Bug#471488: marked as done (dpkg: status fd (--status-fd ) should not be inherited by childs (scripts))

Debian Bug Tracking System Mon, 25 Aug 2008 22:08:41 -0700

Your message dated Tue, 26 Aug 2008 04:32:04 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#487684: fixed in dpkg 1.14.21
has caused the Debian Bug report #487684,
regarding dpkg: status fd (--status-fd <n>) should not be inherited by childs 
(scripts)
to be marked as done.


This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
487684: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=487684
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems

--- Begin Message ---

Package: dpkg
Version: 1.14.16.6
Severity: normal

Hi,
when analysing SELinux audit log I found, that post,pre...install...
scripts inherits the file-descriptor of pipe between apt and dpkg. This
descriptor causes the SELinux audit message:

audit(1205849195.192:35): avc:  denied  { write } for  pid=4798 comm="ldconfig" 
name="[15750]" dev=pipefs ino=15750 scontext=system_u:system_r:ldconfig_t:s0 
tcontext=system_u:system_r:apt_t:s0 tclass=fifo_file

after some investigation:

sid:~# se_apt-get install libcdb1
Authenticating root.
Password: 
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following NEW packages will be installed:
  libcdb1
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 0B/11.9kB of archives.
After this operation, 36.9kB of additional disk space will be used.
Selecting previously deselected package libcdb1.
(Reading database ... 68311 files and directories currently installed.)
Unpacking libcdb1 (from .../archives/libcdb1_0.76_i386.deb) ...
Setting up libcdb1 (0.76) ...


sid:~# echo 'sleep 1000' >>/var/lib/dpkg/info/libcdb1.postrm 


sid:~# se_apt-get remove --purge libcdb1
Authenticating root.
Password: 
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages will be REMOVED:
  libcdb1*
0 upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
After this operation, 36.9kB disk space will be freed.
(Reading database ... 68315 files and directories currently installed.)
Removing libcdb1 ...

And while postrm script is waiting for sleep...

sid:~# ps axf
...
 4776 pts/3    SN+    0:47  |     \_ /usr/sbin/run_init apt-get remove --purge 
libcdb1
 4782 pts/2    Ss+    0:00  |         \_ apt-get remove --purge libcdb1
 4796 pts/5    Ss+    0:00  |             \_ /usr/bin/dpkg --status-fd 13 
--force-depends --force-remove-essential
 4797 pts/5    S+     0:00  |                 \_ /bin/sh 
/var/lib/dpkg/info/libcdb1.postrm remove
 4799 pts/5    S+     0:00  |                     \_ sleep 1000
...


sid:~# lsof -p 4782 -p 4796 -p 4797 -p 4799|grep FIFO
apt-get   4782 root   12r  FIFO    0,6           15750 pipe
dpkg      4796 root   13w  FIFO    0,6           15750 pipe
libcdb1.p 4797 root   13w  FIFO    0,6           15750 pipe
sleep     4799 root   13w  FIFO    0,6           15750 pipe


This information corresponds with the SELinux message above (fd 13, inode
15750). I think dpkg should not pass this descriptor down.
Best Regards!
-- 
Zito

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.18-6-xen-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=cs_CZ.ISO-8859-2 (charmap=ISO-8859-2)
Shell: /bin/sh linked to /bin/bash

Versions of packages dpkg depends on:
ii  coreutils                     6.10-3     The GNU core utilities
ii  libc6                         2.7-9      GNU C Library: Shared libraries

dpkg recommends no packages.

-- no debconf information

-- 
Zito

--- End Message ---

--- Begin Message ---

Source: dpkg
Source-Version: 1.14.21

We believe that the bug you reported is fixed in the latest version of
dpkg, which is due to be installed in the Debian FTP archive:

dpkg-dev_1.14.21_all.deb
  to pool/main/d/dpkg/dpkg-dev_1.14.21_all.deb
dpkg_1.14.21.dsc
  to pool/main/d/dpkg/dpkg_1.14.21.dsc
dpkg_1.14.21.tar.gz
  to pool/main/d/dpkg/dpkg_1.14.21.tar.gz
dpkg_1.14.21_i386.deb
  to pool/main/d/dpkg/dpkg_1.14.21_i386.deb
dselect_1.14.21_i386.deb
  to pool/main/d/dpkg/dselect_1.14.21_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guillem Jover <[EMAIL PROTECTED]> (supplier of updated dpkg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 26 Aug 2008 05:32:39 +0300
Source: dpkg
Binary: dpkg dpkg-dev dselect
Architecture: source i386 all
Version: 1.14.21
Distribution: unstable
Urgency: low
Maintainer: Dpkg Developers <[EMAIL PROTECTED]>
Changed-By: Guillem Jover <[EMAIL PROTECTED]>
Description: 
 dpkg       - Debian package management system
 dpkg-dev   - Debian package development tools
 dselect    - Debian package management front-end
Closes: 456332 471488 483655 483785 486843 487637 487684 487768 488090 488689 
488903 489068 490076 490905 493326 493743 495097 495138 495505 496176
Changes: 
 dpkg (1.14.21) unstable; urgency=low
 .
   [ Raphael Hertzog ]
   * Small fix in "3.0 (quilt)" source format when using non-standard name
     of the quilt series.
   * Handle debian.tar.gz files like diff.gz in dpkg-buildpackage and
     dpkg-genchanges to detect the kind of upload.
   * Add "armel" to /usr/share/dpkg/archtable. Closes: #487768
   * Modified Dpkg::BuildOptions to recognize and use spaces as separator
     in DEB_BUILD_OPTIONS (in order to conform with the Debian policy
     ruling established in #430649).
   * Fix dpkg-source to not use -i and -I by default with "1.0" source
     packages. Closes: #495138
 .
   [ Guillem Jover ]
   * When loading the status file fix up any inconsistent package in state
     triggers-awaited w/o the corresponding package with pending triggers.
     Closes: #487637, #486843, #489068
   * Fix --no-act in triggers related code. Closes: #495097
   * Do not assert when dpkg stops processing packages due to too many
     errors occurred while configuring or removing packages.
     Thanks to Ian Jackson <[EMAIL PROTECTED]>. Closes: #483655
   * Move lzma from dpkg Suggests to Pre-Depends. Closes: #456332
   * Match description of -si option in dpkg-buildpackage to the one in
     dpkg-genchanges. Closes: #493743
   * Close --status-fd file descriptors on exec, so that they are not
     inherited by the childs. Closes: #471488, #487684
   * State that the preferred front-end is aptitude and replace one instance
     of dselect usage with apt-get. Closes: #483785
 .
   [ Updated manpages translations ]
   * French (Florent Usseil).
   * German (Helge Kreutzmann).
 .
   [ Updated scripts translations ]
   * Russian (Yuri Kozlov). Closes: #490076
   * German (Helge Kreutzmann).
 .
   [ Updated dpkg translations ]
   * Basque (Piarres Beobide). Closes: #490905
   * Czech (Miroslav Kure).
   * French (Christian Perrier).
   * German (Sven Joachim).
   * Korean (Changwoo Ryu).
   * Romanian (Eddy Petrișor).
   * Russian (Yuri Kozlov). Closes: #488689
   * Simplified Chinese (Deng Xiyue). Closes: #496176
   * Slovak (Ivan Masár). Closes: #488903, #495505
   * Thai (Theppitak Karoonboonyanan). Closes: #488090
 .
   [ Added dpkg translations ]
   * Lithuanian (Gintautas Miliauskas). Closes: #493326
 .
   [ Updated dselect translations ]
   * Romanian (Eddy Petrișor).
Checksums-Sha1: 
 6f1a229b5e15604f84c05de1daa350887b3d0bc5 1215 dpkg_1.14.21.dsc
 108db3330c560175766ae2af4e085c4ddbc2d43d 6753845 dpkg_1.14.21.tar.gz
 ffff03ab41f96c243896729503c531e46f377e06 2292134 dpkg_1.14.21_i386.deb
 3a4010adf2c4ddb2343edf450cda2c1cfa4c373a 782758 dselect_1.14.21_i386.deb
 f9145439e788c3f35018b22a0eac6d3f524fa29d 756778 dpkg-dev_1.14.21_all.deb
Checksums-Sha256: 
 d421bc009377eab5cce6f676e1332f7da476c711c9a5f952014222b44dff20b5 1215 
dpkg_1.14.21.dsc
 6ed6733de4178879a22946e35aa46ad83ba7f0f85942d4c1f7298d118eadf1d0 6753845 
dpkg_1.14.21.tar.gz
 f8f37588d2a4761ea9bc5a51d92019827d86aeaa823a78b5516428f1e629d617 2292134 
dpkg_1.14.21_i386.deb
 fa0be73f914321f4e3336c655a8dfe4cdc84c97d06e92b8d33f9198b63db0b43 782758 
dselect_1.14.21_i386.deb
 4a31ba51483e39210a6277331f68ef735e01365a1f0e244d117a0702295540bc 756778 
dpkg-dev_1.14.21_all.deb
Files: 
 08f0620d9ff7347adf0f5dce06feb86c 1215 admin required dpkg_1.14.21.dsc
 1586644fceb02b00d9f5030ff7c2de88 6753845 admin required dpkg_1.14.21.tar.gz
 0cf0018c56447a57db05c83265cb49f9 2292134 admin required dpkg_1.14.21_i386.deb
 65eed22ec1b83097798e06fc65e02a15 782758 admin optional dselect_1.14.21_i386.deb
 24f3545a0a3e1164640d68ffd518d83c 756778 utils optional dpkg-dev_1.14.21_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkizbxYACgkQuW9ciZ2SjJuaCACgqNMozP6Q9hK6HOTI4bk4pu/F
rJIAn3s3K0DxwnmvlNUPlIUCN14LVUQi
=ey2a
-----END PGP SIGNATURE-----

--- End Message ---

Bug#471488: marked as done (dpkg: status fd (--status-fd ) should not be inherited by childs (scripts))

Reply via email to