Bug#1037203: aide release notes to work around #1037171

2023-06-07 Thread Marc Haber
On Wed, Jun 07, 2023 at 08:01:23PM +0100, Justin B Rye wrote:
> Marc Haber wrote:
> > I am really sorry for this. #1037171 is an embarrassing one, sadly too
> > late for the release, but I'll try to do a fix via spu.
> 
> I gather from the version data that when the bug submitter says buster
> that's a typo for bookworm?

Yes. It is.

> > Suggested wording for something along chapter 5.4:
> 
> It'll also need a section title and a summary of what the bug actually
> is, which isn't completely clear to me.  Does the bug mean that
> bullseye systems where aide was already working will break on
> dist-upgrade to bookworm, or is it only a bug for systems where aide
> is installed subsequently?

Sadly, aide will be broken after upgrades. bookworm's aide is the first
version that doesn't run as root and thus needs the account.

>I'm guessing:
> 
>
>  Bug in aide user creation
>  
>The version of aide in the
>initial 12.0 release of bookworm has a bug
>(#1037171, https://bugs.debian.org/1037171) in
>its package scripts which results in the _aide
>user not being created, preventing aideinit
>from creating a new database.
>  

Yes. It prevents the package from working at all on systemd systems at
least.

> > Before upgrading your aide packages, create
> 
> So this needs to be done before the dist-upgrade?

It is the cleanest way, yes. Or the local admin can reinstall aide after
creating the account.

> > /usr/lib/sysusers.d/aide-common.conf with the following contents:
> 
> Isn't this the sort of thing that's usually overridable via files with
> names like /etc/sysusers.d/aide-common.conf?  I'll assume for now that
> this needs to live in /usr/lib (because we *want* it trampled when the
> point release version installs its own copy).

Yes. That's the idea.

> > #Type   Name    ID  GECOS   Home directory   Shell↲
> > u   _aide   -   "Advanced Intrusion Detection Environment"   /var/lib/aide   /usr/sbin/nologin↲
> 
> (I'm assuming "↲" just means "newline"...)

Yes, sorry, that's a cut and paste error.

>  
> > and call systemd-sysusers to work around Bug #1037171.
> 
> (...and that this is a plain root-privileged invocation of bullseye
> "systemd-sysusers".  So:)
> 
>  
>The bug can be avoided by creating the user before the dist-upgrade.
>Create a file /usr/lib/sysusers.d/aide-common.conf
>containing:
>
> #Type  Name   ID  GECOS                                       Home directory  Shell
> u      _aide  -   "Advanced Intrusion Detection Environment"  /var/lib/aide   /usr/sbin/nologin
>
>and then run systemd-sysusers.
>  
>

Yes, that's it.

Thanks for helping.

Greetings
Marc

-- 
-
Marc Haber         | "I don't trust Computers. They | Mail address in header
Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421



Bug#1037203: aide release notes to work around #1037171

2023-06-07 Thread Justin B Rye
Marc Haber wrote:
> I am really sorry for this. #1037171 is an embarrassing one, sadly too
> late for the release, but I'll try to do a fix via spu.

I gather from the version data that when the bug submitter says buster
that's a typo for bookworm?

> Suggested wording for something along chapter 5.4:

It'll also need a section title and a summary of what the bug actually
is, which isn't completely clear to me.  Does the bug mean that
bullseye systems where aide was already working will break on
dist-upgrade to bookworm, or is it only a bug for systems where aide
is installed subsequently?  I'm guessing:

   
 Bug in aide user creation
 
   The version of aide in the
   initial 12.0 release of bookworm has a bug
   (#1037171, https://bugs.debian.org/1037171) in
   its package scripts which results in the _aide
   user not being created, preventing aideinit
   from creating a new database.
 

> Before upgrading your aide packages, create

So this needs to be done before the dist-upgrade?

> /usr/lib/sysusers.d/aide-common.conf with the following contents:

Isn't this the sort of thing that's usually overridable via files with
names like /etc/sysusers.d/aide-common.conf?  I'll assume for now that
this needs to live in /usr/lib (because we *want* it trampled when the
point release version installs its own copy).

> #Type   Name    ID  GECOS   Home directory   Shell↲
> u   _aide   -   "Advanced Intrusion Detection Environment"   /var/lib/aide   /usr/sbin/nologin↲

(I'm assuming "↲" just means "newline"...)
 
> and call systemd-sysusers to work around Bug #1037171.

(...and that this is a plain root-privileged invocation of bullseye
"systemd-sysusers".  So:)

 
   The bug can be avoided by creating the user before the dist-upgrade.
   Create a file /usr/lib/sysusers.d/aide-common.conf
   containing:
   
#Type  Name   ID  GECOS                                       Home directory  Shell
u      _aide  -   "Advanced Intrusion Detection Environment"  /var/lib/aide   /usr/sbin/nologin
   
   and then run systemd-sysusers.
 
   
-- 
JBR with qualifications in linguistics, experience as a Debian
sysadmin, and probably no clue about this particular package



Bug#1037203: aide release notes to work around #1037171

2023-06-07 Thread Marc Haber
Package: release-notes
Severity: normal

I am really sorry for this. #1037171 is an embarrassing one, sadly too
late for the release, but I'll try to do a fix via spu.

Greetings
Marc

Suggested wording for something along chapter 5.4:

Before upgrading your aide packages, create
/usr/lib/sysusers.d/aide-common.conf with the following contents:

#Type   Name    ID  GECOS   Home directory   Shell↲
u   _aide   -   "Advanced Intrusion Detection Environment"   /var/lib/aide   /usr/sbin/nologin↲

and call systemd-sysusers to work around Bug #1037171.
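
The workaround discussed in this thread, as an added shell example that is not part of the original messages or of the aide package: it writes the sysusers.d fragment atomically, runs systemd-sysusers, and then checks that the _aide account exists with the expected home and shell. The function names, the root-directory argument and the `--apply` switch are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: apply and verify the #1037171 workaround before the dist-upgrade.
# Function names and the optional root argument are hypothetical (not from the thread).

CONF_REL=usr/lib/sysusers.d/aide-common.conf

# Write the sysusers.d fragment from the thread below the given root
# ("/" for the live system, any scratch directory for a trial run).
write_aide_sysusers() {
    root=${1%/}
    conf="$root/$CONF_REL"
    mkdir -p "$(dirname "$conf")" || return 1
    # Write to a temporary file and rename, so a partial file is never picked up.
    tmp=$(mktemp "$conf.XXXXXX") || return 1
    cat > "$tmp" <<'EOF'
#Type  Name   ID  GECOS                                       Home directory  Shell
u      _aide  -   "Advanced Intrusion Detection Environment"  /var/lib/aide   /usr/sbin/nologin
EOF
    chmod 0644 "$tmp" && mv "$tmp" "$conf"
}

# Succeed only if the passwd-format file has an _aide entry with the
# home directory and shell that the fragment asks for.
aide_account_ok() {
    passwd_file=${1:-/etc/passwd}
    awk -F: '$1 == "_aide" && $6 == "/var/lib/aide" && $7 == "/usr/sbin/nologin" { ok = 1 }
             END { exit !ok }' "$passwd_file"
}

# Full procedure on the live system: fragment, account creation, verification.
apply_workaround() {
    [ "$(id -u)" -eq 0 ] || { echo "must be run as root" >&2; return 1; }
    write_aide_sysusers / || return 1
    systemd-sysusers || return 1
    aide_account_ok /etc/passwd || { echo "_aide account still missing" >&2; return 1; }
    echo "_aide account present; aide can be upgraded"
}

# Only touch the system when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then
    apply_workaround
fi
```

Run it as root with `--apply` before the dist-upgrade; without the switch it only defines the functions.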