
Config rollback function is broken due to lack of access to config.boot
Needs testing, High | Public | BUG

Description

The rollback commands and the script vyatta-config-mgmt.pl --action=rollback run as the current user. During rollback, the internal function cm_write_file tries to write to the /opt/vyatta/etc/config/archive/config.boot file.
But because this file allows write access only to the root user, the operation fails and the rollback cannot be done:

Permission:
-rw-r--r-- 1 root vyattacfg 1630 Aug 27 18:41 /opt/vyatta/etc/config/archive/config.boot

Error body:
Couldn't open /opt/vyatta/etc/config/archive/config.boot - Permission denied at /opt/vyatta/share/perl5/Vyatta/ConfigMgmt.pm line 108.

Both the 1.3 and 1.2 versions are affected.

Details

Difficulty level
Unknown (requires assessment)
Version
1.3-rolling-202008270118. 1.2.5
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)

Event Timeline

zsdc changed the task status from Open to Confirmed. Aug 27 2020, 6:51 PM
zsdc triaged this task as High priority.
zsdc created this task.
pasik added a subscriber: pasik. Aug 28 2020, 3:43 PM
Viacheslav added a comment. (Edited) Thu, Oct 15, 6:15 AM

If I do a clean install of 1.2.6-s1 from ISO, the rollback works fine.
If I deploy from a qcow2 image, I see a similar error.

Deployed from iso

vyos@r1-1.2.6:~$ ls -la  /opt/vyatta/etc/config/
total 36
drwxrwsr-x 8 root vyattacfg 4096 Oct 15 08:58 .
drwxr-xr-x 1 root root      4096 Sep 27 13:03 ..
drwxrwsr-x 2 root vyattacfg 4096 Oct 15 09:06 archive
drwxrwsr-x 2 root vyattacfg 4096 Sep 27 13:02 auth
-rwxrwxr-x 1 root vyattacfg 2282 Oct 15 09:03 config.boot
drwxrwsr-x 2 root vyattacfg 4096 Sep 27 13:02 scripts
drwxrwsr-x 2 root vyattacfg 4096 Sep 27 13:02 support
drwxr-sr-x 3 root vyattacfg 4096 Sep 27 13:03 url-filtering
drwxrwsr-x 2 root vyattacfg 4096 Sep 27 13:02 user-data
-rw-r--r-- 1 root vyattacfg    0 Oct 15 08:58 .vyatta_config

Deployed from qcow2

vyos@r-2.lts# ls -la  /opt/vyatta/etc/config/
total 40
drwxrwsr-x 8 root vyattacfg 4096 Oct 15 09:11 .
drwxr-xr-x 1 root root      4096 Sep 28 23:29 ..
drwxrwsr-x 2 root vyattacfg 4096 Oct 15 09:11 archive
drwxrwsr-x 2 root vyattacfg 4096 Sep 28 23:10 auth
-rw-r--r-- 1 root vyattacfg 2134 Oct 15 09:11 config.boot
-rwxr-xr-x 1 root vyattacfg  723 Oct 15 09:11 config.boot.2020-10-15-0611.pre-migration
drwxrwsr-x 2 root vyattacfg 4096 Sep 28 23:10 scripts
drwxrwsr-x 2 root vyattacfg 4096 Sep 28 23:10 support
drwxr-sr-x 3 root vyattacfg 4096 Sep 28 23:10 url-filtering
drwxrwsr-x 2 root vyattacfg 4096 Sep 28 23:10 user-data
-rw-r--r-- 1 root vyattacfg    0 Sep 28 23:29 .vyatta_config
[edit]
UnicronNL changed the task status from Confirmed to Needs testing. Sat, Oct 17, 1:27 PM
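
The two listings above differ in the group write bit on config.boot. The shell function below is an added example, not part of this task or of VyOS code: it reads ls -l output and reports whether a group can write a named file. It assumes the CLI user gets write access through the vyattacfg group, and the names group_write_status and demo are hypothetical.

```shell
#!/bin/sh
# Added example (not VyOS code): decide from `ls -l` output whether members of
# a group can write a file, the condition behind the "Permission denied" error.

# group_write_status GROUP NAME      (reads `ls -l` or `ls -la` output on stdin)
# Returns 0 if NAME is writable by GROUP, 1 if it is not,
# 2 if NAME is not listed as a regular file.
group_write_status() {
    awk -v grp="$1" -v name="$2" '
        # Regular files only; the file name is the last field (no spaces assumed).
        $1 ~ /^-/ && $NF == name {
            found = 1
            # Mode string: char 1 = type, 2-4 = owner, 5-7 = group, 8-10 = other.
            if ($4 == grp && substr($1, 6, 1) == "w") {
                printf "%s: writable by %s\n", name, grp
            } else {
                printf "%s: NOT writable by %s (%s %s:%s)\n", name, grp, $1, $3, $4
                rc = 1
            }
        }
        END { exit (found ? rc + 0 : 2) }
    '
}

# The config.boot lines copied from the two listings on this page.
ISO_LINE='-rwxrwxr-x 1 root vyattacfg 2282 Oct 15 09:03 config.boot'
QCOW2_LINE='-rw-r--r-- 1 root vyattacfg 2134 Oct 15 09:11 config.boot'

demo() {
    printf '%s\n' "$ISO_LINE"   | group_write_status vyattacfg config.boot
    printf '%s\n' "$QCOW2_LINE" | group_write_status vyattacfg config.boot
}

# The second check returns 1 by design, so do not let it abort the script.
demo || true
```

On a live system the same function can be fed from ls -l /opt/vyatta/etc/config/archive/ to check the file named in the error message.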