Bug#953030: bacula-sd.postinst fails on systems with protected_regular=2 enabled

Tue, 03 Mar 2020 07:15:59 -0800 

Package: bacula-sd
Version: 9.4.4-2
Tags: patch
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu focal ubuntu-patch

Hi,

bacula-sd.postinst currently uses mktemp, chowns to bacula.bacula, and
then attempts to write to the temporary file using a shell redirection.

If a system has /proc/sys/fs/protected_regular set to 2, then this
fails[1].

While what is being done might be safe in this particular case, writing
to a file in /tmp not owned by the writing user is in principle unsafe,
and so it is blocked. In Ubuntu we are moving to protected_regular=2 and
so for us a build of this package becomes uninstallable[2].

Please consider applying the attached patch, which simply rearranges the
postinst to change file ownership after writing the file. This prevents
the protection from being tripped.

Thanks,

Robie

[1] https://www.kernel.org/doc/Documentation/sysctl/fs.txt
[2] https://lists.ubuntu.com/archives/ubuntu-devel/2020-February/040904.html

From 2efa5028139683bd851c76ab117cc47cf698e2b3 Mon Sep 17 00:00:00 2001
From: Robie Basak <robie.ba...@canonical.com>
Date: Mon, 2 Mar 2020 20:19:27 +0000
Subject: [PATCH]   * d/bacula-sd.postinst: change temporary file ownership
 after writing to it     to avoid a protected_regular=2 world-writeable sticky
 denial.

---
 debian/bacula-sd.postinst | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/debian/bacula-sd.postinst b/debian/bacula-sd.postinst
index 1ed67ff4..d3f83bb8 100644
--- a/debian/bacula-sd.postinst
+++ b/debian/bacula-sd.postinst
@@ -14,13 +14,13 @@ case "$1" in
 
 	# create new bacula-sd.conf using the template
 	TMP_CONFIG="$(mktemp -p /tmp $PKG_NAME.conf.ucftmp-XXXXXXXXXX)"
-	chmod 640 $TMP_CONFIG
-	chown bacula:bacula $TMP_CONFIG
 
 	sed -e s~@debian_basename@~`hostname`~ \
 	    -e s~XXX_SDPASSWORD_XXX~$SDPASSWD~ \
 	    -e s~XXX_MONSDPASSWORD_XXX~$SDMPASSWD~ \
 	    $TEMPLATE > $TMP_CONFIG
+	chmod 640 $TMP_CONFIG
+	chown bacula:bacula $TMP_CONFIG
 	# let ucf handle the conffile and register it
 	ucf --debconf-ok --three-way $TMP_CONFIG $TARGET
 	ucfr $PKG_NAME $TARGET
-- 
2.25.0

Attachment: signature.asc
Description: PGP signature

Reply via email to