Package: bacula-sd Version: 9.4.4-2 Tags: patch User: ubuntu-de...@lists.ubuntu.com Usertags: origin-ubuntu focal ubuntu-patch
Hi, bacula-sd.postinst currently uses mktemp, chowns to bacula.bacula, and then attempts to write to the temporary file using a shell redirection. If a system has /proc/sys/fs/protected_regular set to 2, then this fails[1]. While what is being done might be safe in this particular case, writing to a file in /tmp not owned by the writing user is in principle unsafe, and so it is blocked. In Ubuntu we are moving to protected_regular=2 and so for us a build of this package becomes uninstallable[2]. Please consider applying the attached patch, which simply rearranges the postinst to change file ownership after writing the file. This prevents the protection from being tripped. Thanks, Robie [1] https://www.kernel.org/doc/Documentation/sysctl/fs.txt [2] https://lists.ubuntu.com/archives/ubuntu-devel/2020-February/040904.html
From 2efa5028139683bd851c76ab117cc47cf698e2b3 Mon Sep 17 00:00:00 2001 From: Robie Basak <robie.ba...@canonical.com> Date: Mon, 2 Mar 2020 20:19:27 +0000 Subject: [PATCH] * d/bacula-sd.postinst: change temporary file ownership after writing to it to avoid a protected_regular=2 world-writeable sticky denial. --- debian/bacula-sd.postinst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/debian/bacula-sd.postinst b/debian/bacula-sd.postinst index 1ed67ff4..d3f83bb8 100644 --- a/debian/bacula-sd.postinst +++ b/debian/bacula-sd.postinst @@ -14,13 +14,13 @@ case "$1" in # create new bacula-sd.conf using the template TMP_CONFIG="$(mktemp -p /tmp $PKG_NAME.conf.ucftmp-XXXXXXXXXX)" - chmod 640 $TMP_CONFIG - chown bacula:bacula $TMP_CONFIG sed -e s~@debian_basename@~`hostname`~ \ -e s~XXX_SDPASSWORD_XXX~$SDPASSWD~ \ -e s~XXX_MONSDPASSWORD_XXX~$SDMPASSWD~ \ $TEMPLATE > $TMP_CONFIG + chmod 640 $TMP_CONFIG + chown bacula:bacula $TMP_CONFIG # let ucf handle the conffile and register it ucf --debconf-ok --three-way $TMP_CONFIG $TARGET ucfr $PKG_NAME $TARGET -- 2.25.0
signature.asc
Description: PGP signature