On 02/05/2023 11.37, Ian Jackson wrote:
Andreas Beckmann writes ("Bug#1035361: sauce: Potentially dangerous mode on 
/etc/logrotate.d/sauce: 0755"):
Package: sauce
Version: 0.9.1
Severity: serious
User: debian...@lists.debian.org
Usertags: piuparts
...
during a test with piuparts I noticed your package's logrotate
configuration causes logrotate to exit with an error after the package
has been removed (*) or when logrotate is run but no logfile exists.

Thanks for the report.  I will fix this ASAP.

Usually the solution is to specify 'missingok' in the logrotate
configuration.

I will do some tests but that sounds like a possible approach.

That doesn't look like a solution in this case.

Setting severity to serious since this does not seem limited to being
emitted after package removal but always. The current logrotate version
in sid seems to be more strict.

I looked through the changelog and didn't find anything about missing
logfiles since at least 2015.  Are you sure ?

From the attached log (scroll to the bottom...):

0m17.0s DEBUG: Starting command: ['chroot', 
'/srv/piuparts.debian.org/tmp/tmp6h9n6ntx', '/usr/sbin/logrotate', 
'/etc/logrotate.d/sauce']
0m17.0s DUMP:
   warning: Potentially dangerous mode on /etc/logrotate.d/sauce: 0755
0m17.0s DEBUG: Command ok: ['chroot', 
'/srv/piuparts.debian.org/tmp/tmp6h9n6ntx', '/usr/sbin/logrotate', 
'/etc/logrotate.d/sauce']
0m17.0s ERROR: FAIL: Logrotate file /etc/logrotate.d/sauce exits with error or 
has output with package removed

I have one question.  The message here is complaining about the file
permission.  I think that mode is probably wrong, but I don't think it
is *dangerous*.

I don't think I ought to change the mode for bookworm.

That code is from logrotate

https://sources.debian.org/src/logrotate/3.21.0-1/config.c/?hl=1057#L1057

but it was already present at least in bullseye (didn't check earlier releases).

Trying it manually by installing logrotate and sauce in a chroot (without removing sauce again):

bullseye# ls -la /etc/logrotate.d/sauce
-rwxr-xr-x 1 root root 506 Jan 27  2021 /etc/logrotate.d/sauce
bullseye# logrotate /etc/logrotate.d/sauce
bullseye# echo $?
0

Installing sauce in bookworm is very noisy:

Setting up sauce (0.9.1) ...
Checking for SAUCE databases in /var/lib/sauce ...
cdb.site-annoy (no existing data) donechown: warning: '.' should be ':': 'mail.mail'
chown: warning: '.' should be ':': 'mail.mail'
chown: warning: '.' should be ':': 'mail.mail'
chown: warning: '.' should be ':': 'mail.mail'
.
cdb.site-seen (no existing data) donechown: warning: '.' should be ':': 'mail.mail'
chown: warning: '.' should be ':': 'mail.mail'
chown: warning: '.' should be ':': 'mail.mail'
chown: warning: '.' should be ':': 'mail.mail'
.
cdb.site-list (no existing data) donechown: warning: '.' should be ':': 'mail.mail'
chown: warning: '.' should be ':': 'mail.mail'
chown: warning: '.' should be ':': 'mail.mail'
chown: warning: '.' should be ':': 'mail.mail'
.
cdb.addr-seen (no existing data) donechown: warning: '.' should be ':': 'mail.mail'
chown: warning: '.' should be ':': 'mail.mail'
chown: warning: '.' should be ':': 'mail.mail'
chown: warning: '.' should be ':': 'mail.mail'
.
cdb.addr-list (no existing data) donechown: warning: '.' should be ':': 'mail.mail'
chown: warning: '.' should be ':': 'mail.mail'
chown: warning: '.' should be ':': 'mail.mail'
chown: warning: '.' should be ':': 'mail.mail'
.


bookworm# ls -la /etc/logrotate.d/sauce
-rwxr-xr-x 1 root root 506 Jan 27  2021 /etc/logrotate.d/sauce
bookworm# logrotate /etc/logrotate.d/sauce
warning: Potentially dangerous mode on /etc/logrotate.d/sauce: 0755
bookworm# echo $?
0

If I understand it correctly, logrotate complains about the executable permission (0644 and 0600 should both be ok). And it will do that every time logrotate runs while the package is installed, producing some cron email or other notification.

IMO both bugs (logrotate permission and ancient chown syntax) warrant an update of the package to be included in bookworm.

Andreas
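
Added example, not part of the original message or of logrotate: a small audit that lists drop-in files whose mode would draw the warning shown above. The function names, the bit mask and the sample file names are this example's own assumptions; it relies on GNU `stat`.

```shell
#!/bin/sh
# Added example: audit logrotate drop-in files for the kind of mode the
# thread shows logrotate warning about (0755 on /etc/logrotate.d/sauce).

# Exit status 0 if the octal mode (e.g. 755) should be flagged.
# Assumption: flag any execute bit (0111), group/other write (0022) or
# setuid/setgid/sticky (07000). This approximates, and is not copied from,
# logrotate's own check; 0644 and 0600 pass, as stated in the thread.
mode_is_flagged() {
    mode=$(( 0$1 ))                 # leading 0 makes the shell read it as octal
    [ $(( mode & 07133 )) -ne 0 ]
}

# Print "MODE PATH" for every regular file in the directory that is flagged.
# Uses GNU stat (-c '%a'), as found on Debian.
audit_logrotate_dir() {
    dir=${1:-/etc/logrotate.d}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        m=$(stat -c '%a' "$f") || continue
        if mode_is_flagged "$m"; then
            printf '%s %s\n' "$m" "$f"
        fi
    done
}

# Demo on constructed files in a temporary directory (not real system files).
demo() {
    tmp=$(mktemp -d) || return 1
    for spec in 755:sauce 644:example-ok 600:example-private; do
        printf '# constructed sample\n' > "$tmp/${spec#*:}"
        chmod "${spec%%:*}" "$tmp/${spec#*:}"
    done
    audit_logrotate_dir "$tmp"
    rm -rf "$tmp"
}

demo
```

Run `audit_logrotate_dir` with no argument to check `/etc/logrotate.d` on an installed system; any line it prints names a file to `chmod 0644`.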
