Dominique Leuenberger changed bug 1201385
What  | Removed                         | Added
Flags | needinfo?(dimstar@opensuse.org) |

Comment # 17 on bug 1201385 from
@Christian,

The build of postfix currently fails with:

[  132s] --------------------------------------------------------------------
[  132s] ERROR: chkstat --level secure modified package postfix
[  132s] Please add '%verify(not mode,...) for those to avoid listings in rpm -V.
[  132s] diff for both runs of rpm -V:
[  132s] --- //.build_rpmVp_orig    2022-08-01 13:44:14.812000000 +0000
[  132s] +++ //.build_rpmVp_easy    2022-08-01 13:44:14.876000000 +0000
[  132s] @@ -0,0 +1 @@
[  132s] +.M....G..    /usr/sbin/postlog
[  132s] --------------------------------------------------------------------
[  132s] --------------------------------------------------------------------
[  132s] ERROR: chkstat --level paranoid modified package postfix
[  132s] Please add '%verify(not mode,...) for those to avoid listings in rpm -V.
[  132s] diff for both runs of rpm -V:
[  132s] --- //.build_rpmVp_orig    2022-08-01 13:44:14.812000000 +0000
[  132s] +++ //.build_rpmVp_paranoid    2022-08-01 13:44:14.932000000 +0000
[  132s] @@ -0,0 +1 @@
[  132s] +.M....G..    /usr/sbin/postlog
[  132s] --------------------------------------------------------------------

And, indeed, /usr/sbin/postlog is not listed in the set_permissions and
verify_permissions script sections of postfix.spec; also, the files section
does not correspond to this:

i.e. %post contains:

%set_permissions %{_sbindir}/postqueue
%set_permissions %{_sbindir}/postdrop
%set_permissions %{_sysconfdir}/%{name}/sasl_passwd
%set_permissions %{_sbindir}/sendmail

(missing /usr/sbin/postlog)

%verifyscript is:
%verify_permissions -e %{_sbindir}/postqueue
%verify_permissions -e %{_sbindir}/postdrop
%verify_permissions -e %{_sysconfdir}/%{name}/sasl_passwd
%verify_permissions -e %{_sbindir}/sendmail
(again, missing postlog)

and the files section is:
%attr(0755,root,root) %{_sbindir}/postlog

lacking verify (not mode, group), as the mode is adjusted by the permissions
profile to 2755 and the group changes to maildrop.

For the group, it is actually debatable why it should not be packaged as
':maildrop' directly, as all security profiles (easy, secure, paranoid) set that
group (the rule is to set the rpm metadata to match the paranoid setting, i.e.
  32+/usr/sbin/postlog root:maildrop 0755).

Hope that helps
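
A small checker for the mismatch described in the comment above, added here as an example and not part of the original comment or of the postfix package: for every path the permissions profile adjusts, it reports which of `%set_permissions`, `%verify_permissions` and `%verify(not mode ...)` the spec still lacks. The function name `audit`, the `MACROS` table and the sample spec (including the `%files` lines other than the one for postlog) are assumptions made for the illustration.

```python
import re

# Constructed sample modelled on the fragments quoted in the comment; the
# %files lines for everything except postlog are assumptions.
SPEC = """\
%post
%set_permissions %{_sbindir}/postqueue
%set_permissions %{_sbindir}/postdrop

%verifyscript
%verify_permissions -e %{_sbindir}/postqueue
%verify_permissions -e %{_sbindir}/postdrop

%files
%verify(not mode) %attr(2755,root,maildrop) %{_sbindir}/postqueue
%verify(not mode) %attr(2755,root,maildrop) %{_sbindir}/postdrop
%attr(0755,root,root) %{_sbindir}/postlog
"""

# Only the macro the sample uses; expand a real spec with `rpmspec -P` first.
MACROS = {"%{_sbindir}": "/usr/sbin"}

def audit(spec, managed_paths):
    """Map each managed path to the spec entries it is still missing."""
    for macro, value in MACROS.items():
        spec = spec.replace(macro, value)
    found = {p: set() for p in managed_paths}
    for line in spec.splitlines():
        tokens = line.split()
        if not tokens or tokens[-1] not in found:
            continue  # line does not end in a path we care about
        path = tokens[-1]
        if tokens[0] in ("%set_permissions", "%verify_permissions"):
            found[path].add(tokens[0])
        elif re.search(r"%verify\(\s*not\b[^)]*\bmode\b", line):
            # %files entry that tells rpm -V to ignore the mode change
            found[path].add("%verify(not mode)")
    wanted = ["%set_permissions", "%verify_permissions", "%verify(not mode)"]
    return {p: [w for w in wanted if w not in got]
            for p, got in found.items() if len(got) < len(wanted)}

if __name__ == "__main__":
    # Paths the permissions profile adjusts (constructed list for the sample).
    managed = ["/usr/sbin/postqueue", "/usr/sbin/postdrop", "/usr/sbin/postlog"]
    for path, missing in audit(SPEC, managed).items():
        print(f"{path}: missing {', '.join(missing)}")
```
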

