Re: WARNING: Re: debhelper /usr/bin/passwd
Wichert Akkerman [EMAIL PROTECTED] writes: [1 text/plain; us-ascii (quoted-printable)] Previously Remco Blaakmeer wrote: Is there any way of changing that default behaviour (e.g. some config file) apart from recompiling dpkg? I'd like to leave it disabled at all times no matter what the default is in the current dpkg package. No. Are there other things that would be useful in a dpkg configuration file? I can't think of anything at the moment. I'd like to be able to turn it off too. (At least RPM only does --force-overwrites during the initial install process.) Steve [EMAIL PROTECTED]
Re: WARNING: Re: debhelper /usr/bin/passwd
In article [EMAIL PROTECTED] you write: Joey Hess wrote: I'd say installing debhelper 1.2.28 with --force-conflicts is a _very_ bad idea. Unfortunatly, it looks like the current version of dpkg has --force-overwrite (which is what I meant to say above) enabled by default. And so anyone who ran dselect in the past 24 hours and upgraded from unstable has probably beeen bitten by this bad package. My understanding of dpkg/dselect/apt-get isn't extremely good, but anyway: I have noticed this behaviour, too. However, at the time, I assumed the apt-get forced the file to be overwritten because the package I was installing was required/base (ldso from memory, but this problem has already been fixed). Now I am not so sure. Can you be certain that dselect doesn't give dpkg the --force-overwrite option? My versions of dpkg claim that --force-overwrite isn't on be default (otherwise it should have [*] after it): dpkg forcing options - control behaviour when problems found: warn but continue: --force-thing,thing,... stop with error:--refuse-thing,thing,... | --no-force-thing,... Forcing things: auto-select [*](De)select packages to install (remove) them dowgrade [*] Replace a package with a lower version configure-any Configure any package which may help this one hold Process incidental packages even when on hold bad-path PATH is missing important programs, problems likely not-root Try to (de)install things even when not root overwrite Overwrite a file from one package with another overwrite-diverted Overwrite a diverted file with an undiverted version depends-version [!]Turn dependency version problems into warnings depends [!]Turn all dependency problems into warnings conflicts [!] Allow installation of conflicting packages architecture [!] Process even packages with wrong architecture overwrite-dir [!] Overwrite one package's directory with another's file remove-reinstreq [!] Remove packages which require installation remove-essential [!] Remove an essential package WARNING - use of options marked [!] can seriously damage your installation. Forcing options marked [*] are enabled by default.
Re: WARNING: Re: debhelper /usr/bin/passwd
Brian == Brian May [EMAIL PROTECTED] writes: Brian My versions of dpkg claim that --force-overwrite isn't on Brian be default (otherwise it should have [*] after it): As does mine: and it lies! I've been testing package upgrades dpkg itself is very definately using --force-overwite $ dpkg -l dpkg ii dpkg 1.4.1 Package maintenance system for Debian Linux -- Stephen --- It should be illegal to yell Y2K in a crowded economy. :-) -- Larry Wall
Re: WARNING: Re: debhelper /usr/bin/passwd
Stephen Zander wrote: Brian == Brian May [EMAIL PROTECTED] writes: Brian My versions of dpkg claim that --force-overwrite isn't on Brian be default (otherwise it should have [*] after it): As does mine: and it lies! I've been testing package upgrades dpkg itself is very definately using --force-overwite $ dpkg -l dpkg ii dpkg 1.4.1 Package maintenance system for Debian Linux Version 1.4.0.27 seems OK here. I created two dummy test packages both containing the same file, and installed them. I will check the latest version tommorrow. I suggest that you should file a bug report against dpkg... Brian May [EMAIL PROTECTED]
Re: WARNING: Re: debhelper /usr/bin/passwd
Brian May wrote: Unfortunatly, it looks like the current version of dpkg has --force-overwrite (which is what I meant to say above) enabled by default. And so anyone who ran dselect in the past 24 hours and upgraded from unstable has probably beeen bitten by this bad package. Can you be certain that dselect doesn't give dpkg the --force-overwrite option? IIRC, I wrote the above after running dpkg on the broken debhelper package by hand and watching it overwrite the files. My versions of dpkg claim that --force-overwrite isn't on be default (otherwise it should have [*] after it): That means nothing, you can turn off options in dpkg without editing that output. (Bad design, IMHO.) -- see shy jo
Re: WARNING: Re: debhelper /usr/bin/passwd
On Sat, Jan 30, 1999 at 10:06:30PM -0800, Stephen Zander wrote: Brian == Brian May [EMAIL PROTECTED] writes: Brian My versions of dpkg claim that --force-overwrite isn't on Brian be default (otherwise it should have [*] after it): As does mine: and it lies! I've been testing package upgrades dpkg itself is very definately using --force-overwite which is a damn good thing. please, nobody suggest changing the default behaviour until dpkg has a config file in /etc allowing each system admin to choose what the default should be. i get really sick of apt/dselect upgrades not working in unstable because some people have the mistaken belief that --force-overwrite should default to off. yes, you can override it on the dpkg command linebut there is no way to override it if you use dselect or apt. this is evil. craig -- craig sanders
Re: WARNING: Re: debhelper /usr/bin/passwd
Craig Sanders wrote: As does mine: and it lies! I've been testing package upgrades dpkg itself is very definately using --force-overwite which is a damn good thing. please, nobody suggest changing the default behaviour until dpkg has a config file in /etc allowing each system admin to choose what the default should be. i get really sick of apt/dselect upgrades not working in unstable because some people have the mistaken belief that --force-overwrite should default to off. yes, you can override it on the dpkg command linebut there is no way to override it if you use dselect or apt. this is evil. Just my 2 cents: The dpkg online help should reflect the default setting. It should not give the impression that the default is off when it is in actual fact on. Any duplicate files in packages is a bug in the package, and users may not even be aware of the problem (ie it can scroll of the screen) unless the default is off. If a user installs package X and it overwrites a file with an older, buggy and/or incompatable version of file F, then IMHO it is going to be very difficult to diagnose why package Y stops working, especially if that user files a bug report against Y. If you want to use --force-overwrite, perhaps these problems should be logged somewhere. Also, bug could be made to report any potential problems when submitting a bug report. As an extreme example is when installing a new, buggy, package breaks your system because it overwrites (and potentially breaks) critical system files, for instance, this thread was started because a package overwrite: /usr/bin/passwd /usr/bin/chsh /usr/bin/chfn I think the default in dpkg should be off, but it should be possible to override it by environment variable, for those who know what they are doing. In fact, I am very surprised that this isn't already supported... Brian May [EMAIL PROTECTED]
Re: WARNING: Re: debhelper /usr/bin/passwd
Previously Stephen Zander wrote: As does mine: and it lies! I've been testing package upgrades dpkg itself is very definately using --force-overwite The [*] marks are hardcoded in dpkg, and Daniel Jacobowitz forgot to change that when he made NMU 1.4.0.31 which turned --force-overwrite on by default. Wichert. -- == This combination of bytes forms a message written to you by Wichert Akkerman. E-Mail: [EMAIL PROTECTED] WWW: http://www.wi.leidenuniv.nl/~wichert/ pgpwD78HURI5b.pgp Description: PGP signature
Re: WARNING: Re: debhelper /usr/bin/passwd
Previously Remco Blaakmeer wrote: Is there any way of changing that default behaviour (e.g. some config file) apart from recompiling dpkg? I'd like to leave it disabled at all times no matter what the default is in the current dpkg package. No. Are there other things that would be useful in a dpkg configuration file? I can't think of anything at the moment. Wichert -- == This combination of bytes forms a message written to you by Wichert Akkerman. E-Mail: [EMAIL PROTECTED] WWW: http://www.wi.leidenuniv.nl/~wichert/ pgpdIuSwjrO65.pgp Description: PGP signature
Re: WARNING: Re: debhelper /usr/bin/passwd
hi Ship's Log, Lt. Brian May, Stardate 310199.1320: I have noticed this behaviour, too. However, at the time, I assumed the apt-get forced the file to be overwritten because the package I was installing was required/base (ldso from memory, but this problem has already been fixed). Now I am not so sure. Can you be certain that dselect doesn't give dpkg the --force-overwrite option? I experienced this beheaviour too with ssh/cfs which are both in non-US This is a very bad thing as the ssh of cfs is something compleatly diferent and should be renamed. Greetings -- Alexander N. Benner - Christen im Internet - http://www.christen.net/ pgp : E7BCBEBD 53 5F 48 0A 0D 3E 4A 38 A8 11 B1 AF BE 08 C8 B0 You can't be american if you don't have children. I need a wife soon. MegaHAL
Re: WARNING: Re: debhelper /usr/bin/passwd
On Mon, 25 Jan 1999, Joey Hess wrote: Joey Hess wrote: I'd say installing debhelper 1.2.28 with --force-conflicts is a _very_ bad idea. Unfortunatly, it looks like the current version of dpkg has --force-overwrite (which is what I meant to say above) enabled by default. And so anyone who ran dselect in the past 24 hours and upgraded from unstable has probably beeen bitten by this bad package. Is there any way of changing that default behaviour (e.g. some config file) apart from recompiling dpkg? I'd like to leave it disabled at all times no matter what the default is in the current dpkg package. Remco -- rd31-144: 12:50am up 5 days, 38 min, 10 users, load average: 1.00, 1.02, 1.00
Re: WARNING: Re: debhelper /usr/bin/passwd
In article [EMAIL PROTECTED],
Joey Hess [EMAIL PROTECTED] wrote:
Yesterday I fixed a bug in dh_link, bug #23255. That bug concerns a
different package that diverts /usr/bin/{passwd,chsh,chfn}, and needed to
set up some symlinks from sysdb-wrapper to them using dh_link.
Talk about heartstopping... I was wondering how on earth that escaped
my system...
--
almost called it today, turned to face the void along with the suffering
and the question- Why am I? [queensrÿche]
debhelper /usr/bin/passwd
Hi guys, I just updated my potato system. The only two packages that were being updated were debhelper and egcs-docs. I got a warning from dpkg that debhelper (it seemed) was trying to overwrite /usr/bin/passwd. Due to all of the trojan rumours flying around, I got a little scared. Also, I couldn't see why debhelper would want to overwrite /usr/bin/passwd. Any ideas? Is this something I should worry about? Thanks, -Ossama __ Ossama Othman [EMAIL PROTECTED] 58 60 1A E8 7A 66 F4 44 74 9F 3C D4 EF BF 35 88 1024/8A04D15D 1998/08/26
Re: debhelper /usr/bin/passwd
In foo.debian-devel, you wrote: Hi guys, I just updated my potato system. The only two packages that were being updated were debhelper and egcs-docs. I got a warning from dpkg that debhelper (it seemed) was trying to overwrite /usr/bin/passwd. Due to all of the trojan rumours flying around, I got a little scared. Also, I couldn't see why debhelper would want to overwrite /usr/bin/passwd. Any ideas? Is this something I should worry about? Could you please post the version(s) you have and which mirror you got it from? The /usr/bin/passwd file should be owned by the 'passwd' package [bash]$ dpkg -S /usr/bin/passwd passwd: /usr/bin/passwd Also, the debhelper package should not overwrite /usr/bin/passwd... [bash]$ dpkg --listfiles debhelper |grep /usr/bin/ /usr/bin/dh_builddeb /usr/bin/dh_clean /usr/bin/dh_compress /usr/bin/dh_du /usr/bin/dh_fixperms /usr/bin/dh_gencontrol /usr/bin/dh_installchangelogs /usr/bin/dh_installcron /usr/bin/dh_installdeb /usr/bin/dh_installdebfiles /usr/bin/dh_installdirs /usr/bin/dh_installdocs /usr/bin/dh_installexamples /usr/bin/dh_installinit /usr/bin/dh_installmanpages /usr/bin/dh_installmenu /usr/bin/dh_makeshlibs /usr/bin/dh_md5sums /usr/bin/dh_movefiles /usr/bin/dh_shlibdeps /usr/bin/dh_strip /usr/bin/dh_suidregister /usr/bin/dh_testdir /usr/bin/dh_testroot /usr/bin/dh_testversion /usr/bin/dh_undocumented /usr/bin/dh_debstd /usr/bin/dh_installemacsen /usr/bin/dh_installwm /usr/bin/dh_link /usr/bin/dh_listpackages [bash]$ dpkg --status debhelper |egrep '^Version' Version: 1.2.27 [bash]$ dpkg --status passwd |egrep '^Version' Version: 980403-0.3 [bash]$ egrep '^deb' /etc/apt/sources.list deb http://http.us.debian.org/debian unstable main contrib non-free
Re: debhelper /usr/bin/passwd
Hi Mitch, Could you please post the version(s) you have and which mirror you got it from? Sure! chsh and chfn were also in debhelper! I got debhelper using dselect/apt. Here is all the info you requested: % cat /etc/apt/sources.list deb http://http.us.debian.org/debian unstable main contrib non-free deb http://non-us.debian.org/debian-non-US unstable non-US % dpkg -l debhelper ii debhelper 1.2.28 helper programs for debian/rules % dpkg --listfiles debhelper | grep /usr/bin/ /usr/bin/dh_builddeb /usr/bin/dh_clean /usr/bin/dh_compress /usr/bin/dh_du /usr/bin/dh_fixperms /usr/bin/dh_gencontrol /usr/bin/dh_installchangelogs /usr/bin/dh_installcron /usr/bin/dh_installdeb /usr/bin/dh_installdebfiles /usr/bin/dh_installdirs /usr/bin/dh_installdocs /usr/bin/dh_installexamples /usr/bin/dh_installinit /usr/bin/dh_installmanpages /usr/bin/dh_installmenu /usr/bin/dh_makeshlibs /usr/bin/dh_md5sums /usr/bin/dh_movefiles /usr/bin/dh_shlibdeps /usr/bin/dh_strip /usr/bin/dh_suidregister /usr/bin/dh_testdir /usr/bin/dh_testroot /usr/bin/dh_testversion /usr/bin/dh_undocumented /usr/bin/dh_debstd /usr/bin/dh_installemacsen /usr/bin/dh_installwm /usr/bin/dh_link /usr/bin/dh_listpackages /usr/bin/passwd /usr/bin/chsh /usr/bin/chfn Okay, I think we can be pretty sure the last three entries don't belong there. What do you think is the problem? Thanks, -Ossama __ Ossama Othman [EMAIL PROTECTED] 58 60 1A E8 7A 66 F4 44 74 9F 3C D4 EF BF 35 88 1024/8A04D15D 1998/08/26
Re: debhelper /usr/bin/passwd
The $1E6 question is now (a) why debhelper has symlinks pointing passwd/ chfn/chsh to sysdb-wrapper, and (b) where sysdb-wrapper comes from. --Jeff
Re: debhelper /usr/bin/passwd
Ossama Othman wrote: Hi Mitch, Could you please post the version(s) you have and which mirror you got it from? Sure! chsh and chfn were also in debhelper! I got debhelper using dselect/apt. Here is all the info you requested: % cat /etc/apt/sources.list deb http://http.us.debian.org/debian unstable main contrib non-free deb http://non-us.debian.org/debian-non-US unstable non-US % dpkg -l debhelper ii debhelper 1.2.28 helper programs for debian/rules % dpkg --listfiles debhelper | grep /usr/bin/ /usr/bin/dh_builddeb /usr/bin/dh_clean /usr/bin/dh_compress /usr/bin/dh_du /usr/bin/dh_fixperms /usr/bin/dh_gencontrol /usr/bin/dh_installchangelogs /usr/bin/dh_installcron /usr/bin/dh_installdeb /usr/bin/dh_installdebfiles /usr/bin/dh_installdirs /usr/bin/dh_installdocs /usr/bin/dh_installexamples /usr/bin/dh_installinit /usr/bin/dh_installmanpages /usr/bin/dh_installmenu /usr/bin/dh_makeshlibs /usr/bin/dh_md5sums /usr/bin/dh_movefiles /usr/bin/dh_shlibdeps /usr/bin/dh_strip /usr/bin/dh_suidregister /usr/bin/dh_testdir /usr/bin/dh_testroot /usr/bin/dh_testversion /usr/bin/dh_undocumented /usr/bin/dh_debstd /usr/bin/dh_installemacsen /usr/bin/dh_installwm /usr/bin/dh_link /usr/bin/dh_listpackages /usr/bin/passwd /usr/bin/chsh /usr/bin/chfn Okay, I think we can be pretty sure the last three entries don't belong there. What do you think is the problem? Well, I got the deb and source and dsc from the mirror you pointed out, and it _does_ have these files as symlinks in them pointing to sysdb-wrapper. It doesn't look like a trojan (this weeks hot topic) because his pgp sig matches the md5sum of the tarfile, and the tarfile reproduces the symlinks in the resulting deb. So, I would just treat it as a bug. Please file a critical bug report against this package, or let me know if you don't and I will file it. I would downgrade your debhelper to 1.2.27 and reinstall the passwd package. Thanks for finding this bug. -Mitch pgpUf3EhA37to.pgp Description: PGP signature
WARNING: Re: debhelper /usr/bin/passwd
Good greif. I'm sorry about this snafu. You weren't hit by an exploit
attempt, just by a debhelper package I managed to leave some junk in. This
is fixed in version 1.2.29, and it only affected version 1.2.28.
Background:
Yesterday I fixed a bug in dh_link, bug #23255. That bug concerns a
different package that diverts /usr/bin/{passwd,chsh,chfn}, and needed to
set up some symlinks from sysdb-wrapper to them using dh_link. As I tested
dh_link, I created a debian/links file that generated those 3 symlinks. And
then I forgot to remove it and when debhelper built, it happily made the 3
symlinks in the binary package.
I'd say installing debhelper 1.2.28 with --force-conflicts is a _very_ bad
idea. So long as you don't force things dpkg won't let it install all the
way or remove /usr/bin/{passwd,chsh,chfn}. As I said, I've verified that
1.2.29 doesn't have this problem. If you install debhelper 1.2.29 and find
yourself missing /usr/bin/{passwd,chsh,chfn}, you'll have to reinstall
passwd.deb to get them back.
Ossama Othman wrote:
Hi Mitch,
Could you please post the version(s) you have and which mirror you
got it from?
Sure! chsh and chfn were also in debhelper! I got debhelper using
dselect/apt. Here is all the info you requested:
% cat /etc/apt/sources.list
deb http://http.us.debian.org/debian unstable main contrib non-free
deb http://non-us.debian.org/debian-non-US unstable non-US
% dpkg -l debhelper
ii debhelper 1.2.28 helper programs for debian/rules
% dpkg --listfiles debhelper | grep /usr/bin/
/usr/bin/dh_builddeb
/usr/bin/dh_clean
/usr/bin/dh_compress
/usr/bin/dh_du
/usr/bin/dh_fixperms
/usr/bin/dh_gencontrol
/usr/bin/dh_installchangelogs
/usr/bin/dh_installcron
/usr/bin/dh_installdeb
/usr/bin/dh_installdebfiles
/usr/bin/dh_installdirs
/usr/bin/dh_installdocs
/usr/bin/dh_installexamples
/usr/bin/dh_installinit
/usr/bin/dh_installmanpages
/usr/bin/dh_installmenu
/usr/bin/dh_makeshlibs
/usr/bin/dh_md5sums
/usr/bin/dh_movefiles
/usr/bin/dh_shlibdeps
/usr/bin/dh_strip
/usr/bin/dh_suidregister
/usr/bin/dh_testdir
/usr/bin/dh_testroot
/usr/bin/dh_testversion
/usr/bin/dh_undocumented
/usr/bin/dh_debstd
/usr/bin/dh_installemacsen
/usr/bin/dh_installwm
/usr/bin/dh_link
/usr/bin/dh_listpackages
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/chfn
Okay, I think we can be pretty sure the last three entries don't belong
there. What do you think is the problem?
Thanks,
-Ossama
__
Ossama Othman [EMAIL PROTECTED]
58 60 1A E8 7A 66 F4 44 74 9F 3C D4 EF BF 35 88 1024/8A04D15D 1998/08/26
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
--
see shy jo
Re: debhelper /usr/bin/passwd
Hi Mitch, It doesn't look like a trojan (this weeks hot topic) because his pgp sig matches the md5sum of the tarfile, and the tarfile reproduces the symlinks in the resulting deb. Great! That's good to know. So, I would just treat it as a bug. Please file a critical bug report against this package, or let me know if you don't and I will file it. Okay, I'll do it right now. I would downgrade your debhelper to 1.2.27 and reinstall the passwd package. Thanks for finding this bug. No problem. I am glad that I was able to help. Thanks, -Ossama __ Ossama Othman [EMAIL PROTECTED] 58 60 1A E8 7A 66 F4 44 74 9F 3C D4 EF BF 35 88 1024/8A04D15D 1998/08/26
Re: WARNING: Re: debhelper /usr/bin/passwd
Hi Joey, Thanks! I won't file that bug report now. :) -Ossama __ Ossama Othman [EMAIL PROTECTED] 58 60 1A E8 7A 66 F4 44 74 9F 3C D4 EF BF 35 88 1024/8A04D15D 1998/08/26
Re: debhelper /usr/bin/passwd
In foo.debian-devel, I wrote: Well, I got the deb and source and dsc from the mirror you pointed out, and it _does_ have these files as symlinks in them pointing to sysdb-wrapper. It doesn't look like a trojan (this weeks hot topic) because his pgp sig matches the md5sum of the tarfile, and the tarfile reproduces the symlinks in the resulting deb. So, I would just treat it as a bug. Please file a critical bug report against this package, or let me know if you don't and I will file it. I would downgrade your debhelper to 1.2.27 and reinstall the passwd package. Thanks for finding this bug. John Goezen has uploaded an NMU of the package, I assume he already filed the bug, so feel free to ignore. -Mitch
Re: WARNING: Re: debhelper /usr/bin/passwd
Joey Hess wrote: I'd say installing debhelper 1.2.28 with --force-conflicts is a _very_ bad idea. Unfortunatly, it looks like the current version of dpkg has --force-overwrite (which is what I meant to say above) enabled by default. And so anyone who ran dselect in the past 24 hours and upgraded from unstable has probably beeen bitten by this bad package. -- see shy jo
