Important Security Fix

Dear community,

If you installed Frappe/ERPNext using the easy install script (setup_frappe.sh) or used the new bench setup production command between 11th November 2014 and 17th November 2014, there was a bug which configured supervisor to run the frappe processes as root. To rectify this, please run:

bench update --bench
bench patch fix-perms

Thanks to Marius Gedminas for reporting this.


Pratik

If I run it as user erpnext, I get

“superuser priviliges required for this command”.

then if I run as root, it complains:

“you should not run this command as root”.

If I restart supervisor, it's still running as root. How do I change that?

Thanks.

Try running bench update as erpnext and bench patch fix-perms as root

Wouldn’t let me git pull.

I think I installed it poorly as root, and some permissions are wrong, as some dirs were owned by root.

So I’ve been modding everything to be owned by erpnext instead.

Yet still, something remains - can’t git pull the third thing it’s trying to git pull here. Can you let me know what that is? I can’t work it out. Thanks.

erpnext@sv:~/frappe-bench$ bench update --bench
Already up-to-date.
Already up-to-date.
error: cannot open .git/FETCH_HEAD: Permission denied

Error: None
Traceback (most recent call last):
  File "/usr/local/bin/bench", line 9, in <module>
    load_entry_point('bench==0.1', 'console_scripts', 'bench')()
  File "/home/bench-repo/bench/cli.py", line 38, in cli
    return bench()
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 610, in __call__
    return self.main(*args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 590, in main
    rv = self.invoke(ctx)
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 936, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 782, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/usr/local/lib/python2.7/dist-packages/click/core.py", line 416, in invoke
    return callback(*args, **kwargs)
  File "/home/bench-repo/bench/cli.py", line 163, in update
    pull_all_apps()
  File "/home/bench-repo/bench/app.py", line 73, in pull_all_apps
    exec_cmd("git pull {rebase} upstream {branch}".format(rebase=rebase, branch=get_current_branch(app_dir)), cwd=app_dir)
  File "/home/bench-repo/bench/utils.py", line 61, in exec_cmd
    subprocess.check_call(cmd, cwd=cwd, shell=True)
  File "/usr/lib/python2.7/subprocess.py", line 511, in check_call
    raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command 'git pull upstream master

Just chown the apps dir recursively to erpnext and it should update cleanly. Then run the bench patch fix-perms.

I accept that there has always been confusion about what user should run what and where, so I have implemented automation in the bench for that. For all new installs, if you run a bench command as root, it will drop privileges wherever appropriate.
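
A way to check for the misconfiguration described in the announcement, added here as an example (not code from this thread or from bench): it parses a supervisor config and lists every [program:x] section that would run as root, either because user= names root or because user= is missing while supervisord itself runs as root. The sample config, its program names and the function name are constructed for illustration.

```python
import configparser

# Constructed sample config; program names and commands are placeholders,
# not copied from a real bench install.
SAMPLE_CONF = """
[supervisord]
logfile=/var/log/supervisor/supervisord.log

[program:frappe-web]
command=/bin/true ; placeholder command
user=erpnext

[program:frappe-worker]
command=/bin/true ; placeholder command, note: no user= line

[program:frappe-workerbeat]
command=/bin/true
user=root
"""


def find_root_programs(conf_text, supervisord_is_root=True):
    """Return [(program, reason)] for programs supervisor would run as root.

    supervisord_is_root is an assumption supplied by the caller: when
    supervisord is started as root, a program without user= inherits root.
    """
    parser = configparser.RawConfigParser(
        strict=False, inline_comment_prefixes=(";",)
    )
    parser.read_string(conf_text)
    findings = []
    for section in parser.sections():
        if not section.startswith("program:"):
            continue
        name = section.split(":", 1)[1]
        user = parser.get(section, "user", fallback=None)
        if user is None:
            if supervisord_is_root:
                findings.append((name, "no user= set, inherits root"))
        elif user.strip() in ("root", "0"):
            findings.append((name, "user= explicitly set to root"))
    return findings


if __name__ == "__main__":
    for program, reason in find_root_programs(SAMPLE_CONF):
        print("%s: %s" % (program, reason))
```

To use it on a real host, pass the text of the supervisor config file in place of SAMPLE_CONF; an empty result means every program section names a non-root user.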