Appy & LibreOffice running as different users leads to tmp directory permission issues

Asked by Ryan Dibble on 2012-12-12

Setup:

 In Ubuntu 12.04, default LibreOffice installed, running appy 0.8.1 we downloaded and installed by hand.

Goal:

We want to the python code using appy run as one user while the libreoffice runs as another user. How do we get the two user setup to work? (Read below before you answer.)

Problem:

In our development environments we run a python based web application that calls appy and uses libreoffice to generate PDFs and other .doc and .odt files. In the development environment the web app and libreoffice run as the same linux level user and everything works fine. However in our testing area, where we have a two user setup, there is file permission related issues discussed in detail below.

Details:

In our testing (and production) environments, to enhance compartmentalization, we run the web app and libreoffce as separate (non-root) users. The webapp runs under the user www-data. The libreoffice runs under the user officeuser. (As an experiment, we ran them both as root everything works fine, and if we run them as the same user everything works fine, but neither solution is acceptable for us because we want them to run as separate users.)

When the system runs as two separate users, appy fails with an exception (see the very bottom of this message) when trying to make things like the PDFs. We traced it down to what appears to be file permissions issue on temp directory (under the final output file location) that is created by appy. It appears that something (office? appy?) needs write access to that tree which was not allowed by the default setup and permission with these two user accounts. (The by default the dir would be owned by the www-data without group or other write permission). Our solution was the following:

1. make a linux group called "cache", put both the www-data and the officeuser as members

2. set the group set id bit on the main tmp directory -- to force group ownership of all new files/directories to be the cache group

3. made the following change around appy/pod/renderer.py line 353: (to make the new directory with write on the group cache)

         absResult = os.path.abspath(self.result)
         self.tempFolder = '%s.%f' % (absResult, time.time())
         try:
            #os.mkdir(self.tempFolder) # OLD LINE
            os.umask(0o002) # NEW LINE to override umask to allow for group writting and setuid to work
            os.mkdir(self.tempFolder,0o6775) # NEW LINE to override the permission created on the new directory
         except OSError, oe:
             raise PodError(CANT_WRITE_TEMP_FOLDER % (self.result, oe))

4. run webapp as www-data & libreoffice as officeuser ... now they can communicate and share the tmp space

Questions:

(A) Does anyone have another solution that will achieve the two separate users (without making changes to appy above)?
(B) Is there another way to achieve the umask and file permissions effect without modifing appy directly with some shell magic?
(C) We would prefer not to have to modify appy every time there is an update. Are the appy authors aware of an alternative?
(D) Is it assumed by appy that it will run as the same user as libreoffice/openofficet?

All the best,

Ryan

=== Exception BEGIN ===
...
  File "/home/ryan/webapp/code/printing.py", line 48, in run_appy_pod_renderer
    renderer.run()
  File "/home/ryan/webapp/local/lib/python2.7/site-packages/appy/pod/renderer.py", line 394, in run
    self.finalize()
  File "/home/ryan/webapp/local/lib/python2.7/site-packages/appy/pod/renderer.py", line 543, in finalize
    raise PodError(CONVERT_ERROR % output)
PodError: An error occurred during the conversion.
Traceback (most recent call last):
  File "/home/ryan/webapp/local/lib/python2.7/site-packages/appy/pod/converter.py", line 288, in <module>
    ConverterScript().run()
  File "/home/ryan/webapp/local/lib/python2.7/site-packages/appy/pod/converter.py", line 279, in run
    converter.run()
  File "/home/ryan/webapp/local/lib/python2.7/site-packages/appy/pod/converter.py", line 247, in run
    self.convertDocument()
  File "/home/ryan/webapp/local/lib/python2.7/site-packages/appy/pod/converter.py", line 241, in convertDocument
    self.doc.storeToURL(self.resultUrl, tuple(properties))
__main__.ErrorCodeIOException
=== Exception END ===

Question information

Language:
English Edit question
Status:
Expired
For:
Appy Edit question
Assignee:
No assignee Edit question
Last query:
2012-12-12
Last reply:
2013-01-04

Hi Ryan,
Thanks for this detailed report.
With earlier versions of OpenOffice, we were forced to run it as root. Otherwise, calling it from appy.pod to perform conversions to PDF, etc, did not work. Now things have changed. But in my own deployments, it is true that I still run LibreOffice as root, so personally (I am the lead appy.pod developer, I also own a company that develops appy-based webapps) I've never encountered this problem. If the port running OO/LO is not open to the outside world, does it represent a security problem according to your own perception?

My first question is: is this problem still there if you generate the pod result in /tmp (does it make any difference if the pod temp folder lies somewhere within /tmp) ?

If it does not change anything, I could apply your patch to pod. But I have some questions:
- Are your 2 lines required? In the doc for os.mkdir on python.org, they say: "On some systems, mode is ignored. Where it is used, the current umask value is first masked out". Does it mean that changing umask before calling os.mkdir has no effet? Sorry I'm not familiar with umask and setuid.
- In this doc, they say that the default mode is 0777. So the group should by defaut be able to write in it?

Thanks !
Gaetan

Launchpad Janitor (janitor) said : #2

This question was expired because it remained in the 'Needs information' state without activity for the last 15 days.