Bug#1037203: aide release notes to work around #1037171
On Wed, Jun 07, 2023 at 08:01:23PM +0100, Justin B Rye wrote:
> Marc Haber wrote:
> > I am really sorry for this. #1037171 is an embarrassing one, sadly too
> > late for the release, but I'll try to do a fix via spu.
>
> I gather from the version data that when the bug submitter says buster
> that's a typo for bookworm?
Yes. It is.
> > Suggested wording for something along chapter 5.4:
>
> It'll also need a section title and a summary of what the bug actually
> is, which isn't completely clear to me. Does the bug mean that
> bullseye systems where aide was already working will break on
> dist-upgrade to bookworm, or is it only a bug for systems where aide
> is installed subsequently?
Sadly, aide will be broken after upgrades. bookworm's aide is the first
version that doesn't run as root and thus needs the account.
> I'm guessing:
>
> <section id="aide-user-creation-bug">
> <title>Bug in <literal>aide</literal> user creation</title>
> <para>
> The version of <systemitem role="package">aide</systemitem> in the
> initial 12.0 release of bookworm has a bug
> (<ulink url="https://bugs.debian.org/1037171">#1037171</ulink>) in
> its package scripts which results in the <literal>_aide</literal>
> user not being created, preventing <command>aideinit</command>
> from creating a new database.
> </para>
Yes. It prevents the package from working at all on systemd systems at
least.
> > Before upgrading your aide packages, create
>
> So this needs to be done before the dist-upgrade?
It is the cleanest way, yes. Or the local admin can reinstall aide after
creating the account.
> > /usr/lib/sysusers.d/aide-common.conf with the following contents:
>
> Isn't this the sort of thing that's usually overridable via files with
> names like /etc/sysusers.d/aide-common.conf? I'll assume for now that
> this needs to live in /usr/lib (because we *want* it trampled when the
> point release version installs its own copy).
Yes. That's the idea.
> > #Type Name ID GECOS Home directory Shell↲
> > u _aide - "Advanced Intrusion Detection Environment" /var/lib/aide /usr/sbin/nologin↲
>
> (I'm assuming "↲" just means "newline"...)
Yes, sorry, that's a cut and paste error.
>
> > and call systemd-sysusers to work around Bug #1037171.
>
> (...and that this is a plain root-privileged invocation of bullseye
> "systemd-sysusers". So:)
>
> <para>
> The bug can be avoided by creating the user before the dist-upgrade.
> Create a file <filename>/usr/lib/sysusers.d/aide-common.conf</filename>
> containing:
> <screen>
> #Type Name ID GECOS Home directory Shell
> u _aide - "Advanced Intrusion Detection Environment" /var/lib/aide /usr/sbin/nologin
> </screen>
> and then run <command>systemd-sysusers</command>.
> </para>
> </section>
Yes, that's it.
Thanks for helping.
Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mail address in header
Leimen, Germany | lose things." Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature | How to make an American Quilt | Fax: *49 6224 1600421
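
The workaround agreed in this message (create the sysusers.d drop-in, run systemd-sysusers), written out as an added example that is not part of the original thread or of the aide packaging. The function names and the optional root-prefix argument for dry runs against a scratch directory are assumptions of this example.

```shell
#!/bin/sh
# Added example: apply and verify the _aide account workaround for #1037171.
# The optional root-prefix argument is this example's own, for dry runs.
CONF_REL="usr/lib/sysusers.d/aide-common.conf"

# Print the sysusers.d entry exactly as given in the thread.
aide_sysusers_entry() {
    printf '%s\n' \
        '#Type Name ID GECOS Home directory Shell' \
        'u _aide - "Advanced Intrusion Detection Environment" /var/lib/aide /usr/sbin/nologin'
}

# Succeed if etc/passwd under prefix $1 (default: /) has a _aide entry.
aide_user_exists() {
    grep -q '^_aide:' "${1:-}/etc/passwd" 2>/dev/null
}

# Write the drop-in under prefix $1; leave an identical file untouched.
write_aide_conf() {
    conf="${1:-}/$CONF_REL"
    if [ -f "$conf" ] && aide_sysusers_entry | cmp -s - "$conf"; then
        return 0
    fi
    mkdir -p "$(dirname "$conf")" && aide_sysusers_entry > "$conf" &&
        chmod 0644 "$conf"
}

# Whole procedure: skip if the account exists, otherwise create the
# drop-in, run systemd-sysusers, and confirm the account appeared.
apply_workaround() {
    root="${1:-}"
    if aide_user_exists "$root"; then
        echo "_aide already present, nothing to do"
        return 0
    fi
    write_aide_conf "$root" || return 1
    if [ -n "$root" ]; then
        systemd-sysusers --root="$root" || return 1
    else
        systemd-sysusers || return 1
    fi
    aide_user_exists "$root" || { echo "_aide still missing" >&2; return 1; }
}

# Run as root before the dist-upgrade: sh this-script --apply
case "${1:-}" in --apply) apply_workaround ;; esac
```

The final check matters because the account has to exist before the bookworm aide package is installed; if it reports the account still missing, the drop-in was not picked up.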