Package: xymon
Version: 4.3.28-3
Severity: serious
Control: found -1 4.3.28-2 4.3.28-4 4.3.0~beta2.dfsg-9.1
Justification: upgrades fail under some valid and realistic circumstances

Originally reported in Ubuntu at https://bugs.launchpad.net/ubuntu/+source/xymon/+bug/1819378 under a slightly obscure setup.

Context:

The package xymon ships /etc/xymon/critical.cfg.bak on purpose because it is needed initially so that the user www-data can write backup copies of /etc/xymon/critical.cfg into it without the directory /etc/xymon/ needing to be writable for www-data.

This is upstream design and present in the (upstream) xymon RPMs as well. It is more or less documented in the critical.cfg(5) man page shipped with xymon.

Issue:

To achieve the proper permissions in the Debian package, /etc/xymon/critical.cfg.bak is shipped as a conffile and xymon's postinst executes "cd /etc/xymon; chgrp www-data critical.cfg critical.cfg.bak; chmod g+w critical.cfg critical.cfg.bak" unconditionally.

So if a local admin sees the .bak file and removes it because it doesn't look relevant, the next package upgrade or security update will fail unless a file named critical.cfg.bak has been created again.

Thanks to sukhvirz on Launchpad for the initial bug report in Ubuntu and Thomas K Jones on Launchpad for giving me the right hint to understand the cause of this issue.

While the upstream design is debatable with no doubt, the proper and unintrusive fix is to make the chown and chgrp in postinst conditional by checking the existence of the two files first.

And although this issue seems not to have been noticed by us (the package maintainers) or reported for quite a while(*), it's nevertheless a rather _common_ thing to clean up .bak files from /etc/, especially if /etc/ is tracked in a VCS, e.g. via etckeeper. Hence the RC severity.

Will come up with a fixed package by the upcoming weekend at the latest.

Footnotes:

(*) I see the relevant code even in the xymon package in Wheezy, just with different file names as this was the last release before the big conffile renaming.

		Regards, Axel
-- 
 ,''`.  |  Axel Beckert <a...@debian.org>, https://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE
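
The failure and the existence-checked fix-up described in the report, as an added example that is not the maintainer's actual patch. The function names `perms_unconditional` and `perms_conditional` and their directory and group parameters are assumptions, introduced so the logic can run against a scratch directory instead of /etc/xymon.

```shell
#!/bin/sh
# Added example, not code from the xymon package.
# File names and the chgrp/chmod commands come from the bug report;
# the function names and the (dir, group) parameters are hypothetical.
set -e

# Form quoted in the report: both files are named unconditionally.
# If critical.cfg.bak has been removed, chgrp exits non-zero, and in a
# maintainer script running under `set -e` that aborts the upgrade.
perms_unconditional() {
    dir=$1
    group=$2
    (
        cd "$dir" &&
        chgrp "$group" critical.cfg critical.cfg.bak &&
        chmod g+w critical.cfg critical.cfg.bak
    )
}

# Conditional form: adjust only the files that still exist, so a
# deleted .bak file no longer breaks configuration of the package.
# Errors on files that do exist are still reported to the caller.
perms_conditional() {
    dir=$1
    group=$2
    for f in critical.cfg critical.cfg.bak; do
        if [ -e "$dir/$f" ]; then
            chgrp "$group" "$dir/$f" || return 1
            chmod g+w "$dir/$f" || return 1
        fi
    done
    return 0
}
```

In a real postinst the call would be `perms_conditional /etc/xymon www-data`.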