Hi Dann, I have CC'ed Wolfgang who takes care of it from customer service perspective. Within our team, we received some feedback for your patches that I want to share with you.
On Fri, Jan 29, 2016 at 04:17:32PM -0700, dann frazier wrote: > On Sun, Dec 13, 2015 at 03:50:01PM +0100, Philipp Kern wrote: > > On Tue, Dec 08, 2015 at 03:17:49PM -0700, dann frazier wrote: > > > diff -Nru s390-tools-1.32.0/debian/changelog > > > s390-tools-1.32.0/debian/changelog > > > --- s390-tools-1.32.0/debian/changelog 2015-10-25 17:12:02.000000000 > > > +0100 > > > +++ s390-tools-1.32.0/debian/changelog 2015-12-08 23:14:52.000000000 > > > +0100 > > > @@ -1,3 +1,9 @@ > > > +s390-tools (1.32.0-2) UNRELEASED; urgency=medium > > > + > > > + * Add dbginfo.sh. (Closes: #807442) > > > + > > > + -- dann frazier <da...@debian.org> Tue, 08 Dec 2015 22:33:52 +0100 > > > + > > > s390-tools (1.32.0-1) unstable; urgency=medium > > > > > > * New upstream release > > > diff -Nru s390-tools-1.32.0/debian/s390-tools.install > > > s390-tools-1.32.0/debian/s390-tools.install > > > --- s390-tools-1.32.0/debian/s390-tools.install 2014-07-26 > > > 23:59:18.000000000 +0200 > > > +++ s390-tools-1.32.0/debian/s390-tools.install 2015-12-08 > > > 23:08:30.000000000 +0100 > > > @@ -10,6 +10,10 @@ > > > /sbin/dasdview > > > /usr/share/man/man8/dasdview.8 > > > > > > +# dbginfo.sh > > > +/sbin/dbginfo.sh > > > +/usr/share/man/man1/dbginfo.sh.1 > > > + > > > # fdasd > > > /sbin/fdasd > > > /usr/share/man/man8/fdasd.8 > > > > Three comments: > > > > * dbginfo.sh should tell the user that the information in the tarball > > is sensitive. > > * The resulting tarball should be 0600 by default. (The script needs > > to run as root anyway, but placing the result world-readable in > > /tmp does not seem smart.) > > * Unless this is expected to be in /sbin, given that it's user > > invoked and not usually scripted, should this be in /usr/sbin > > instead? > > Good feedback, thanks Philipp! I've addressed all 3 issues in the > attached updated patch. > diff -Nru s390-tools-1.32.0/debian/changelog > s390-tools-1.32.0/debian/changelog > --- s390-tools-1.32.0/debian/changelog 2015-12-13 09:50:48.000000000 > -0500 > +++ s390-tools-1.32.0/debian/changelog 2016-01-29 12:56:29.000000000 > -0500 > @@ -1,3 +1,12 @@ > +s390-tools (1.32.0-3) UNRELEASED; urgency=medium > + > + * Add dbginfo.sh. (Closes: #807442, LP: #1539719) > + - dbginfo.sh-umask.patch: Avoid leaking content to unprivileged users. > + - dbginfo.sh-warn.patch: Warn users about the sensitivity of the data > + this tool collects. > + > + -- dann frazier <da...@debian.org> Fri, 29 Jan 2016 12:49:16 -0500 > + > s390-tools (1.32.0-2) unstable; urgency=medium > > [ Hendrik Brueckner ] > diff -Nru s390-tools-1.32.0/debian/patches/dbginfo.sh-umask.patch > s390-tools-1.32.0/debian/patches/dbginfo.sh-umask.patch > --- s390-tools-1.32.0/debian/patches/dbginfo.sh-umask.patch 1969-12-31 > 19:00:00.000000000 -0500 > +++ s390-tools-1.32.0/debian/patches/dbginfo.sh-umask.patch 2016-01-29 > 12:21:06.000000000 -0500 > @@ -0,0 +1,16 @@ > +Description: dbginfo.sh: set umask to prevent local leaks of sensitive data > +Author: dann frazier <da...@debian.org> > +Last-Update: 2016-01-29 > + > +Index: s390-tools-1.32.0/scripts/dbginfo.sh > +=================================================================== > +--- s390-tools-1.32.0.orig/scripts/dbginfo.sh > ++++ s390-tools-1.32.0/scripts/dbginfo.sh > +@@ -12,6 +12,7 @@ export LC_ALL > + # The general name of this script > + readonly SCRIPTNAME="${0##*/}" > + > ++umask 0077 This is tricky and probaly leads to changed permissions that might be useful to detect permissions problem. Wolfgang and team worked on this topic and a problem fix will be provided with the next s390-tools version. The idea here is to change the permission of the directory which will be created to contain all service data. > + > + ######################################## > + # print version info > diff -Nru s390-tools-1.32.0/debian/patches/dbginfo.sh-warn.patch > s390-tools-1.32.0/debian/patches/dbginfo.sh-warn.patch > --- s390-tools-1.32.0/debian/patches/dbginfo.sh-warn.patch 1969-12-31 > 19:00:00.000000000 -0500 > +++ s390-tools-1.32.0/debian/patches/dbginfo.sh-warn.patch 2016-01-29 > 12:32:51.000000000 -0500 > @@ -0,0 +1,38 @@ > +Description: dbginfo.sh: Sensitivity training > + Warn users that the archive this tool generates contains sensitive data, > + and give them an opportunity to exit. > +Author: dann frazier <da...@debian.org> > +Last-Update: 2016-01-29 > + > +Index: s390-tools-1.32.0/scripts/dbginfo.sh > +=================================================================== > +--- s390-tools-1.32.0.orig/scripts/dbginfo.sh > ++++ s390-tools-1.32.0/scripts/dbginfo.sh > +@@ -71,6 +71,27 @@ if test "$(/usr/bin/id -u 2>/dev/null)" > + exit 1 > + fi > + > ++echo > "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!" > ++echo " Warning: The archive created by this utility will contain sensitive" > ++echo " information including, but not limited to:" > ++echo " - configuration files" > ++echo " - log files" > ++echo " - hardware state information" > ++echo " - running process state and command line arguments" > ++echo > "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!" > ++echo "" > ++echo -n " Do you wish to continue? [y/N]> " > ++read resp > ++case "$resp" in > ++ y|Y) > ++ : > ++ ;; > ++ *) > ++ echo "OK, exiting." > ++ exit 0 > ++esac The dbginfo.sh must be started as root and typically whoever acts as root should know what it doesn... if not, well, it should be not root ;-) Also keep in mind that the dbginfo.sh is called from within other programs that are non-interactive. For clarity, what exactly do you understand of "sensitive" data. dbginfo.sh does not collect file that contains passwords. If think that dbginfo.sh includes password-sensitive data, feel free to report the problem to us. > ++ > ++ > + ####################################### > + # Parsing the command line > + # > diff -Nru s390-tools-1.32.0/debian/patches/series > s390-tools-1.32.0/debian/patches/series > --- s390-tools-1.32.0/debian/patches/series 2015-12-13 09:41:14.000000000 > -0500 > +++ s390-tools-1.32.0/debian/patches/series 2016-01-29 12:21:21.000000000 > -0500 > @@ -6,3 +6,5 @@ > zipl-optional.patch > disable.patch > sg3-utils.patch > +dbginfo.sh-umask.patch > +dbginfo.sh-warn.patch > diff -Nru s390-tools-1.32.0/debian/s390-tools.install > s390-tools-1.32.0/debian/s390-tools.install > --- s390-tools-1.32.0/debian/s390-tools.install 2015-12-13 > 09:47:24.000000000 -0500 > +++ s390-tools-1.32.0/debian/s390-tools.install 2016-01-29 > 12:40:00.000000000 -0500 > @@ -10,6 +10,10 @@ > /sbin/dasdview > /usr/share/man/man8/dasdview.8 > > +# dbginfo.sh > +/sbin/dbginfo.sh /usr/sbin > +/usr/share/man/man1/dbginfo.sh.1 > + > # fdasd > /sbin/fdasd > /usr/share/man/man8/fdasd.8 Thanks and kind regards, Hendrik -- Hendrik Brueckner brueck...@linux.vnet.ibm.com | IBM Deutschland Research & Development GmbH Linux on z Systems Development | Schoenaicher Str. 220, 71032 Boeblingen IBM Deutschland Research & Development GmbH Vorsitzender des Aufsichtsrats: Martina Koederitz Geschaeftsfuehrung: Dirk Wittkopp Sitz der Gesellschaft: Boeblingen Registergericht: Amtsgericht Stuttgart, HRB 243294