Bug#361956: marked as done (nagios2-common: postinstall script uses unconditional chmod/chown, breaking any dpkg-statoverride)

Fri, 12 May 2006 08:41:45 -0700 

Your message dated Fri, 12 May 2006 08:02:10 -0700
with message-id <[EMAIL PROTECTED]>
and subject line Bug#361956: fixed in nagios2 2.3-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message --- 
Package: nagios2-common
Version: 2.1-1
Severity: serious
Tags: patch
Justification: Policy 10.9.1

As stated in the subject -- the postinstall uses unconditionally
chmod/chown.  If the local admin tries to change permissions using
dpkg-statoverride, these local changes are not respected.

-- System Information:
Debian Release: testing/unstable
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.16.jumper
Locale: LANG=C, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)

diff -ruN nagios2-2.1/debian/lintian/overrides/nagios2-common 
nagios2-2.hs/debian/lintian/overrides/nagios2-common
--- nagios2-2.1/debian/lintian/overrides/nagios2-common 2006-04-11 
14:15:11.000000000 +0200
+++ nagios2-2.hs/debian/lintian/overrides/nagios2-common        1970-01-01 
01:00:00.000000000 +0100
@@ -1 +0,0 @@
-non-standard-file-perm etc/nagios2/resource.cfg 0600 != 0644
diff -ruN nagios2-2.1/debian/nagios2-common.install 
nagios2-2.hs/debian/nagios2-common.install
--- nagios2-2.1/debian/nagios2-common.install   2006-04-11 14:15:11.000000000 
+0200
+++ nagios2-2.hs/debian/nagios2-common.install  2006-04-11 14:09:30.000000000 
+0200
@@ -5,6 +5,5 @@
 sample-config/template-object/README 
/usr/share/doc/nagios2-common/examples/template-object
 sample-config/template-object/*.cfg 
/usr/share/doc/nagios2-common/examples/template-object
 debian/httpd.webapps-common /usr/share/nagios2/debian
-debian/lintian/overrides/nagios2-common usr/share/lintian/overrides
 debian/gateway.cfg usr/share/nagios2/debian
 debian/extcommands.cfg usr/share/nagios2/debian
diff -ruN nagios2-2.1/debian/nagios2-common.postinst 
nagios2-2.hs/debian/nagios2-common.postinst
--- nagios2-2.1/debian/nagios2-common.postinst  2006-04-11 14:15:11.000000000 
+0200
+++ nagios2-2.hs/debian/nagios2-common.postinst 2006-04-11 11:48:57.000000000 
+0200
@@ -20,6 +20,16 @@
 # location of the default htpasswd authentication file.
 htpw=$en/htpasswd.users
 
+# useful functions
+setperm() {
+    local user="$1"; shift
+    local group="$1"; shift
+    local mode="$1"; shift
+    local file="$1"; shift
+    dpkg-statoverride --list "$file" >/dev/null && return 0
+    dpkg-statoverride --update --add "$user" "$group" "$mode" "$file"
+}
+
 case "$1" in
   configure)
     if ! getent passwd nagios > /dev/null ; then
@@ -76,14 +86,15 @@
 
        # explicitly set permissions on some files that are dependent
        # on the uid/gid of the nagios user, which is dynamically created.
-       chown root:nagios $en/resource.cfg
-       chmod 640 $en/resource.cfg
-    install -d -onagios -gadm -m2751 /var/log/nagios2
-    install -d -onagios -gnagios -m750 /var/run/nagios2
-    install -d -onagios -gnagios -m750 /var/lib/nagios2
-       # chown instead of install to preserve permission bits
-       chown nagios /var/lib/nagios2/rw
-    install -d -onagios -gwww-data -m2750 /var/cache/nagios2
+       # .hs
+       # Do not forget to remove these statoverrides when purging the
+       # package!
+       setperm root nagios 0640 $en/resource.cfg
+       setperm nagios adm 2751 /var/log/nagios2
+       setperm nagios nagios 0750 /var/run/nagios2
+       setperm nagios nagios 0750 /var/lib/nagios2
+       setperm nagios www-data 02750 /var/cache/nagios2
+       setperm nagios www-data 0700 /var/lib/nagios2/rw
 
        # everything went well, so now let's reset the password
        db_set nagios2/adminpassword ""
diff -ruN nagios2-2.1/debian/nagios2-common.postrm 
nagios2-2.hs/debian/nagios2-common.postrm
--- nagios2-2.1/debian/nagios2-common.postrm    2006-04-11 14:15:11.000000000 
+0200
+++ nagios2-2.hs/debian/nagios2-common.postrm   2006-04-11 11:50:02.000000000 
+0200
@@ -13,6 +13,13 @@
        ucf --purge /etc/nagios2/apache2.conf
        ucf --purge /etc/nagios2/conf.d/host-gateway_nagios2.cfg
        #ucf --purge /etc/nagios2/conf.d/extcommands_nagios2.cfg
+
+       dpkg-statoverride --force --remove /etc/nagios2/resource.cfg
+       dpkg-statoverride --force --remove /var/log/nagios2
+       dpkg-statoverride --force --remove /var/run/nagios2
+       dpkg-statoverride --force --remove /var/lib/nagios2
+       dpkg-statoverride --force --remove /var/cache/nagios2
+       dpkg-statoverride --force --remove /var/lib/nagios2/rw
     ;;
 esac
 
diff -ruN nagios2-2.1/debian/rules nagios2-2.hs/debian/rules
--- nagios2-2.1/debian/rules    2006-04-11 14:15:11.000000000 +0200
+++ nagios2-2.hs/debian/rules   2006-04-11 14:12:23.000000000 +0200
@@ -137,10 +137,9 @@
        # remove empty directory
        rmdir --ignore-fail-on-non-empty -p $b/nagios2/var/lib/nagios2/archives
        # set up /var/cache/nagios2 for access by www-data
-       chgrp www-data ${bnc}/var/cache/nagios2
-       chmod g+s ${bnc}/var/cache/nagios2
-       chown root:www-data ${bnc}/var/lib/nagios2/rw
-       chmod 700 ${bnc}/var/lib/nagios2/rw
+       # Permissions are set in postinstall using dpkg-statoverride
+       # for following parts: /var/cache/nagios2
+       #                      /var/lib/nagios2/rw
        # alter some installed filenames/locations
        mv ${b}/nagios2/usr/sbin/nagios ${b}/nagios2/usr/sbin/nagios2
        mv ${b}/nagios2/usr/sbin/nagiostats ${b}/nagios2/usr/sbin/nagios2stats
@@ -181,7 +180,7 @@
        # XXX some stuff below here is commented out
        #install -m 755 cgi/grouplist.cgi.in 
debian/$@/usr/lib/cgi-bin/nagios/grouplist.cgi
        dh_compress          -i
-       dh_fixperms          -i -Xnagios2/resource.cfg
+       dh_fixperms          -i 
        dh_installdebconf    -i
        dh_installdeb        -i
        dh_gencontrol        -i

--- End Message ---
--- Begin Message --- 
Source: nagios2
Source-Version: 2.3-1

We believe that the bug you reported is fixed in the latest version of
nagios2, which is due to be installed in the Debian FTP archive:

nagios2-common_2.3-1_all.deb
  to pool/main/n/nagios2/nagios2-common_2.3-1_all.deb
nagios2-doc_2.3-1_all.deb
  to pool/main/n/nagios2/nagios2-doc_2.3-1_all.deb
nagios2_2.3-1.diff.gz
  to pool/main/n/nagios2/nagios2_2.3-1.diff.gz
nagios2_2.3-1.dsc
  to pool/main/n/nagios2/nagios2_2.3-1.dsc
nagios2_2.3-1_amd64.deb
  to pool/main/n/nagios2/nagios2_2.3-1_amd64.deb
nagios2_2.3.orig.tar.gz
  to pool/main/n/nagios2/nagios2_2.3.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
sean finney <[EMAIL PROTECTED]> (supplier of updated nagios2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 12 May 2006 15:32:01 +0200
Source: nagios2
Binary: nagios2-doc nagios2-common nagios2
Architecture: source all amd64
Version: 2.3-1
Distribution: unstable
Urgency: high
Maintainer: Debian Nagios Maintainer Group <[EMAIL PROTECTED]>
Changed-By: sean finney <[EMAIL PROTECTED]>
Description: 
 nagios2    - A host/service/network monitoring and management system
 nagios2-common - support files for nagios2
 nagios2-doc - documentation for nagios2
Closes: 360778 360998 361239 361956 363152 366683
Changes: 
 nagios2 (2.3-1) unstable; urgency=high
 .
   * new upstream version
   * Fix nagios2 restart in init script.
     Thanks to Jim Jensen. (mh) Closes: #360778
   * Fix /usr/share/doc/nagios2/html symlink.
     Thanks to Matt Zagrabelny. (mh) Closes: #360998
   * Create pid file directory dynamically in init script.
     Thanks to Herbert Straub. (mh) Closes: #361239
   * Honor locally set file/dir permissions in postinst, fixing policy
     10.9.1 compliance. Thanks to Heiko Schlittermann. (mh) Closes: #361956
 .
   [sean finney]
   * This upstream version addresses a security issue raised in CVE-2006-2162,
     wrt malcious use of Content-Length headers on cgi scripts.  This debian
     release includes further refinement of this fix
     (10_CVE-2006-2162_content-length.dpatch)
     as we believe it's still theoretically possible to exploit the issue
     via integer overflow. Closes: #366683.
   * change eventhandlers dir to /usr/lib/nagios2/plugins/eventhandlers,
     and make sure they're included (closes: #363152).
   * security release, so urgency bumped.
Files: 
 5cc9b9cc79bdaa5a0240fb268beb8220 879 net optional nagios2_2.3-1.dsc
 6d0a01ed778f81cc49d402884d25a933 1734837 net optional nagios2_2.3.orig.tar.gz
 d183d1ba0e53c2c28640e4291a8faae7 21435 net optional nagios2_2.3-1.diff.gz
 eac14cdd16c79fec9daafaed9741fe34 1102722 net optional nagios2_2.3-1_amd64.deb
 3cd4fa6282e616cd7d902eb1e1d5ba7e 55988 net optional 
nagios2-common_2.3-1_all.deb
 a376b105dc826b254f9350aad9506003 1131480 doc optional nagios2-doc_2.3-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEZJzjynjLPm522B0RAunlAJ9fI3DF5xjdqUCr1+sdAXuDmY8PjwCdFeQs
Kh37QO/YSY35EJ9dBbVrqJI=
=wo2R
-----END PGP SIGNATURE-----

--- End Message ---

Reply via email to