
Date: Tue Sep 3 12:17:42 2019
InstallationDate: Installed on 2018-04-30 (491 days ago)
InstallationMedia: Lubuntu 18.04 LTS "Bionic Beaver" - Release amd64 (20180426)
PackageArchitecture: all
SourcePackage: rabbitmq-server
UpgradeStatus: No upgrade log present (probably fresh install)
modified.conffile..etc.default.rabbitmq-server: [modified]
mtime.conffile..etc.default.rabbitmq-server: 2019-09-02T17:17:09.167373
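An added example, not part of the bug report or of the rabbitmq-server package: a check that lists which paths under a configuration tree a service account can modify, using only the classic Unix owner/group/other mode bits (ACLs and capabilities are not considered). The account name `rabbitmq` and the tree `/etc/rabbitmq` come from the report; the function names are hypothetical.

```python
import os
import stat
from pathlib import Path


def can_write(st, uid, gids):
    """Classic Unix write check on a stat result: exactly one class applies."""
    if uid == 0:
        return True  # root bypasses the mode bits
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def service_writable(root, uid, gids):
    """Return sorted paths under root (root included) the account can modify.

    A writable directory is reported even when the files in it are read-only,
    because the account can create or replace entries in it (the report's
    enabled_plugins.tmp case).
    """
    findings = []
    root = Path(root)
    for path in [root, *root.rglob("*")]:
        st = path.lstat()
        if stat.S_ISLNK(st.st_mode):
            continue  # symlink mode bits carry no meaning; targets are judged on their own
        if can_write(st, uid, set(gids)):
            findings.append(str(path))
    return sorted(findings)


if __name__ == "__main__":
    import pwd
    import sys
    # Assumed defaults: service account "rabbitmq", config tree /etc/rabbitmq.
    account = pwd.getpwnam(sys.argv[1] if len(sys.argv) > 1 else "rabbitmq")
    tree = sys.argv[2] if len(sys.argv) > 2 else "/etc/rabbitmq"
    gids = os.getgrouplist(account.pw_name, account.pw_gid)
    for hit in service_writable(tree, account.pw_uid, gids):
        print(f"writable by {account.pw_name}: {hit}")
```

An empty result for a service account under `/etc` means the daemon cannot alter its own configuration; any hit is a path whose contents the running service could change.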