Bug#1035361: sauce: Potentially dangerous mode on /etc/logrotate.d/sauce: 0755

2023-05-30 Thread Ian Jackson
Control: severity -1 normal
Control: tags -1 + patch

Andreas Beckmann writes ("Bug#1035361: sauce: Potentially dangerous mode on 
/etc/logrotate.d/sauce: 0755"):
> While the package works fine after a fresh install in sid or bookworm,
> the issue is still present after an upgrade from bullseye to bookworm.
> File permissions of conffiles do not seem to get updated on upgrades,
> this needs to be fixed manually in the postinst, e.g. (untested)
> 
> if dpkg --compare-versions "$2" lt-nl "0.9.3~"
> then
>   chmod -v -x /etc/logrotate.d/sauce 
> fi

Indeed.

However, I decided not to make that change so late in the freeze.  I
didn't want to add a risk that the maintscript fragment would be
wrong (despite the testing I would naturally do).

Cribbing from my commit message:

This is a conffile, so old installs don't get the updated mode.
Ideally we would add something to the postinst to fix them but
that seems too complex at this stage of the Debian release cycle.
Users who are annoyed with the warning can change the mode by
hand.

I will probably do something like you suggest when sid has reopened,
for the benefit of downstreams with a different release cycle, users
skip-upgrading, etc.

I don't intend to prepare a stable update for bookworm myself.  But
if, after I've done this fixup in sid, someone would like to drive
that, I would be happy to review the proposed update and lend my
support.

Thanks,
Ian.

-- 
Ian Jackson   These opinions are my own.

Pronouns: they/he.  If I emailed you from @fyvzl.net or @evade.org.uk,
that is a private address which bypasses my fierce spamfilter.



Bug#1035361: sauce: Potentially dangerous mode on /etc/logrotate.d/sauce: 0755

2023-05-25 Thread Andreas Beckmann
Followup-For: Bug #1035361
Control: found -1 0.9.2

While the package works fine after a fresh install in sid or bookworm,
the issue is still present after an upgrade from bullseye to bookworm.
File permissions of conffiles do not seem to get updated on upgrades,
this needs to be fixed manually in the postinst, e.g. (untested)

if dpkg --compare-versions "$2" lt-nl "0.9.3~"
then
  chmod -v -x /etc/logrotate.d/sauce
fi


Andreas



Bug#1035361: sauce: Potentially dangerous mode on /etc/logrotate.d/sauce: 0755

2023-05-02 Thread Ian Jackson
Control: clone -1 -2
Control: retitle -2 ancient chown syntax
Control: severity -2 serious

Andreas Beckmann writes ("Re: Bug#1035361: sauce: Potentially dangerous mode on 
/etc/logrotate.d/sauce: 0755"):
> Setting up sauce (0.9.1) ...
> Checking for SAUCE databases in /var/lib/sauce ...
>   cdb.site-annoy (no existing data)  donechown: warning: '.' should be 
> ':': 'mail.mail'
> chown: warning: '.' should be ':': 'mail.mail'
> chown: warning: '.' should be ':': 'mail.mail'
> chown: warning: '.' should be ':': 'mail.mail'

etc.

Ian.

-- 
Ian Jackson   These opinions are my own.

Pronouns: they/he.  If I emailed you from @fyvzl.net or @evade.org.uk,
that is a private address which bypasses my fierce spamfilter.



Bug#1035361: sauce: Potentially dangerous mode on /etc/logrotate.d/sauce: 0755

2023-05-02 Thread Ian Jackson
Andreas Beckmann writes ("Re: Bug#1035361: sauce: Potentially dangerous mode on 
/etc/logrotate.d/sauce: 0755"):
> [trying] it manually by installing logrotate and sauce in a chroot 
> (without removing sauce again):

Ah!

Thanks for investigating.  I think that I ought to fix the
permissions of the logrotate.d and the chown syntax.

I will do some more tests to check about whether that's sufficient or
whether "missingok" is needed too.

Ian.

-- 
Ian Jackson   These opinions are my own.

Pronouns: they/he.  If I emailed you from @fyvzl.net or @evade.org.uk,
that is a private address which bypasses my fierce spamfilter.



Bug#1035361: sauce: Potentially dangerous mode on /etc/logrotate.d/sauce: 0755

2023-05-02 Thread Andreas Beckmann

On 02/05/2023 11.37, Ian Jackson wrote:
> Andreas Beckmann writes ("Bug#1035361: sauce: Potentially dangerous mode on
> /etc/logrotate.d/sauce: 0755"):
> > Package: sauce
> > Version: 0.9.1
> > Severity: serious
> > User: debian...@lists.debian.org
> > Usertags: piuparts
> ...
> > during a test with piuparts I noticed your package's logrotate
> > configuration causes logrotate to exit with an error after the package
> > has been removed (*) or when logrotate is run but no logfile exists.
>
> Thanks for the report.  I will fix this ASAP.
>
> > Usually the solution is to specify 'missingok' in the logrotate
> > configuration.
>
> I will do some tests but that sounds like a possible approach.

That doesn't look like a solution in this case.

> > Setting severity to serious since this does not seem limited to being
> > emitted after package removal but always. The current logrotate version
> > in sid seems to be more strict.
>
> I looked through the changelog and didn't find anything about missing
> logfiles since at least 2015.  Are you sure ?
>
> > From the attached log (scroll to the bottom...):
> >
> > 0m17.0s DEBUG: Starting command: ['chroot',
> > '/srv/piuparts.debian.org/tmp/tmp6h9n6ntx', '/usr/sbin/logrotate',
> > '/etc/logrotate.d/sauce']
> > 0m17.0s DUMP:
> >   warning: Potentially dangerous mode on /etc/logrotate.d/sauce: 0755
> > 0m17.0s DEBUG: Command ok: ['chroot',
> > '/srv/piuparts.debian.org/tmp/tmp6h9n6ntx', '/usr/sbin/logrotate',
> > '/etc/logrotate.d/sauce']
> > 0m17.0s ERROR: FAIL: Logrotate file /etc/logrotate.d/sauce exits with error
> > or has output with package removed
>
> I have one question.  The message here is complaining about the file
> permission.  I think that mode is probably wrong, but I don't think it
> is *dangerous*.
>
> I don't think I ought to change the mode for bookworm.


That code is from logrotate

https://sources.debian.org/src/logrotate/3.21.0-1/config.c/?hl=1057#L1057

but it was already present at least in bullseye (didn't check earlier 
releases).


Trying it manually by installing logrotate and sauce in a chroot 
(without removing sauce again):


bullseye# ls -la /etc/logrotate.d/sauce
-rwxr-xr-x 1 root root 506 Jan 27  2021 /etc/logrotate.d/sauce
bullseye# logrotate /etc/logrotate.d/sauce
bullseye# echo $?
0

installing sauce in bookworm is very noisy:

Setting up sauce (0.9.1) ...
Checking for SAUCE databases in /var/lib/sauce ...
 cdb.site-annoy (no existing data)  donechown: warning: '.' should be 
':': 'mail.mail'

chown: warning: '.' should be ':': 'mail.mail'
chown: warning: '.' should be ':': 'mail.mail'
chown: warning: '.' should be ':': 'mail.mail'
.
 cdb.site-seen (no existing data)  donechown: warning: '.' should be 
':': 'mail.mail'

chown: warning: '.' should be ':': 'mail.mail'
chown: warning: '.' should be ':': 'mail.mail'
chown: warning: '.' should be ':': 'mail.mail'
.
 cdb.site-list (no existing data)  donechown: warning: '.' should be 
':': 'mail.mail'

chown: warning: '.' should be ':': 'mail.mail'
chown: warning: '.' should be ':': 'mail.mail'
chown: warning: '.' should be ':': 'mail.mail'
.
 cdb.addr-seen (no existing data)  donechown: warning: '.' should be 
':': 'mail.mail'

chown: warning: '.' should be ':': 'mail.mail'
chown: warning: '.' should be ':': 'mail.mail'
chown: warning: '.' should be ':': 'mail.mail'
.
 cdb.addr-list (no existing data)  donechown: warning: '.' should be 
':': 'mail.mail'

chown: warning: '.' should be ':': 'mail.mail'
chown: warning: '.' should be ':': 'mail.mail'
chown: warning: '.' should be ':': 'mail.mail'
.


bookworm# ls -la /etc/logrotate.d/sauce
-rwxr-xr-x 1 root root 506 Jan 27  2021 /etc/logrotate.d/sauce
bookworm# logrotate /etc/logrotate.d/sauce
warning: Potentially dangerous mode on /etc/logrotate.d/sauce: 0755
bookworm# echo $?
0

If I understand it correctly, logrotate complains about the executable 
permission. (0644 and 0600 should be both ok)
And it will do that every time logrotate runs while the package is 
installed, producing some cron email or other notification.


IMO both bugs (logrotate permission and ancient chown syntax) warrant an 
update of the package to be included in bookworm.


Andreas
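
The check and repair discussed in this message and in the 2023-05-25 follow-up (the untested postinst `chmod -x`), as an added example that is not part of the thread or of the sauce package. It assumes, as stated above, that the warning is triggered by an executable bit (0644 and 0600 being fine); the function names and the sample file names are constructed.

```shell
#!/bin/sh
# Added example: audit a logrotate.d-style directory for snippets that carry
# an executable bit, then clear it the way a postinst fix-up would.

# Print every regular file directly inside directory $1 that has any
# executable bit set (owner, group or other). Symlinks are not followed.
list_exec_snippets() {
    find "$1" -maxdepth 1 -type f \
        \( -perm -100 -o -perm -010 -o -perm -001 \) -print | sort
}

# Clear the executable bits on those files and print how many were changed.
# "a-x" is used instead of a bare "-x" so the result does not depend on umask.
fix_exec_snippets() {
    list_exec_snippets "$1" | {
        count=0
        while IFS= read -r f; do
            chmod a-x "$f" && count=$((count + 1))
        done
        echo "$count"
    }
}

# Build a constructed sample directory: one snippet with the mode from the
# bug report (0755) and two with the modes the thread calls acceptable.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    for spec in sauce:755 apt:644 private:600; do
        : > "$d/${spec%%:*}"
        chmod "${spec##*:}" "$d/${spec%%:*}"
    done
    echo "$d"
}

# Usage on a real system (as root):
#   list_exec_snippets /etc/logrotate.d
#   fix_exec_snippets /etc/logrotate.d
```

Running the fix a second time reports 0 changes, so it is safe to repeat on every upgrade without a version guard.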



Bug#1035361: sauce: Potentially dangerous mode on /etc/logrotate.d/sauce: 0755

2023-05-02 Thread Ian Jackson
Andreas Beckmann writes ("Bug#1035361: sauce: Potentially dangerous mode on 
/etc/logrotate.d/sauce: 0755"):
> Package: sauce
> Version: 0.9.1
> Severity: serious
> User: debian...@lists.debian.org
> Usertags: piuparts
...
> during a test with piuparts I noticed your package's logrotate
> configuration causes logrotate to exit with an error after the package
> has been removed (*) or when logrotate is run but no logfile exists.

Thanks for the report.  I will fix this ASAP.

> Usually the solution is to specify 'missingok' in the logrotate
> configuration.

I will do some tests but that sounds like a possible approach.

> Setting severity to serious since this does not seem limited to being
> emitted after package removal but always. The current logrotate version
> in sid seems to be more strict.

I looked through the changelog and didn't find anything about missing
logfiles since at least 2015.  Are you sure ?

> From the attached log (scroll to the bottom...):
> 
> 0m17.0s DEBUG: Starting command: ['chroot', 
> '/srv/piuparts.debian.org/tmp/tmp6h9n6ntx', '/usr/sbin/logrotate', 
> '/etc/logrotate.d/sauce']
> 0m17.0s DUMP: 
>   warning: Potentially dangerous mode on /etc/logrotate.d/sauce: 0755
> 0m17.0s DEBUG: Command ok: ['chroot', 
> '/srv/piuparts.debian.org/tmp/tmp6h9n6ntx', '/usr/sbin/logrotate', 
> '/etc/logrotate.d/sauce']
> 0m17.0s ERROR: FAIL: Logrotate file /etc/logrotate.d/sauce exits with error 
> or has output with package removed

I have one question.  The message here is complaining about the file
permission.  I think that mode is probably wrong, but I don't think it
is *dangerous*.

I don't think I ought to change the mode for bookworm.

Thanks,
Ian.

-- 
Ian Jackson   These opinions are my own.

Pronouns: they/he.  If I emailed you from @fyvzl.net or @evade.org.uk,
that is a private address which bypasses my fierce spamfilter.



Bug#1035361: sauce: Potentially dangerous mode on /etc/logrotate.d/sauce: 0755

2023-05-01 Thread Andreas Beckmann
Package: sauce
Version: 0.9.1
Severity: serious
User: debian...@lists.debian.org
Usertags: piuparts

Hi,

during a test with piuparts I noticed your package's logrotate
configuration causes logrotate to exit with an error after the package
has been removed (*) or when logrotate is run but no logfile exists.

Usually the solution is to specify 'missingok' in the logrotate
configuration.

*) logrotate configuration files remain installed and executed after a
package has been removed, they only get removed when the package is
purged.

From the attached log (scroll to the bottom...):

0m17.0s DEBUG: Starting command: ['chroot', 
'/srv/piuparts.debian.org/tmp/tmp6h9n6ntx', '/usr/sbin/logrotate', 
'/etc/logrotate.d/sauce']
0m17.0s DUMP: 
  warning: Potentially dangerous mode on /etc/logrotate.d/sauce: 0755
0m17.0s DEBUG: Command ok: ['chroot', 
'/srv/piuparts.debian.org/tmp/tmp6h9n6ntx', '/usr/sbin/logrotate', 
'/etc/logrotate.d/sauce']
0m17.0s ERROR: FAIL: Logrotate file /etc/logrotate.d/sauce exits with error or 
has output with package removed


Setting severity to serious since this does not seem limited to being
emitted after package removal but always. The current logrotate version
in sid seems to be more strict.


cheers,

Andreas


sauce_0.9.1.log.gz
Description: application/gzip