[Yum-devel] "bug" in yum-security

Christoph Anton Mitterer calestyo at scientia.net
Sat Apr 14 22:23:37 UTC 2012


Hi.

I found some problem in the yum security plugin.

What I do is run the nagios/icinga check_yum plugin periodically as 
non-root (!) user.
So that the system is not cluttered with repository caches, and because a 
simple yum check-update takes quite some time, I run yum makecache 
periodically as root (!) via cron (every hour).

Now check_yum invokes yum like the following:
/usr/bin/yum --security check-update -C

Which leads as non-root user to the following output and error:
$ /usr/bin/yum --security check-update -C
Loaded plugins: changelog, downloadonly, fastestmirror, keys, priorities, protectbase, ps, security, verify
102 packages excluded due to repository priority protections
0 packages excluded due to repository protections
Limiting package lists to security relevant ones


[Errno 13] Permission denied: '/var/cache/yum/x86_64/6.2/epel/gen/updateinfo.xml'
$

Strace shows the following:
$ strace -e trace=open /usr/bin/yum --security check-update -C 2>&1 | grep EACCES
open("DB_CONFIG", O_RDONLY)             = -1 EACCES (Permission denied)
open("DB_CONFIG", O_RDONLY)             = -1 EACCES (Permission denied)
open("DB_CONFIG", O_RDONLY)             = -1 EACCES (Permission denied)
open("/var/cache/yum/x86_64/6.2/epel/20ea7be5624822f05d7cf61426ffcaf71f2104a5905ccc4880495741ab02a801-primary.sqlite", O_RDWR|O_CREAT, 0644) = -1 EACCES (Permission denied)
open("/var/cache/yum/x86_64/6.2/sl/primary.sqlite", O_RDWR|O_CREAT, 0644) = -1 EACCES (Permission denied)
open("/var/cache/yum/x86_64/6.2/sl-security/primary.sqlite", O_RDWR|O_CREAT, 0644) = -1 EACCES (Permission denied)
open("/var/cache/yum/x86_64/6.2/epel/gen/updateinfo.xml", O_WRONLY|O_CREAT|O_TRUNC, 0666) = -1 EACCES (Permission denied)
$

All these files are root owned and -rw-r--r--.


When I then run
/usr/bin/yum --security check-update -C
as root, and afterwards again as non-root user, it works for the 
non-root user (even though the permissions haven't changed). No idea why.


Any ideas?

Please CC me, as I'm going to unsubscribe from the lists again. I tried 
to report this as bug in trac, but apparently one needs special rights 
for reporting tickets and an account is not enough... o.O
Strange because you advertise the reporting at many places in the 
FAQ/etc.


Cheers,
Chris.
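
Added example, not part of the original message: a small parser for `strace -e trace=open` output like the excerpt above. It rejoins mail-wrapped records and separates denied opens that asked for write or create access from read-only ones. The sample lines are constructed from the excerpt, and the function names are this example's own.

```python
import re

# Sample modelled on the strace excerpt in the post, including the mail
# client's hard line wraps (constructed for this example).
SAMPLE = '''\
open("DB_CONFIG", O_RDONLY)             = -1 EACCES (Permission denied)
open("/var/cache/yum/x86_64/6.2/sl/primary.sqlite", O_RDWR|O_CREAT,
0644) = -1 EACCES (Permission denied)
open("/var/cache/yum/x86_64/6.2/epel/gen/updateinfo.xml",
O_WRONLY|O_CREAT|O_TRUNC, 0666) = -1 EACCES (Permission denied)
open("/etc/yum.conf", O_RDONLY)         = 3
'''

OPEN_RE = re.compile(
    r'open\("(?P<path>[^"]*)",\s*(?P<flags>[A-Z_|]+)(?:,\s*(?P<mode>[0-7]+))?\)'
    r'\s*=\s*(?P<ret>-?\d+)(?:\s+(?P<errno>E[A-Z]+))?'
)
WRITE_FLAGS = {"O_WRONLY", "O_RDWR", "O_CREAT", "O_TRUNC", "O_APPEND"}

def unwrap(text):
    """Rejoin records that were hard-wrapped: a record starts with 'open('."""
    records = []
    for line in text.splitlines():
        if line.startswith("open(") or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def denied_opens(text):
    """Return (path, flags, write_intent) for every open() that hit EACCES."""
    hits = []
    for rec in unwrap(text):
        m = OPEN_RE.search(rec)
        if not m or m.group("errno") != "EACCES":
            continue
        flags = set(m.group("flags").split("|"))
        hits.append((m.group("path"), sorted(flags), bool(flags & WRITE_FLAGS)))
    return hits

def write_attempts(text):
    """Paths the unprivileged process tried to create or modify."""
    return [path for path, _, wants_write in denied_opens(text) if wants_write]

if __name__ == "__main__":
    for path, flags, wants_write in denied_opens(SAMPLE):
        kind = "WRITE" if wants_write else "read "
        print(f"{kind}  {path}  ({'|'.join(flags)})")
```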

