Posted to dev@bloodhound.apache.org by John Oliver <jo...@insightfullogic.com> on 2013/07/09 23:57:30 UTC

SensitiveTicketPlugin install issue

Hi, I was evaluating Bloodhound looking for a way of restricting access 
to certain issues and found SensitiveTicketPlugin. I downloaded their 
current version (it was labeled sensitiveticketsplugin-13332.zip), built 
an egg and installed it via the UI. This then led to me simply getting 
the following from the UI:

```
(The Trac Environment needs to be upgraded. Run "trac-admin 
/home/foo/bloodhound/apache-bloodhound-0.5.3/installer/bloodhound/environments/main 
upgrade")
```

Running that command then results in:

```
TracError: Database newer than Trac version
```

The console log around this time seems to show nothing interesting:

```
10.10.0.134 - - [09/Jul/2013 21:05:20] "GET /main/admin HTTP/1.1" 200 -
10.10.0.134 - - [09/Jul/2013 21:05:25] "GET /main/admin/ticket/type 
HTTP/1.1" 200 -
10.10.0.134 - - [09/Jul/2013 21:05:28] "GET /main/admin/general/plugin 
HTTP/1.1" 200 -
10.10.0.134 - - [09/Jul/2013 21:05:30] "POST /main/admin/general/plugin 
HTTP/1.1" 500 -
10.10.0.134 - - [09/Jul/2013 21:05:30] "GET 
/main/chrome/common/css/code.css HTTP/1.1" 200 -
10.10.0.134 - - [09/Jul/2013 21:05:53] "POST /main/admin/general/plugin 
HTTP/1.1" 303 -
10.10.0.134 - - [09/Jul/2013 21:05:53] "GET /main/admin/general/plugin 
HTTP/1.1" 500 -
10.10.0.134 - - [09/Jul/2013 21:06:47] "GET /main/admin/general/plugin 
HTTP/1.1" 500 -
```

I presume the transition from 200's to 500's is the point at which I 
installed the plugin.

This was on version 0.5.3 using sqlite db.

I was asked to also attach the db. I am a bit hesitant since I am not 
100% sure that it does not contain any sensitive data. It was only a testing 
instance and has no issues in it yet, so it looks clean; my main worry is 
over passwords/hashes, which again don't appear to be present. So if 
someone wants it I will be willing to share it off list, let me know.

Thank you very much

John Oliver
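Added example (not code from this thread, nor from Trac or Bloodhound) showing the two checks behind the failure reported above. Trac records its schema version as the `database_version` row of the `system` table in the environment database, and `trac-admin <env> upgrade` aborts with "Database newer than Trac version" when that stored value is higher than the db_version of the Trac code that is actually running. The first helper reads the stored value from a SQLite environment database and classifies it against a given code version; the second resolves `trac-admin` the way a bare shell command does (first hit on PATH) and compares it with the copy under `$VIRTUAL_ENV/bin`, which is what an un-activated virtualenv silently fails to use. The in-memory database, the version numbers and the function names are constructed for illustration.

```python
"""Added example: schema-version and trac-admin-resolution checks (not Trac code)."""
import os
import shutil
import sqlite3


def stored_db_version(conn):
    """Schema version Trac recorded in the `system` table, or None if absent."""
    row = conn.execute(
        "SELECT value FROM system WHERE name = 'database_version'"
    ).fetchone()
    return int(row[0]) if row else None


def diagnose(stored, code_version):
    """Classify the stored schema version against the running code's version."""
    if stored is None:
        return "no database_version recorded"
    if stored > code_version:
        # The message trac-admin printed in the report: the trac-admin that
        # ran belonged to an older Trac than the one that created the database.
        return "Database newer than Trac version"
    if stored < code_version:
        return "environment needs upgrade"
    return "up to date"


def build_sample_db(version):
    """Constructed stand-in for an environment's trac.db (system table only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE system (name TEXT PRIMARY KEY, value TEXT)")
    conn.execute("INSERT INTO system VALUES ('database_version', ?)",
                 (str(version),))
    conn.commit()
    return conn


def trac_admin_on_path(path=None):
    """The trac-admin a bare `trac-admin ...` would execute (None if none)."""
    return shutil.which("trac-admin", path=path)


def trac_admin_mismatch(on_path, virtual_env):
    """True when the trac-admin found on PATH is not the virtualenv's own.

    `virtual_env` is what the activate script exports as VIRTUAL_ENV; without
    activation the OS package's trac-admin wins, which is the case reported.
    """
    if on_path is None or virtual_env is None:
        return True
    expected = os.path.join(virtual_env, "bin", "trac-admin")
    return os.path.realpath(on_path) != os.path.realpath(expected)


if __name__ == "__main__":
    db = build_sample_db(29)                    # illustrative: newer bundled Trac
    print(diagnose(stored_db_version(db), 28))  # illustrative: older system Trac
    found = trac_admin_on_path()
    print("trac-admin on PATH:", found)
    print("mismatch:", trac_admin_mismatch(found, os.environ.get("VIRTUAL_ENV")))
```

Run it from the shell you are about to type `trac-admin ... upgrade` into: a `mismatch: True` line means the command would run a different Trac than the one serving the environment.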

Re: SensitiveTicketPlugin install issue

Posted by Ryan Ollos <ry...@wandisco.com>.
On Wed, Jul 10, 2013 at 8:38 AM, Olemis Lang <ol...@gmail.com> wrote:

> On 7/10/13, Ryan Ollos <ry...@wandisco.com> wrote:
> > On Jul 9, 2013 10:10 PM, "Olemis Lang" <ol...@gmail.com> wrote:
> >>
> >> On 7/9/13, Ryan Ollos <ry...@wandisco.com> wrote:
> >> > On Tue, Jul 9, 2013 at 2:57 PM, John Oliver
> >> > <jo...@insightfullogic.com>wrote:
> >> >
> >> [...]
> >> >
> >> > This led to a suggestion from him that we might consider, that the
> > message
> >> > presented in the browser include information about needing to run the
> >> > activate script. We might be able to help the user in an even simpler
> > way
> >> > though, by providing the full path to `trac-admin` in the message.
> >> >
> >> > Rather than, The Trac Environment needs to be upgraded. Run
> "trac-admin
> >> >
> >
> /home/foo/bloodhound/apache-bloodhound-0.5.3/installer/bloodhound/environments/main
> >> > upgrade")
> >> >
> >> > the message could be: The Trac Environment needs to be upgraded. Run
> >> > "/home/foo/bloodhound/bh/bin/trac-admin
> >> >
> >
> /home/foo/bloodhound/apache-bloodhound-0.5.3/installer/bloodhound/environments/main
> >> > upgrade")
> >> >
> >> > This change should probably be made in the Trac core.
> >> >
> >>
> >> IMO, in the general case this will reveal server paths to users who
> >> are not in a position to do anything about that. I'm not sure how
> >> beneficial it will be in practice. Indeed I'm of the opinion that
> >> such messages are only effective for trac admins. It'd be very nice to
> >> determine whether the target user is granted the TRAC_ADMIN permission
> >> and only then show such a message. Regular users might only see an HTTP
> >> 503 ''Service unavailable'' response with body «Under maintenance»,
> >> or the like.
> >>
> >> --
> >> Regards,
> >>
> >> Olemis.
> >
> > Yeah that makes sense. In regards to revealing the path, this crossed my
> > mind, but since the path to the env directory is revealed it didn't seem
> > any worse to reveal the path to trac-admin.
>
> Yes, you are right. I've been uncomfortable too with the path to the env
> being visible to users.
>
> > Your idea to hide them both
> > from regular users sounds even better though.
> >
>
> ;)
>
> > I also haven't looked into whether the path to trac-admin is readily
> > available where the upgrade message is generated, in order to make
> showing
> > the full path feasible.
> >
>
> AFAICR, in the test suite the path to the trac* CLI tools is identified
> considering sys.executable. Is it enough?
>

Thanks for the hint, I will keep it in mind if/when I finally get to
working on this issue.

I opened a ticket to summarize the discussion that took place in this
thread. Please add to it if you see fit:

https://issues.apache.org/bloodhound/ticket/589

Thank you for the ideas and good discussion on the matter!

Re: SensitiveTicketPlugin install issue

Posted by Olemis Lang <ol...@gmail.com>.
On 7/10/13, Ryan Ollos <ry...@wandisco.com> wrote:
> On Jul 9, 2013 10:10 PM, "Olemis Lang" <ol...@gmail.com> wrote:
>>
>> On 7/9/13, Ryan Ollos <ry...@wandisco.com> wrote:
>> > On Tue, Jul 9, 2013 at 2:57 PM, John Oliver
>> > <jo...@insightfullogic.com>wrote:
>> >
>> [...]
>> >
>> > This led to a suggestion from him that we might consider, that the
> message
>> > presented in the browser include information about needing to run the
>> > activate script. We might be able to help the user in an even simpler
> way
>> > though, by providing the full path to `trac-admin` in the message.
>> >
>> > Rather than, The Trac Environment needs to be upgraded. Run "trac-admin
>> >
> /home/foo/bloodhound/apache-bloodhound-0.5.3/installer/bloodhound/environments/main
>> > upgrade")
>> >
>> > the message could be: The Trac Environment needs to be upgraded. Run
>> > "/home/foo/bloodhound/bh/bin/trac-admin
>> >
> /home/foo/bloodhound/apache-bloodhound-0.5.3/installer/bloodhound/environments/main
>> > upgrade")
>> >
>> > This change should probably be made in the Trac core.
>> >
>>
>> IMO, in the general case this will reveal server paths to users who
>> are not in a position to do anything about that. I'm not sure how
>> beneficial it will be in practice. Indeed I'm of the opinion that
>> such messages are only effective for trac admins. It'd be very nice to
>> determine whether the target user is granted the TRAC_ADMIN permission
>> and only then show such a message. Regular users might only see an HTTP
>> 503 ''Service unavailable'' response with body «Under maintenance»,
>> or the like.
>>
>> --
>> Regards,
>>
>> Olemis.
>
> Yeah that makes sense. In regards to revealing the path, this crossed my
> mind, but since the path to the env directory is revealed it didn't seem
> any worse to reveal the path to trac-admin.

Yes, you are right. I've been uncomfortable too with the path to the env
being visible to users.

> Your idea to hide them both
> from regular users sounds even better though.
>

;)

> I also haven't looked into whether the path to trac-admin is readily
> available where the upgrade message is generated, in order to make showing
> the full path feasible.
>

AFAICR, in the test suite the path to the trac* CLI tools is identified
considering sys.executable. Is it enough?

-- 
Regards,

Olemis.

Re: SensitiveTicketPlugin install issue

Posted by Ryan Ollos <ry...@wandisco.com>.
On Jul 9, 2013 10:10 PM, "Olemis Lang" <ol...@gmail.com> wrote:
>
> On 7/9/13, Ryan Ollos <ry...@wandisco.com> wrote:
> > On Tue, Jul 9, 2013 at 2:57 PM, John Oliver
> > <jo...@insightfullogic.com>wrote:
> >
> [...]
> >
> > This led to a suggestion from him that we might consider, that the
message
> > presented in the browser include information about needing to run the
> > activate script. We might be able to help the user in an even simpler
way
> > though, by providing the full path to `trac-admin` in the message.
> >
> > Rather than, The Trac Environment needs to be upgraded. Run "trac-admin
> >
/home/foo/bloodhound/apache-bloodhound-0.5.3/installer/bloodhound/environments/main
> > upgrade")
> >
> > the message could be: The Trac Environment needs to be upgraded. Run
> > "/home/foo/bloodhound/bh/bin/trac-admin
> >
/home/foo/bloodhound/apache-bloodhound-0.5.3/installer/bloodhound/environments/main
> > upgrade")
> >
> > This change should probably be made in the Trac core.
> >
>
> IMO, in the general case this will reveal server paths to users who
> are not in a position to do anything about that. I'm not sure how
> beneficial it will be in practice. Indeed I'm of the opinion that
> such messages are only effective for trac admins. It'd be very nice to
> determine whether the target user is granted the TRAC_ADMIN permission
> and only then show such a message. Regular users might only see an HTTP
> 503 ''Service unavailable'' response with body «Under maintenance»,
> or the like.
>
> --
> Regards,
>
> Olemis.

Yeah that makes sense. In regards to revealing the path, this crossed my
mind, but since the path to the env directory is revealed it didn't seem
any worse to reveal the path to trac-admin. Your idea to hide them both
from regular users sounds even better though.

I also haven't looked into whether the path to trac-admin is readily
available where the upgrade message is generated, in order to make showing
the full path feasible.

Re: SensitiveTicketPlugin install issue

Posted by Olemis Lang <ol...@gmail.com>.
On 7/9/13, Ryan Ollos <ry...@wandisco.com> wrote:
> On Tue, Jul 9, 2013 at 2:57 PM, John Oliver
> <jo...@insightfullogic.com>wrote:
>
[...]
>
> This led to a suggestion from him that we might consider, that the message
> presented in the browser include information about needing to run the
> activate script. We might be able to help the user in an even simpler way
> though, by providing the full path to `trac-admin` in the message.
>
> Rather than, The Trac Environment needs to be upgraded. Run "trac-admin
> /home/foo/bloodhound/apache-bloodhound-0.5.3/installer/bloodhound/environments/main
> upgrade")
>
> the message could be: The Trac Environment needs to be upgraded. Run
> "/home/foo/bloodhound/bh/bin/trac-admin
> /home/foo/bloodhound/apache-bloodhound-0.5.3/installer/bloodhound/environments/main
> upgrade")
>
> This change should probably be made in the Trac core.
>

IMO, in the general case this will reveal server paths to users who
are not in a position to do anything about that. I'm not sure how
beneficial it will be in practice. Indeed I'm of the opinion that
such messages are only effective for trac admins. It'd be very nice to
determine whether the target user is granted the TRAC_ADMIN permission
and only then show such a message. Regular users might only see an HTTP
503 ''Service unavailable'' response with body «Under maintenance»,
or the like.

-- 
Regards,

Olemis.

Re: SensitiveTicketPlugin install issue

Posted by Ryan Ollos <ry...@wandisco.com>.
On Tue, Jul 9, 2013 at 2:57 PM, John Oliver <jo...@insightfullogic.com>wrote:

> Hi, I was evaluating Bloodhound looking for a way of restricting access to
> certain issues and found SensitiveTicketPlugin. I downloaded their current
> version (it was labeled sensitiveticketsplugin-13332.zip), built an egg
> and installed it via the UI. This then led to me simply getting the
> following from the UI:
>
> ```
> (The Trac Environment needs to be upgraded. Run "trac-admin
> /home/foo/bloodhound/apache-bloodhound-0.5.3/installer/bloodhound/environments/main
> upgrade")
> ```
>
> Running that command then results in:
>
> ```
> TracError: Database newer than Trac version
> ```
>
> The console log around this time seems to show nothing interesting:
>
> ```
> 10.10.0.134 - - [09/Jul/2013 21:05:20] "GET /main/admin HTTP/1.1" 200 -
> 10.10.0.134 - - [09/Jul/2013 21:05:25] "GET /main/admin/ticket/type
> HTTP/1.1" 200 -
> 10.10.0.134 - - [09/Jul/2013 21:05:28] "GET /main/admin/general/plugin
> HTTP/1.1" 200 -
> 10.10.0.134 - - [09/Jul/2013 21:05:30] "POST /main/admin/general/plugin
> HTTP/1.1" 500 -
> 10.10.0.134 - - [09/Jul/2013 21:05:30] "GET /main/chrome/common/css/code.css
> HTTP/1.1" 200 -
> 10.10.0.134 - - [09/Jul/2013 21:05:53] "POST /main/admin/general/plugin
> HTTP/1.1" 303 -
> 10.10.0.134 - - [09/Jul/2013 21:05:53] "GET /main/admin/general/plugin
> HTTP/1.1" 500 -
> 10.10.0.134 - - [09/Jul/2013 21:06:47] "GET /main/admin/general/plugin
> HTTP/1.1" 500 -
> ```
>
> I presume the transition from 200's to 500's is the point at which I
> installed the plugin.
>
> This was on version 0.5.3 using sqlite db.
>
> I was asked to also attach the db. I am a bit hesitant since I am not 100%
> sure that it does not contain any sensitive data. It was only a testing instance
> and has no issues in it yet, so it looks clean; my main worry is over
> passwords/hashes, which again don't appear to be present. So if someone
> wants it I will be willing to share it off list, let me know.
>
> Thank you very much
>
> John Oliver
>

It looks like this message took a few hours to post to the list.

John came to the conclusion that the issue was caused by having Trac
installed through his OS package manager, and not running his virtualenv's
activate shell script before running the trac-admin upgrade command. So
when he ran "trac-admin ... upgrade", the trac-admin being executed was the
instance installed in his system path, not the one installed in the
virtualenv.

This led to a suggestion from him that we might consider, that the message
presented in the browser include information about needing to run the
activate script. We might be able to help the user in an even simpler way
though, by providing the full path to `trac-admin` in the message.

Rather than, The Trac Environment needs to be upgraded. Run "trac-admin
/home/foo/bloodhound/apache-bloodhound-0.5.3/installer/bloodhound/environments/main
upgrade")

the message could be: The Trac Environment needs to be upgraded. Run
"/home/foo/bloodhound/bh/bin/trac-admin
/home/foo/bloodhound/apache-bloodhound-0.5.3/installer/bloodhound/environments/main
upgrade")

This change should probably be made in the Trac core.
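Added example (not Trac's or Bloodhound's own code) sketching the two ideas raised in this thread for the "environment needs to be upgraded" page: compose the command with the full path of the trac-admin that belongs to the running interpreter (derived from sys.executable, as Olemis notes the test suite does), and show that text only to requesters holding TRAC_ADMIN, while everyone else receives a generic 503 "Under maintenance" that carries no server paths. The function and parameter names are assumptions, the permission set stands in for Trac's permission cache, and the 500 status for the admin-facing page mirrors the 500s in the console log above rather than anything Trac specifies.

```python
"""Added example: privilege-gated upgrade notice (not Trac or Bloodhound code)."""
import os
import sys


def trac_admin_for(python_exe=sys.executable):
    """trac-admin installed beside the given interpreter, e.g. <venv>/bin/trac-admin.

    Falls back to the bare name when no such file exists (for example a Trac
    installed without console scripts), so the message stays usable.
    """
    candidate = os.path.join(os.path.dirname(python_exe), "trac-admin")
    return candidate if os.path.isfile(candidate) else "trac-admin"


def upgrade_message(env_path, trac_admin):
    """The admin-facing text, now naming the trac-admin unambiguously."""
    return ('The Trac Environment needs to be upgraded. Run "%s %s upgrade"'
            % (trac_admin, env_path))


def upgrade_response(perms, env_path, trac_admin):
    """(status, body) for a request that hit an environment needing upgrade.

    `perms` is the set of permission names granted to the requester; only
    TRAC_ADMIN holders can act on the instruction, so only they see paths.
    """
    if "TRAC_ADMIN" in perms:
        return 500, upgrade_message(env_path, trac_admin)
    # Regular users learn nothing about the filesystem layout.
    return 503, "Under maintenance"


def leaks_path(body, *paths):
    """Check helper: does the response body mention any of the given paths?"""
    return any(p in body for p in paths)


if __name__ == "__main__":
    env = ("/home/foo/bloodhound/apache-bloodhound-0.5.3/installer/"
           "bloodhound/environments/main")
    admin_tool = trac_admin_for()  # whatever sits beside this interpreter
    for who, perms in (("admin", {"TRAC_ADMIN"}), ("user", {"TICKET_VIEW"})):
        status, body = upgrade_response(perms, env, admin_tool)
        print(who, status, body, "leaks paths:", leaks_path(body, env, admin_tool))
```

The `leaks_path` helper is the check to keep in a test: whatever wording the notice ends up with, the non-admin body must never contain the environment or tool path.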