[Bug 1842408] Re: rabbitmq-server writes to /etc/rabbitmq

Hadmut Danisch hadmut at danisch.de
Thu Sep 5 10:25:42 UTC 2019


Well, it might help if I point out the background of trouble and
confusion.

I tried to configure rabbitmq automatically with puppet, using the
officially recommended plugin, see

https://forge.puppet.com/puppetlabs/rabbitmq
https://github.com/voxpupuli/puppet-rabbitmq

Two problems came together then:


Problem 1:
The plugin is not really compatible with Ubuntu/Debian, and was obviously written for some other distribution (Red Hat I guess), and enforces the ownership the plugin authors believed to be correct, i.e. changes /etc/rabbitmq and its contents to be owned by root.

Problem 2:
The system I was testing this on has for security reasons a umask of 027 (instead of the usual 022) for root, and both puppet and this plugin forgot to set a proper umask.

The result was that rabbitmq did not work anymore, since /etc/rabbitmq
was owned by root and lost public read access.


My problem then was: How to repair? I didn't find a hint about what it was supposed to be. 

Making it all readable did not help:

Running rabbitmq-plugins as root renders rabbitmq dead, probably because
of the umask 027: the file becomes unreadable.

Running rabbitmq-plugins as

su -c "rabbitmq-plugins ..." -s /bin/sh rabbitmq

doesn't work either if /etc/rabbitmq is owned by root, because
rabbitmq-plugins wants to write a temporary /etc/rabbitmq/enabled_plugins.tmp


So the central problem is that it is not obvious how things are supposed
to be used and to work. Just having a umask different from 022 seems to
break everything.


Under what uid is rabbitmq-plugins supposed to be used?

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to rabbitmq-server in Ubuntu.
https://bugs.launchpad.net/bugs/1842408

Title:
  rabbitmq-server writes to /etc/rabbitmq

Status in rabbitmq-server package in Ubuntu:
  Incomplete

Bug description:
  Hi, 
  I just ran into a design problem of the Ubuntu/Debian installation of rabbitmq-server.

  I tried to configure rabbitmq with puppet, it didn't work, and I
  debugged it.

  Problem: the puppet plugin changes ownership of /etc/rabbitmq to root,
  while the ubuntu/debian package requires it to be rabbitmq.rabbitmq,
  because the tool rabbitmq-plugins needs to write to
  /etc/rabbitmq/enabled_plugins and create
  /etc/rabbitmq/enabled_plugins.tmp

  
  So if /etc/rabbitmq belongs to root, rabbitmq-plugins can write only if run as root, but then it issues an error message because of ownership trouble with the rabbitmq daemon, which expects things to be rabbitmq.


  It is definitely a poor and insecure idea to give an /etc directory
  ownership to a daemon and use it to store state information.
  /etc/rabbitmq/enabled_plugins definitely belongs to /var/lib/rabbitmq,
  and as far as I know, this is what linux design guides say.

  ProblemType: Bug
  DistroRelease: Ubuntu 18.04
  Package: rabbitmq-server 3.6.10-1
  ProcVersionSignature: Ubuntu 4.15.0-58.64-generic 4.15.18
  Uname: Linux 4.15.0-58-generic x86_64
  NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
  ApportVersion: 2.20.9-0ubuntu7.7
  Architecture: amd64
  CurrentDesktop: LXDE
  Date: Tue Sep  3 12:17:42 2019
  InstallationDate: Installed on 2018-04-30 (491 days ago)
  InstallationMedia: Lubuntu 18.04 LTS "Bionic Beaver" - Release amd64 (20180426)
  PackageArchitecture: all
  SourcePackage: rabbitmq-server
  UpgradeStatus: No upgrade log present (probably fresh install)
  modified.conffile..etc.default.rabbitmq-server: [modified]
  mtime.conffile..etc.default.rabbitmq-server: 2019-09-02T17:17:09.167373



More information about the Ubuntu-openstack-bugs mailing list
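
The failure mode reported above, reproduced on mode bits alone as an added example (not part of the original message or of the rabbitmq-server package). The function names and the one-line `enabled_plugins` content are constructed for illustration, and group membership is ignored as a simplifying assumption.

```shell
#!/bin/sh
# Added example: mode bits only, so it runs without root. Assumption: group
# membership is ignored (USER is either the owner or falls under "other").

mode_of()  { ls -ld "$1" | cut -c1-10; }        # e.g. -rw-r-----
owner_of() { ls -ld "$1" | awk '{print $3}'; }

# write_enabled_plugins UMASK DIR
# Mimics the write pattern named in the bug: create enabled_plugins.tmp,
# then rename it over enabled_plugins, all under the given umask.
write_enabled_plugins() {
    (
        umask "$1" || exit 1
        printf '[rabbitmq_management].\n' > "$2/enabled_plugins.tmp" &&
        mv -f "$2/enabled_plugins.tmp" "$2/enabled_plugins"
    )
}

# can_read USER FILE: does FILE's mode grant USER read access?
can_read() {
    if [ "$(owner_of "$2")" = "$1" ]; then
        case "$(mode_of "$2")" in ?r????????) return 0 ;; esac
    else
        case "$(mode_of "$2")" in ???????r??) return 0 ;; esac
    fi
    return 1
}

# can_create_in USER DIR: creating the .tmp file needs write+search on DIR.
can_create_in() {
    if [ "$(owner_of "$2")" = "$1" ]; then
        case "$(mode_of "$2")" in ??wx??????) return 0 ;; esac
    else
        case "$(mode_of "$2")" in ????????wx) return 0 ;; esac
    fi
    return 1
}

# audit USER DIR: one line per finding; non-zero status if anything fails.
audit() {
    rc=0
    can_read "$1" "$2/enabled_plugins" || { echo "$1 cannot read $2/enabled_plugins"; rc=1; }
    can_create_in "$1" "$2" || { echo "$1 cannot create $2/enabled_plugins.tmp"; rc=1; }
    return $rc
}
```

Run `audit rabbitmq /etc/rabbitmq` on an affected host to see which of the two conditions fails; widening the file mode clears only the first finding, which matches the observation that making everything readable did not help.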