Bug#1035350: postfix: postinst script modifies configuration files despite local changes
On 02/05/2023 15:07, Scott Kitterman wrote:
> On Tuesday, May 2, 2023 8:35:12 AM EDT Einhard Leichtfuß wrote:
>> On 02/05/2023 00:56, Scott Kitterman wrote:
>>> On Monday, May 1, 2023 3:20:19 PM EDT Einhard Leichtfuß wrote:
>>>> On 01/05/2023 19:47, Scott Kitterman wrote:
>>>>> On Monday, May 1, 2023 1:01:17 PM EDT Einhard Leichtfuß wrote:
>>>>>> On 01/05/2023 18:14, Scott Kitterman wrote:
>>>>>>> On Monday, May 1, 2023 11:06:07 AM EDT Einhard Leichtfuß wrote:
>>>>>>>> Package: postfix
>>>>>
>>>>> ...
>>>>>
>>>>>>>> In `main.cf`, the following lines were appended:
>>>>>>>>> readme_directory = /usr/share/doc/postfix
>>>>>>>>> html_directory = /usr/share/doc/postfix/html
>>>>>>>>
>>>>>>>> If I understand the postinst script correctly, this modification of
>>>>>>>> `main.cf` should only have happened upon first installation, which this
>>>>>>>> was not. I was unable to reproduce this. So maybe this modification
>>>>>>>> was indeed done earlier.
>>>>>>>>
>>>>>>>> However, even upon initial installation (with pre-existing
>>>>>>>> configuration), this should, in my opinion, not happen.
>>>>>
>>>>> ...
>>>>>
>>>>>>> Also, note that the message about is about main.cf not being modified.
>>>>>>> These changes are in master.cf, so I don't understand the concern with
>>>>>>> the message?
>>>>>>
>>>>>> The second modification (readme_directory, html_directory) was to
>>>>>> `main.cf`. While this modification should only happen for initial
>>>>>> installations (with pre-existing configuration), the message is
>>>>>> displayed even then.
>>>>>>
>>>>>> Steps to reproduce (assuming postfix is not installed):
>>>>>>
>>>>>> $ apt install postfix-doc
>>>>>> $ echo > /etc/postfix/main.cf
>>>>>> $ apt install postfix
>>>>>
>>>>> To focus in on the main.cf part of this, I believe that's per policy.
>>>>>
>>>>> First, it's a change made by postfix-doc, not postfix, so the postfix
>>>>> package statement that main.cf was not modified by it is correct and
>>>>> unrelated to the main.cf change.
>>>>
>>>> Ah, I did not check the postfix-doc postinst script. It seems that both
>>>> postfix-doc's and postfix's postinst scripts conditionally run
>>>>
>>>>     postconf -e readme_directory=/usr/share/doc/postfix html_directory=/usr/share/doc/postfix/html
>>>>
>>>> However, postfix's postinst script only does so in the arguably rare
>>>> case that postfix-doc was installed first. So one might argue that this
>>>> is still an action performed for postfix-doc falling under Policy 10.7.4.
>>>>
>>>>> For the postfix-doc change to main.cf, Policy 10.7.4 is the relevant
>>>>> portion. Postfix-doc uses the provided interface (postconf), when
>>>>> available.
>>>>
>>>> It is not clear to me that Policy 10.7.4 overrides Policy 10.7.3 w.r.t.
>>>> the requirement not to override local changes. While this may very well
>>>> not be the intention behind these policies, I'd understand them as such
>>>> that the related package (postfix-doc) must only [be able to] modify the
>>>> configuration file if it does not contain local changes.
>>>>
>>>> I.e., either the provided program (currently postconf) should refuse to
>>>> modify a locally modified configuration file, or the related package
>>>> (postfix-doc) should check for local changes itself.
>>>>
>>>> I am generally unsure, however, how detection of local modification is
>>>> supposed to work in practice without using conffiles. I suppose a
>>>> second configuration file copy that is modified by postinst scripts, but
>>>> not the local administrator, should work.
>>>
>>> Preserve local modifications means don't undo specific changes made by the
>>> local administrator. It does not mean make no changes to a file that an
>>> administrator has m

Bug#1035350: postfix: postinst script modifies configuration files despite local changes
On 02/05/2023 00:56, Scott Kitterman wrote:
> On Monday, May 1, 2023 3:20:19 PM EDT Einhard Leichtfuß wrote:
>> On 01/05/2023 19:47, Scott Kitterman wrote:
>>> On Monday, May 1, 2023 1:01:17 PM EDT Einhard Leichtfuß wrote:
>>>> On 01/05/2023 18:14, Scott Kitterman wrote:
>>>>> On Monday, May 1, 2023 11:06:07 AM EDT Einhard Leichtfuß wrote:
>>>>>> Package: postfix
>>>
>>> ...
>>>
>>>>>> In `main.cf`, the following lines were appended:
>>>>>>> readme_directory = /usr/share/doc/postfix
>>>>>>> html_directory = /usr/share/doc/postfix/html
>>>>>>
>>>>>> If I understand the postinst script correctly, this modification of
>>>>>> `main.cf` should only have happened upon first installation, which this
>>>>>> was not. I was unable to reproduce this. So maybe this modification
>>>>>> was indeed done earlier.
>>>>>>
>>>>>> However, even upon initial installation (with pre-existing
>>>>>> configuration), this should, in my opinion, not happen.
>>>
>>> ...
>>>
>>>>> Also, note that the message about is about main.cf not being modified.
>>>>> These changes are in master.cf, so I don't understand the concern with
>>>>> the message?
>>>>
>>>> The second modification (readme_directory, html_directory) was to
>>>> `main.cf`. While this modification should only happen for initial
>>>> installations (with pre-existing configuration), the message is
>>>> displayed even then.
>>>>
>>>> Steps to reproduce (assuming postfix is not installed):
>>>>
>>>> $ apt install postfix-doc
>>>> $ echo > /etc/postfix/main.cf
>>>> $ apt install postfix
>>>
>>> To focus in on the main.cf part of this, I believe that's per policy.
>>>
>>> First, it's a change made by postfix-doc, not postfix, so the postfix
>>> package statement that main.cf was not modified by it is correct and
>>> unrelated to the main.cf change.
>>
>> Ah, I did not check the postfix-doc postinst script. It seems that both
>> postfix-doc's and postfix's postinst scripts conditionally run
>>
>>     postconf -e readme_directory=/usr/share/doc/postfix html_directory=/usr/share/doc/postfix/html
>>
>> However, postfix's postinst script only does so in the arguably rare
>> case that postfix-doc was installed first. So one might argue that this
>> is still an action performed for postfix-doc falling under Policy 10.7.4.
>>
>>> For the postfix-doc change to main.cf, Policy 10.7.4 is the relevant
>>> portion. Postfix-doc uses the provided interface (postconf), when
>>> available.
>>
>> It is not clear to me that Policy 10.7.4 overrides Policy 10.7.3 w.r.t.
>> the requirement not to override local changes. While this may very well
>> not be the intention behind these policies, I'd understand them as such
>> that the related package (postfix-doc) must only [be able to] modify the
>> configuration file if it does not contain local changes.
>>
>> I.e., either the provided program (currently postconf) should refuse to
>> modify a locally modified configuration file, or the related package
>> (postfix-doc) should check for local changes itself.
>>
>> I am generally unsure, however, how detection of local modification is
>> supposed to work in practice without using conffiles. I suppose a
>> second configuration file copy that is modified by postinst scripts, but
>> not the local administrator, should work.
>
> Preserve local modifications means don't undo specific changes made by the
> local administrator. It does not mean make no changes to a file that an
> administrator has made changes to. The use of postconf specifically enables
> changing the values relevant to postfix-doc without disturbing anything else
> in the file. I think this is fine.

I agree that preserving local changes does not generally mean not to
modify locally modified files. (Even though I'd prefer it to mean that.)

However, unless I am mistaken, the postinst scripts do not preserve local
changes to the readme_directory and html_directory configuration
settings. In practice (given postfix-doc is [being] installed), such
local changes probably either do not happen, or the values are exactly
those set by the postinst scripts.

That is, in such an unlikely case, the letter of the Policy would be
violated, I think, but it may still be considered fine in practice. I
cannot assess that.

Einhard Leichtfuß

Bug#1035350: postfix: postinst script modifies configuration files despite local changes
On 01/05/2023 19:47, Scott Kitterman wrote:
> On Monday, May 1, 2023 1:01:17 PM EDT Einhard Leichtfuß wrote:
>> On 01/05/2023 18:14, Scott Kitterman wrote:
>>> On Monday, May 1, 2023 11:06:07 AM EDT Einhard Leichtfuß wrote:
>>>> Package: postfix
> ...
>>>> In `main.cf`, the following lines were appended:
>>>>> readme_directory = /usr/share/doc/postfix
>>>>> html_directory = /usr/share/doc/postfix/html
>>>>
>>>> If I understand the postinst script correctly, this modification of
>>>> `main.cf` should only have happened upon first installation, which this
>>>> was not. I was unable to reproduce this. So maybe this modification
>>>> was indeed done earlier.
>>>>
>>>> However, even upon initial installation (with pre-existing
>>>> configuration), this should, in my opinion, not happen.
> ...
>>> Also, note that the message about is about main.cf not being modified.
>>> These changes are in master.cf, so I don't understand the concern with
>>> the message?
>> The second modification (readme_directory, html_directory) was to
>> `main.cf`. While this modification should only happen for initial
>> installations (with pre-existing configuration), the message is
>> displayed even then.
>>
>> Steps to reproduce (assuming postfix is not installed):
>>
>> $ apt install postfix-doc
>> $ echo > /etc/postfix/main.cf
>> $ apt install postfix
>
> To focus in on the main.cf part of this, I believe that's per policy.
>
> First, it's a change made by postfix-doc, not postfix, so the postfix package
> statement that main.cf was not modified by it is correct and unrelated to the
> main.cf change.

Ah, I did not check the postfix-doc postinst script. It seems that both
postfix-doc's and postfix's postinst scripts conditionally run

    postconf -e readme_directory=/usr/share/doc/postfix html_directory=/usr/share/doc/postfix/html

However, postfix's postinst script only does so in the arguably rare
case that postfix-doc was installed first. So one might argue that this
is still an action performed for postfix-doc falling under Policy 10.7.4.

> For the postfix-doc change to main.cf, Policy 10.7.4 is the relevant portion.
>
> Postfix-doc uses the provided interface (postconf), when available.

It is not clear to me that Policy 10.7.4 overrides Policy 10.7.3 w.r.t.
the requirement not to override local changes. While this may very well
not be the intention behind these policies, I'd understand them as such
that the related package (postfix-doc) must only [be able to] modify the
configuration file if it does not contain local changes.

I.e., either the provided program (currently postconf) should refuse to
modify a locally modified configuration file, or the related package
(postfix-doc) should check for local changes itself.

I am generally unsure, however, how detection of local modification is
supposed to work in practice without using conffiles. I suppose a
second configuration file copy that is modified by postinst scripts, but
not the local administrator, should work.

> I checked and this goes back at least to when the postfix packaging was first
> kept in git in 2007. I think this part is not a bug. Please let me know if
> I'm misunderstanding the issue.
>
> I suspect the master.cf fix_master can be removed entirely, but I'm not 100%
> certain yet.

Best regards,
Einhard Leichtfuß

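
The two ideas raised in this thread, recording the state the maintainer scripts last wrote so that local modification can be detected without conffiles, and keeping an explicitly set readme_directory/html_directory value, sketched as an added example. It is not code from the postfix or postfix-doc packaging; the helper names, the state-file argument and the `.proposed` suffix are hypothetical.

```shell
#!/bin/sh
# Added example: hypothetical helpers, not the postfix/postfix-doc postinst code.
# The state file stands in for the "second copy" idea from the thread: it holds
# the checksum of the config file as the maintainer script last left it.

# Print the SHA-256 of file $1 (prints nothing if the file does not exist).
cfg_sum() {
    if [ -f "$1" ]; then sha256sum < "$1" | cut -d' ' -f1; fi
}

# Record the current state of config file $1 in state file $2.
cfg_record() {
    cfg_sum "$1" > "$2"
}

# Succeed if $1 was changed since the state in $2 was recorded. A file that
# exists without any recorded state is treated as the administrator's.
cfg_locally_modified() {
    [ -f "$1" ] || return 1
    [ -f "$2" ] || return 0
    [ "$(cfg_sum "$1")" != "$(cat "$2")" ]
}

# Succeed if parameter $2 is set explicitly in main.cf-style file $1.
# Parameter lines start in column one; indented lines are continuations.
param_is_set() {
    grep -Eq "^$2[[:space:]]*=" "$1"
}

# cfg_set_default FILE STATE KEY VALUE
#   0: KEY appended and the recorded state refreshed
#   1: KEY already set explicitly, administrator's value kept
#   2: FILE locally modified, setting written to FILE.proposed instead
cfg_set_default() {
    if [ -f "$1" ] && param_is_set "$1" "$3"; then
        return 1
    fi
    if cfg_locally_modified "$1" "$2"; then
        printf '%s = %s\n' "$3" "$4" >> "$1.proposed"
        return 2
    fi
    printf '%s = %s\n' "$3" "$4" >> "$1"
    cfg_record "$1" "$2"
}
```

In the reproduction case from the thread (an existing main.cf and no recorded state) `cfg_set_default` returns 2 and leaves main.cf untouched.
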
Bug#1035350: postfix: postinst script modifies configuration files despite local changes
On 01/05/2023 18:14, Scott Kitterman wrote:
> On Monday, May 1, 2023 11:06:07 AM EDT Einhard Leichtfuß wrote:
>> Package: postfix
>> Version: 3.5.18-0+deb11u1
>> Severity: serious
>>
>> Upon upgrade of postfix (due to `apt dist-upgrade`), the `master.cf`
>> [and `main.cf`] configuration files were modified by the postinst
>> script, despite existing local changes.
>>
>> If I understand correctly, this violates Debian Policy 10.7.3 [0]:
>> "local changes must be preserved during a package upgrade". This is why
>> I chose Severity "serious".
>>
>> I would instead expect a handling similar to that of changed conffiles
>> (i.e., one is given an option to or is suggested to apply certain
>> modifications).
>>
>> In `master.cf`, the following lines were appended:
>>> proxymap unix - - n - - proxymap
>>> verify unix - - y - 1 verify
>>> relay unix - - n - - smtp -o
>>> smtp_fallback_relay= # -o smtp_helo_timeout=5 -o
>>> smtp_connect_timeout=5
>>
>> See the `fix_master()` function in the postinst script.
>>
>> (sidenote: The first two entries are the same as in
>> `/usr/share/postfix/master.cf.dist`, the last one is different.)
>>
>> In `main.cf`, the following lines were appended:
>>> readme_directory = /usr/share/doc/postfix
>>> html_directory = /usr/share/doc/postfix/html
>>
>> If I understand the postinst script correctly, this modification of
>> `main.cf` should only have happened upon first installation, which this
>> was not. I was unable to reproduce this. So maybe this modification
>> was indeed done earlier.
>>
>> However, even upon initial installation (with pre-existing
>> configuration), this should, in my opinion, not happen.
>>
>> The changes were accompanied by the following message:
>>> Setting up postfix (3.5.18-0+deb11u1) ...
>>>
>>> In master.cf:
>>> adding missing entry for proxymap service
>>> adding missing entry for verify service
>>> adding missing entry for relay service
>>>
>>> Postfix (main.cf) configuration was untouched. If you need to make
>>> changes, edit /etc/postfix/main.cf (and others) as needed. To view
>>> Postfix configuration values, see postconf(1).
>>>
>>> After modifying main.cf, be sure to run 'systemctl reload postfix'.
>>
>> The message that `main.cf` was untouched is displayed regardless of
>> whether the above noted modifications of `main.cf` are made.
>>
>>
>> I noticed that many actions in the postinst script are only run if
>> `[ "$mailer" != "No configuration" ]`. I am unsure whether this case
>> would warrant the above mentioned modifications. If so, maybe this
>> condition should be added to these modifications.
>>
>>
>> [0] https://www.debian.org/doc/debian-policy/ch-files.html#behavior
>
> fix_master() was added in 2017 to upgrade pre-postfix 3.0 master.cf files to
> support postfix 3.0 and hasn't been touched since then.
>
> What version of Debian were you upgrading from?

That should be the previous minor version of Debian 11 (i.e., 11.6).
postfix was upgraded from version 3.5.17-0+deb11u1.

I did not notice this with earlier versions because this is the first
upgrade of postfix on this installation (it is quite new).

> Also, note that the message about is about main.cf not being modified. These
> changes are in master.cf, so I don't understand the concern with the message?

The second modification (readme_directory, html_directory) was to
`main.cf`. While this modification should only happen for initial
installations (with pre-existing configuration), the message is
displayed even then.

Steps to reproduce (assuming postfix is not installed):

$ apt install postfix-doc
$ echo > /etc/postfix/main.cf
$ apt install postfix

Einhard Leichtfuß

Bug#1035350: postfix: postinst script modifies configuration files despite local changes
Package: postfix
Version: 3.5.18-0+deb11u1
Severity: serious

Upon upgrade of postfix (due to `apt dist-upgrade`), the `master.cf`
[and `main.cf`] configuration files were modified by the postinst
script, despite existing local changes.

If I understand correctly, this violates Debian Policy 10.7.3 [0]:
"local changes must be preserved during a package upgrade". This is why
I chose Severity "serious".

I would instead expect a handling similar to that of changed conffiles
(i.e., one is given an option to or is suggested to apply certain
modifications).

In `master.cf`, the following lines were appended:
> proxymap unix - - n - - proxymap
> verify unix - - y - 1 verify
> relay unix - - n - - smtp -o
> smtp_fallback_relay=
> # -o smtp_helo_timeout=5 -o smtp_connect_timeout=5

See the `fix_master()` function in the postinst script.

(sidenote: The first two entries are the same as in
`/usr/share/postfix/master.cf.dist`, the last one is different.)

In `main.cf`, the following lines were appended:
> readme_directory = /usr/share/doc/postfix
> html_directory = /usr/share/doc/postfix/html

If I understand the postinst script correctly, this modification of
`main.cf` should only have happened upon first installation, which this
was not. I was unable to reproduce this. So maybe this modification
was indeed done earlier.

However, even upon initial installation (with pre-existing
configuration), this should, in my opinion, not happen.

The changes were accompanied by the following message:
> Setting up postfix (3.5.18-0+deb11u1) ...
> In master.cf:
> adding missing entry for proxymap service
> adding missing entry for verify service
> adding missing entry for relay service
>
> Postfix (main.cf) configuration was untouched. If you need to make changes,
> edit /etc/postfix/main.cf (and others) as needed. To view Postfix
> configuration values, see postconf(1).
>
> After modifying main.cf, be sure to run 'systemctl reload postfix'.

The message that `main.cf` was untouched is displayed regardless of
whether the above noted modifications of `main.cf` are made.

I noticed that many actions in the postinst script are only run if
`[ "$mailer" != "No configuration" ]`. I am unsure whether this case
would warrant the above mentioned modifications. If so, maybe this
condition should be added to these modifications.

[0] https://www.debian.org/doc/debian-policy/ch-files.html#behavior

-- System Information:
Debian Release: 11.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-22-cloud-amd64 (SMP w/2 CPU threads)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages postfix depends on:
ii  adduser                3.118
ii  cpio                   2.13+dfsg-4
ii  debconf [debconf-2.0]  1.5.77
ii  dpkg                   1.20.12
ii  e2fsprogs              1.46.2-2
ii  libc6                  2.31-13+deb11u6
ii  libdb5.3               5.3.28+dfsg1-0.8
ii  libicu67               67.1-7
ii  libnsl2                1.3.0-2
ii  libsasl2-2             2.1.27+dfsg-2.1+deb11u1
ii  libssl1.1              1.1.1n-0+deb11u4
ii  lsb-base               11.1.0
ii  netbase                6.3
ii  ssl-cert               1.1.0+nmu1

Versions of packages postfix recommends:
ii  ca-certificates  20210119
ii  python3          3.9.2-3

Versions of packages postfix suggests:
ii  bsd-mailx [mail-reader]        8.1.2-0.20180807cvs-2
ii  dovecot-core [dovecot-common]  1:2.3.13+dfsg1-2+deb11u1
pn  postfix-cdb
ii  postfix-doc                    3.5.18-0+deb11u1
pn  postfix-ldap
pn  postfix-lmdb
pn  postfix-mysql
pn  postfix-pcre
ii  postfix-pgsql                  3.5.18-0+deb11u1
pn  postfix-sqlite
pn  procmail
pn  resolvconf
pn  ufw

-- debconf information:
  postfix/relay_restrictions_warning:
  postfix/bad_recipient_delimiter:
  postfix/destinations: $myhostname, myfancyhostname, localhost.localdomain, , localhost
  postfix/newaliases: false
  postfix/not_configured:
  postfix/main_cf_conversion_warning: true
  postfix/procmail: false
  postfix/mailname: myfancyhostname
  postfix/sqlite_warning:
  postfix/mailbox_limit: 0
  postfix/protocols: all
  postfix/dynamicmaps_conversion_warning:
  postfix/tlsmgr_upgrade_warning:
  postfix/kernel_version_warning:
  postfix/root_address:
  postfix/mynetworks: 127.0.0.0/8 [:::127.0.0.0]/104 [::1]/128
  postfix/lmtp_retired_warning: true
  postfix/retry_upgrade_warning:
  postfix/recipient_delim: +
  postfix/chattr: false
* postfix/main_mailer_type: No