Package: logcheck
Version: 1.3.24
Severity: important
Tags: patch
X-Debbugs-Cc: richard.lewis.deb...@googlemail.com
Dear Maintainer,

logcheck currently fails the 'piuparts test' because its postinst does a recursive chown/chmod on all rules - but logcheck is not the only package to install files in /etc/logcheck and so the postinst is actually changing permissions of files from other packages: if you install and purge logcheck the system is not in the same state as if logcheck was never installed, because permissions have changed.

The chown/chmod is not needed: logcheck runs as the 'logcheck' user, and we 'want'* to make /etc/logcheck not world-readable - but individual rules don't need to be kept secret as long as the outer dir is closed.

(*Do we really want this? It is pretty marginal benefit, but I suppose it prevents people seeing local modifications and local rules.)

So this patch to postinst:
- restores /etc/logcheck to root:root
- restores all contents of /etc/logcheck to a-sx,u=rwX,go=rX
- makes only the outer directories /var/lib/logcheck and /etc/logcheck owned by logcheck:logcheck and sets permissions drwxr-x---
(the first two could be removed once bookworm is stable)

In postrm, when logcheck is purged, /etc/logcheck will still exist if other packages had rules installed. So reset /etc/logcheck to root:root and u=rwx,go=rx - this ensures that the system is in the same state as when logcheck was installed.

(Is this the right thing to do? I am not totally sure. It does mean anything left in /etc/logcheck after purge becomes readable. Not sure this matters, but maybe it does - and I don't see how logcheck can pass piuparts without this.)

Again, can submit as a merge request in due course.

(Surely there is a better way to add the logcheck user than is done here? But I didn't fundamentally change this part.)

-- System Information:
Debian Release: 11.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-15-amd64 (SMP w/1 CPU thread)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages logcheck depends on:
ii  adduser                                    3.118
ii  exim4-daemon-light [mail-transport-agent]  4.94.2-7
ii  lockfile-progs                             0.1.18
ii  logtail                                    1.3.24+local6
ii  mime-construct                             1.11+nmu3

Versions of packages logcheck recommends:
ii  logcheck-database  1.3.25+local1

Versions of packages logcheck suggests:
ii  cron [cron-daemon]           3.0pl1-137
ii  rsyslog [system-log-daemon]  8.2102.0-2+deb11u1
ii  systemd                      247.3-7+deb11u1

-- Configuration Files:
/etc/logcheck/header.txt [Errno 13] Permission denied: '/etc/logcheck/header.txt'
/etc/logcheck/logcheck.conf [Errno 13] Permission denied: '/etc/logcheck/logcheck.conf'
/etc/logcheck/logcheck.logfiles [Errno 13] Permission denied: '/etc/logcheck/logcheck.logfiles'
/etc/logcheck/logcheck.logfiles.d/journal.logfiles [Errno 13] Permission denied: '/etc/logcheck/logcheck.logfiles.d/journal.logfiles'
/etc/logcheck/logcheck.logfiles.d/syslog.logfiles [Errno 13] Permission denied: '/etc/logcheck/logcheck.logfiles.d/syslog.logfiles'

-- no debconf information
diff --git a/debian/logcheck.postinst b/debian/logcheck.postinst index b38db801..fc5aff57 100644 --- a/debian/logcheck.postinst +++ b/debian/logcheck.postinst 
@@ -10,86 +10,65 @@ set -e # * <deconfigured's-postinst> `abort-deconfigure' `in-favour' # <failed-install-package> <version> `removing' # <conflicting-package> <version> -# for details, see http://www.debian.org/doc/debian-policy/ or -# the debian-policy package -# -# quoting from the policy: -# Any necessary prompting should almost always be confined to the -# post-installation script, and should be protected with a conditional -# so that unnecessary prompting doesn't happen if a package's -# installation fails and the `postinst' is called with `abort-upgrade', -# `abort-remove' or `abort-deconfigure'. case "$1" in configure) - # Add logcheck user - # check for logcheck user or bad version without home - # touch cron job on updating accounts to fix #284788 + # Ensure the logcheck user exists + # touch cron job on to fix #284788 if ! getent passwd logcheck > /dev/null; then adduser --quiet --system --home /var/lib/logcheck --no-create-home \ --group logcheck || true touch /etc/cron.d/logcheck || true fi - # check for logcheck group in case account exists without group - if ! getent group logcheck >/dev/null; then + # Ensure the logcheck group exists (the user could have been created without a group) + if ! getent group logcheck > /dev/null; then addgroup --system logcheck usermod -g logcheck logcheck fi - # make sure the home directory exists + # Ensure the logcheck user's home directory exists if [ ! -d "$(getent passwd logcheck | cut -d: -f6)" ]; then usermod -d /var/lib/logcheck logcheck > /dev/null || true fi - # check for logcheck in adm group + # Ensure logcheck is in the adm group if ! 
getent group adm | grep logcheck > /dev/null; then adduser --quiet logcheck adm || true fi - # add logcheck to /etc/aliases on install; not on upgrade - if [ -z "$2" ]; then + # Ensure the logcheck user has a 'real name' + if [ -z "$(getent passwd logcheck | cut -d: -f5)" ]; then + chfn -f 'logcheck system account' logcheck + fi + + # add logcheck to /etc/aliases (on install; not on upgrade) + if [ -z "${2-}" ]; then if [ -f /etc/aliases ] || [ -L /etc/aliases ]; then if ! grep -qi "^logcheck[[:space:]]*:" /etc/aliases; then echo "logcheck: root" >> /etc/aliases - test -x "$(command -v newaliases)" && newaliases || : + if [ -x "$(command -v newaliases)" ]; then + newaliases || : + fi fi fi fi - # give logcheck system user a real name unless it has one. - if [ -z "$(getent passwd logcheck | cut -d: -f5)" ]; then - chfn -f 'logcheck system account' logcheck - fi - - # Add logcheck mail header on install - if [ -z "$2" ] && [ ! -f /etc/logcheck/header.txt ]; then - cp -p /usr/share/logcheck/header.txt /etc/logcheck - fi - - # Unconditionalizing this for now as we have files that are - # unreadable upon upgrade. 
<ttrox...@debian.org> - chgrp -R logcheck /etc/logcheck || true - - # Set Permissions on install, not upgrade - if [ -z "$2" ]; then - chmod 2750 /etc/logcheck/ignore.d.paranoid || true - chmod 2750 /etc/logcheck/ignore.d.workstation || true - chmod 2750 /etc/logcheck/ignore.d.server || true - chmod 2750 /etc/logcheck/cracking.d || true - chmod 2750 /etc/logcheck/cracking.ignore.d || true - chmod 2750 /etc/logcheck/violations.d || true - chmod 2750 /etc/logcheck/violations.ignore.d || true - chmod 2750 /etc/logcheck/logcheck.logfiles.d || true - chmod -R g+rX /etc/logcheck || true - fi - chown -R logcheck:logcheck /var/lib/logcheck || true - chmod 0770 /var/lib/logcheck || true - + # revert previous behaviour of changing perms + group of contents + # of /etc/logcheck - this avoids the piuparts error on 'install + # (from bullseye)+upgrade (to bookworm)+purge' when other packages + # have installed rules. The next two lines can be removed once + # bookworm is stable. + chown -R root:root /etc/logcheck + chmod -R a-sx,u=rwX,go=rX /etc/logcheck + # Restrict /var/lib/logcheck and /etc/logcheck + for f in /var/lib/logcheck /etc/logcheck; do + chown logcheck:logcheck "$f" || true + chmod u=rwx,g=rx,o= "$f" || true # drwxr-x--- + done ;; abort-upgrade|abort-remove|abort-deconfigure) - : ;; *) @@ -98,9 +77,6 @@ case "$1" in ;; esac -# dh_installdeb will replace this with shell code automatically -# generated by other debhelper scripts. - #DEBHELPER# exit 0 diff --git a/debian/logcheck.postrm b/debian/logcheck.postrm index c9e82d3a..b071b11b 100644 --- a/debian/logcheck.postrm +++ b/debian/logcheck.postrm 
@@ -19,34 +19,34 @@ set -e case "$1" in purge) - # remove the lib dir - if [ -d /var/lib/logcheck ]; then - rm -r /var/lib/logcheck - fi - # remove user and group - #deluser --quiet --remove-home logcheck > /dev/null || true - # remove header - if [ -e /etc/logcheck/header.txt ]; then - rm -f /etc/logcheck/header.txt - fi - ;; + # remove offsets and stale locks + for f in /var/lib/logcheck /run/lock/logcheck; do + if [ -d "$f" ]; then + rm -rf "$f" || : + fi + done + if [ -d /etc/logcheck ]; then + # other packages may have installed rules in this dir, so + # we reset the permissions to how they were before we were + # installed. This also keeps piuparts happy + chown root:root /etc/logcheck + chmod u=rwx,go=rx /etc/logcheck # reset to default + fi + #do not remove, as may still own files in /etc/logcheck + #deluser --quiet --remove-home logcheck > /dev/null || true + ;; remove) - : - ;; + ;; upgrade|failed-upgrade|abort-install|abort-upgrade|disappear) - - ;; + ;; *) - echo "postrm called with unknown argument \`$1'" >&2 - exit 1 + echo "postrm called with unknown argument \`$1'" >&2 + exit 1 esac -# dh_installdeb will replace this with shell code automatically -# generated by other debhelper scripts. - #DEBHELPER# exit 0
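Review bot: in the postinst `configure)` hunk, `chown -R root:root /etc/logcheck` and `chmod -R a-sx,u=rwX,go=rX /etc/logcheck` run under `set -e` without the `|| true` that every other permission command in the script carries, so a missing /etc/logcheck or a single chown/chmod failure aborts the postinst and leaves the package unconfigured; wrap them in `if [ -d /etc/logcheck ]; then ... fi` or append `|| true` as the loop just below does. They also execute on every configure rather than only on the one upgrade that needs the cleanup, resetting any locally chosen ownership or mode under /etc/logcheck at each upgrade; since the comment says the two lines exist for the bullseye-to-bookworm transition, gate them on the previous version, e.g. `if [ -n "${2-}" ] && dpkg --compare-versions "$2" lt <first-fixed-version>; then` (version to be filled in), which also makes dropping them later a plain deletion. Two smaller points: the `cp -p /usr/share/logcheck/header.txt /etc/logcheck` block is removed here (and its `rm -f` in postrm) without the report saying why; the Configuration Files list above suggests header.txt is already a conffile, so state that in the changelog, otherwise keep the copy. And the rewritten comment `# touch cron job on to fix #284788` lost "updating accounts" from the original and no longer reads as a sentence.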
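Review bot: in the postrm `purge)` hunk the comment `#do not remove, as may still own files in /etc/logcheck` is stale once this patch is applied, because the postinst in the same patch chowns everything under /etc/logcheck to root:root; only files the local admin created as the logcheck user could still be owned by it, so say that (keeping the account on purge is still the right call). `rm -rf /run/lock/logcheck` is new behaviour the report description does not mention and belongs in the changelog. The `chmod u=rwx,go=rx /etc/logcheck` reset makes whatever remains in the directory readable to everyone after purge, as the report itself flags; if that matters, limit the reset to the case where rules from other packages are still present rather than applying it whenever the directory exists. Finally, the `;;` lines in the `remove)`, `upgrade|...)` and `*)` cases change only indentation; whitespace-only hunks obscure the functional change and are best dropped or sent as a separate commit.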
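As an added example (not part of the report or of the logcheck package), here is a piuparts-style mode-drift check that contrasts the 1.3.24 maintainer-script behaviour with the patched one on a throw-away copy of the /etc/logcheck layout. The function names, the sample rule file and the omission of the chown/chgrp steps (they need root and the logcheck group; mode drift alone shows the problem) are assumptions of this example.

```shell
#!/bin/sh
# Constructed check (not from the bug report or the logcheck package):
# does a postinst+postrm pair leave the modes of files in a shared
# /etc/logcheck tree unchanged? Runs on a temp copy of the layout, so it
# needs no root and never touches the real /etc. Requires GNU stat.

snapshot_modes() {   # "<octal mode> <path>" per entry, sorted
    find "$1" -exec stat -c '%a %n' {} + | sort
}

old_postinst() {     # mode changes from the 1.3.24 postinst (chown omitted)
    chmod 2750 "$1/ignore.d.server" || true
    chmod -R g+rX "$1" || true
}
old_postrm() { :; }  # 1.3.24 purge removed header.txt but restored nothing

new_postinst() {     # the patch: only the outer directory is restricted
    chmod u=rwx,g=rx,o= "$1"
}
new_postrm() {       # the patch: outer directory back to dpkg's default
    chmod u=rwx,go=rx "$1"
}

# check_cycle POSTINST POSTRM: returns 0 if install+purge left every mode
# as it was, 1 if any file or directory drifted.
check_cycle() {
    tmp=$(mktemp -d)
    etc="$tmp/etc/logcheck"
    mkdir -p "$etc/ignore.d.server"
    # a rule file another package shipped, with a deliberately tight mode
    echo 'constructed rule' > "$etc/ignore.d.server/other-pkg"
    chmod 0600 "$etc/ignore.d.server/other-pkg"
    chmod 0755 "$etc" "$etc/ignore.d.server"
    before=$(snapshot_modes "$etc")
    "$1" "$etc"
    "$2" "$etc"
    after=$(snapshot_modes "$etc")
    rm -rf "$tmp"
    [ "$before" = "$after" ]
}

if check_cycle old_postinst old_postrm; then echo "1.3.24 scripts: no drift"
else echo "1.3.24 scripts: modes drift after install+purge"; fi
if check_cycle new_postinst new_postrm; then echo "patched scripts: no drift"
else echo "patched scripts: modes drift after install+purge"; fi
```

With the 1.3.24 functions the other package's rule goes from 0600 to 0640 and its directory from 0755 to 2750, which is exactly the state piuparts compares against and rejects.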