Bug#689289: unblock: keystone/2012.1.1-9 (CVE-2012-445{6,7}, +policy RC fixes)
On 11/08/2012 01:36 AM, Moritz Muehlenhoff wrote: On Wed, Oct 10, 2012 at 06:52:16PM +0200, Julien Cristau wrote: On Mon, Oct 1, 2012 at 15:00:25 +0800, Thomas Goirand wrote: diff -Nru keystone-2012.1.1/debian/keystone.postinst keystone-2012.1.1/debian/keystone.postinst --- keystone-2012.1.1/debian/keystone.postinst 2012-09-12 16:33:13.0 + +++ keystone-2012.1.1/debian/keystone.postinst 2012-10-01 06:51:43.0 + @@ -1,77 +1,64 @@ [...] + chown keystone:keystone -R /var/lib/keystone /var/log/keystone /etc/keystone + chmod 0750 /etc/keystone + chmod 0750 /var/log/keystone What's the point of this (in particular the recursive chown)? Why is it done every time the package is configured, rather than when these directories are initially created? [...] diff -Nru keystone-2012.1.1/debian/rules keystone-2012.1.1/debian/rules --- keystone-2012.1.1/debian/rules 2012-09-12 16:33:13.0 + +++ keystone-2012.1.1/debian/rules 2012-10-01 06:51:43.0 + @@ -42,6 +42,11 @@ rm -rf debian/python-keystone/usr/lib/python*/*/doc rm -rf debian/python-keystone/usr/lib/python*/*/tools rm -rf debian/python-keystone/usr/lib/python*/*/examples + install -D -m 0640 etc/keystone.conf debian/keystone/usr/share/keystone/keystone.conf + +override_dh_fixperms: + dh_fixperms + chmod 0640 debian/keystone/usr/share/keystone/keystone.conf override_dh_clean: rm -rf $(CURDIR)/build $(CURDIR)/keystone.egg-info $(CURDIR)/.cache I don't think that (overriding fixperms) should be necessary, can't the permissions be set when installing the file in postinst? Thomas, what's the status? Cheers, Moritz Hi, I did the requested changes, plus 2 more important fixes, and uploaded to SID. Debdiff is attached. Let me know, Cheers, Thomas diff -Nru keystone-2012.1.1/debian/changelog keystone-2012.1.1/debian/changelog --- keystone-2012.1.1/debian/changelog 2012-10-01 06:51:43.0 + +++ keystone-2012.1.1/debian/changelog 2012-11-08 22:17:39.0 + 
@@ -1,3 +1,16 @@ +keystone (2012.1.1-10) unstable; urgency=low + + * Fixes keystone.config which wasn't starting dbconfig-common at first + setup. + * Do not use override_dh_fixperms:, sets the permissions of keystone.conf in + the postinst using install -m instead of cp -auxf. + * The default db is now sqlite:///var/lib/keystone/keystonedb, since that's + what we run with Folsom, and that it might cause problems as + keystone.sqlite isn't a valid MySQL db name. Changed debian/keystone.config + accordingly. + + -- Thomas Goirand z...@debian.org Wed, 10 Oct 2012 15:46:14 + + keystone (2012.1.1-9) unstable; urgency=high * Fixes sometimes failing keystone.postrm (db_get in some conditions can diff -Nru keystone-2012.1.1/debian/keystone.config keystone-2012.1.1/debian/keystone.config --- keystone-2012.1.1/debian/keystone.config2012-10-01 06:51:43.0 + +++ keystone-2012.1.1/debian/keystone.config2012-11-08 22:17:39.0 + 
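Review bot: the trailer date on the new 2012.1.1-10 entry (Wed, 10 Oct 2012 15:46:14) is a month older than this debdiff's own file timestamps (2012-11-08), so the changelog misstates when the upload was made; regenerate the trailer with dch -r before uploading. Minor wording in the same hunk: "sets the permissions of keystone.conf" should read "set the permissions", and the third item would be clearer as "keystone.sqlite is not a valid MySQL database name", since that is the reason given for renaming the default. It would also help the release team to record in that item that existing installs are unaffected: the config script keeps whatever connection line keystone.conf already has, and only substitutes the new keystonedb name when the line is missing, its path is empty, or it is still the upstream sqlite:///keystone.db default.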
@@ -19,24 +19,28 @@ db_go db_get keystone/configure_db -if [ $RET = true ] [ -e ${KEY_CONF} ] [ -f /usr/share/dbconfig-common/dpkg/config ] ; then +if [ $RET = true ] [ -f /usr/share/dbconfig-common/dpkg/config ] ; then . /usr/share/dbconfig-common/dpkg/config - KEY_CONF_DB_CON_INFO=`grep -E ^([ \t])*connection([ \t])*=([ \t])* ${KEY_CONF} | awk '{print $3}'` + if [ -e ${KEY_CONF} ] ; then + KEY_CONF_DB_CON_INFO=`grep -E ^([ \t])*connection([ \t])*=([ \t])* ${KEY_CONF} | awk '{print $3}'` + else + KEY_CONF_DB_CON_INFO=sqlite:///var/lib/keystone/keystonedb + fi KEY_CONF_DB_TYPE=`echo ${KEY_CONF_DB_CON_INFO} | cut -d: -f1` # If we have an undefined SQL type, we go back to a more sane default (eg: SQLite) if [ ${KEY_CONF_DB_TYPE} != sqlite ] [ ${KEY_CONF_DB_TYPE} != mysql ] [ ${KEY_CONF_DB_TYPE} != pgsql ] ; then - KEY_CONF_DB_CON_INFO=sqlite:///var/lib/keystone/keystone.sqlite + KEY_CONF_DB_CON_INFO=sqlite:///var/lib/keystone/keystonedb KEY_CONF_DB_TYPE=sqlite fi if [ ${KEY_CONF_DB_TYPE} = sqlite ] ; then # This is the invalid default in the etc/keystone.conf in the source package if [ ${KEY_CONF_DB_CON_INFO} = sqlite:///keystone.db ] ; then - KEY_CONF_DB_CON_INFO=sqlite:///var/lib/keystone/keystone.sqlite + KEY_CONF_DB_CON_INFO=sqlite:///var/lib/keystone/keystonedb fi KEY_CONF_DB_PATH=`echo ${KEY_CONF_DB_CON_INFO} | awk '{print substr($0,11)}'` if [ -z ${KEY_CONF_DB_PATH} ] ; then - KEY_CONF_DB_PATH=/var/lib/keystone/keystone.sqlite + KEY_CONF_DB_PATH=/var/lib/keystone/keystonedb fi dbc_basepath=`dirname ${KEY_CONF_DB_PATH}`
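Review bot: the connection parser that this hunk moves into the new if/else (KEY_CONF_DB_CON_INFO=`grep -E ... | awk '{print $3}'`) only yields a value when the line is written "connection = value" with whitespace on both sides of the "=". The grep pattern ^([ \t])*connection([ \t])*=([ \t])* accepts "connection=value" as well, and for that spelling $3 is empty, KEY_CONF_DB_TYPE comes out empty, and the later "if [ ${KEY_CONF_DB_TYPE} != sqlite ] ..." branch quietly replaces a configured MySQL or PostgreSQL connection with the SQLite default, so dbconfig-common is pointed at the wrong database without any message. Strip everything up to the "=" instead and keep only the first match, e.g. KEY_CONF_DB_CON_INFO=`sed -n 's/^[[:space:]]*connection[[:space:]]*=[[:space:]]*//p' ${KEY_CONF} | head -n 1`, so a duplicate connection line further down the file cannot change the result either.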
Bug#689289: unblock: keystone/2012.1.1-9 (CVE-2012-445{6,7}, +policy RC fixes)
On Wed, Oct 10, 2012 at 06:52:16PM +0200, Julien Cristau wrote: On Mon, Oct 1, 2012 at 15:00:25 +0800, Thomas Goirand wrote: diff -Nru keystone-2012.1.1/debian/keystone.postinst keystone-2012.1.1/debian/keystone.postinst --- keystone-2012.1.1/debian/keystone.postinst 2012-09-12 16:33:13.0 + +++ keystone-2012.1.1/debian/keystone.postinst 2012-10-01 06:51:43.0 + @@ -1,77 +1,64 @@ [...] + chown keystone:keystone -R /var/lib/keystone /var/log/keystone /etc/keystone + chmod 0750 /etc/keystone + chmod 0750 /var/log/keystone What's the point of this (in particular the recursive chown)? Why is it done every time the package is configured, rather than when these directories are initially created? [...] diff -Nru keystone-2012.1.1/debian/rules keystone-2012.1.1/debian/rules --- keystone-2012.1.1/debian/rules 2012-09-12 16:33:13.0 + +++ keystone-2012.1.1/debian/rules 2012-10-01 06:51:43.0 + @@ -42,6 +42,11 @@ rm -rf debian/python-keystone/usr/lib/python*/*/doc rm -rf debian/python-keystone/usr/lib/python*/*/tools rm -rf debian/python-keystone/usr/lib/python*/*/examples + install -D -m 0640 etc/keystone.conf debian/keystone/usr/share/keystone/keystone.conf + +override_dh_fixperms: + dh_fixperms + chmod 0640 debian/keystone/usr/share/keystone/keystone.conf override_dh_clean: rm -rf $(CURDIR)/build $(CURDIR)/keystone.egg-info $(CURDIR)/.cache I don't think that (overriding fixperms) should be necessary, can't the permissions be set when installing the file in postinst? Thomas, what's the status? Cheers, Moritz
Bug#689289: unblock: keystone/2012.1.1-9 (CVE-2012-445{6,7}, +policy RC fixes)
On Mon, Oct 1, 2012 at 15:00:25 +0800, Thomas Goirand wrote: diff -Nru keystone-2012.1.1/debian/keystone.postinst keystone-2012.1.1/debian/keystone.postinst --- keystone-2012.1.1/debian/keystone.postinst2012-09-12 16:33:13.0 + +++ keystone-2012.1.1/debian/keystone.postinst2012-10-01 06:51:43.0 + @@ -1,77 +1,64 @@ [...] + chown keystone:keystone -R /var/lib/keystone /var/log/keystone /etc/keystone + chmod 0750 /etc/keystone + chmod 0750 /var/log/keystone What's the point of this (in particular the recursive chown)? Why is it done every time the package is configured, rather than when these directories are initially created? [...] diff -Nru keystone-2012.1.1/debian/rules keystone-2012.1.1/debian/rules --- keystone-2012.1.1/debian/rules2012-09-12 16:33:13.0 + +++ keystone-2012.1.1/debian/rules2012-10-01 06:51:43.0 + @@ -42,6 +42,11 @@ rm -rf debian/python-keystone/usr/lib/python*/*/doc rm -rf debian/python-keystone/usr/lib/python*/*/tools rm -rf debian/python-keystone/usr/lib/python*/*/examples + install -D -m 0640 etc/keystone.conf debian/keystone/usr/share/keystone/keystone.conf + +override_dh_fixperms: + dh_fixperms + chmod 0640 debian/keystone/usr/share/keystone/keystone.conf override_dh_clean: rm -rf $(CURDIR)/build $(CURDIR)/keystone.egg-info $(CURDIR)/.cache I don't think that (overriding fixperms) should be necessary, can't the permissions be set when installing the file in postinst? Cheers, Julien
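Review bot: on the keystone.postinst hunk, beyond the question of why it runs on every configure, "chown keystone:keystone -R /var/lib/keystone /var/log/keystone /etc/keystone" is a recursive chown run as root over two directories the keystone service user can write to, which is the classic hard-link hand-over: any file the service (or whoever has compromised it) has hard-linked into /var/lib/keystone or /var/log/keystone gets its ownership flipped to keystone on the next package upgrade, and a 3.2 kernel such as the one in the report's System Information predates fs.protected_hardlinks, so nothing stops the link from being created. /etc/keystone is also being handed to the service user although the daemon only needs to read keystone.conf; root:keystone with 0750 on the directory and 0640 on the file, set once in the postinst at the point where the directory and file are first created, is the least privilege that still works and removes the need for any recursive chown.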
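Review bot: on the debian/rules hunk, the 0640 mode on debian/keystone/usr/share/keystone/keystone.conf protects the wrong copy. That file is the pristine upstream template shipped inside the .deb and holds no site secrets; the copy that does is /etc/keystone/keystone.conf, into which the config/postinst scripts put admin_token and, per the "# Later, the postinst does: mysql://$dbc_dbuser:$dbc_dbpass@..." comment in keystone.config, the database password in clear text. Drop the override_dh_fixperms target, let the template ship 0644 like any other file under /usr/share, and give /etc/keystone/keystone.conf root:keystone 0640 in the postinst when it is created from the template, which is also the simpler change Julien asks for.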
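One way to do what Julien suggests, as an added example that is not code from the keystone package or from this thread: seed /etc/keystone/keystone.conf from the packaged template with install(1), which creates the file with its final owner and mode in one step, and create its directory the same way, so that neither a later chmod nor a recursive chown is needed and an existing, edited config is left alone on upgrade. The function name seed_conf, the optional owner/group arguments (left empty here so the example runs as an unprivileged user), the helper mode_of and the use of GNU stat are this example's own assumptions, not anything from the package.

```shell
#!/bin/sh
# Added example (not code from the keystone package): seed a site config file
# from a packaged template with its final ownership and mode in a single
# install(1) call, instead of cp followed by chmod/chown plus a recursive
# chown on every configure.
#
# Assumptions that are this example's own: the function name seed_conf, the
# optional OWNER/GROUP arguments (omitted so it can run unprivileged; a real
# postinst would pass "root keystone"), and GNU stat for the mode check.
set -e

# seed_conf TEMPLATE DEST [OWNER GROUP]
#   - creates the parent directory of DEST as OWNER:GROUP 0750 if missing
#   - copies TEMPLATE to DEST as OWNER:GROUP 0640 only if DEST does not exist,
#     so an administrator's edited file survives package upgrades
seed_conf() {
    template=$1
    dest=$2
    owner=${3:-}
    group=${4:-}
    dir=$(dirname "$dest")

    ownopts=""
    if [ -n "$owner" ]; then ownopts="$ownopts -o $owner"; fi
    if [ -n "$group" ]; then ownopts="$ownopts -g $group"; fi

    if [ ! -d "$dir" ]; then
        # ownopts is deliberately left unquoted so it word-splits into options
        install -d $ownopts -m 0750 "$dir"
    fi
    if [ -e "$dest" ]; then
        return 0    # never clobber an existing config file
    fi
    # install creates DEST with the requested owner and mode itself, so the
    # file does not first appear with the umask's default permissions.
    install $ownopts -m 0640 "$template" "$dest"
}

# mode_of PATH -> permission bits in octal (GNU stat, BSD stat as fallback)
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# In a postinst this would be called as:
#   seed_conf /usr/share/keystone/keystone.conf /etc/keystone/keystone.conf root keystone
```

Because seed_conf returns without touching an existing destination, it is safe to call unconditionally from the postinst's configure branch; the ownership and mode are applied only at creation, which is the behaviour Julien asks for instead of a chown/chmod pass on every run.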
Bug#689289: unblock: keystone/2012.1.1-9 (CVE-2012-445{6,7}, +policy RC fixes)
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Dear Release Team, I have applied upstream patches for CVE-2012-445{6,7} (yes, yet another CVE in keystone...), and fixed bad handling of /etc/keystone/keystone.conf. The latter modifications have already been investigated by Julien, and I believe they are in shape now. If the release team prefers that I first undo keystone.conf changes so that only the CVE fixes can migrate first, then the keystone.conf handling gets the standard 10 days testing, that can be done too. I have no problem doing this in 2 steps, to give more testing time for the keystone.conf handling. But I believe it should be ok now. The debdiff is attached. It's unfortunately not so small. Thanks for your time working on the Wheezy release, Please unblock keystone/2012.1.1-9, Cheers, Thomas Goirand (zigo)
-- System Information: Debian Release: wheezy/sid APT prefers testing APT policy: (500, 'testing'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.2.0-3-amd64 (SMP w/2 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash
diff -Nru keystone-2012.1.1/debian/changelog keystone-2012.1.1/debian/changelog --- keystone-2012.1.1/debian/changelog 2012-09-12 16:33:13.0 + +++ keystone-2012.1.1/debian/changelog 2012-10-01 06:51:43.0 + 
@@ -1,3 +1,28 @@ +keystone (2012.1.1-9) unstable; urgency=high + + * Fixes sometimes failing keystone.postrm (db_get in some conditions can + return false), and fixed non-consistant indenting. + * Uses /usr/share/keystone/keystone.conf instead of /usr/share/doc/keystone + /keystone.conf.sample for temporary storing the conf file (this was a policy + violation, as the doc folder should never be required). + * Fixes CVE-2012-4457: fails to raise Unauthorized user error for disabled, + CVE-2012-4456: fails to validate tokens in Admin API (Closes: #689210). + + -- Thomas Goirand z...@debian.org Mon, 01 Oct 2012 05:52:23 + + +keystone (2012.1.1-8) unstable; urgency=low + + * Fixes parsing of the SQL connection in keystone.config. + + -- Thomas Goirand z...@debian.org Sun, 30 Sep 2012 01:48:50 + + +keystone (2012.1.1-7) unstable; urgency=low + + * Fixes band handling (eg: policy violation) of keystone.conf which was + conffiles, but changed in the posinst (Closes: #687311). + + -- Thomas Goirand z...@debian.org Wed, 12 Sep 2012 17:09:47 + + keystone (2012.1.1-6) unstable; urgency=high * CVE-2012-4413: Revoking a role does not affect existing tokens diff -Nru keystone-2012.1.1/debian/keystone.config keystone-2012.1.1/debian/keystone.config --- keystone-2012.1.1/debian/keystone.config 2012-09-12 16:33:13.0 + +++ keystone-2012.1.1/debian/keystone.config 2012-10-01 06:51:43.0 + 
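Review bot: several typos in the changelog text that will ship in changelog.Debian.gz and are what the release team reads first: "non-consistant" (inconsistent), "band handling" (bad handling), "posinst" (postinst), and the CVE-2012-4457 item "fails to raise Unauthorized user error for disabled" breaks off before saying what is disabled. Since the -9 entry is the security upload the unblock hinges on, one item per CVE, each with its full description and the Closes on the line that fixes the bug, would make the security content easier to verify.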
@@ -1,19 +1,79 @@ #!/bin/sh + set -e . /usr/share/debconf/confmodule +### Reading of values in the keystone config file ### +### and setting default for dbconfig-common accordingly ### +KEY_CONF=/etc/keystone/keystone.conf + +if [ -e ${KEY_CONF} ] ; then + KEY_CONF_AUTH_TOKEN=`grep -E ^([ \t])*admin_token([ \t])*=([ \t])* ${KEY_CONF} | awk '{print $3}'` + if [ -n ${KEY_CONF_AUTH_TOKEN} ] ; then + db_set keystone/auth-token ${KEY_CONF_AUTH_TOKEN} + fi +fi db_input low keystone/auth-token || true db_input low keystone/configure_db || true db_go + db_get keystone/configure_db -if [ $RET = true ]; then -if [ -f /usr/share/dbconfig-common/dpkg/config ]; -then - dbc_dbtypes=sqlite3, mysql, pgsql - db_authmethod_user=password - dbc_basepath=/var/lib/keystone +if [ $RET = true ] [ -e ${KEY_CONF} ] [ -f /usr/share/dbconfig-common/dpkg/config ] ; then . /usr/share/dbconfig-common/dpkg/config + KEY_CONF_DB_CON_INFO=`grep -E ^([ \t])*connection([ \t])*=([ \t])* ${KEY_CONF} | awk '{print $3}'` + KEY_CONF_DB_TYPE=`echo ${KEY_CONF_DB_CON_INFO} | cut -d: -f1` + # If we have an undefined SQL type, we go back to a more sane default (eg: SQLite) + if [ ${KEY_CONF_DB_TYPE} != sqlite ] [ ${KEY_CONF_DB_TYPE} != mysql ] [ ${KEY_CONF_DB_TYPE} != pgsql ] ; then + KEY_CONF_DB_CON_INFO=sqlite:///var/lib/keystone/keystone.sqlite + KEY_CONF_DB_TYPE=sqlite + fi + if [ ${KEY_CONF_DB_TYPE} = sqlite ] ; then + # This is the invalid default in the etc/keystone.conf in the source package + if [ ${KEY_CONF_DB_CON_INFO} = sqlite:///keystone.db ] ; then + KEY_CONF_DB_CON_INFO=sqlite:///var/lib/keystone/keystone.sqlite + fi + + KEY_CONF_DB_PATH=`echo ${KEY_CONF_DB_CON_INFO} | awk '{print substr($0,11)}'` + if [ -z ${KEY_CONF_DB_PATH} ] ; then + KEY_CONF_DB_PATH=/var/lib/keystone/keystone.sqlite + fi + dbc_basepath=`dirname ${KEY_CONF_DB_PATH}` + dbc_dbname=`basename ${KEY_CONF_DB_PATH}` + dbc_dbtypes=sqlite3, mysql, pgsql + else + # Later, the postinst does: 
mysql://$dbc_dbuser:$dbc_dbpass@${dbc_dbserver:-localhost}$dbport/$dbc_dbname + # so we are
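Review bot: the block added at the top of this hunk reads admin_token out of /etc/keystone/keystone.conf and stores it with "db_set keystone/auth-token"; whether that is safe depends on the template type of keystone/auth-token, which is not part of this diff. debconf keeps answers to ordinary questions in /var/cache/debconf/config.dat, which is world-readable, and only answers to "Type: password" questions in the 0600 passwords.dat, so if keystone/auth-token is a plain string question this copies the Keystone admin token, a bearer credential for the whole admin API, into a file every local user can read. Please confirm the template is "Type: password"; the same check applies to the "db_input low keystone/auth-token" prompt that follows, since that is the path by which a freshly entered token reaches the same database.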