Your message dated Thu, 14 May 2026 14:40:43 +0000
with message-id <[email protected]>
and subject line Bug#1134796: fixed in usbguard 1.1.4+ds-3
has caused the Debian Bug report #1134796,
regarding usbguard: Preserve local administrator changes in /etc (do not 
*re*create policy)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1134796: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134796
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: usbguard
Version: 1.1.3+ds-3
Severity: serious
Justification: 10.7.3

Dear Maintainer,

The postinst has this:

```
case "$1" in
        configure)
            # if ther is not rules.conf file we assume this is
            # the first time usbguard is installed
```

https://salsa.debian.org/birger/usbguard/-/blob/debian/sid/debian/usbguard.postinst#L7


This is a Debian policy violation. Examples of local administrator
changes that should be preserved that are currently violated:
 - file should not be re-created if local administrator removed it.
 - file permission should not be altered if local administrator changed
   them.
 - permissions on /etc/usbguard/rules.d directory should not be altered
   if local administrator changed them.

The postinst code also has a check if
/etc/usbguard/usbguard-daemon.conf exists or not and creates an empty
file if not. This is both a policy violation and pointless. The file is
shipped in the package (and automatically gets marked as a conffile)
so it will exist unless the local administrator removed it (and then
that should be respected). Permission handling on both
usbguard-daemon.conf and the rules.d directory is also violating policy
and should be better done at build-time instead of install-time as they
are shipped in the package.

The correct way to detect if this is a fresh install or an upgrade is to
look at $2 which will contain the previously installed version and if
empty that means it's a new install.
A possibly even better solution (if suitable) would be to move the generation
of the default rules policy from install-time to build-time. If the rules
were generated and installed at build-time then dpkg would both track
ownership of the files belonging to the usbguard package as well as mark it as
a conffile and apply dpkg conffile handling to it.
A third option would be to follow the suggested solution in #97840.

For reference see:
https://www.debian.org/doc/debian-policy/ch-files.html#behavior
https://www.debian.org/doc/debian-policy/ap-flowcharts.html

I'm attaching an untested patch (against git debian/sid branch) that
should resolve the above mentioned issues, which does:
- set restrictive permissions on installed files at build time and
  exclude them from dh_fixperms making them accessible to the world.
- Remove all handling of installed files from maintscript
  (usbguard-daemon.conf and rules.d).
- Check $2 to detect new installs before generating rules.conf
  (and use > instead of >>, because the file is non-existent and thus we're
  creating it not appending to it).

Regards,
Andreas Henriksson
diff --git a/debian/rules b/debian/rules
index 29eb4e6..40abd69 100755
--- a/debian/rules
+++ b/debian/rules
@@ -30,6 +30,10 @@ override_dh_auto_configure:
 override_dh_missing:
 	dh_missing --list-missing
 
+override_dh_fixperms:
+	chmod og-rwx debian/usbguard/etc/usbguard/usbguard-daemon.conf
+	chmod og-rwx debian/usbguard/etc/usbguard/rules.d
+	dh_fixperms -Xetc/usbguard/rules.d -Xetc/usbguard/usbguard-daemon.conf
 
 gen-orig-tgz:
 	if [ ! -f ../$(DEB_SOURCE)_$(VERSION).orig.tar.gz ] ; then \
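Review bot: the new override_dh_fixperms target has no comment explaining why these two paths are kept out of dh_fixperms, and each path is written twice (once for chmod, once for -X), so the two lists can drift apart. A short comment stating that usbguard-daemon.conf and rules.d must not be accessible to group/other, and that dh_fixperms would otherwise reset their modes, would make the intent reviewable. Note also that -X matches on a substring of the path, so everything below etc/usbguard/rules.d is skipped as well, and that the restricted directory mode is the kind of thing lintian reports as non-standard-dir-perm, so an override belongs with this change.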
diff --git a/debian/usbguard.postinst b/debian/usbguard.postinst
index 4dc229d..c14510a 100644
--- a/debian/usbguard.postinst
+++ b/debian/usbguard.postinst
@@ -4,18 +4,12 @@ set -e
 
 case "$1" in
         configure)
-	    # if ther is not rules.conf file we assume this is
-	    # the first time usbguard is installed
-            if [ ! -f /etc/usbguard/rules.conf ]; then
-                usbguard generate-policy >> /etc/usbguard/rules.conf || true
+            # Generate default policy on new installs (only).
+            if [ -z "$2" ] && [ ! -f /etc/usbguard/rules.conf ]; then
+                usbguard generate-policy > /etc/usbguard/rules.conf || true
                 usbguard add-user -g plugdev --devices=modify,list,listen --policy=list --exceptions=listen
-	    fi
-            chmod og-rwx /etc/usbguard/rules.conf
-            if [ ! -f /etc/usbguard/usbguard-daemon.conf ]; then
-                touch /etc/usbguard/usbguard-daemon.conf
+                chmod og-rwx /etc/usbguard/rules.conf
             fi
-            chmod og-rwx -f /etc/usbguard/usbguard-daemon.conf
-            chmod og-rwx -f /etc/usbguard/rules.d
         ;;
         abort-upgrade|abort-remove|abort-deconfigure)
             exit 0
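Review bot: in the new configure branch, chmod og-rwx runs only after the redirect has created /etc/usbguard/rules.conf and after usbguard add-user, so the generated policy sits on disk with umask-default permissions for that window, and under set -e a failing add-user aborts the script before the chmod is reached. Setting a restrictive umask before the redirect (for example in a subshell), or moving the chmod directly after file creation, closes that gap. Separately, with > and || true a failed generate-policy still leaves an empty rules.conf behind, and it is never regenerated because later runs have a non-empty $2; writing to a temporary file and moving it into place only on success would avoid that.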

--- End Message ---
--- Begin Message ---
Source: usbguard
Source-Version: 1.1.4+ds-3
Done: Birger Schacht <[email protected]>

We believe that the bug you reported is fixed in the latest version of
usbguard, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Birger Schacht <[email protected]> (supplier of updated usbguard package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 09 May 2026 17:49:58 +0200
Source: usbguard
Architecture: source
Version: 1.1.4+ds-3
Distribution: unstable
Urgency: medium
Maintainer: Birger Schacht <[email protected]>
Changed-By: Birger Schacht <[email protected]>
Closes: 1134796
Changes:
 usbguard (1.1.4+ds-3) unstable; urgency=medium
 .
   * debian/usbguard.postinst:
    + cleanup postinst file (Closes: #1134796)
   * debian/rules:
    + set permissions using override_dh_fixperms
   * debian/usbguard.lintian-overrides
    + Add override for non-standard-dir-perm
    + Drop unused bin-sbin-mismatch overrides
   * debian/control:
    + Bump Standards-Version to 4.7.4 (no changes required)
Git-Tag-Info: tag=51402c1cf87d20f402cbc6ace624f967cd0a173e 
fp=3af0bcb67c26ac48ceb4e5bc2a0c5d60f204bdb0
Git-Tag-Tagger: Birger Schacht <[email protected]>


--- End Message ---
