[Bug 827751] New: file permissions wrong after distribution upgrade
https://bugzilla.novell.com/show_bug.cgi?id=827751

https://bugzilla.novell.com/show_bug.cgi?id=827751#c0

           Summary: file permissions wrong after distribution upgrade
    Classification: openSUSE
           Product: openSUSE 12.3
           Version: Final
          Platform: x86-64
        OS/Version: openSUSE 12.3
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Basesystem
        AssignedTo: bnc-team-screening@forge.provo.novell.com
        ReportedBy: R.Vickers@cs.rhul.ac.uk
         QAContact: qa-bugs@suse.de
          Found By: ---
           Blocker: ---

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:20.0) Gecko/20100101 Firefox/20.0

I recently upgraded a system from opensuse 12.1 to 12.2 and then to 12.3 using
the procedure documented in https://en.opensuse.org/SDB:System_upgrade .

Afterwards some services failed because a few of the permission settings in
/etc/permissions.local had not been honoured. Here is the result of running
"chkstat --system":

    # chkstat --system
    Checking permissions and ownerships - using the permissions files
            /etc/permissions
            /etc/permissions.secure
            /etc/permissions.d/mail-server
            /etc/permissions.d/sendmail
            /etc/permissions.local
    setting /usr/lib/ssh/ssh-keysign to root:root 4755. (wrong permissions 0755)
    setting /usr/lib/nagios/plugins to root:nagios 0755. (wrong owner/group root:root)
    setting /usr/lib/nagios/plugins/check_dhcp to root:nagios 4750. (wrong owner/group root:root permissions 0755)

Note that this was a small minority: most files mentioned in permissions.secure
and permissions.local did have the right permissions.

Reproducible: Didn't try

Steps to Reproduce:
1. Run distribution upgrade (including final reboot)
2. Run chkstat --system

chkstat should not report any changes.

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=827751#c

FeiXiang Zhang <fxzhang@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fxzhang@suse.com
         AssignedTo|bnc-team-screening@forge.pr |meissner@suse.com
                   |ovo.novell.com              |

https://bugzilla.novell.com/show_bug.cgi?id=827751#c1

Marcus Meissner <meissner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO
       InfoProvider|                            |R.Vickers@cs.rhul.ac.uk

--- Comment #1 from Marcus Meissner <meissner@suse.com> 2013-07-17 11:11:04 UTC ---

/usr/lib/ssh/ssh-keysign does not seem to be tracked in our files. Same for
nagios.

Is this a local setting only on your side?

The rpms need to have code to check the files, otherwise these will appear.
(We do not do blanket runs of chkstat --system anymore, but only focused ones
for the binaries we know that need it.)

Does this help?

https://bugzilla.novell.com/show_bug.cgi?id=827751#c2

--- Comment #2 from Bob Vickers <R.Vickers@cs.rhul.ac.uk> 2013-09-02 11:19:31 UTC ---

Sorry I didn't reply earlier, I've just been reminded of this because it bit me
again with another system.

Yes: this is a local setting to fix the problem that ssh-keysign does not
function unless it is setuid.

I really don't understand the rationale behind taking away the blanket "chkstat
--system". In the old days there was a simple system which was well understood:
if you want to make changes to permissions of distributed files then put those
changes in /etc/permissions.local. Now we have a system that only works
sometimes. In this case ignoring the administrator's wishes causes a loss of
functionality; in other cases it might introduce a security exposure.

https://bugzilla.novell.com/show_bug.cgi?id=827751#c3

Marcus Meissner <meissner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |lnussel@suse.com

--- Comment #3 from Marcus Meissner <meissner@suse.com> 2013-09-03 15:11:06 UTC ---

That stopped as we removed the SuSEconfig global calls.

SuSEconfig --module permissions was one of those calls.

We could in theory hook a global call in, but when... per boot up? daily? :/

https://bugzilla.novell.com/show_bug.cgi?id=827751#c4

--- Comment #4 from Bob Vickers <R.Vickers@cs.rhul.ac.uk> 2013-09-03 15:49:08 UTC ---

Ideally it should occur after packages have been installed. Boot time would be
too infrequent, but daily would probably be a reasonable compromise.

https://bugzilla.novell.com/show_bug.cgi?id=827751#c5

--- Comment #5 from Ludwig Nussel <lnussel@suse.com> 2013-09-04 09:15:57 CEST ---

Well, there are two opinions, the ones that think using suseconfig style global
calls is surprising and the ones that like it. There has been a general decision
to get rid of SuSEconfig so we have a different way now.

If there are files in packages that may or may not be setuid root depending on
local preference feel free to file a bug for those packages to include the
files in the permissions tracking.

Additionally the system upgrade docu should simply recommend to run "chkstat
--system" after the upgrade.

https://bugzilla.novell.com/show_bug.cgi?id=827751#c6

Marcus Meissner <meissner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |RESOLVED
                 CC|                            |meissner@suse.com
       InfoProvider|R.Vickers@cs.rhul.ac.uk     |
         Resolution|                            |NORESPONSE

--- Comment #6 from Marcus Meissner <meissner@suse.com> 2014-02-11 10:53:13 UTC ---

noresponse

https://bugzilla.novell.com/show_bug.cgi?id=827751#c7

--- Comment #7 from Bob Vickers <R.Vickers@cs.rhul.ac.uk> 2014-02-11 11:16:25 UTC ---

I can understand the conflict of opinion over suseconfig. Very often on SuSE
you have a choice of managing via Yast or of editing configuration files by
hand and it is important the two mechanisms do not fight each other.

However, on the specific issue of permissions I would say that relying on chmod
for any distribution-provided file is always foolish and bound to lead to
surprises sooner or later. So you shouldn't try to protect the foolish
administrator but instead protect the sensible one who relies on the documented
procedure for maintaining permissions.

Bob
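
A read-only way to list the kind of drift reported in this thread before "chkstat --system" rewrites anything, given here as an added example that is not part of the original thread or of the openSUSE permissions package. It assumes GNU stat and the "path owner:group mode" entry layout matching the chkstat output quoted in the report; perm_drift, norm_mode and the ROOT_PREFIX argument are hypothetical names.

```shell
#!/bin/sh
# Added example: read-only drift check for permissions-style files.
# Assumed entry layout: "<path> <owner>:<group> <mode>"; '#' starts a comment.
# perm_drift, norm_mode and ROOT_PREFIX are hypothetical; requires GNU stat.

# Strip leading zeros so "0755" and stat's "755" compare equal.
norm_mode() {
    nm=$1
    while [ "${nm#0}" != "$nm" ]; do nm=${nm#0}; done
    [ -n "$nm" ] || nm=0
    printf '%s\n' "$nm"
}

# Usage: perm_drift PERMISSIONS_FILE [ROOT_PREFIX]
# Prints one DRIFT line per mismatch; returns 0 only when nothing drifted.
# Nothing on disk is modified.
perm_drift() {
    pd_file=$1
    pd_root=${2:-}
    pd_count=0
    while read -r pd_path pd_owner pd_mode pd_rest; do
        case $pd_path in ''|'#'*) continue ;; esac          # blank or comment
        [ -n "$pd_owner" ] && [ -n "$pd_mode" ] || continue # malformed entry
        pd_target=$pd_root$pd_path
        [ -e "$pd_target" ] || continue   # file not installed: skipped here
        pd_have=$(stat -c '%U:%G %a' "$pd_target") || continue
        pd_have_owner=${pd_have% *}
        pd_have_mode=${pd_have##* }
        if [ "$pd_have_owner" != "$pd_owner" ] ||
           [ "$pd_have_mode" != "$(norm_mode "$pd_mode")" ]; then
            echo "DRIFT $pd_path: want $pd_owner $pd_mode, have $pd_have_owner $pd_have_mode"
            pd_count=$((pd_count + 1))
        fi
    done < "$pd_file"
    [ "$pd_count" -eq 0 ]
}

# Stand-alone use, e.g.: sh perm_drift.sh /etc/permissions.local
[ "$#" -eq 0 ] || perm_drift "$@"
```

Because the function exits non-zero on any mismatch, it can run from a daily job or a post-upgrade checklist and alert on setuid or ownership entries in /etc/permissions.local that an upgrade has reset.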