Bug#773107: dbus-daemon-launch-helper permissions temporarily wrong during upgrades

Sun, 14 Dec 2014 04:54:43 -0800 

Package: dbus
Version: 1.8.12-1
Severity: important

dbus-daemon-launch-helper is expected to be setuid root and executable
by group messagebus, i.e. "root messagebus 4754" in dpkg-statoverride syntax.
However, because messagebus is a dynamically-allocated system group,
the file in the .deb is actually "root root 0755", with ownership
and permissions fixed up during installation.

At the moment we just do a trivial chown/chmod in the postinst:

    if ! dpkg-statoverride --list "$LAUNCHER" >/dev/null 2>&1; then
            chown root:"$MESSAGEUSER" "$LAUNCHER"
            chmod 4754 "$LAUNCHER"
    fi

However, this is not as robust as it could be. When a new dbus has been
unpacked but not yet configured, dbus-daemon-launch-helper is
temporarily "root root 0755", breaking system service activation.

While upgrading a wheezy laptop to jessie, I hit one of the current dpkg
bugs with trigger cycles (man-db -> man-db) which stopped the upgrade
while dbus was in this state. An error message from PackageKit notification
demonstrated the bug:

dpkg: cycle found while processing triggers:
 chain of packages whose triggers are or may be responsible:
  man-db -> man-db
...
Error: GDBus.Error:org.freedesktop.DBus.Error.Spawn.PermissionsInvalid: The 
permission of the setuid helper is not correct
E: Sub-process /usr/bin/dpkg returned an error code (1)

I think we could make dbus more robust by following the pattern
suggested in Policy §10.9:

    # postinst
    if ! dpkg-statoverride --list "$LAUNCHER" >/dev/null 2>&1; then
        dpkg-statoverride --update --add root "$MESSAGEUSER" 4754 "$LAUNCHER"
    fi

    # postrm, $1 = purge
    if dpkg-statoverride --list "$LAUNCHER" >/dev/null 2>&1 ; then
        dpkg-statoverride --remove "$LAUNCHER"
    fi

This would not immediately help upgrades from current dbus versions to the
first version with this bug fixed, but all subsequent upgrades
(e.g. jessie -> stretch) would avoid the broken transitional state.

We could optionally also do something like this in preinst:

    # preinst
    if getent group "$MESSAGEUSER" >/dev/null && \
            -x "$LAUNCHER" && \
            ! dpkg-statoverride --list "$LAUNCHER" >/dev/null 2>&1; then
        dpkg-statoverride --update --add root "$MESSAGEUSER" 4754 "$LAUNCHER"
    fi

to improve the robustness of upgrades from current dbus versions to the
fixed version.

Regards,
    S


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Reply via email to