Bug#688891: psad: modifies conffiles (policy 10.7.3): /etc/psad/psad.conf

2012-10-28 Thread Franck Joncourt

Hi Gregor,

On 23/10/2012 08:16, gregor herrmann wrote:
> On Mon, 22 Oct 2012 22:22:06 +0200, Franck Joncourt wrote:
>
> > > I'm attaching a diff that implements my ideas from the last mail;
> > Thank you very much.
>
> You're welcome :)
>
> > > still, I'm not sure about the unconditional replacing in the postinst
> > > ...
> > In the postinst script the psad.conf file is left in place if one is
> > found, and if none, the embedded copy is placed in /etc/psad. So I
> > am not sure what you mean by unconditional.
>
> Sorry for being unclear; I didn't mean replacing the file, but
> updating the values within the file, i.e. lines 44/45 (in git):
>
>    44 NAME=`hostname`
>    45 update_conf "$NAME" "HOSTNAME" "/etc/psad/psad.conf"
>
> This will overwrite the HOSTNAME variable in the file (also on
> updates), which could have been changed by the admin. - And
> that's where I'm not sure ...


The solution I can find is to leave this entry as _CHANGEME_ in 
psad.conf and maybe add a note in the README.debian file.
It does not prevent the daemon from starting. I think that would be better
than overwriting any existing value set by the admin.


Regards,

Franck


--
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org



Bug#688891: psad: modifies conffiles (policy 10.7.3): /etc/psad/psad.conf

2012-10-28 Thread gregor herrmann
On Sun, 28 Oct 2012 16:19:48 +0100, Franck Joncourt wrote:

> I have updated the package accordingly
> http://anonscm.debian.org/gitweb/?p=collab-maint/psad.git;a=summary

Looks good!
 
> I am about to upload the package. I just need to update my system to
> run the latest lintian on it and that should be ok.

Excellent, thanks.


Cheers,
gregor

-- 
 .''`.  Homepage: http://info.comodo.priv.at/ - OpenPGP key 0xBB3A68018649AA06
 : :' : Debian GNU/Linux user, admin, and developer  -  http://www.debian.org/
 `. `'  Member of VIBE!AT & SPI, fellow of the Free Software Foundation Europe
   `-   NP: STS: Aber niemals




Bug#688891: psad: modifies conffiles (policy 10.7.3): /etc/psad/psad.conf

2012-10-28 Thread Franck Joncourt

I have updated the package accordingly

http://anonscm.debian.org/gitweb/?p=collab-maint/psad.git;a=summary

I am about to upload the package. I just need to update my system to run 
the latest lintian on it and that should be ok.


Regards,
Franck





Bug#688891: psad: modifies conffiles (policy 10.7.3): /etc/psad/psad.conf

2012-10-28 Thread gregor herrmann
On Sun, 28 Oct 2012 14:58:49 +0100, Franck Joncourt wrote:

> >Sorry for being unclear; I didn't mean replacing the file, but
> >updating the values within the file, i.e. lines 44/45 (in git):
> >
> >   44 NAME=`hostname`
> >   45 update_conf "$NAME" "HOSTNAME" "/etc/psad/psad.conf"
> >
> >This will overwrite the HOSTNAME variable in the file (also on
> >updates), which could have been changed by the admin. - And
> >that's where I'm not sure ...
> 
> The solution I can find is to leave this entry as _CHANGEME_ in
> psad.conf and maybe add a note in the README.debian file.
> It does not prevent the daemon from starting. I think that would be
> better than overwriting any existing value set by the admin.

Thanks, that was the missing piece for me :)
(That the daemon also works with _CHANGEME_.)

In this case /etc/psad/psad.conf could be installed as before, and
the postinst (and removal in postrm) can just be dropped ... Nice.

Yes, this sounds easier.


Cheers,
gregor

-- 
 .''`.  Homepage: http://info.comodo.priv.at/ - OpenPGP key 0xBB3A68018649AA06
 : :' : Debian GNU/Linux user, admin, and developer  -  http://www.debian.org/
 `. `'  Member of VIBE!AT & SPI, fellow of the Free Software Foundation Europe
   `-   NP: Nick Drake: Which Will




Bug#688891: psad: modifies conffiles (policy 10.7.3): /etc/psad/psad.conf

2012-10-22 Thread gregor herrmann
On Mon, 22 Oct 2012 22:22:06 +0200, Franck Joncourt wrote:

> >I'm attaching a diff that implements my ideas from the last mail;
> Thank you very much.

You're welcome :)
 
> >still, I'm not sure about the unconditional replacing in the postinst
> >...
> In the postinst script the psad.conf file is left in place if one is
> found, and if none, the embedded copy is placed in /etc/psad. So I
> am not sure what you mean by unconditional.

Sorry for being unclear; I didn't mean replacing the file, but
updating the values within the file, i.e. lines 44/45 (in git):

  44 NAME=`hostname`
  45 update_conf "$NAME" "HOSTNAME" "/etc/psad/psad.conf"

This will overwrite the HOSTNAME variable in the file (also on
updates), which could have been changed by the admin. - And
that's where I'm not sure ...

Cheers,
gregor

-- 
 .''`.  Homepage: http://info.comodo.priv.at/ - OpenPGP key 0xBB3A68018649AA06
 : :' : Debian GNU/Linux user, admin, and developer  -  http://www.debian.org/
 `. `'  Member of VIBE!AT & SPI, fellow of the Free Software Foundation Europe
   `-   BOFH excuse #294:  PCMCIA slave driver 





Bug#688891: psad: modifies conffiles (policy 10.7.3): /etc/psad/psad.conf

2012-10-22 Thread Franck Joncourt

On 21/10/2012 17:22, gregor herrmann wrote:

Hi Gregor,

> On Mon, 15 Oct 2012 08:31:52 +0200, Franck Joncourt wrote:
>
> > I have not found the time to work on psad since Wednesday, so if you
> > want to fix psad please do so. I let you know when I am ready to
> > work on it.
>
> Sorry for my late reply, I was mostly away from $HOME during the last
> week.

No problem :)

> I'm attaching a diff that implements my ideas from the last mail;

Thank you very much.

> still, I'm not sure about the unconditional replacing in the postinst
> ...

In the postinst script the psad.conf file is left in place if one is found, and
if none, the embedded copy is placed in /etc/psad. So I am not sure what you
mean by unconditional.


Regards,
Franck





Bug#688891: psad: modifies conffiles (policy 10.7.3): /etc/psad/psad.conf

2012-10-21 Thread gregor herrmann
Control: tag -1 + patch

On Mon, 15 Oct 2012 08:31:52 +0200, Franck Joncourt wrote:

> I have not found the time to work on psad since Wednesday, so if you
> want to fix psad please do so. I let you know when I am ready to
> work on it.

Sorry for my late reply, I was mostly away from $HOME during the last
week.

I'm attaching a diff that implements my ideas from the last mail;
still, I'm not sure about the unconditional replacing in the postinst
...

Cheers,
gregor
 
-- 
 .''`.  Homepage: http://info.comodo.priv.at/ - OpenPGP key 0xBB3A68018649AA06
 : :' : Debian GNU/Linux user, admin, and developer  -  http://www.debian.org/
 `. `'  Member of VIBE!AT & SPI, fellow of the Free Software Foundation Europe
   `-   NP: Dido: Hunter
diff -Nru psad-2.2/debian/changelog psad-2.2/debian/changelog
--- psad-2.2/debian/changelog	2012-06-05 23:06:57.0 +0200
+++ psad-2.2/debian/changelog	2012-10-21 17:14:31.0 +0200
@@ -1,3 +1,15 @@
+psad (2.2-2.1) UNRELEASED; urgency=low
+
+  * Non-maintainer upload.
+  * Fix "modifies conffiles (policy 10.7.3): /etc/psad/psad.conf"
+- revert changes in debian/psad.preinst from 2.2-2
+- install psad.conf to /usr/share/psad instead of /etc/psad
+- copy it to /etc/psad in debian/psad.postinst if it doesn't exist
+- remove in in debian/psad.postrm (purge)
+(Closes: #688891)
+
+ -- gregor herrmann   Sun, 21 Oct 2012 17:05:38 +0200
+
 psad (2.2-2) unstable; urgency=low
 
   * d.psad.preinst: Revert the changes done by the postinst script in the
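Review bot: The last bullet of the new entry reads "remove in in debian/psad.postrm (purge)"; that should be "remove it in". The bullets also say nothing about debian/psad.postinst still rewriting HOSTNAME on every configure, which is the behaviour the bug report is about, so the entry should record how that is handled once it is decided.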
diff -Nru psad-2.2/debian/psad.dirs psad-2.2/debian/psad.dirs
--- psad-2.2/debian/psad.dirs	2012-06-05 23:06:57.0 +0200
+++ psad-2.2/debian/psad.dirs	2012-10-21 17:17:05.0 +0200
@@ -4,3 +4,4 @@
 var/lib/psad
 etc/psad
 etc/psad/snort_rules
+usr/share/psad
diff -Nru psad-2.2/debian/psad.postinst psad-2.2/debian/psad.postinst
--- psad-2.2/debian/psad.postinst	2012-06-05 23:06:57.0 +0200
+++ psad-2.2/debian/psad.postinst	2012-10-21 17:13:00.0 +0200
@@ -38,6 +38,9 @@
 
 if [ "$1" = "configure" ]; then
 
+if [ ! -e /etc/psad/psad.conf ]; then
+	cp /usr/share/psad/psad.conf /etc/psad/psad.conf
+fi
 NAME=`hostname`
 update_conf "$NAME" "HOSTNAME" "/etc/psad/psad.conf"
  
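Review bot: The new "if [ ! -e /etc/psad/psad.conf ]" guard protects only the copy; the two context lines right after it (NAME=`hostname` and update_conf "$NAME" "HOSTNAME" ...) still run on every configure, so a HOSTNAME set by the admin is overwritten on each upgrade. Move the update_conf call inside the new if block, or run it only while the value is still _CHANGEME_. The cp also creates the file with whatever mode the umask yields; set the mode explicitly if psad.conf is meant to be restricted.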
diff -Nru psad-2.2/debian/psad.postrm psad-2.2/debian/psad.postrm
--- psad-2.2/debian/psad.postrm	2012-06-05 23:06:57.0 +0200
+++ psad-2.2/debian/psad.postrm	2012-10-21 17:13:44.0 +0200
@@ -27,6 +27,11 @@
 if [ -d /var/log/psad ]; then
 rm -rf /var/log/psad/*
 fi
+
+# Handle the generated configuration file
+if [ -e /etc/psad/psad.conf ]; then
+rm -f /etc/psad/psad.conf
+fi
  
 fi
 
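Review bot: The added block depends on sitting inside the purge branch, which the hunk context does not show; please confirm the enclosing test is on "purge", since on a plain remove this would delete the admin's configuration. The "[ -e ... ]" test around rm -f is redundant, as rm -f already succeeds when the file is missing.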
diff -Nru psad-2.2/debian/psad.preinst psad-2.2/debian/psad.preinst
--- psad-2.2/debian/psad.preinst	2012-06-05 23:06:57.0 +0200
+++ psad-2.2/debian/psad.preinst	2012-10-21 17:09:24.0 +0200
@@ -1,51 +1,14 @@
 #!/bin/sh
 
+# This script is only intended to fix bug #497574.
+# We check for an upgrade from Psad older than 2.1.5 and remove the old
+# Psad process if needed.
 #
-# Update_conf
-#
-# This function searchs a key entry in a file and updates its value with the new
-# one.
-#
-# Syntax:
-#
-#update_conf new_val key conffile
-#  -> new_val ... : Value to set for the key value
-#  -> key ... : Name of the key to be updated
-#  -> conffile .. : File to search
-#
-update_conf ()
-{
-local new_val
-local key
-local conffile
-
-new_val=$1
-key=$2
-conffile=$3
-
-cp $conffile $conffile.old
-
-old_val=`awk '$1 == "'$key'" { print $2 }' $conffile`
-awk '$1 == "'$key'" { gsub("'$old_val'","'$new_val';",$0); \
-   print $0 } \
- $1 != "'$key'" { print $0 }' \
- $conffile.old > $conffile
-
-rm $conffile.old
-}
+# NB: As some commands can return an exit code other than 0 we do not use
+# *set -e* at the beginning.
 
 if [ "$1" = "upgrade" ]; then
 
-# Revert changes added to the configuration file by the postinst script
-update_conf "_CHANGEME_" "HOSTNAME" "/etc/psad/psad.conf"
-
-# This script is only intended to fix bug #497574.
-# We check for an upgrade from Psad older than 2.1.5 and remove the old
-# Psad process if needed.
-#
-# NB: As some commands can return an exit code other than 0 we do not use
-# *set -e* at the beginning.
-
 status=1;
 if [ -x "`which dpkg 2>/dev/null`" ]; then 
 dpkg --compare-versions 2.1.5 gt $2
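Review bot: Deleting update_conf from the preinst leaves the postinst as the only caller (see the context lines of the postinst hunk), and if the postinst carries the same definition as the one removed here it has the same weaknesses: $key, $old_val and $new_val are expanded unquoted into the awk program, and the file is rewritten through a predictable $conffile.old copy. That remaining copy deserves the same cleanup, or removal if HOSTNAME is no longer set automatically.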
diff -Nru psad-2.2/debian/rules psad-2.2/debian/rules
--- psad-2.2/debian/rules	2012-06-05 23:06:57.0 +0200
+++ psad-2.2/debian/rules	2012-10-21 17:17:21.0 +0200
@@ -9,6 +9,7 @@
 DESTDIR_BIN = $(CURDIR)/debian/$(PROGRAM)/usr/bin/
 DESTDIR_SBIN= $(CURDIR)/debian/$(PROGRAM)/usr/sbin/
 DESTDIR_ETC = $(CURDIR)/debian/$(PROGRAM)/etc/$(PROGRAM)/
+DESTDIR_SHARE   = $(CURDIR)/debian/$(PROGRAM)/usr/share/$(PROGRAM)/
 
 CFLA
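Review bot: DESTDIR_SHARE is defined here, but the patch as shown is cut off before any rule uses it. Check that the step installing psad.conf now targets DESTDIR_SHARE and no longer DESTDIR_ETC; otherwise the package still ships /etc/psad/psad.conf as a conffile and the copy in the postinst never triggers.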

Processed: Re: Bug#688891: psad: modifies conffiles (policy 10.7.3): /etc/psad/psad.conf

2012-10-21 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 + patch
Bug #688891 [psad] psad: modifies conffiles (policy 10.7.3): /etc/psad/psad.conf
Added tag(s) patch.

-- 
688891: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=688891
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Bug#688891: psad: modifies conffiles (policy 10.7.3): /etc/psad/psad.conf

2012-10-14 Thread Franck Joncourt

Hi Gregor,

I have not found the time to work on psad since Wednesday, so if you want to fix
psad please do so. I let you know when I am ready to work on it.


Regards,

--
Franck





Bug#688891: psad: modifies conffiles (policy 10.7.3): /etc/psad/psad.conf

2012-10-10 Thread gregor herrmann
On Wed, 10 Oct 2012 21:30:17 +0200, Franck Joncourt wrote:

> I have to check this bug too, but I have been working on fwknop so
> far : CVE + FTBS on mips.
> I will check your proposal tomorrow, and see if I can fix it as soon
> as possible to make it work properly.

Cool, thanks!

Cheers,
gregor

-- 
 .''`.  Homepage: http://info.comodo.priv.at/ - OpenPGP key 0xBB3A68018649AA06
 : :' : Debian GNU/Linux user, admin, and developer  -  http://www.debian.org/
 `. `'  Member of VIBE!AT & SPI, fellow of the Free Software Foundation Europe
   `-   NP: Joe Cocker: Feeling Alright




Bug#688891: psad: modifies conffiles (policy 10.7.3): /etc/psad/psad.conf

2012-10-10 Thread Franck Joncourt

Hi gregor,

I have to check this bug too, but I have been working on fwknop so far : 
CVE + FTBS on mips.


I will check your proposal tomorrow, and see if I can fix it as soon as
possible to make it work properly.


Regards,

--
Franck





Bug#688891: psad: modifies conffiles (policy 10.7.3): /etc/psad/psad.conf

2012-10-10 Thread gregor herrmann
On Wed, 26 Sep 2012 18:58:50 +0200, Andreas Beckmann wrote:

> Package: psad
> Version: 2.2-2
> Severity: serious
> Tags: squeeze-ignore
> User: debian...@lists.debian.org
> Usertags: piuparts
> Control: found -1 2.1.7-1
> 
> during a test with piuparts I noticed your package modifies conffiles.
> This is forbidden by the policy, see
> http://www.debian.org/doc/debian-policy/ch-files.html#s-config-files

> debsums reports modification of the following files,
> from the attached log (scroll to the bottom...):
> 
>   /etc/psad/psad.conf

Looks like #675231. The fix in -2 (set back the variable in preinst)
doesn't help against the underlying cause which is that the package
ships /etc/psad/psad.conf and then modifies it in postinst.

I think the way to go is:
- revert the change in preinst
- install psad.conf to /usr/share/psad/ or similar instead of
  /etc/psad
- copy it to /etc/psad if /etc/psad/psad.conf doesn't exist
- rm -f /etc/psad/psad.conf in postrm/purge

What makes me a bit unhappy is the unconditional replacing in
postinst; this will also overwrite any changes made by the admin. I
guess it could be limited to the case where the file still contains
_CHANGEME_, and (maybe, if this is necessary) to the case where the
current value doesn't match `hostname`.

Cheers,
gregor

-- 
 .''`.  Homepage: http://info.comodo.priv.at/ - OpenPGP key 0xBB3A68018649AA06
 : :' : Debian GNU/Linux user, admin, and developer  -  http://www.debian.org/
 `. `'  Member of VIBE!AT & SPI, fellow of the Free Software Foundation Europe
   `-   NP: Beach Boys: Darlin'
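
The safeguard proposed in the message above (copy the template only when no file exists, and touch HOSTNAME only while it still reads _CHANGEME_), written out as an added example. It is not code from the psad package: the function names are hypothetical, and the "KEY value;" line layout is assumed from the awk code in the patch posted to this bug.

```shell
#!/bin/sh
# Added example (not psad's packaging). Function names are hypothetical;
# paths are parameters so the logic can be exercised in a scratch directory.

# install_conf TEMPLATE TARGET: copy the shipped template only if the
# admin has no configuration file yet; an existing file is never touched.
install_conf() {
    [ -e "$2" ] && return 0
    cp "$1" "$2"
}

# set_hostname_if_default TARGET NAME: fill in HOSTNAME only while it still
# holds the _CHANGEME_ placeholder. Assumes "KEY   value;" lines.
set_hostname_if_default() {
    target=$1 name=$2 status=0
    # Accept hostname characters only, so NAME is safe inside awk's sub().
    case $name in
        ''|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    # Anything other than the placeholder is an admin choice: leave it.
    grep -Eq '^HOSTNAME[[:space:]]+_CHANGEME_;' "$target" || return 0
    tmp=$(mktemp "$target.XXXXXX") || return 1
    # Rewrite into a private temp file, then write back through the
    # existing file so its owner and mode are kept.
    awk -v name="$name" '
        $1 == "HOSTNAME" && $2 == "_CHANGEME_;" { sub(/_CHANGEME_;/, name ";") }
        { print }' "$target" > "$tmp" && cat "$tmp" > "$target" || status=1
    rm -f "$tmp"
    return $status
}

# Constructed demonstration in a throwaway directory (sample values made up).
demo() {
    d=$(mktemp -d) || return 1
    printf 'EMAIL_ADDRESSES   root@localhost;\nHOSTNAME   _CHANGEME_;\n' > "$d/template"
    install_conf "$d/template" "$d/psad.conf"
    set_hostname_if_default "$d/psad.conf" "fw1"         # placeholder -> fw1
    set_hostname_if_default "$d/psad.conf" "other-name"  # no-op: already set
    grep '^HOSTNAME' "$d/psad.conf"
    rm -rf "$d"
}
demo
```
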




Bug#688891: psad: modifies conffiles (policy 10.7.3): /etc/psad/psad.conf

2012-09-26 Thread Andreas Beckmann
Package: psad
Version: 2.2-2
Severity: serious
Tags: squeeze-ignore
User: debian...@lists.debian.org
Usertags: piuparts
Control: found -1 2.1.7-1

Hi,

during a test with piuparts I noticed your package modifies conffiles.
This is forbidden by the policy, see
http://www.debian.org/doc/debian-policy/ch-files.html#s-config-files

10.7.3: "[...] The easy way to achieve this behavior is to make the
configuration file a conffile. [...] This implies that the default
version will be part of the package distribution, and must not be
modified by the maintainer scripts during installation (or at any
other time)."

Note that once a package ships a modified version of that conffile,
dpkg will prompt the user for an action how to handle the upgrade of
this modified conffile (that was not modified by the user).

Further in 10.7.3: "[...] must not ask unnecessary questions
(particularly during upgrades) [...]"

If a configuration file is customized by a maintainer script after
having asked some debconf questions, it may not be marked as a
conffile. Instead a template could be installed in /usr/share and used
by the postinst script to fill in the custom values and create (or
update) the configuration file (preserving any user modifications!).
This file must be removed during postrm purge.
ucf(1) may help with these tasks.
See also http://wiki.debian.org/DpkgConffileHandling

In https://lists.debian.org/debian-devel/2012/09/msg00412.html and
followups it has been agreed that these bugs are to be filed with
severity serious.

debsums reports modification of the following files,
from the attached log (scroll to the bottom...):

  /etc/psad/psad.conf


cheers,

Andreas


psad_2.2-2.log.gz
Description: GNU Zip compressed data