subject:"Bug#862485\: fwsnort mustn't set iptables rules when purged"

Bug#862485: fwsnort mustn't set iptables rules when purged

2017-05-14 Thread Axel Beckert

Axel Beckert wrote:
> Point taken. Will move that line (or an "fwsnort --ipt-flush") into a
> (to be created) prerm and do another QA upload. (Unless you're already
> onto it. Feel free to do that.)

Unfortunately "fwsnort --ipt-flush" only flushes the chains but does
not remove the chains:

  # iptables -L -v -n
  Chain INPUT (policy ACCEPT 34 packets, 6672 bytes)
   pkts bytes target prot opt in out source   
destination
  22598   17M FWSNORT_INPUT  all  --  !lo*   0.0.0.0/0
0.0.0.0/0
  
  Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
   pkts bytes target prot opt in out source   
destination
  0 0 FWSNORT_FORWARD  all  --  !lo*   0.0.0.0/0
0.0.0.0/0
  
  Chain OUTPUT (policy ACCEPT 34 packets, 2568 bytes)
   pkts bytes target prot opt in out source   
destination
  22777 1488K FWSNORT_OUTPUT  all  --  *  !lo 0.0.0.0/0
0.0.0.0/0
  
  Chain FWSNORT_FORWARD (1 references)
   pkts bytes target prot opt in out source   
destination
  
  Chain FWSNORT_FORWARD_ESTAB (0 references)
   pkts bytes target prot opt in out source   
destination
  
  Chain FWSNORT_INPUT (1 references)
   pkts bytes target prot opt in out source   
destination
  
  Chain FWSNORT_INPUT_ESTAB (0 references)
   pkts bytes target prot opt in out source   
destination
  
  Chain FWSNORT_OUTPUT (1 references)
   pkts bytes target prot opt in out source   
destination
  
  Chain FWSNORT_OUTPUT_ESTAB (0 references)
   pkts bytes target prot opt in out source   
destination

So a little bit more is needed in prerm to properly clean up: First
remove the remaining references to FWSNORT_* chains, then delete all
FWSNORT_* chains.

Regards, Axel
--
 ,''`.  |  Axel Beckert , http://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-|  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE

Bug#862485: fwsnort mustn't set iptables rules when purged

2017-05-13 Thread Axel Beckert

Control: tag -1 + confirmed - moreinfo

Hi Adrian,

Adrian Bunk wrote:
> > > Tags: security
> > 
> > I also disagree with this tag.
> 
> messing up the iptables setup at an unexpected time can have bad 
> consequences.

bad != security

> > > A case could be made for "fwsnort --ipt-flush" in prerm.
> > 
> > This would be against the expectation of users that configurations,
> > settings etc. are removed on purge and not on removal.
> 
> When you remove (not purge) a package containing a webserver, do you 
> expect that the webserver is stopped or do you expect that the webserver
> is still running after removing the package?

Granted. Thanks for that comparison.

> > > Or considering that activating any fwsnort rules is not done
> > > automatically and that the package should not interfere with
> > > what the the admin has done.
> >
> > I disagree. I expect a package to clean up its changes on purge which
> > result on common usage. To be more specifically, seeing 11'000
> > iptables rules left on my system after pruging fwsnort with no chance
> > to remove them without reinstalling the package or removing 11'000
> > rules by hand. Not cleaning up these rules is a bug. And cleaning up
> > is a task for "purge", not for "remove".
> 
> "Remove an installed package. This removes everything except conffiles"
> This the dpkg (and similar in apt) description of what remove does.
> 
> A package that is removed but not purged is in the Config-Files states.
> This means the old configuration is still present if the package gets
> installed again.
> 
> Purging is supposed to remove the (at that point already unused)
> configuration files of the package.

Point taken. Will move that line (or an "fwsnort --ipt-flush") into a
(to be created) prerm and do another QA upload. (Unless you're already
onto it. Feel free to do that.)
 
Regards, Axel
-- 
 ,''`.  |  Axel Beckert , http://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-|  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE

Bug#862485: fwsnort mustn't set iptables rules when purged

2017-05-13 Thread Adrian Bunk

Control: severity -1 serious

On Sat, May 13, 2017 at 07:27:27PM +0200, Axel Beckert wrote:
> Control: tag -1 + moreinfo
> Control: severity -1 important
> 
> Hi Adrian,

Hi Axel,

> Adrian Bunk wrote:
> > Severity: critical
> 
> I think that's overly exaggerated.
> 
> > Tags: security
> 
> I also disagree with this tag.

messing up the iptables setup at an unexpected time can have bad 
consequences.

> > The #861999 fix adds the following on purging:
> >   grep -v FWSNORT /var/lib/fwsnort/fwsnort.save | iptables-restore
> 
> Yes. In postrm on purge.
> 
> > Imagine the following:
> > 1. today I install fwsnort and try it
> > 2. later today I uninstall it
> 
> You usually purge package if you play with packages which make changes
> to your system.
> 
> > This would in 2 years set the iptables rules to what they
> > were today before I shortly played with fwsnort.
> 
> I consider this (i.e. just removing but not purging when wanting to
> get rid of a package and all its effects) to be the admin's fault, not
> the package's fault.
> 
> > A case could be made for "fwsnort --ipt-flush" in prerm.
> 
> This would be against the expectation of users that configurations,
> settings etc. are removed on purge and not on removal.

When you remove (not purge) a package containing a webserver, do you 
expect that the webserver is stopped or do you expect that the webserver
is still running after removing the package?

> > Or considering that activating any fwsnort rules is not done
> > automatically and that the package should not interfere with
> > what the the admin has done.
>
> I disagree. I expect a package to clean up its changes on purge which
> result on common usage. To be more specifically, seeing 11'000
> iptables rules left on my system after pruging fwsnort with no chance
> to remove them without reinstalling the package or removing 11'000
> rules by hand. Not cleaning up these rules is a bug. And cleaning up
> is a task for "purge", not for "remove".

"Remove an installed package. This removes everything except conffiles"
This the dpkg (and similar in apt) description of what remove does.

A package that is removed but not purged is in the Config-Files states.
This means the old configuration is still present if the package gets
installed again.

Purging is supposed to remove the (at that point already unused)
configuration files of the package.

Purging is not supposed to do any reconfiguration of the system.

>   Regards, Axel

cu
Adrian

-- 

   "Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
   "Only a promise," Lao Er said.
   Pearl S. Buck - Dragon Seed

Bug#862485: fwsnort mustn't set iptables rules when purged

2017-05-13 Thread Axel Beckert

Control: tag -1 + moreinfo
Control: severity -1 important

Hi Adrian,

Adrian Bunk wrote:
> Severity: critical

I think that's overly exaggerated.

> Tags: security

I also disagree with this tag.

> The #861999 fix adds the following on purging:
>   grep -v FWSNORT /var/lib/fwsnort/fwsnort.save | iptables-restore

Yes. In postrm on purge.

> Imagine the following:
> 1. today I install fwsnort and try it
> 2. later today I uninstall it

You usually purge package if you play with packages which make changes
to your system.

> This would in 2 years set the iptables rules to what they
> were today before I shortly played with fwsnort.

I consider this (i.e. just removing but not purging when wanting to
get rid of a package and all its effects) to be the admin's fault, not
the package's fault.

> A case could be made for "fwsnort --ipt-flush" in prerm.

This would be against the expectation of users that configurations,
settings etc. are removed on purge and not on removal.

> Or considering that activating any fwsnort rules is not done
> automatically and that the package should not interfere with
> what the the admin has done.

I disagree. I expect a package to clean up its changes on purge which
result on common usage. To be more specifically, seeing 11'000
iptables rules left on my system after pruging fwsnort with no chance
to remove them without reinstalling the package or removing 11'000
rules by hand. Not cleaning up these rules is a bug. And cleaning up
is a task for "purge", not for "remove".

Regards, Axel
-- 
 ,''`.  |  Axel Beckert , http://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-|  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE

Bug#862485: fwsnort mustn't set iptables rules when purged

2017-05-13 Thread Adrian Bunk

Package: fwsnort
Version: 1.6.5-3
Severity: critical
Tags: security

The #861999 fix adds the following on purging:
  grep -v FWSNORT /var/lib/fwsnort/fwsnort.save | iptables-restore

Imagine the following:
1. today I install fwsnort and try it
2. later today I uninstall it
3. 2 years later I purge all long-removed packages

This would in 2 years set the iptables rules to what they
were today before I shortly played with fwsnort.


A case could be made for "fwsnort --ipt-flush" in prerm.

Or considering that activating any fwsnort rules is not done
automatically and that the package should not interfere with
what the the admin has done.

Bug#862485: fwsnort mustn't set iptables rules when purged

Bug#862485: fwsnort mustn't set iptables rules when purged

Bug#862485: fwsnort mustn't set iptables rules when purged

Bug#862485: fwsnort mustn't set iptables rules when purged

Bug#862485: fwsnort mustn't set iptables rules when purged

5 matches

Site Navigation

Mail list logo

Footer information