Your message dated Tue, 01 Apr 2014 13:00:07 +0000 with message-id <[email protected]> and subject line Bug#610630: fixed in net-snmp 5.7.2.1~dfsg-1 has caused the Debian Bug report #610630, regarding snmpd upgrade unnecessarily removes and re-adds user and group. to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

--
610630: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=610630
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: snmpd
Version: 5.4.3~dfsg-2
Severity: normal

Upgrading snmpd (and possibly snmp also) from lenny to squeeze appears to remove any existing snmp user and group, and recreate them. In our case this ultimately meant that the UID and GID of the snmp user and group changed, which affected some of our automated scripts, but also caused rkhunter to report warnings due to changes in /etc/passwd and /etc/group.

I don't think that there is _any_ need for this to hold up squeeze, and may only cause issues in specific environments (and therefore a small number of cases), but I do think it's a bug as it negatively impacted our environment (albeit, only in a minor way).

Looking into the dpkg scripts that run, my guess is that the issue is from /var/lib/dpkg/info/snmpd.postinst. I realise that one of the new features in squeeze is that the package now configures an snmp group, rather than using "nogroup", and this has to be managed on upgrading the package, but I'm not sure I understand the logic in the postinst script.

To me, and confirmed by my simple tests, the relevant steps in the script do the following (comments added to explain what I think is happening, in case I may have my reasoning wrong):

#---8<-----------------------------------------------------------------
# Check if an snmp group exists
if [ ! `getent group snmp >/dev/null` ]; then
    # A snmp group does exist, delete the snmp user, which
    # removes the existing group too.
    deluser --quiet --system snmp
fi
# (Re)create an snmp user, with primary group
adduser --quiet --system --group --no-create-home --home /var/lib/snmp snmp
# Assign file-system permissions as necessary
chown -R snmp:snmp /var/lib/snmp
#---8<-----------------------------------------------------------------

My question is, if the snmp group already exists, why delete the user and re-create it?

Normally this shouldn't be an issue, as in some cases dropping and creating users/groups will be idempotent -- they'll end up with the same UID/GID as they previously had. However, it seems that if there are "holes" in the sequence of lowest available UID/GID adduser will fill in the gap, which results in the UID/GID changing, which in turn may affect something else on the system that sits outside the scope of the upgrade script.

I've attached a patch which should do the trick. I'm not sure if the last else clause of the patch is necessary, but should keep things in line with the aim of the initial script, without the issue of changing UID/GID numbers around. (The comments are just to explain my thinking, feel free to remove them).

Thanks for your time.

Dameon

--
><> ><> ><> ><> ><> ><> ooOoo <>< <>< <>< <>< <>< <><
Dr. Dameon Wagner, Lead System Administrator and Senior ICT Specialist,
Depts. of Computer Science & Information Systems,
Rhodes University, Grahamstown, South Africa.
:Beta tester for Pegasus & Mercury/32 (www.pmail.com):
><> ><> ><> ><> ><> ><> ooOoo <>< <>< <>< <>< <>< <><

-- System Information:
Debian Release: 6.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_ZA.UTF-8, LC_CTYPE=en_ZA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages snmpd depends on:
ii  adduser                3.112+nmu2        add and remove users and groups
ii  debconf [debconf-2.0]  1.5.36            Debian configuration management sy
ii  libc6                  2.11.2-7          Embedded GNU C Library: Shared lib
ii  libsnmp15              5.4.3~dfsg-2      SNMP (Simple Network Management Pr
ii  libwrap0               7.6.q-19          Wietse Venema's TCP wrappers libra
ii  lsb-base               3.2-23.2squeeze1  Linux Standard Base 3.2 init scrip

snmpd recommends no packages.

snmpd suggests no packages.

-- Configuration Files: /etc/snmp/snmpd.conf [Errno 13] Permission denied: u'/etc/snmp/snmpd.conf' /etc/snmp/snmptrapd.conf [Errno 13] Permission denied: u'/etc/snmp/snmptrapd.conf' -- debconf information: snmpd/upgradefrom521:diff -ur var/lib/dpkg/info/snmpd.postinst new/var/lib/dpkg/info/snmpd.postinst --- var/lib/dpkg/info/snmpd.postinst 2011-01-20 14:23:48.000000000 +0200 +++ new/var/lib/dpkg/info/snmpd.postinst 2011-01-20 15:22:59.000000000 +0200 @@ -3,10 +3,21 @@ set -e if [ "x$1" = xconfigure ]; then - if [ ! `getent group snmp >/dev/null` ]; then - deluser --quiet --system snmp + # Check for the existance of an snmp user and/or group + if [ `getent passwd snmp >/dev/null` ]; then + # user snmp missing, create it, with primary group + adduser --quiet --system --group --no-create-home \ + --home /var/lib/snmp snmp + else if [ `getent group snmp >/dev/null` ]; then + # user snmp exists, but group doesn't, make it, and + # assign snmp group as primary group to snmp user. + addgroup --quiet --system snmp + usermod -g snmp snmp + else + # snmp user and group exist, make sure that snmp + # is the primary group for the snmp user? + usermod -g snmp snmp fi - adduser --quiet --system --group --no-create-home --home /var/lib/snmp snmp chown -R snmp:snmp /var/lib/snmp fi
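
Review bot: Both added tests, `[ `getent passwd snmp >/dev/null` ]` and `[ `getent group snmp >/dev/null` ]`, can never be true: the output is redirected to /dev/null, so the substitution expands to nothing and an empty `[ ]` is false. Every run therefore falls through to the final `usermod -g snmp snmp`, which fails when the snmp user or group does not exist yet, and with `set -e` that failure aborts the script on a fresh install. Test the exit status instead, for example `if ! getent passwd snmp >/dev/null; then`, which also brings the conditions in line with the comments (the first branch is commented "user snmp missing"). Separately, `else if` opens a nested `if` that consumes the one added `fi`, so the trailing context `fi` now closes the `getent passwd` test rather than the `xconfigure` one; `elif` avoids that.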
--- End Message ---
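
The behaviour described in the report above, as an added example that is not part of the report or of the Debian package. It is a simplified model: `lookup`, `remove` and `create` are hypothetical stand-ins for getent, deluser and adduser, the passwd-style data is constructed, and lowest-free UID allocation is assumed as the report describes it.

```shell
#!/bin/sh
# Simplified model of the postinst logic quoted in the report.
# lookup/remove/create are hypothetical stand-ins for getent/deluser/adduser
# and work on a constructed passwd-style file, not the real account database.
DB=$(mktemp)
trap 'rm -f "$DB" "$DB.new"' EXIT

reset_db() {   # constructed sample: UID 103 is a hole, snmp currently has 105
    printf '%s\n' 'a:x:100:' 'b:x:101:' 'c:x:102:' 'd:x:104:' 'snmp:x:105:' > "$DB"
}
lookup() { grep "^$1:" "$DB"; }           # prints the entry, exit 0 if present
uid_of() { lookup "$1" | cut -d: -f3; }
remove() { grep -v "^$1:" "$DB" > "$DB.new"; mv "$DB.new" "$DB"; }
create() {                                # assumption: lowest free UID is reused
    uid=100
    while cut -d: -f3 "$DB" | grep -qx "$uid"; do uid=$((uid + 1)); done
    echo "$1:x:$uid:" >> "$DB"
}

postinst_as_shipped() {
    # The lookup output goes to /dev/null, so the substitution is empty and
    # the test becomes `[ ! ]`: a one-argument test of the non-empty string
    # "!", which is always true. The account is removed on every run.
    if [ ! `lookup snmp >/dev/null` ]; then
        remove snmp
    fi
    create snmp
}

postinst_exit_status() {
    # Test the command's exit status, not its discarded output:
    # the account is created only when it is really missing.
    if ! lookup snmp >/dev/null; then
        create snmp
    fi
}

# Run one variant against a fresh copy of the sample data, report snmp's UID.
uid_after() { reset_db; "$1"; uid_of snmp; }
# Fresh install: no snmp entry beforehand, the exit-status variant creates it.
fresh_install_uid() { reset_db; remove snmp; postinst_exit_status; uid_of snmp; }

echo "as shipped:    105 -> $(uid_after postinst_as_shipped)"
echo "exit status:   105 -> $(uid_after postinst_exit_status)"
echo "fresh install: none -> $(fresh_install_uid)"
```

A changed UID of this kind is what file-integrity tools such as the rkhunter check mentioned in the report will flag in /etc/passwd and /etc/group.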
--- Begin Message ---
Source: net-snmp
Source-Version: 5.7.2.1~dfsg-1

We believe that the bug you reported is fixed in the latest version of net-snmp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Hideki Yamane <[email protected]> (supplier of updated net-snmp package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])

Format: 1.8
Date: Sun, 30 Mar 2014 19:58:39 +0900
Source: net-snmp
Binary: snmpd snmptrapd snmp libsnmp-base libsnmp30 libsnmp30-dbg libsnmp-dev libsnmp-perl python-netsnmp tkmib
Architecture: source amd64 all
Version: 5.7.2.1~dfsg-1
Distribution: experimental
Urgency: medium
Maintainer: Net-SNMP Packaging Team <[email protected]>
Changed-By: Hideki Yamane <[email protected]>
Description:
 libsnmp-base - SNMP configuration script, MIBs and documentation
 libsnmp-dev - SNMP (Simple Network Management Protocol) development files
 libsnmp-perl - SNMP (Simple Network Management Protocol) Perl5 support
 libsnmp30 - SNMP (Simple Network Management Protocol) library
 libsnmp30-dbg - SNMP (Simple Network Management Protocol) library debug
 python-netsnmp - SNMP (Simple Network Management Protocol) Python support
 snmp - SNMP (Simple Network Management Protocol) applications
 snmpd - SNMP (Simple Network Management Protocol) agents
 snmptrapd - Net-SNMP notification receiver
 tkmib - SNMP (Simple Network Management Protocol) MIB browser
Closes: 482041 577649 589040 606784 610630 640456 717179 717419 718988 726158 728546 729732 731625 741504 742817
Changes:
 net-snmp (5.7.2.1~dfsg-1) experimental; urgency=medium
 .
   * New upstream release
     - fix DoS on ICMP-MIB as CVE-2014-2284 (Closes: #742817)
   * Ack NMU (Closes: #717419)
   * debian/patches
     - add add_rocommunity6.patch to fix snmpwalk using ipv6 (Closes: #717179)
     - add fix_manpage-has-errors-from-man.patch
     - add agentx-crash.patch, taken from Fedora package. It fixes
       CVE-2012-6151 (Closes: #731625)
     - add TrapReceiver.patch to fix CVE-2014-2285
   * debian/control
     - set Standards-Version: 3.9.5
     - add "Build-Depends: libpci-dev" to enable libpci function that was
       introduced in 5.7 (Closes: #741504)
   * debian/libsnmp-dev.install
     - add missing net-snmp-create-v3-user (Closes: #726158, #718988)
   * debian/upstream/signing-key.asc
     - check upstream PGP key
   * debian/rules
     - add etherlike-mib/dot3StatsTable (Closes: #729732, LP#1251847)
   * debian/snmpd.init
     - relax start-stop-daemons avoid restart daemon before it terminates.
       Thanks to Saj Goonatilleke <[email protected]> for the patch
       (Closes: #640456)
     - fix "init.d-script-does-not-source-init-functions" lintian warning
   * debian/snmpd.postinst
     - fix weird user creation (Closes: #482041, #589040, #606784, #610630)
   * debian/snmpd.postrm
     - remove unnecessary old /var/agentx/master directory with purge
       (Closes: #728546)
   * debian/snmp.install
     - move traptoemail to snmptrapd.install releated to above changes
   * debian/{snmpd,snmptrapd}.default
     - fix pid diretory
   * debian/README.Debian
     - note snmpconf is in snmp package (Closes: #577649)
--- End Message ---

