[Bug 1120189] New: 389-ds build fail in the post-check due to modified permissions
http://bugzilla.suse.com/show_bug.cgi?id=1120189

            Bug ID: 1120189
           Summary: 389-ds build fail in the post-check due to modified permissions
    Classification: openSUSE
           Product: openSUSE Distribution
           Version: Leap 15.1
          Hardware: Other
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Other
          Assignee: varkoly@suse.com
          Reporter: mlin@suse.com
        QA Contact: qa-bugs@suse.de
          Found By: ---
           Blocker: ---

The 389-ds build failed in Leap 15.1 recently; it fails in the post-check because modified permissions were caught. The full build log can be found at https://build.opensuse.org/package/live_build_log/openSUSE:Leap:15.1/389-ds/...

-- 
You are receiving this mail because:
You are on the CC list for the bug.
http://bugzilla.suse.com/show_bug.cgi?id=1120189#c1

--- Comment #1 from Max Lin <mlin@suse.com> ---
The error log:

[  163s] ... testing for modified permissions
[  163s] --------------------------------------------------------------------
[  163s] package: 389-ds
[  163s] /usr/bin/chkstat modified files that are not properly handled!
[  163s] this will break rpm -V, ask ro for details.
[  163s] diff for both runs of rpm -V:
[  163s] +.M....G.P /usr/sbin/ns-slapd
[  163s] --------------------------------------------------------------------
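To read the post-check output in comment #1, one needs to decode the nine-character attribute string that rpm -V prints and the +/- prefix that the post-check puts in front of it. The following shell script is an added example, not part of the bug report, the OBS post-check or the 389-ds package: it decodes both, using the attribute letters documented in rpm(8). The function names are mine, and the only input is the single diff line from the build log, embedded as a constructed sample.

```shell
#!/bin/sh
# Added example: decode the attribute string of an `rpm -V` line and the
# +/- lines of the OBS post-check "diff for both runs of rpm -V".
# Attribute positions follow rpm(8): S size, M mode, 5 digest, D device,
# L readlink, U user, G group, T mtime, P capabilities.  '.' means the
# test passed, '?' means it could not be performed.

decode_rpmv_flags() {
    flags=$1
    out=""
    i=1
    while [ "$i" -le 9 ]; do
        c=$(printf '%s' "$flags" | cut -c"$i")
        case "$c" in
            .|"")  ;;                          # attribute unchanged / string short
            S)     out="$out size" ;;
            M)     out="$out mode" ;;
            5)     out="$out digest" ;;
            D)     out="$out device" ;;
            L)     out="$out readlink" ;;
            U)     out="$out user" ;;
            G)     out="$out group" ;;
            T)     out="$out mtime" ;;
            P)     out="$out caps" ;;
            '?')   out="$out untested@$i" ;;
            *)     out="$out invalid:$c" ;;
        esac
        i=$((i + 1))
    done
    printf '%s\n' "${out# }"
}

# Read post-check diff lines on stdin.  '+' lines appear only in the second
# rpm -V run (after chkstat was run), '-' lines only in the first run.
decode_postcheck_diff() {
    while IFS= read -r line; do
        case "$line" in
            +*) when="reported only after chkstat" ;;
            -*) when="reported only before chkstat" ;;
            *)  continue ;;                    # not a diff line
        esac
        rest=${line#?}                         # strip the +/- sign
        flags=${rest%% *}                      # 9-char attribute string
        path=${rest#* }
        # rpm -V may put a file-type marker (c config, d doc, g ghost,
        # l license, r readme) between the flags and the path
        case "$path" in
            [cdglr]\ *) path=${path#* } ;;
        esac
        printf '%s: %s (%s)\n' "$path" "$(decode_rpmv_flags "$flags")" "$when"
    done
}

# Constructed sample: the single diff line from the build log in comment #1.
SAMPLE_DIFF='+.M....G.P /usr/sbin/ns-slapd'

printf '%s\n' "$SAMPLE_DIFF" | decode_postcheck_diff
# prints: /usr/sbin/ns-slapd: mode group caps (reported only after chkstat)
```

For the line from the log this yields "mode group caps" with a "+" prefix: after chkstat had run, the mode, group and file capabilities of /usr/sbin/ns-slapd no longer matched what the RPM database records for the package, so rpm -V started to report the file. That is exactly the situation the post-check calls "not properly handled": a permissions profile entry is applied to the file at build time, but the package itself does not declare those attributes, so the two views of the file disagree.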
http://bugzilla.suse.com/show_bug.cgi?id=1120189#c4

Matthias Gerstner <matthias.gerstner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mrueckert@suse.com

--- Comment #4 from Matthias Gerstner <matthias.gerstner@suse.com> ---
It looks like the 389-ds package is not yet prepared to handle the capability setting correctly. It also fails in the devel project for the same reason at the moment.

There was no explicit request to backport this permission setting to SLE-15, but I synced the permissions package in SLE-15-SP1 with Factory to avoid a bunch of backports. Correctly using the CAP_NET_BIND_SERVICE capability would be an improvement for SLE-15-SP1, too. It shouldn't be too much effort to get it working. The capability bit for ns-slapd is set anyway even in SLE-15:GA already, even if it is not actually used.

From the security perspective we've reviewed 389-ds version 1.4.0.18 in bug 1111564. In SLE-15-SP1 we have version 1.4.03. 1.4.0.18 contains only maintenance changes and it looks like there are no major changes in the area of the initialization code. Therefore it should be safe to apply the capability bit there as well.
http://bugzilla.suse.com/show_bug.cgi?id=1120189#c5

--- Comment #5 from Ludwig Nussel <lnussel@suse.com> ---
The package is not prepared for permissions handling at all, not even in Factory. So you either can't set that stuff in the permissions package at all or the maintainer has to fix the package.
http://bugzilla.suse.com/show_bug.cgi?id=1120189#c6

Matthias Gerstner <matthias.gerstner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|matthias.gerstner@suse.com  |varkoly@suse.com

--- Comment #6 from Matthias Gerstner <matthias.gerstner@suse.com> ---
(In reply to lnussel@suse.com from comment #5)
> The package is not prepared for permissions handling at all, not even in
> Factory. So you either can't set that stuff in the permissions package at
> all or the maintainer has to fix the package.

Since we've been asked to review this in bug 1111564, the whitelisting in the permissions package was just the natural result. Therefore I suggest the maintainer adjusts the package accordingly. It shouldn't be too much effort and the result is a more consistent package.

Reassigning to the 389-ds maintainer. Can you please take care of this? Thank you.
http://bugzilla.suse.com/show_bug.cgi?id=1120189#c7

--- Comment #7 from Marcus Rückert <mrueckert@suse.com> ---
The real problem is that the fixed package is stuck behind some ring0 changes to go in. In the devel project it has been fixed for a while.
Peter Varkoly <varkoly@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|varkoly@suse.com            |bnc-team-screening@forge.provo.novell.com

William Brown <william@blackhats.net.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |william@blackhats.net.au
           Assignee|bnc-team-screening@forge.provo.novell.com |william@blackhats.net.au
http://bugzilla.suse.com/show_bug.cgi?id=1120189#c8

--- Comment #8 from William Brown <william@blackhats.net.au> ---
Hi there,

If I'm following correctly, the fixes for this are already upstream, but were blocked on an selinux module import error. I have fixed this upstream with https://pagure.io/389-ds-base/pull-request/50124 .

Is there anything that you require from me for upstream to help fix this?
Ludwig Nussel <lnussel@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|william@blackhats.net.au    |varkoly@suse.com

Peter Varkoly <varkoly@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|varkoly@suse.com            |bnc-team-screening@forge.provo.novell.com

Peter Varkoly <varkoly@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|bnc-team-screening@forge.provo.novell.com |samba-maintainers@SuSE.de

Peter Varkoly <varkoly@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|varkoly@suse.com            |
http://bugzilla.suse.com/show_bug.cgi?id=1120189#c10

--- Comment #10 from Ludwig Nussel <lnussel@suse.com> ---
Quoting my reply from a query by email:

The package comes from SLE, as such you need to apply the fix on top of the SLE version and submit back as maintenance update there.

$ osc -A ibs bco SUSE:SLE-15:GA 389-ds
$ cd *SUSE:SLE-15:GA/389-ds
[add your fix]
$ osc ci
$ osc sr

Any ETA for that?
Ludwig Nussel <lnussel@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|samba-maintainers@SuSE.de   |william.brown@suse.com

Ludwig Nussel <lnussel+factory@suse.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |1127976
http://bugzilla.suse.com/show_bug.cgi?id=1120189#c11

--- Comment #11 from William Brown <william.brown@suse.com> ---
Hi there,

When I attempt this, I get a permission denied on the internal build.suse.de service. I'm going to try to follow this up today.
http://bugzilla.suse.com/show_bug.cgi?id=1120189#c12

--- Comment #12 from Ludwig Nussel <lnussel@suse.com> ---
Based on an email discussion William wanted to submit a maintenance update to SLE15 due to numerous bugs. William, could you please elaborate on that for the record here?
http://bugzilla.suse.com/show_bug.cgi?id=1120189#c13

--- Comment #13 from Ludwig Nussel <lnussel@suse.com> ---
Any update?
http://bugzilla.suse.com/show_bug.cgi?id=1120189#c14

--- Comment #14 from William Brown <william.brown@suse.com> ---
Ummm, I sent you the updates as you requested to the openSUSE Leap versions. My account still has no access to the internal build systems. So I'm not sure what I'm missing here, but I think I did everything you asked?
http://bugzilla.suse.com/show_bug.cgi?id=1120189#c15

--- Comment #15 from Ludwig Nussel <lnussel@suse.com> ---
Arguments why the version update is needed are still missing in this bug report. Also, the .changes file needs to refer to this bug (bsc#1120189). Then I can forward your request internally.

Nevertheless please escalate the missing access to build.suse.de. I've never seen issues related to obs login unresolved for that long.
http://bugzilla.suse.com/show_bug.cgi?id=1120189#c16

--- Comment #16 from William Brown <william.brown@suse.com> ---
> Arguments why the version update is needed are still missing in this bug
> report. Also, the .changes file needs to refer to this bug (bsc#1120189).
> Then I can forward your request internally.

I sent the following text to my manager, so I'll paste it here:

"""
I’d like to recommend that we upgrade and repackage 389-ds for SLE-15-SP1 over the current version. As you have mentioned, the installed userbase is likely small, so making a change like this is unlikely to be disruptive.

Red Hat and upstream design each series (1.4.x.x) to be stable and upgraded over the course of an enterprise distribution's life. This means that there should be very little changing from an administrator perspective there.

However, a major change has occurred between 1.4.0.x and 1.4.1.x with regard to SUSE packaging of the 389-ds project. As an upstream core team member, I corrected a number of issues in the way the packaging was performed, and most notably, enabled the python administration toolkit. This has not been reflected in 1.4.0.x versions in SLE yet. It’s important to note, upstream had deprecated the perl admin tools since 1.3.x, so 1.4.x.x with perl was never an upstream supported combination. Enabling the python admin tools makes the setup process easier, and many administrative tasks become far easier to manage.

An additional point is (this is my mistake) I have been working with the fantastic SUSE docs team, reworking the SLE guide’s 389-ds section (from openldap) to assume that 1.4.x.x was used with the enabled python tools. This means the documentation doesn’t currently align to the packages in SLE-15-SP1. It would be awkward to rewrite the documentation to the old perl tools, only to have to bring it back to the python tools later.

A risk to keep in mind is that YaST may or may not work with the python tools, however I am proactively reaching out to the YaST team to discuss this and to work with them to improve this situation.
"""

It's worth noting that the YaST situation is resolved, with the code approved for merge within the last 24 hours, so hopefully that can be backported without difficulty for yast-auth-server.

> Nevertheless please escalate the missing access to build.suse.de. I've never
> seen issues related to obs login unresolved for that long.

I think it's a ticket system issue. I contacted the buildops team directly and my account works now.
http://bugzilla.suse.com/show_bug.cgi?id=1120189#c17

--- Comment #17 from Ludwig Nussel <lnussel@suse.com> ---
I'm sure you do this with the best intentions but this is opening a can of worms. So since this change has impact on yast and the documentation, does that mean it won't be releasable as a maintenance update for GA? Meaning SP1 only? Note SP1 is heading for RC2, so no new features, while this one pretty much sounds like one.
http://bugzilla.suse.com/show_bug.cgi?id=1120189#c18

--- Comment #18 from Ludwig Nussel <lnussel@suse.com> ---
(In reply to William Brown from comment #16)
> It's worth noting that the YAST situation is resolved, with the code
> approved for merge within the last 24 hours, so hopefully that can be
> backported without difficulty for yast-auth-server.

Do you have a link or bug number for that?
http://bugzilla.suse.com/show_bug.cgi?id=1120189#c19

--- Comment #19 from William Brown <william.brown@suse.com> ---
I don't have a bugzilla number, no; I have the yast-auth-server PR on github though: https://github.com/yast/yast-auth-server/pull/49

I understand that yes, it will be a can of worms, and it's not my decision to make. My advice is as mentioned, directly because the current packaging decisions made in 15.0/15.1 are not supported configurations by upstream; the use of the perl installer is not recommended. The majority of value in changing from openldap to 389ds is the accessible tooling we have developed in 1.4.x. So we can either re-do our SUSE docs from openldap -> 389ds + python (already mostly done anyway), or we have to double handle and do openldap -> 389ds + perl -> 389ds + python.

I will leave it to others to decide what is the correct course of action here for SLES, but anything I can do to unblock or improve the situation, please let me know.
William Brown <william.brown@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jmcdonough@suse.com
http://bugzilla.suse.com/show_bug.cgi?id=1120189#c20

--- Comment #20 from Swamp Workflow Management <swamp@suse.de> ---
This is an autogenerated message for OBS integration:
This bug (1120189) was mentioned in
https://build.opensuse.org/request/show/691432 15.1 / 389-ds
http://bugzilla.suse.com/show_bug.cgi?id=1120189#c21

--- Comment #21 from Ludwig Nussel <lnussel@suse.com> ---
The version upgrade with the dependencies to yast and documentation exceeds the scope of what is manageable for Leap at this point. I've raised the issue to SLE release coordination and submitted a minimal build fix to Leap myself. I've also submitted the same change to the factory devel project. Please include it and make sure your future submission to SLE also includes it.
http://bugzilla.suse.com/show_bug.cgi?id=1120189#c22

--- Comment #22 from William Brown <william.brown@suse.com> ---
Thanks, the fix is already included in the specs I provided and upstream. This doesn't really answer the issue that the SUSE package is an unsupported upstream configuration, and that our documentation won't align with upstream or SUSE (as I did expect to be doing the upstream supported configuration). So I'll still wait for other input as to what the correct steps are from here.
Frederic Crozat <fcrozat@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fcrozat@suse.com

Swamp Workflow Management <swamp@suse.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Whiteboard|                            |maint:planned:update

Swamp Workflow Management <swamp@suse.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Whiteboard|maint:planned:update        |maint:planned:update ibs:running:11727:important

Swamp Workflow Management <swamp@suse.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Whiteboard|maint:planned:update ibs:running:11727:important |ibs:running:11727:important
http://bugzilla.suse.com/show_bug.cgi?id=1120189#c33

--- Comment #33 from Swamp Workflow Management <swamp@suse.de> ---
SUSE-SU-2019:2155-1: An update that solves 8 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1083689,1092187,1099465,1105606,1108674,1109609,1120189,1132385,1144797,991201
CVE References: CVE-2016-5416,CVE-2018-1054,CVE-2018-10871,CVE-2018-1089,CVE-2018-10935,CVE-2018-14638,CVE-2018-14648,CVE-2019-3883
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP1 (src):    389-ds-1.4.0.26~git0.8a2d3de6f-4.14.1
SUSE Linux Enterprise Module for Server Applications 15 (src):    389-ds-1.4.0.26~git0.8a2d3de6f-4.14.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    389-ds-1.4.0.26~git0.8a2d3de6f-4.14.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    389-ds-1.4.0.26~git0.8a2d3de6f-4.14.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Swamp Workflow Management <swamp@suse.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Whiteboard|ibs:running:11727:important |

Swamp Workflow Management <swamp@suse.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Whiteboard|                            |obs:running:10882:important

Swamp Workflow Management <swamp@suse.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Whiteboard|obs:running:10882:important |
participants (1): bugzilla_noreply@novell.com