CE on Centos 7 - Installer issues

Using the installer on Centos 7 and install procedure as documented here doesn’t seem to work as expected:

  1. The installer seems to change ownership of the /root/ folder - noticed as ssh authorized_keys stop working. /root is now owned by uid 1000, gid “users”.

  2. After installation the webapp is inaccessible due to firewall issues.

Steps to reproduce:

  • Fresh CentOS 7 installation (mine was from CentOS minimal-1810).
  • ssh key added using ssh-copy-id from a different box.
  • yum update so all packages at current version as of today.
  • ssh into system as root and download/run the installer (as per guide)

Even before responding to the first question, the root directory ownership and permissions have already been altered, giving world read/execute permissions on /root/.

[root@passbolt ~]# stat /root
  File: ‘/root’
  Size: 4096      	Blocks: 8          IO Block: 4096   directory
Device: fd01h/64769d	Inode: 33584193    Links: 5
Access: (0755/drwxr-xr-x)  Uid: ( 1000/ UNKNOWN)   Gid: (  100/   users)
Context: system_u:object_r:admin_home_t:s0
Access: 2019-06-18 11:09:54.823871081 +0100
Modify: 2019-06-18 11:09:44.583536792 +0100
Change: 2019-06-18 11:09:44.583536792 +0100

If I ignore this and continue with the installation (yes to maria, manual ssl certificates, yes to haveged) the installer gives two possible errors (grep: /var/spool/cron//*: No such file or directory && libsemanage.dbase_llist_query: could not query record value) but seems to complete successfully.

At this point I’m told to visit the URL to complete setup, though this is inaccessible due to the firewall. The following fixes the issue; should the installer be doing this automagically?
firewall-cmd --permanent --add-service=http --add-service=https
firewall-cmd --reload

Other than these two issues everything seems to get installed and work fine.

Checklist
[✓] I have read intro post: About the Installation Issues category
[✓] I have read the tutorials, help and searched for similar issues
[✓] I provide relevant information about my server (component names and versions, etc.)
[x] I provide a copy of my logs and healthcheck
[✓] I describe the steps I have taken to trouble shoot the problem
[✓] I describe the steps on how to reproduce the issue

Hi @BuildTheRobots,

Thanks for your feedback! It is really appreciated!
The issue with the permissions change on your local folders is because we are not providing a directory inside the distributed tar files. At the moment of uncompressing, the file permissions get overwritten on the directory the tar is uncompressed in.
A fix would be for us to provide a tar file with a directory in it rather than a tar file with just a single file in it.

The errors on the grep and the selinux step will require a bit more effort so I will take a look when I have more time.

Firewall being automatically changed seems to me as admin responsibility and actively change it. Also the environment could be using a firewall located on separate hardware, so checking on the firewall for the installer would be an effort that might not have a lot of value for certain users.
Anyway we will consider your suggestions. Maybe you could kindly open a ticket on https://github.com/passbolt/passbolt_install_scripts to keep track of all your suggestions as we have 0 bandwidth for this at the moment.

NP: Would you like me to raise individual bugs for each issue?

With regard to the tar file, I believe the issue is exacerbated by the fact it was created using tar -cvf bla.tgz . It’s the use of . that’s causing the parent folder’s permissions to be included.
If the archive creation specifies the files individually, or just uses a wildcard, then it doesn’t have the same effect on extraction (eg tar -cvzf installer.tar.gz *).

Re the firewall, I can fully understand your point as to why this should be admin responsibility.
However the installer states very clearly that “It is important that you use a vanilla server with no other services or tools already installed on it. The install scripts could potentially damage any existing data on your server.”

I would make the point that as we’re taking a completely blank server and configuring it to run passbolt - including installing the web server, giving access to the webserver (in the same way it configures selinux permissions on the webserver) should be part of the install. As Centos 7 ships with the firewall enabled and locked down as default, even if there is an external firewall in play, the local one would still have to be enabled to allow http/s traffic on the box.

To put it another way, configuring firewall seems like part of the installer’s remit as part of “configure your operating system to be passbolt ready and will take care of installing and configuring the web server (Nginx), database (MariaDb), PHP, SSL and GPG keyring.”

1 Like
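
The tar behaviour discussed in the posts above can be reproduced and checked for before unpacking anything in a sensitive directory. This is an added example, not part of the thread or of the passbolt install scripts; the archive names, the `install.sh` payload and the function names are constructed, and it assumes GNU tar and GNU stat.

```shell
#!/bin/sh
# Added example: all file names and paths below are constructed.

# Return 0 if the archive carries an entry for the directory it was created
# in ("." or "./"). Extracting such an archive rewrites the metadata of
# whatever directory it is unpacked into.
archive_has_dot_entry() {
    tar -tzf "$1" | grep -qx -e '\.' -e '\./'
}

# Extract archive $1 into a fresh 0700 directory and print that directory's
# mode afterwards. -p (preserve permissions) is tar's default when run as root.
mode_after_extract() {
    dest=$(mktemp -d) || return 1
    chmod 700 "$dest"
    tar -xzpf "$1" -C "$dest"
    stat -c %a "$dest"
    rm -rf "$dest"
}

# Build two archives of the same one-file payload: one created with "."
# and one created with a wildcard, as suggested in the thread.
build_samples() {
    work=$(mktemp -d) || return 1
    mkdir "$work/src"
    chmod 755 "$work/src"
    echo 'echo installer placeholder' > "$work/src/install.sh"
    (cd "$work/src" && tar -czf ../dot.tar.gz . && tar -czf ../wildcard.tar.gz *)
    echo "$work"
}

samples=$(build_samples)
for name in dot wildcard; do
    f="$samples/$name.tar.gz"
    if archive_has_dot_entry "$f"; then note="has ./ entry"; else note="no ./ entry"; fi
    echo "$name.tar.gz: $note, 0700 target dir ends up $(mode_after_extract "$f")"
done
rm -rf "$samples"
```

Unpacking into a dedicated empty directory, or passing GNU tar's `--no-overwrite-dir`, keeps an archive like `dot.tar.gz` from touching the metadata of an existing directory such as /root.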

@BuildTheRobots yes please create two issues. I also agree the local firewall setup could be integrated in the installation script (at least a question should be asked, e.g. do you want to let the script set up firewall rules y/n)

I ended up creating 4 - one for each issue noticed.

Thank you for taking the time to respond to the feedback - it’s greatly appreciated :slight_smile:

1 Like

lol, new users can only link to two URLs o.0

lol, new users can only link to two URLs o.0
:smiley:

It’s ok, I hit the “you’re posting too fast, try again in xxx seconds” moderation limit after that =)
