Hi Ulrich,

I thought the same, but it seems yum/dnf do not have a post-install 'hook', like debian has with DPkg::Pre-Install-Pkgs & DPkg::Post-Invoke, that allows you to define commands/scripts to run before and after.

Not sure how to do something similar on RHEL. I have now excluded openldap from auto updates, and added instructions on our manual update.instructions.

Any ideas here..?



On Wed, 11 Oct 2023 at 11:05, Windl, Ulrich <u.windl@ukr.de> wrote:
I wonder:
Couldn't some RPM "pre-script" remember the current permissions for some RPM "post script" to restore them (after they were messed up)?

-----Original Message-----
From: cYuSeDfZfb cYuSeDfZfb <cyusedfzfb@gmail.com>
Sent: Thursday, September 21, 2023 10:54 AM
To: Ondřej Kuzník <ondra@mistotebe.net>
Cc: openldap-technical@openldap.org; Dimitar Stoychev <dstoychev@symas.com>
Subject: [EXT] Re: regular yum symas-openldap-servers update breaks permissions on /var/symas/openldap-data

Hi Ondřej,

Thanks for your reply.

Yes, we are putting our (single file) mdb straight in /var/symas/openldap-data, using subdirs never crossed our minds.

Anyway, we just have to document this behaviour in our upgrade documentation.

Must say: the behaviour, for us, is a little bit unexcpected. We didn't expect rpm upgrades to "mess" with fs permissions, but we can simply work around it.

Thanks again for your reply, appreciated!


On Wed, 13 Sept 2023 at 12:25, Ondřej Kuzník <ondra@mistotebe.net <mailto:ondra@mistotebe.net> > wrote:


        On Tue, Sep 12, 2023 at 04:44:15PM +0200, cYuSeDfZfb cYuSeDfZfb wrote:
        > Hi,
        >
        > We're seeing this quite consistently.
        >
        > Before updating:
        > [root@ldaps01 log]# ls -l
        > /var/symas/ drwx------. 3 ldap ldap 50 Aug 28 16:28 openldap-data
        >
        > After updating:
        > [root@ldaps01 log]# ls -l
        > /var/symas/ drwx------. 3 root root 50 Aug 28 16:28 openldap-data
        >
        > And afterwards symas-openldap-server (running as ldap:ldap) no longer
        > starts, since permission denied on /var/symas/openldap-data.
        >
        > Reverting the permissions back to ldap:ldap solves it. But...WHY is this
        > happening.
        >
        > Are we somehow encouraged to run openldap as root..?
        >
        > Why would a post-install script reset permissions on
        > /var/symas/openldap-data?

        Hi,
        openldap-data is owned by the package and as such you'll have to tell
        rpm somehow (a trigger, ...) that you don't want it to mess with it.
        AFAIK there's work ongoing to make the directory 711 which should sort
        things for you.

        That's unless you're putting the databases directly into
        /var/symas/openldap-data, we advise you create a subdirectory per DB,
        e.g. /var/symas/openldap-data/dc=example,dc=com or
        /var/symas/openldap-data/cn=accesslog.

        Regards,

        --
        Ondřej Kuzník
        Senior Software Engineer
        Symas Corporation                       http://www.symas.com
        Packaged, certified, and supported LDAP solutions powered by OpenLDAP