Your message dated Tue, 10 Mar 2020 20:49:13 +0000
with message-id <[email protected]>
and subject line Bug#953030: fixed in bacula 9.6.3-1
has caused the Debian Bug report #953030,
regarding bacula-sd.postinst fails on systems with protected_regular=2 enabled
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
953030: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=953030
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: bacula-sd
Version: 9.4.4-2
Tags: patch
User: [email protected]
Usertags: origin-ubuntu focal ubuntu-patch

Hi,

bacula-sd.postinst currently uses mktemp, chowns to bacula.bacula, and
then attempts to write to the temporary file using a shell redirection.

If a system has /proc/sys/fs/protected_regular set to 2, then this
fails[1].

While what is being done might be safe in this particular case, writing
to a file in /tmp not owned by the writing user is in principle unsafe,
and so it is blocked. In Ubuntu we are moving to protected_regular=2 and
so for us a build of this package becomes uninstallable[2].

Please consider applying the attached patch, which simply rearranges the
postinst to change file ownership after writing the file. This prevents
the protection from being tripped.

Thanks,

Robie

[1] https://www.kernel.org/doc/Documentation/sysctl/fs.txt
[2] https://lists.ubuntu.com/archives/ubuntu-devel/2020-February/040904.html
From 2efa5028139683bd851c76ab117cc47cf698e2b3 Mon Sep 17 00:00:00 2001
From: Robie Basak <[email protected]>
Date: Mon, 2 Mar 2020 20:19:27 +0000
Subject: [PATCH]   * d/bacula-sd.postinst: change temporary file ownership
 after writing to it     to avoid a protected_regular=2 world-writeable sticky
 denial.

---
 debian/bacula-sd.postinst | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/debian/bacula-sd.postinst b/debian/bacula-sd.postinst
index 1ed67ff4..d3f83bb8 100644
--- a/debian/bacula-sd.postinst
+++ b/debian/bacula-sd.postinst
@@ -14,13 +14,13 @@ case "$1" in
 
 	# create new bacula-sd.conf using the template
 	TMP_CONFIG="$(mktemp -p /tmp $PKG_NAME.conf.ucftmp-XXXXXXXXXX)"
-	chmod 640 $TMP_CONFIG
-	chown bacula:bacula $TMP_CONFIG
 
 	sed -e s~@debian_basename@~`hostname`~ \
 	    -e s~XXX_SDPASSWORD_XXX~$SDPASSWD~ \
 	    -e s~XXX_MONSDPASSWORD_XXX~$SDMPASSWD~ \
 	    $TEMPLATE > $TMP_CONFIG
+	chmod 640 $TMP_CONFIG
+	chown bacula:bacula $TMP_CONFIG
 	# let ucf handle the conffile and register it
 	ucf --debconf-ok --three-way $TMP_CONFIG $TARGET
 	ucfr $PKG_NAME $TARGET
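
Review bot: the chmod 640 / chown bacula:bacula pair now sits after the sed redirection with no comment saying that the order is deliberate; add a one-line comment above it stating that ownership is changed only after the file has been written, otherwise a later tidy-up can move the pair back next to mktemp and bring the failure back. $TMP_CONFIG is also unquoted in both added lines and in the redirection; "$TMP_CONFIG" would be the safer form.
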
-- 
2.25.0


--- End Message ---
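
The ordering problem described in the report above, as an added example that is not part of the original message or of the bacula packaging: a heuristic lint that flags maintainer scripts which chown a mktemp file and only afterwards write to it through a redirection. The function names and the sample fragment are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the bacula packaging: heuristic lint for a mktemp
# file that is chowned and only afterwards written via a shell redirection.

# Reads a script on stdin, prints one finding per late write, returns 1 if any.
lint_chown_before_write() {
    awk '
    /^[ \t]*#/ { next }                      # skip comment lines
    # VAR="$(mktemp ...)" or VAR=`mktemp ...`: track VAR as a temp file
    match($0, /[A-Za-z_][A-Za-z0-9_]*="?([$][(]|`)mktemp/) {
        name = substr($0, RSTART, RLENGTH)
        sub(/=.*/, "", name)
        # matches $VAR, ${VAR}, "$VAR" followed by a non-identifier character
        ref[name] = "[$][{]?" name "[}]?\"?([^A-Za-z0-9_]|$)"
        next
    }
    {
        for (v in ref) {
            if ($0 ~ /(^|[^A-Za-z0-9_])chown[ \t]/ && $0 ~ ref[v])
                chowned[v] = NR              # ownership handed away here
            else if ((v in chowned) && $0 ~ (">>?[ \t]*\"?" ref[v])) {
                printf "line %d: write to $%s after chown on line %d\n", NR, v, chowned[v]
                found = 1
            }
        }
    }
    END { exit found }
    '
}

# Constructed postinst fragment; $1 selects the "before" or "after" ordering.
sample() {
    own='chown bacula:bacula $TMP_CONFIG'
    write='sed -e s~XXX_SDPASSWORD_XXX~$SDPASSWD~ $TEMPLATE > $TMP_CONFIG'
    printf '%s\n' 'TMP_CONFIG="$(mktemp -p /tmp $PKG_NAME.conf.ucftmp-XXXXXXXXXX)"'
    if [ "$1" = before ]; then printf '%s\n' "$own" "$write"
    else printf '%s\n' "$write" "$own"; fi
}

sample before | lint_chown_before_write || echo "pre-patch ordering flagged"
sample after | lint_chown_before_write && echo "post-patch ordering clean"
```

The check is line-based, so it misses several statements on one line and writes made by other tools such as tee or cp.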
--- Begin Message ---
Source: bacula
Source-Version: 9.6.3-1
Done: Carsten Leonhardt <[email protected]>

We believe that the bug you reported is fixed in the latest version of
bacula, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Carsten Leonhardt <[email protected]> (supplier of updated bacula package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 10 Mar 2020 21:05:35 +0100
Source: bacula
Architecture: source
Version: 9.6.3-1
Distribution: unstable
Urgency: low
Maintainer: Debian Bacula Team <[email protected]>
Changed-By: Carsten Leonhardt <[email protected]>
Closes: 953030
Changes:
 bacula (9.6.3-1) unstable; urgency=low
 .
   * New upstream version 9.6.3
 .
   [ Carsten Leonhardt ]
   * Make installation of bacula-sd possible on systems with
     protected_regular=2 set (Closes: #953030).
 .
   [ Sven Hartge ]
   * Update Standards-Version to 4.5.0, no changes required.
   * Update .gitlab-ci.yml to current Salsa-CI default
   * Remove arch-any and arch-all build jobs, now provided by salsa-ci.yml
   * Import better workaround for #923444 from Ubuntu
   * allow-stderr for tests

--- End Message ---
