Bug#689289: unblock: keystone/2012.1.1-9 (CVE-2012-445{6,7}, +policy RC fixes)

2012-11-08 Thread Thomas Goirand
On 11/08/2012 01:36 AM, Moritz Muehlenhoff wrote:
 On Wed, Oct 10, 2012 at 06:52:16PM +0200, Julien Cristau wrote:
 On Mon, Oct  1, 2012 at 15:00:25 +0800, Thomas Goirand wrote:

 diff -Nru keystone-2012.1.1/debian/keystone.postinst 
 keystone-2012.1.1/debian/keystone.postinst
 --- keystone-2012.1.1/debian/keystone.postinst  2012-09-12 
 16:33:13.0 +
 +++ keystone-2012.1.1/debian/keystone.postinst  2012-10-01 
 06:51:43.0 +
 @@ -1,77 +1,64 @@
 [...]
 +   chown keystone:keystone -R /var/lib/keystone /var/log/keystone 
 /etc/keystone
 +   chmod 0750 /etc/keystone
 +   chmod 0750 /var/log/keystone
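Review bot: The `chown keystone:keystone -R` over /var/log/keystone and /var/lib/keystone runs as root on every configure against directories the keystone service user writes to, so a hard link that user has placed there to a root-owned file would be handed to keystone (`chown -R` does not follow symlinks by default, but a hard link is an ordinary directory entry), and whether the kernel refuses such links depends on fs.protected_hardlinks, which a postinst cannot assume. Chowning /etc/keystone to the service user also lets a compromised keystone process rewrite its own keystone.conf and policy; `root:keystone` with `0750` on the directory and `0640` on the files is enough for read access. I would set ownership and mode only when each directory is first created, e.g. `if [ ! -d /var/log/keystone ]; then install -d -o keystone -g keystone -m 0750 /var/log/keystone; fi`, and drop the blanket recursive pass (if one is really needed, limit it to `find /var/lib/keystone -user root -links 1 -exec chown keystone:keystone {} +`). The rest of this postinst hunk is elided in the quote, so any guard that already surrounds these lines is not visible here.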

 What's the point of this (in particular the recursive chown)?  Why is it
 done every time the package is configured, rather than when these
 directories are initially created?

 [...]
 diff -Nru keystone-2012.1.1/debian/rules keystone-2012.1.1/debian/rules
 --- keystone-2012.1.1/debian/rules  2012-09-12 16:33:13.0 +
 +++ keystone-2012.1.1/debian/rules  2012-10-01 06:51:43.0 +
 @@ -42,6 +42,11 @@
 rm -rf debian/python-keystone/usr/lib/python*/*/doc
 rm -rf debian/python-keystone/usr/lib/python*/*/tools
 rm -rf debian/python-keystone/usr/lib/python*/*/examples
 +   install -D -m 0640 etc/keystone.conf 
 debian/keystone/usr/share/keystone/keystone.conf
 +
 +override_dh_fixperms:
 +   dh_fixperms
 +   chmod 0640 debian/keystone/usr/share/keystone/keystone.conf
  
  override_dh_clean:
 rm -rf $(CURDIR)/build $(CURDIR)/keystone.egg-info $(CURDIR)/.cache

 I don't think that (overriding fixperms) should be necessary, can't the
 permissions be set when installing the file in postinst?
 
 Thomas,
 what's the status?
 
 Cheers,
 Moritz

Hi,

I did the requested changes, plus 2 more important fixes, and uploaded
to SID. Debdiff is attached.

Let me know,
Cheers,

Thomas
diff -Nru keystone-2012.1.1/debian/changelog keystone-2012.1.1/debian/changelog
--- keystone-2012.1.1/debian/changelog  2012-10-01 06:51:43.0 +
+++ keystone-2012.1.1/debian/changelog  2012-11-08 22:17:39.0 +
@@ -1,3 +1,16 @@
+keystone (2012.1.1-10) unstable; urgency=low
+
+  * Fixes keystone.config which wasn't starting dbconfig-common at first
+  setup.
+  * Do not use override_dh_fixperms:, sets the permissions of keystone.conf in
+  the postinst using install -m instead of cp -auxf.
+  * The default db is now sqlite:///var/lib/keystone/keystonedb, since that's
+  what we run with Folsom, and that it might cause problems as
+  keystone.sqlite isn't a valid MySQL db name. Changed debian/keystone.config
+  accordingly.
+
+ -- Thomas Goirand z...@debian.org  Wed, 10 Oct 2012 15:46:14 +
+
 keystone (2012.1.1-9) unstable; urgency=high
 
   * Fixes sometimes failing keystone.postrm (db_get in some conditions can
diff -Nru keystone-2012.1.1/debian/keystone.config 
keystone-2012.1.1/debian/keystone.config
--- keystone-2012.1.1/debian/keystone.config2012-10-01 06:51:43.0 
+
+++ keystone-2012.1.1/debian/keystone.config2012-11-08 22:17:39.0 
+
@@ -19,24 +19,28 @@
 db_go
 
 db_get keystone/configure_db
-if [ $RET = true ]  [ -e ${KEY_CONF} ]  [ -f 
/usr/share/dbconfig-common/dpkg/config ] ; then
+if [ $RET = true ]  [ -f /usr/share/dbconfig-common/dpkg/config ] ; then
. /usr/share/dbconfig-common/dpkg/config
-   KEY_CONF_DB_CON_INFO=`grep -E ^([ \t])*connection([ \t])*=([ \t])* 
${KEY_CONF} | awk '{print $3}'`
+   if [ -e ${KEY_CONF} ] ; then
+   KEY_CONF_DB_CON_INFO=`grep -E ^([ \t])*connection([ \t])*=([ 
\t])* ${KEY_CONF} | awk '{print $3}'`
+   else
+   KEY_CONF_DB_CON_INFO=sqlite:///var/lib/keystone/keystonedb
+   fi
KEY_CONF_DB_TYPE=`echo ${KEY_CONF_DB_CON_INFO} | cut -d: -f1`
# If we have an undefined SQL type, we go back to a more sane default 
(eg: SQLite)
if [ ${KEY_CONF_DB_TYPE} != sqlite ]  [ ${KEY_CONF_DB_TYPE} != 
mysql ]  [ ${KEY_CONF_DB_TYPE} != pgsql ] ; then
-   
KEY_CONF_DB_CON_INFO=sqlite:///var/lib/keystone/keystone.sqlite
+   KEY_CONF_DB_CON_INFO=sqlite:///var/lib/keystone/keystonedb
KEY_CONF_DB_TYPE=sqlite
fi
if [ ${KEY_CONF_DB_TYPE} = sqlite ] ; then
# This is the invalid default in the etc/keystone.conf in the 
source package
if [ ${KEY_CONF_DB_CON_INFO} = sqlite:///keystone.db ] ; 
then
-   
KEY_CONF_DB_CON_INFO=sqlite:///var/lib/keystone/keystone.sqlite
+   
KEY_CONF_DB_CON_INFO=sqlite:///var/lib/keystone/keystonedb
fi
 
KEY_CONF_DB_PATH=`echo ${KEY_CONF_DB_CON_INFO} | awk '{print 
substr($0,11)}'`
if [ -z ${KEY_CONF_DB_PATH} ] ; then
-   KEY_CONF_DB_PATH=/var/lib/keystone/keystone.sqlite
+   KEY_CONF_DB_PATH=/var/lib/keystone/keystonedb
fi
dbc_basepath=`dirname ${KEY_CONF_DB_PATH}`

Bug#689289: unblock: keystone/2012.1.1-9 (CVE-2012-445{6,7}, +policy RC fixes)

2012-11-07 Thread Moritz Muehlenhoff
On Wed, Oct 10, 2012 at 06:52:16PM +0200, Julien Cristau wrote:
 On Mon, Oct  1, 2012 at 15:00:25 +0800, Thomas Goirand wrote:
 
  diff -Nru keystone-2012.1.1/debian/keystone.postinst 
  keystone-2012.1.1/debian/keystone.postinst
  --- keystone-2012.1.1/debian/keystone.postinst  2012-09-12 
  16:33:13.0 +
  +++ keystone-2012.1.1/debian/keystone.postinst  2012-10-01 
  06:51:43.0 +
  @@ -1,77 +1,64 @@
 [...]
  +   chown keystone:keystone -R /var/lib/keystone /var/log/keystone 
  /etc/keystone
  +   chmod 0750 /etc/keystone
  +   chmod 0750 /var/log/keystone
 
 What's the point of this (in particular the recursive chown)?  Why is it
 done every time the package is configured, rather than when these
 directories are initially created?
 
 [...]
  diff -Nru keystone-2012.1.1/debian/rules keystone-2012.1.1/debian/rules
  --- keystone-2012.1.1/debian/rules  2012-09-12 16:33:13.0 +
  +++ keystone-2012.1.1/debian/rules  2012-10-01 06:51:43.0 +
  @@ -42,6 +42,11 @@
  rm -rf debian/python-keystone/usr/lib/python*/*/doc
  rm -rf debian/python-keystone/usr/lib/python*/*/tools
  rm -rf debian/python-keystone/usr/lib/python*/*/examples
  +   install -D -m 0640 etc/keystone.conf 
  debian/keystone/usr/share/keystone/keystone.conf
  +
  +override_dh_fixperms:
  +   dh_fixperms
  +   chmod 0640 debian/keystone/usr/share/keystone/keystone.conf
   
   override_dh_clean:
  rm -rf $(CURDIR)/build $(CURDIR)/keystone.egg-info $(CURDIR)/.cache
 
 I don't think that (overriding fixperms) should be necessary, can't the
 permissions be set when installing the file in postinst?

Thomas,
what's the status?

Cheers,
Moritz


-- 



Bug#689289: unblock: keystone/2012.1.1-9 (CVE-2012-445{6,7}, +policy RC fixes)

2012-10-10 Thread Julien Cristau
On Mon, Oct  1, 2012 at 15:00:25 +0800, Thomas Goirand wrote:

 diff -Nru keystone-2012.1.1/debian/keystone.postinst 
 keystone-2012.1.1/debian/keystone.postinst
 --- keystone-2012.1.1/debian/keystone.postinst2012-09-12 
 16:33:13.0 +
 +++ keystone-2012.1.1/debian/keystone.postinst2012-10-01 
 06:51:43.0 +
 @@ -1,77 +1,64 @@
[...]
 + chown keystone:keystone -R /var/lib/keystone /var/log/keystone 
 /etc/keystone
 + chmod 0750 /etc/keystone
 + chmod 0750 /var/log/keystone

What's the point of this (in particular the recursive chown)?  Why is it
done every time the package is configured, rather than when these
directories are initially created?

[...]
 diff -Nru keystone-2012.1.1/debian/rules keystone-2012.1.1/debian/rules
 --- keystone-2012.1.1/debian/rules2012-09-12 16:33:13.0 +
 +++ keystone-2012.1.1/debian/rules2012-10-01 06:51:43.0 +
 @@ -42,6 +42,11 @@
   rm -rf debian/python-keystone/usr/lib/python*/*/doc
   rm -rf debian/python-keystone/usr/lib/python*/*/tools
   rm -rf debian/python-keystone/usr/lib/python*/*/examples
 + install -D -m 0640 etc/keystone.conf 
 debian/keystone/usr/share/keystone/keystone.conf
 +
 +override_dh_fixperms:
 + dh_fixperms
 + chmod 0640 debian/keystone/usr/share/keystone/keystone.conf
  
  override_dh_clean:
   rm -rf $(CURDIR)/build $(CURDIR)/keystone.egg-info $(CURDIR)/.cache

I don't think that (overriding fixperms) should be necessary, can't the
permissions be set when installing the file in postinst?

Cheers,
Julien




Bug#689289: unblock: keystone/2012.1.1-9 (CVE-2012-445{6,7}, +policy RC fixes)

2012-10-01 Thread Thomas Goirand
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Dear Release Team,

I have applied upstream patches for CVE-2012-445{6,7} (yes, yet another
CVE in keystone...), and fixed bad handling of /etc/keystone/keystone.conf.
The latter modifications have already been reviewed by Julien, and I
believe they are in shape now.

If the release team prefers that I first undo keystone.conf changes so
that only the CVE fixes can migrate first, then the keystone.conf handling
gets the standard 10 days testing, that can be done too. I have no problem
doing this in 2 steps, to give more testing time for the keystone.conf
handling. But I believe it should be ok now.

The debdiff is attached. It's unfortunately not so small.

Thanks for your time working on the Wheezy release,
Please unblock keystone/2012.1.1-9,
Cheers,

Thomas Goirand (zigo)

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru keystone-2012.1.1/debian/changelog keystone-2012.1.1/debian/changelog
--- keystone-2012.1.1/debian/changelog	2012-09-12 16:33:13.0 +
+++ keystone-2012.1.1/debian/changelog	2012-10-01 06:51:43.0 +
@@ -1,3 +1,28 @@
+keystone (2012.1.1-9) unstable; urgency=high
+
+  * Fixes sometimes failing keystone.postrm (db_get in some conditions can
+  return false), and fixed non-consistant indenting.
+  * Uses /usr/share/keystone/keystone.conf instead of /usr/share/doc/keystone
+  /keystone.conf.sample for temporary storing the conf file (this was a policy
+  violation, as the doc folder should never be required).
+  * Fixes CVE-2012-4457: fails to raise Unauthorized user error for disabled,
+  CVE-2012-4456: fails to validate tokens in Admin API (Closes: #689210).
+
+ -- Thomas Goirand z...@debian.org  Mon, 01 Oct 2012 05:52:23 +
+
+keystone (2012.1.1-8) unstable; urgency=low
+
+  * Fixes parsing of the SQL connection in keystone.config.
+
+ -- Thomas Goirand z...@debian.org  Sun, 30 Sep 2012 01:48:50 +
+
+keystone (2012.1.1-7) unstable; urgency=low
+
+  * Fixes band handling (eg: policy violation) of keystone.conf which was
+  conffiles, but changed in the posinst (Closes: #687311).
+
+ -- Thomas Goirand z...@debian.org  Wed, 12 Sep 2012 17:09:47 +
+
 keystone (2012.1.1-6) unstable; urgency=high
 
   * CVE-2012-4413: Revoking a role does not affect existing tokens
diff -Nru keystone-2012.1.1/debian/keystone.config keystone-2012.1.1/debian/keystone.config
--- keystone-2012.1.1/debian/keystone.config	2012-09-12 16:33:13.0 +
+++ keystone-2012.1.1/debian/keystone.config	2012-10-01 06:51:43.0 +
@@ -1,19 +1,79 @@
 #!/bin/sh
+
 set -e
 
 . /usr/share/debconf/confmodule
 
+### Reading of values in the keystone config file   ###
+### and setting default for dbconfig-common accordingly ###
+KEY_CONF=/etc/keystone/keystone.conf
+
+if [ -e ${KEY_CONF} ] ; then
+	KEY_CONF_AUTH_TOKEN=`grep -E ^([ \t])*admin_token([ \t])*=([ \t])* ${KEY_CONF} | awk '{print $3}'`
+	if [ -n ${KEY_CONF_AUTH_TOKEN} ] ; then
+		db_set keystone/auth-token ${KEY_CONF_AUTH_TOKEN}
+	fi
+fi
 db_input low keystone/auth-token || true
 db_input low keystone/configure_db || true
 db_go
+
 db_get keystone/configure_db
-if [ $RET = true ]; then
-if [ -f /usr/share/dbconfig-common/dpkg/config ];
-then
-	dbc_dbtypes=sqlite3, mysql, pgsql
-	db_authmethod_user=password
-	dbc_basepath=/var/lib/keystone
+if [ $RET = true ]  [ -e ${KEY_CONF} ]  [ -f /usr/share/dbconfig-common/dpkg/config ] ; then
 	. /usr/share/dbconfig-common/dpkg/config
+	KEY_CONF_DB_CON_INFO=`grep -E ^([ \t])*connection([ \t])*=([ \t])* ${KEY_CONF} | awk '{print $3}'`
+	KEY_CONF_DB_TYPE=`echo ${KEY_CONF_DB_CON_INFO} | cut -d: -f1`
+	# If we have an undefined SQL type, we go back to a more sane default (eg: SQLite)
+	if [ ${KEY_CONF_DB_TYPE} != sqlite ]  [ ${KEY_CONF_DB_TYPE} != mysql ]  [ ${KEY_CONF_DB_TYPE} != pgsql ] ; then
+		KEY_CONF_DB_CON_INFO=sqlite:///var/lib/keystone/keystone.sqlite
+		KEY_CONF_DB_TYPE=sqlite
+	fi
+	if [ ${KEY_CONF_DB_TYPE} = sqlite ] ; then
+		# This is the invalid default in the etc/keystone.conf in the source package
+		if [ ${KEY_CONF_DB_CON_INFO} = sqlite:///keystone.db ] ; then
+			KEY_CONF_DB_CON_INFO=sqlite:///var/lib/keystone/keystone.sqlite
+		fi
+
+		KEY_CONF_DB_PATH=`echo ${KEY_CONF_DB_CON_INFO} | awk '{print substr($0,11)}'`
+		if [ -z ${KEY_CONF_DB_PATH} ] ; then
+			KEY_CONF_DB_PATH=/var/lib/keystone/keystone.sqlite
+		fi
+		dbc_basepath=`dirname ${KEY_CONF_DB_PATH}`
+		dbc_dbname=`basename ${KEY_CONF_DB_PATH}`
+		dbc_dbtypes=sqlite3, mysql, pgsql
+	else
+		# Later, the postinst does: mysql://$dbc_dbuser:$dbc_dbpass@${dbc_dbserver:-localhost}$dbport/$dbc_dbname
+		# so we are