Hello List, for quite some time, I've noticed that the permissions and group of /var/log/lastlog (and sometimes a few others, like [bw]tmp) differ from what chkstat expects. This is, of course, easily fixed with chmod and chown, but the old permissions tend to re-appear after zypper updates. It's probably not really a problem, but does anyone know where the diffence comes from? Thanks, A. -- Ansgar Esztermann Sysadmin Dep. Theoretical and Computational Biophysics http://www.mpibpc.mpg.de/grubmueller/esztermann
On 29/07/2021 16.27, Ansgar Esztermann-Kirchner wrote:
Hello List,
for quite some time, I've noticed that the permissions and group of /var/log/lastlog (and sometimes a few others, like [bw]tmp) differ from what chkstat expects. This is, of course, easily fixed with chmod and chown,
chkstat --set will correct them all. Or --system. Could be set on a cron job.
but the old permissions tend to re-appear after zypper updates. It's probably not really a problem, but does anyone know where the diffence comes from?
It could be packaging error or logrotate error. A bugzilla could be in order. -- Cheers / Saludos, Carlos E. R. (from oS Leap 15.2 x86_64 (Minas Tirith))
On Thu, Jul 29, 2021 at 04:37:37PM +0200, Carlos E. R. wrote:
On 29/07/2021 16.27, Ansgar Esztermann-Kirchner wrote:
Hello List,
for quite some time, I've noticed that the permissions and group of /var/log/lastlog (and sometimes a few others, like [bw]tmp) differ from what chkstat expects. This is, of course, easily fixed with chmod and chown,
chkstat --set
Yes, you're right. I forgot about that one.
will correct them all. Or --system. Could be set on a cron job.
True, but that feels like treating symptoms only. A. -- Ansgar Esztermann Sysadmin Dep. Theoretical and Computational Biophysics http://www.mpibpc.mpg.de/grubmueller/esztermann
On 30/07/2021 09.00, Ansgar Esztermann-Kirchner wrote:
On Thu, Jul 29, 2021 at 04:37:37PM +0200, Carlos E. R. wrote:
On 29/07/2021 16.27, Ansgar Esztermann-Kirchner wrote:
Hello List,
for quite some time, I've noticed that the permissions and group of /var/log/lastlog (and sometimes a few others, like [bw]tmp) differ from what chkstat expects. This is, of course, easily fixed with chmod and chown,
chkstat --set
Yes, you're right. I forgot about that one.
will correct them all. Or --system. Could be set on a cron job.
True, but that feels like treating symptoms only.
Long ago, there was a script that could be run manually after installs, named 'SuSEconfig', which did these things like calling 'chkstat --system'. It was also called by YaST. Easy to remember to call it after manual actions to make sure we did what YaST would have done. Alas, the script is gone. I don't know if zypper or yast now call 'chkstat --system' and why not. -- Cheers / Saludos, Carlos E. R. (from oS Leap 15.2 x86_64 (Minas Tirith))
On 30.07.2021 12:13, Carlos E. R. wrote:
I don't know if zypper or yast now call 'chkstat --system' and why not.
Packages that install files that are known to be managed by /etc/permissions are expected to call chkstat in their installation scripts. At least some of them do. If you encounter the case of installing file listed in default /etc/permissions* but not calling chkstat you should file bug report. /var/log/lastlog is not listed in default /etc/permssions* so no package tries to fix its permissions. If you have local modifications you should probably install permissions-zypp-plugin which runs chkstat after zypper finished installing packages.
On 30/07/2021 12.16, Andrei Borzenkov wrote:
On 30.07.2021 12:13, Carlos E. R. wrote:
I don't know if zypper or yast now call 'chkstat --system' and why not.
Packages that install files that are known to be managed by /etc/permissions are expected to call chkstat in their installation scripts. At least some of them do. If you encounter the case of installing file listed in default /etc/permissions* but not calling chkstat you should file bug report.
/var/log/lastlog is not listed in default /etc/permssions* so no package tries to fix its permissions. If you have local modifications you should probably install permissions-zypp-plugin which runs chkstat after zypper finished installing packages.
Ah! No, I don't have that one. Installing. Thanks. But even without local permissions, there are often differences between the packages and the /etc/permissions* settings. I don't know which I found the other day, they have flowed out of the terminal history. trying on my server: Isengard:~ # chkstat --warn --system Checking permissions and ownerships - using the permissions files /etc/permissions /etc/permissions.easy /etc/permissions.d/postfix /etc/permissions.local /var/log/lastlog should be root:root 0644. (wrong owner/group root:utmp permissions 0664) /var/log/btmp should be root:utmp 0600. (wrong permissions 0660) Isengard:~ # It is possible that the correct group is indeed "root:utmp"? -- Cheers / Saludos, Carlos E. R. (from oS Leap 15.2 x86_64 (Minas Tirith))
On Fri, Jul 30, 2021 at 1:26 PM Carlos E. R. <robin.listas@telefonica.net> wrote:
Isengard:~ # chkstat --warn --system Checking permissions and ownerships - using the permissions files /etc/permissions /etc/permissions.easy /etc/permissions.d/postfix /etc/permissions.local /var/log/lastlog should be root:root 0644. (wrong owner/group root:utmp permissions 0664) /var/log/btmp should be root:utmp 0600. (wrong permissions 0660) Isengard:~ #
Which file contains lastlog and btmp? I do not see lastlog on my Leap 15.3
On 30/07/2021 13.32, Andrei Borzenkov wrote:
On Fri, Jul 30, 2021 at 1:26 PM Carlos E. R. <robin.listas@telefonica.net> wrote:
Isengard:~ # chkstat --warn --system Checking permissions and ownerships - using the permissions files /etc/permissions /etc/permissions.easy /etc/permissions.d/postfix /etc/permissions.local /var/log/lastlog should be root:root 0644. (wrong owner/group root:utmp permissions 0664) /var/log/btmp should be root:utmp 0600. (wrong permissions 0660) Isengard:~ #
Which file contains lastlog and btmp? I do not see lastlog on my Leap 15.3
No, I'm using 15.2 (as signature says). Isengard:~ # rpm -qf /var/log/lastlog /var/log/btmp aaa_base-84.87+git20180409.04c9dae-lp152.14.7.1.x86_64 file /var/log/btmp is not owned by any package Isengard:~ # Isengard:~ # file /var/log/btmp /var/log/btmp: dBase III DBT, version number 0, next free block index 6 Isengard:~ # Command "lastb" uses it (bad login attempts) utmpdump /var/log/btmp dumps it. https://www.thegeekdiary.com/what-is-the-purpose-of-utmp-wtmp-and-btmp-files... I have not found what creates and keeps them, and I have forgotten. -- Cheers / Saludos, Carlos E. R. (from oS Leap 15.2 x86_64 (Minas Tirith))
On Fri, Jul 30, 2021 at 2:51 PM Carlos E. R. <robin.listas@telefonica.net> wrote:
On 30/07/2021 13.32, Andrei Borzenkov wrote:
On Fri, Jul 30, 2021 at 1:26 PM Carlos E. R. <robin.listas@telefonica.net> wrote:
Isengard:~ # chkstat --warn --system Checking permissions and ownerships - using the permissions files /etc/permissions /etc/permissions.easy /etc/permissions.d/postfix /etc/permissions.local /var/log/lastlog should be root:root 0644. (wrong owner/group root:utmp permissions 0664) /var/log/btmp should be root:utmp 0600. (wrong permissions 0660) Isengard:~ #
Which file contains lastlog and btmp? I do not see lastlog on my Leap 15.3
No, I'm using 15.2 (as signature says).
Isengard:~ # rpm -qf /var/log/lastlog /var/log/btmp aaa_base-84.87+git20180409.04c9dae-lp152.14.7.1.x86_64 file /var/log/btmp is not owned by any package Isengard:~ #
Isengard:~ # file /var/log/btmp /var/log/btmp: dBase III DBT, version number 0, next free block index 6 Isengard:~ #
that is not what I asked.
Command "lastb" uses it (bad login attempts)
utmpdump /var/log/btmp
dumps it.
https://www.thegeekdiary.com/what-is-the-purpose-of-utmp-wtmp-and-btmp-files...
I have not found what creates and keeps them, and I have forgotten.
-- Cheers / Saludos,
Carlos E. R.
(from oS Leap 15.2 x86_64 (Minas Tirith))
On 30/07/2021 14.19, Andrei Borzenkov wrote:
On Fri, Jul 30, 2021 at 2:51 PM Carlos E. R. <> wrote:
On 30/07/2021 13.32, Andrei Borzenkov wrote:
On Fri, Jul 30, 2021 at 1:26 PM Carlos E. R. <robin.listas@telefonica.net> wrote:
Isengard:~ # chkstat --warn --system Checking permissions and ownerships - using the permissions files /etc/permissions /etc/permissions.easy /etc/permissions.d/postfix /etc/permissions.local /var/log/lastlog should be root:root 0644. (wrong owner/group root:utmp permissions 0664) /var/log/btmp should be root:utmp 0600. (wrong permissions 0660) Isengard:~ #
Which file contains lastlog and btmp? I do not see lastlog on my Leap 15.3
No, I'm using 15.2 (as signature says).
Isengard:~ # rpm -qf /var/log/lastlog /var/log/btmp aaa_base-84.87+git20180409.04c9dae-lp152.14.7.1.x86_64 file /var/log/btmp is not owned by any package Isengard:~ #
Isengard:~ # file /var/log/btmp /var/log/btmp: dBase III DBT, version number 0, next free block index 6 Isengard:~ #
that is not what I asked.
Then please explain, I don't understand what it is you want. -- Cheers / Saludos, Carlos E. R. (from oS Leap 15.2 x86_64 (Minas Tirith))
On Fri, Jul 30, 2021 at 3:52 PM Carlos E. R. <robin.listas@telefonica.net> wrote:
On 30/07/2021 14.19, Andrei Borzenkov wrote:
On Fri, Jul 30, 2021 at 2:51 PM Carlos E. R. <> wrote:
On 30/07/2021 13.32, Andrei Borzenkov wrote:
On Fri, Jul 30, 2021 at 1:26 PM Carlos E. R. <robin.listas@telefonica.net> wrote:
Isengard:~ # chkstat --warn --system Checking permissions and ownerships - using the permissions files /etc/permissions /etc/permissions.easy /etc/permissions.d/postfix /etc/permissions.local /var/log/lastlog should be root:root 0644. (wrong owner/group root:utmp permissions 0664) /var/log/btmp should be root:utmp 0600. (wrong permissions 0660) Isengard:~ #
Which file contains lastlog and btmp? I do not see lastlog on my Leap 15.3
No, I'm using 15.2 (as signature says).
Isengard:~ # rpm -qf /var/log/lastlog /var/log/btmp aaa_base-84.87+git20180409.04c9dae-lp152.14.7.1.x86_64 file /var/log/btmp is not owned by any package Isengard:~ #
Isengard:~ # file /var/log/btmp /var/log/btmp: dBase III DBT, version number 0, next free block index 6 Isengard:~ #
that is not what I asked.
Then please explain, I don't understand what it is you want.
I asked which /etc/permissions* file contains lastlog and btmp.
On 30/07/2021 15.01, Andrei Borzenkov wrote:
On Fri, Jul 30, 2021 at 3:52 PM Carlos E. R. <> wrote:
On 30/07/2021 14.19, Andrei Borzenkov wrote:
On Fri, Jul 30, 2021 at 2:51 PM Carlos E. R. <> wrote:
On 30/07/2021 13.32, Andrei Borzenkov wrote:
On Fri, Jul 30, 2021 at 1:26 PM Carlos E. R. <> wrote:
Isengard:~ # chkstat --warn --system Checking permissions and ownerships - using the permissions files /etc/permissions /etc/permissions.easy /etc/permissions.d/postfix /etc/permissions.local /var/log/lastlog should be root:root 0644. (wrong owner/group root:utmp permissions 0664) /var/log/btmp should be root:utmp 0600. (wrong permissions 0660) Isengard:~ #
Which file contains lastlog and btmp? I do not see lastlog on my Leap 15.3
No, I'm using 15.2 (as signature says).
Isengard:~ # rpm -qf /var/log/lastlog /var/log/btmp aaa_base-84.87+git20180409.04c9dae-lp152.14.7.1.x86_64 file /var/log/btmp is not owned by any package Isengard:~ #
Isengard:~ # file /var/log/btmp /var/log/btmp: dBase III DBT, version number 0, next free block index 6 Isengard:~ #
that is not what I asked.
Then please explain, I don't understand what it is you want.
I asked which /etc/permissions* file contains lastlog and btmp.
Ah. Isengard:~ # grep "lastlog\|btmp" /etc/permissions* /etc/permissions:/var/log/lastlog root:root 644 /etc/permissions:/var/log/btmp root:utmp 600 grep: /etc/permissions.d: Is a directory Isengard:~ # -- Cheers / Saludos, Carlos E. R. (from oS Leap 15.2 x86_64 (Minas Tirith))
On 30.07.2021 16:14, Carlos E. R. wrote:
Isengard:~ # grep "lastlog\|btmp" /etc/permissions* /etc/permissions:/var/log/lastlog root:root 644 /etc/permissions:/var/log/btmp root:utmp 600 grep: /etc/permissions.d: Is a directory Isengard:~ #
Well, this can be considered a bug, but as this is no more present in 15.3 I guess there is little point in reporting against 15.2 ...
On Fri, Jul 30, 2021 at 04:29:05PM +0300, Andrei Borzenkov wrote:
On 30.07.2021 16:14, Carlos E. R. wrote:
Isengard:~ # grep "lastlog\|btmp" /etc/permissions* /etc/permissions:/var/log/lastlog root:root 644 /etc/permissions:/var/log/btmp root:utmp 600 grep: /etc/permissions.d: Is a directory Isengard:~ #
Well, this can be considered a bug, but as this is no more present in 15.3 I guess there is little point in reporting against 15.2 ...
.. and maybe it has already been reported, but as Bug #1182899 is not public, I cannot check. Anyway, since the entries are gone in 15.3, they cannot have been too important, so my solution was to add /var/log/lastlog root:utmp 664 to permissions.local. A. -- Ansgar Esztermann Sysadmin Dep. Theoretical and Computational Biophysics http://www.mpibpc.mpg.de/grubmueller/esztermann
On 29.07.2021 17:27, Ansgar Esztermann-Kirchner wrote:
Hello List,
for quite some time, I've noticed that the permissions and group of /var/log/lastlog (and sometimes a few others, like [bw]tmp) differ from what chkstat expects. This is, of course, easily fixed with chmod and chown, but the old permissions tend to re-appear after zypper updates.
Which is the exact reason why chkstat exists in the first place. RPM package can only store one static value for any file attribute, but chkstat allows you to change file attributes based on chosen policy.
It's probably not really a problem, but does anyone know where the diffence comes from?
Thanks,
A.
On Fri, Jul 30, 2021 at 07:39:02AM +0300, Andrei Borzenkov wrote:
Which is the exact reason why chkstat exists in the first place. RPM package can only store one static value for any file attribute, but chkstat allows you to change file attributes based on chosen policy.
I see. I would expect default policy and (official) rpms to agree, though. I hadn't noticed before (since most of our machines are 15.2), but the conflicting entries seem to have disappeared from /etc/permissions* in Leap 15.3, possibly related to Bug #1182899 (not public). A. -- Ansgar Esztermann Sysadmin Dep. Theoretical and Computational Biophysics http://www.mpibpc.mpg.de/grubmueller/esztermann
participants (3)
-
Andrei Borzenkov -
Ansgar Esztermann-Kirchner -
Carlos E. R.