tags 603428 +patch tags 603428 +penting thanks Hi!
* Alexander Reichle-Schmehl <toli...@debian.org> [101216 14:14]: > The only part missing would to make sure, snort-{mysql,pgsql} write into > the new file instead of the old one, and purge the new file. But the > main part taking care of this bug can already be reviewed if someone > likes to do so ;) Attached is now a proposal to solve this bug. I must confess that I didn't have the chance to do extensive testing (I did only upgrade tests, no functionality tests), but I think I covered most scenarios. The only thing I can think of that might fail is if a user modified his /etc/snort/snort.conf himself and then upgrades. In this case the db configuration is split into a separate file, but the new "include" line isn't added automatically; the user will get the usual "new configuration file, but you modified it, look at it" prompt and hopefully see the db-related changes. I'm not sure if that problem can be solved in a better way. As I'm not a user of snort myself, I encourage more testing of this patch. Packages are available at http://people.debian.org/~tolimar/tmp/snort-nmu/ Best Regards, Alexander
diff -u snort-2.8.5.2/etc/snort.conf snort-2.8.5.2/etc/snort.conf --- snort-2.8.5.2/etc/snort.conf +++ snort-2.8.5.2/etc/snort.conf @@ -701,16 +701,11 @@ # output database: log, odbc, user=snort dbname=snort # output database: log, mssql, dbname=snort user=snort password=test # output database: log, oracle, dbname=snort user=snort password=test -# <debian> -# Keep your paws off of these (#DBSTART#) and (#DBEND#) tokens -# or you *will* break the configure process (snort-pgsql/snort-mysql only) -# Anything you put between them will be removed on (re)configure. -# -# (#DBSTART#) -# (#DBEND#) -# -# </debian> # +# On Debian Systems, the database configuration is sepperate into +# /etc/snort/database.conf. +# please edit it there, to ensure smoother upgrades of this file. +include database.conf # unified: Snort unified binary format alerting and logging diff -u snort-2.8.5.2/debian/snort-pgsql.postinst snort-2.8.5.2/debian/snort-pgsql.postinst --- snort-2.8.5.2/debian/snort-pgsql.postinst +++ snort-2.8.5.2/debian/snort-pgsql.postinst @@ -77,8 +77,7 @@ fi if [ "$STARTUP" != "manual" ]; then - if [ -f /etc/snort/snort.conf ]; then - # insert database config stuff in the configuration file, + # create database config stuff in the configuration file, # or configure it for syslog-logging. db_get snort-pgsql/configure_db if [ "$RET" = "true" ]; then 
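Review bot: Removing the `if [ -f /etc/snort/snort.conf ]; then` line here leaves its closing `fi` behind: neither this hunk nor the following `@@ -87,52 +86,25 @@` hunk drops a `fi`, whereas the snort-mysql.postinst change keeps its `if`/`fi` count balanced by moving the permission block into the `"$RET" = "true"` branch. Unless the matching `fi` is removed somewhere outside the shown hunks, snort-pgsql.postinst ends up with one `fi` too many, the shell rejects the script, and the package cannot be configured. Delete the `fi` that used to close the removed test (it lies below the lines shown) and run `sh -n debian/snort-pgsql.postinst` before uploading. The enclosing `if [ "$STARTUP" != "manual" ]` block starts in this hunk and ends outside it.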
@@ -87,52 +86,25 @@ db_get snort-pgsql/db_user || true; DB_USER=$RET db_get snort-pgsql/db_pass || true; DB_PASS=$RET - # Here we put the database stuff in the config file. TEMPFILE=`mktemp` - cat /etc/snort/snort.conf | while read LINE - do - if [ "$LINE" = "# (#DBSTART#)" ] - then - echo "# (#DBSTART#)" >> $TEMPFILE - echo -n "output database: log, postgresql, " >> $TEMPFILE - if [ $DB_USER ] - then - echo -n "user=$DB_USER " >> $TEMPFILE - fi - if [ $DB_PASS ] - then - echo -n "password=$DB_PASS " >> $TEMPFILE - fi - if [ $DB_DATABASE ] - then - echo -n "dbname=$DB_DATABASE " >> $TEMPFILE - fi - if [ $DB_HOST ] - then - echo -n "host=$DB_HOST " >> $TEMPFILE - fi - echo " " >> $TEMPFILE - echo "# (#DBEND#)" >> $TEMPFILE - break - else - echo $LINE >> $TEMPFILE - fi - done - - WRITE=0 - cat /etc/snort/snort.conf | while read LINE - do - if [ $WRITE -eq 1 ] - then - echo $LINE >> $TEMPFILE - fi - - if [ "$LINE" = "# (#DBEND#)" ] - then - WRITE=1 - fi - done - mv -f $TEMPFILE /etc/snort/snort.conf + echo -n "output database: log, postgresql, " >> $TEMPFILE + if [ $DB_USER ] + then + echo -n "user=$DB_USER " >> $TEMPFILE + fi + if [ $DB_PASS ] + then + echo -n "password=$DB_PASS " >> $TEMPFILE + fi + if [ $DB_DATABASE ] + then + echo -n "dbname=$DB_DATABASE " >> $TEMPFILE + fi + if [ $DB_HOST ] + then + echo -n "host=$DB_HOST " >> $TEMPFILE + fi + mv -f $TEMPFILE /etc/snort/database.conf fi # Ensure the config file is readable by root.root and mode 600 diff -u snort-2.8.5.2/debian/snort-mysql.postinst snort-2.8.5.2/debian/snort-mysql.postinst --- snort-2.8.5.2/debian/snort-mysql.postinst +++ snort-2.8.5.2/debian/snort-mysql.postinst 
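Review bot: The password now lands in /etc/snort/database.conf, but the permission handling after the `mv -f $TEMPFILE /etc/snort/database.conf` line still targets /etc/snort/snort.conf; only its comment is visible here, while the snort-mysql.postinst hunk shows the `chown root:snort` and `chmod 640` commands. The new file simply inherits whatever `mktemp` produced, normally a root-only mode, so nothing states who is meant to read the credentials; set it explicitly with `chown root:snort /etc/snort/database.conf` and `chmod 640 /etc/snort/database.conf` under the same dpkg-statoverride guard. This hunk also drops the final `echo " " >> $TEMPFILE` that the mysql variant keeps, so the `output database:` line is written without a trailing newline; keep that `echo` before the `mv`.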
@@ -78,63 +78,36 @@ fi if [ "$STARTUP" != "manual" ]; then - if [ -f /etc/snort/snort.conf ]; then - # insert database config stuff in the configuration file, - # or configure it for syslog-logging. - db_get snort-mysql/configure_db - if [ "$RET" = "true" ]; then - db_get snort-mysql/db_host || true; DB_HOST=$RET - db_get snort-mysql/db_database || true; DB_DATABASE=$RET - db_get snort-mysql/db_user || true; DB_USER=$RET - db_get snort-mysql/db_pass || true; DB_PASS=$RET - - # Here we put the database stuff in the config file. - TEMPFILE=`mktemp` - cat /etc/snort/snort.conf | while read LINE - do - if [ "$LINE" = "# (#DBSTART#)" ] - then - echo "# (#DBSTART#)" >> $TEMPFILE - echo -n "output database: log, mysql, " >> $TEMPFILE - if [ $DB_USER ] - then - echo -n "user=$DB_USER " >> $TEMPFILE - fi - if [ $DB_PASS ] - then - echo -n "password=$DB_PASS " >> $TEMPFILE - fi - if [ $DB_DATABASE ] - then - echo -n "dbname=$DB_DATABASE " >> $TEMPFILE - fi - if [ $DB_HOST ] - then - echo -n "host=$DB_HOST " >> $TEMPFILE - fi - echo " " >> $TEMPFILE - echo "# (#DBEND#)" >> $TEMPFILE - break - else - echo $LINE >> $TEMPFILE - fi - done - - WRITE=0 - cat /etc/snort/snort.conf | while read LINE - do - if [ $WRITE -eq 1 ] - then - echo $LINE >> $TEMPFILE - fi - - if [ "$LINE" = "# (#DBEND#)" ] - then - WRITE=1 - fi - done - mv -f $TEMPFILE /etc/snort/snort.conf + # create database config stuff in the configuration file, + # or configure it for syslog-logging. + db_get snort-mysql/configure_db + if [ "$RET" = "true" ]; then + db_get snort-mysql/db_host || true; DB_HOST=$RET + db_get snort-mysql/db_database || true; DB_DATABASE=$RET + db_get snort-mysql/db_user || true; DB_USER=$RET + db_get snort-mysql/db_pass || true; DB_PASS=$RET + + # Here we put the database stuff in the config file. 
+ TEMPFILE=`mktemp` + echo -n "output database: log, mysql, " >> $TEMPFILE + if [ $DB_USER ] + then + echo -n "user=$DB_USER " >> $TEMPFILE + fi + if [ $DB_PASS ] + then + echo -n "password=$DB_PASS " >> $TEMPFILE + fi + if [ $DB_DATABASE ] + then + echo -n "dbname=$DB_DATABASE " >> $TEMPFILE + fi + if [ $DB_HOST ] + then + echo -n "host=$DB_HOST " >> $TEMPFILE fi + echo " " >> $TEMPFILE + mv -f $TEMPFILE /etc/snort/database.conf # Ensure the config file is readable by root.root and mode 600 if ! dpkg-statoverride --list /etc/snort/snort.conf >/dev/null @@ -142,7 +115,7 @@ chown root:snort /etc/snort/snort.conf chmod 640 /etc/snort/snort.conf fi - fi + fi fi db_stop diff -u snort-2.8.5.2/debian/snort-mysql.postrm snort-2.8.5.2/debian/snort-mysql.postrm --- snort-2.8.5.2/debian/snort-mysql.postrm +++ snort-2.8.5.2/debian/snort-mysql.postrm @@ -36,6 +36,9 @@ if [ -e /etc/snort/db-pending-config ] ; then rm /etc/snort/db-pending-config fi + if [ -e /etc/snort/database.conf ] ; then + rm /etc/snort/database.conf + fi # Remove configuration dir [ -d /etc/snort ] && rmdir --ignore-fail-on-non-empty /etc/snort diff -u snort-2.8.5.2/debian/changelog snort-2.8.5.2/debian/changelog --- snort-2.8.5.2/debian/changelog +++ snort-2.8.5.2/debian/changelog 
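Review bot: The tests `[ $DB_USER ]`, `[ $DB_PASS ]`, `[ $DB_DATABASE ]` and `[ $DB_HOST ]` expand debconf answers unquoted, so a value containing whitespace makes `[` fail with a usage error and the field is silently left out of database.conf, and a value that looks like a `test` operator is evaluated as one. Write them as `if [ -n "$DB_PASS" ]` and quote the redirect target, `>> "$TEMPFILE"`. Whether snort's `output database:` syntax accepts a password containing spaces at all is not visible here, so rejecting such values at the debconf prompt may be the cleaner fix. The same lines appear in the snort-pgsql.postinst hunk `@@ -87,52 +86,25 @@`.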
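Review bot: Deleting /etc/snort/database.conf in snort-mysql.postrm can leave the shared snort.conf pointing at a file that no longer exists, because the snort.conf hunk adds an unconditional `include database.conf` and snort-common.preinst only recreates the file on a fresh `install`. If snort-mysql is purged while snort-common stays installed (for example when switching to another snort flavour), the sensor would presumably refuse to start on the missing include; confirm how snort treats that case. Truncating instead, `: > /etc/snort/database.conf`, still removes the credentials and leaves the empty-file cleanup to snort-common.postrm. The enclosing case branch is outside the hunk, and the snort-pgsql.postrm hunk has the same lines.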
@@ -1,3 +1,16 @@ +snort (2.8.5.2-2.1) unstable; urgency=low + + * Non-maintainer upload. + * Move the DB-Configuration into a sepperate file, instead of modifying + /etc/snort/snort.conf, which causes upgrade problems (Closes: #603428) + * Adding snort-common-preinst to split off exiting config or touch the + new database config file on new installations to ensure it exists + * modify etc/snort.conf to include the new database conf file + * modify snort-{mysql,pgsql}.postinst to use new config file + * modify snort-{mysql,pgsql,common}.postrm to purge new config file + + -- Alexander Reichle-Schmehl <toli...@debian.org> Thu, 16 Dec 2010 14:30:46 +0100 + snort (2.8.5.2-2) unstable; urgency=low * Remove the reverse_order debconf option since Snort no longer supports the diff -u snort-2.8.5.2/debian/snort-pgsql.postrm snort-2.8.5.2/debian/snort-pgsql.postrm --- snort-2.8.5.2/debian/snort-pgsql.postrm +++ snort-2.8.5.2/debian/snort-pgsql.postrm @@ -36,6 +36,9 @@ if [ -e /etc/snort/db-pending-config ] ; then rm /etc/snort/db-pending-config fi + if [ -e /etc/snort/database.conf ] ; then + rm /etc/snort/database.conf + fi # Remove configuration dir [ -d /etc/snort ] && rmdir --ignore-fail-on-non-empty /etc/snort only in patch2: unchanged: --- snort-2.8.5.2.orig/debian/snort-common.postrm +++ snort-2.8.5.2/debian/snort-common.postrm 
@@ -0,0 +1,39 @@
+#! /bin/sh
+# postrm script for snort
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+# * <postrm> `remove'
+# * <postrm> `purge'
+# * <old-postrm> `upgrade' <new-version>
+# * <new-postrm> `failed-upgrade' <old-version>
+# * <new-postrm> `abort-install'
+# * <new-postrm> `abort-install' <old-version>
+# * <new-postrm> `abort-upgrade' <old-version>
+# * <disappearer's-postrm> `disappear' <r>overwrit>r> <new-version>
+# for details, see /usr/doc/packaging-manual/
+
+
+case "$1" in
+ purge)
+ # on installation we touch this file to ensure it's there
+ # if it's still there and emmpty, we can remove it
+ # if it's not empty, snort-{mysql,pgsql} have added content and
+ # should deal with it themselve on purge
+ if [ -e /etc/snort/database.conf ] && [ ! -s /etc/snort/database.conf ]
+ then
+ rm -f /etc/snort/database.conf
+ fi
+ ;;
+ remove|upgrade|failed-upgrade|abort-install|abort-upgrade)
+ # nothing
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
only in patch2: unchanged:
--- snort-2.8.5.2.orig/debian/snort-common.preinst
+++ snort-2.8.5.2/debian/snort-common.preinst
@@ -0,0 +1,70 @@
+#!/bin/sh
+
+set -e
+
+# summary of how this script can be called:
+# * <new-preinst> `install'
+# * <new-preinst> `install' <old-version>
+# * <new-preinst> `upgrade' <old-version>
+# * <old-preinst> `abort-upgrade' <new-version>
+
+DBCONF="/etc/snort/database.conf"
+GENCONF="/etc/snort/snort.conf"
+
+case "$1" in
+ install)
+ # make sure database configuration file exists
+ touch $DBCONF
+ ;;
+ upgrade)
+ # earlier versions modified /etc/snort/snort.conf directly for the
+ # DB stuff, we splitt it off in a sepperate file, to ensure smooth
+ # upgrades
+ if dpkg --compare-versions "$2" le "2.8.5.2-2";
+ then
+ GENCONF_TEMPFILE=`mktemp`
+ DBCONF_TEMPFILE=`mktemp`
+ WRITE_DB=0
+ WRITE_GEN=1
+ cat $GENCONF | while read LINE
+ do
+ if [ "$LINE" = "# (#DBEND#)" ]
+ then
+ WRITE_DB=0
+ WRITE_GEN=1
+ fi
+ if [ $WRITE_DB -eq 1 ]
+ then
+ echo $LINE >> $DBCONF_TEMPFILE
+ fi
+ if [ $WRITE_GEN -eq 1 ]
+ then
+ echo $LINE >> $GENCONF_TEMPFILE
+ fi
+ if [ "$LINE" = "# (#DBSTART#)" ]
+ then
+ WRITE_DB=1
+ WRITE_GEN=0
+ fi
+ done
+ mv $DBCONF_TEMPFILE $DBCONF
+ mv $GENCONF_TEMPFILE $DBCONF
+ fi
+ ;;
+ configure)
+ ;;
+ abort-upgrade)
+ ;;
+ *)
+ echo "preinst called with unknown argument \`$1'" >&2
+ exit 0
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
+
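Review bot: The second move, `mv $GENCONF_TEMPFILE $DBCONF`, overwrites the database settings that the line before it just put in place: database.conf ends up holding the general configuration, the extracted `output database:` line (including the password) is lost, and snort.conf is never rewritten. It should read `mv $GENCONF_TEMPFILE $GENCONF`. Both temp files come from `mktemp`, so the moved files carry its root-only mode rather than the `root:snort` 640 that the postinst scripts give snort.conf; restore ownership and mode after the moves. The copy loop would also preserve lines more faithfully as `while IFS= read -r LINE` with `printf '%s\n' "$LINE"`, since `read` without `-r` and an unquoted `echo $LINE` alter backslashes, glob characters and runs of whitespace.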