Hello!
On Thu, Mar 23, 2017 at 02:17:28AM +0100, Andreas Beckmann wrote:
> Package: diaspora-common
> Version: 0.6.3.0+debian3
> Severity: critical
> Justification: breaks the whole system
> User: debian...@lists.debian.org
> Usertags: piuparts
>
> Hi,
>
> during a test with piuparts I noticed your package makes havoc in the
> chroot.
[...]
> This very much looks like an 'rm -rf /' in the chroot ... rm is gone, sh is
> gone, ...
Looks like it does 'rm -rf /bin' to me.
Here's a completely untested patch which should hopefully prevent
disaster. Testing help welcome.
The package is still very likely RC buggy though. This patch just tries
to avoid the disaster of hosing the system.
(Consider for example the case where you already have a user named
"diaspora", making the install fail and then disaster again strikes
when you try to remove/purge your way out of the failed install removing
the user and all its data. Just one example out of many. Nowhere does it
seem to account for conffiles having been removed by the admin as another
example. These maintainer scripts are just waaaaaay to buggy/unreliable.)
HTH
Regards,
Andreas Henriksson
diff -uri diaspora-installer-0.6.3.0+debian3.orig/debian/diaspora-common.postrm diaspora-installer-0.6.3.0+debian3/debian/diaspora-common.postrm
--- diaspora-installer-0.6.3.0+debian3.orig/debian/diaspora-common.postrm 2017-03-20 14:15:32.000000000 +0100
+++ diaspora-installer-0.6.3.0+debian3/debian/diaspora-common.postrm 2017-03-23 08:42:46.277478171 +0100
@@ -6,6 +6,9 @@
# Abort if any command returns an error value
set -e
+# Abort if any unbound variables are used
+#set -u
+
# This script is called twice during the removal of the package; once
# after the removal of the package's files from the system, and as
# the final step in the removal of this package, after the package's
@@ -13,6 +16,17 @@
# Ensure the menu system is updated
+# defaults as shipped in /etc/diaspora/diaspora-common.conf
+diaspora_home=/usr/share/diaspora
+diaspora_user=diaspora
+#diaspora_user_home="$(getent passwd ${diaspora_user} | cut -d: -f6)"
+diaspora_user_home=/var/lib/diaspora
+
+# Source variables (if conffile still exists)
+if [ -f /etc/diaspora/diaspora-common.conf ]; then
+ . /etc/diaspora/diaspora-common.conf
+fi
+
case "$1" in
remove)
# This package is being removed, but its configuration has not yet
@@ -52,6 +66,11 @@
ucf --purge /etc/dbconfig-common/diaspora-common.conf
ucfr --purge diaspora-common /etc/dbconfig-common/diaspora-common.conf
fi
+
+ # safety check
+ [ "${diaspora_user_home}" != "" ] || exit 1
+ [ "${diaspora_home}" != "" ] || exit 1
+
rm -rf ${diaspora_user_home}/public
rm -rf ${diaspora_user_home}/app-assets
rm -rf ${diaspora_user_home}/Gemfile.lock
@@ -61,8 +80,8 @@
rm -rf ${diaspora_home}/db
rm -rf ${diaspora_home}/bin
rm -rf /var/cache/diaspora /var/log/diaspora
- echo "Removing user: diaspora"
- id -u diaspora && userdel -r diaspora
+ echo "Removing user: ${diaspora_user}"
+ id -u ${diaspora_user} && userdel -r ${diaspora_user}
fi
# Remove my changes to the db.
