maximilian attems
2005-Sep-14 15:58 UTC
[Logcheck-devel] Re: [Logcheck-commits] CVS logcheck/debian
On Sun, 29 May 2005, CVS User ttroxell wrote:
> Update of /cvsroot/logcheck/logcheck/debian
> In directory haydn:/tmp/cvs-serv9342/debian
>
> Modified Files:
>     changelog logcheck.postinst
> Log Message:
> Unfortunately this change breaks policy because we need to keep user's
> existing group, owner, and permissions intact, so I have to remove it.
>
> It's not too bad though because logcheck can still read the rulefiles.
> It's just sloppy. The best solution proposed thus far was to get
> logcheck user installed in Debian base.

i'm repeatedly beaten by that revert.
do a simple: sudo find /etc/logcheck/ -gid 0
and you won't be surprised. :-P

please name the paragraph in the policy you have in mind?

base-passwd states that packages should cope with dynamically allocated
system users and groups.
"packages should avoid requesting such ids"

> --- /cvsroot/logcheck/logcheck/debian/changelog 2005/05/27 00:50:46 1.443 > +++ /cvsroot/logcheck/logcheck/debian/changelog 2005/05/29 04:20:30 1.444 > @@ -53,7 +53,6 @@ > * Added dot to username match in scponly rule. > * Match more strictly ipv4 address in dhcpd + dhclient rules. > * Add to ignore.d.server/dhcpd initial udhcpd lines. (Closes: #306388) > - * Set group ownership on install and on upgrade to catch new rule files. > * Minor additions to logcheck(8). > * Add rule for cron nss_ldap message in ignore.d.server/cron. > * Generalise kernel message no IPv6 routers present level workstation. > --- /cvsroot/logcheck/logcheck/debian/logcheck.postinst 2005/05/13 15:29:48 1.38 > +++ /cvsroot/logcheck/logcheck/debian/logcheck.postinst 2005/05/29 04:20:30 1.39 > @@ -1,6 +1,6 @@ > #!/bin/sh > > -# $Id: logcheck.postinst,v 1.38 2005/05/13 15:29:48 maks-guest Exp $ > +# $Id: logcheck.postinst,v 1.39 2005/05/29 04:20:30 ttroxell Exp $ > > set -e 
> > @@ -65,9 +65,16 @@ > fi > > # need to be done on install and on upgrade for new rule files > - chgrp -R logcheck /etc/logcheck || true > + # (Cant do this; breaks policy! -todd) > + # TODO: Get logcheck user in Debian base. > + # chgrp -R logcheck /etc/logcheck || true > + > + # This gets executed even if there is no $2. > + if dpkg --compare-versions "$2" lt "1.2.34"; then > + chgrp -R logcheck /etc/logcheck || true > + fi > > - # Fix Permissions on install or upgrade > + # Set Permissions on install or upgrade > if [ ! -n "$2" ] || dpkg --compare-versions "$2" lt "1.2.34"; then > chown -R logcheck:logcheck /var/lib/logcheck || true > chmod 2750 /etc/logcheck/ignore.d.paranoid || true
-- maks
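Review bot: in the debian/changelog hunk at @@ -53,7 +53,6 @@, the entry "Set group ownership on install and on upgrade to catch new rule files." is deleted outright, but the logcheck.postinst change in the same commit still runs chgrp -R logcheck /etc/logcheck on fresh installs and on upgrades from versions before 1.2.34. Replace the entry with one that describes the narrowed behaviour rather than dropping it, so the changelog matches what the maintainer script actually does.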
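Review bot: in the logcheck.postinst hunk at @@ -65,9 +65,16 @@, the new guard 'if dpkg --compare-versions "$2" lt "1.2.34"' depends on dpkg treating an empty $2 as earlier than any version, which only the comment "This gets executed even if there is no $2." hints at, while the block directly below spells the same condition out as '[ ! -n "$2" ] || dpkg --compare-versions "$2" lt "1.2.34"'. Use the explicit form in both places, or move the chgrp into that existing block, so the two conditions cannot drift apart. The comment "(Cant do this; breaks policy! -todd)" also sits right above a chgrp -R that still runs on fresh installs and old upgrades; say which case is being skipped (upgrades from 1.2.34 or later) and delete the commented-out chgrp line instead of keeping it as dead code.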
Todd Troxell
2005-Sep-14 18:22 UTC
[Logcheck-devel] Re: [Logcheck-commits] CVS logcheck/debian
On Wed, Sep 14, 2005 at 05:58:00PM +0200, maximilian attems wrote:
> On Sun, 29 May 2005, CVS User ttroxell wrote:
>
> > Update of /cvsroot/logcheck/logcheck/debian
> > In directory haydn:/tmp/cvs-serv9342/debian
> >
> > Modified Files:
> >     changelog logcheck.postinst
> > Log Message:
> > Unfortunately this change breaks policy because we need to keep user's
> > existing group, owner, and permissions intact, so I have to remove it.
> >
> > It's not too bad though because logcheck can still read the rulefiles.
> > It's just sloppy. The best solution proposed thus far was to get
> > logcheck user installed in Debian base.
>
> i'm repeatedly beaten by that revert.
> do a simple: sudo find /etc/logcheck/ -gid 0
> and you won't be surprised. :-P

*nodnod*

> please name the paragraph in the policy you have in mind?

Sorry, I was making things up. It would appear that it's not disallowed by
policy. The original complaint is in this archived report[0].

> base-passwd states that packages should cope with dynamically allocated
> system users and groups.
> "packages should avoid requesting such ids"

Hmm. We can add a conditional chown to dh_installlogcheck. [The condition
being whether or not we have a logcheck user yet.] It will also require yet
another overwrite of all /etc/logcheck perms.

[0] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=287184;archive=yes

--
Todd Troxell
http://rapidpacket.com/~xtat