packages that disagree on file/directory ownership/permissions
Hi,
there are several packages that don't "agree" on the
ownership/permissions of some files or directories. Usually one package
(e.g. foo-common) ships some files and/or directories while another
(e.g. foo-bar with Depends: foo-common) ships an overlapping directory
tree and has a postinst script that runs chown/chmod.
Possible problems that could arise out of this:
* foo-common and foo-bar have disagreeing chown/chmod commands in their postinst
* foo-common gets updated and permissions/ownership might get (partially) reset, breaking foo-bar or opening a security hole
* foo-common's maintainer scripts (run as root) have to be more careful when handling files/directories that are writable by less privileged users
What's the best way to handle these things properly?
IMO it would be best if some "common" package would do the initial
setup, create the user if needed and fix permissions and ownership,
while all other packages "sharing" this tree would depend on the
"common" package
A few examples from piuparts --install-purge-install which does
install dependencies($PKG)
snapshot $CHROOT
install $PKG
purge $PKG
verify snapshot
opennebula_3.4.1-3.1
0m29.4s DEBUG: Modified(uid, gid, mode, size, target): /var/lib/one/.one/ (101, 0, d 40700, 40, None) != (101, 103, d 40700, 60, None)
0m30.0s ERROR: FAIL: After purging files have been modified:
/var/lib/one/.one/ owned by: opennebula
# looks like some dependency already does mkdir /var/lib/one && chown
cups-pdf_2.6.1-7
0m43.9s DEBUG: Modified(uid, gid, mode, size, target): /var/log/cups/ (0, 0, d 40755, 40, None) != (0, 102, d 40755, 40, None)
0m44.2s ERROR: FAIL: After purging files have been modified:
/var/log/cups/ owned by: cups-pdf, cups
# hmm, chgrp lpadmin but not chmod g+w - that looks useless
xymon_4.3.0~beta2.dfsg-9.1
0m26.7s DEBUG: Modified(uid, gid, mode, size, target): /var/lib/hobbit/ (0, 0, d 40755, 60, None) != (101, 102, d 40755, 60, None)
0m27.1s ERROR: FAIL: After purging files have been modified:
/var/lib/hobbit/ owned by: xymon, xymon-client
solr-tomcat_3.6.0+dfsg-1
0m25.5s DEBUG: Modified(uid, gid, mode, size, target): /var/lib/solr/data/ (0, 0, d 40755, 40, None) != (101, 102, d 40770, 40, None)
0m25.9s ERROR: FAIL: After purging files have been modified:
/var/lib/solr/data/ owned by: solr-common
snort_2.9.2.2-3
0m14.6s DEBUG: Modified(uid, gid, mode, size, target): /etc/snort/snort.conf (0, 0, - 100644, 26450, None) != (0, 103, - 100640, 26450, None)
0m14.9s ERROR: FAIL: After purging files have been modified:
/etc/snort/snort.conf owned by: snort-common
snmpd_5.4.3~dfsg-2.5
0m22.9s DEBUG: Modified(uid, gid, mode, size, target): /var/lib/snmp/ (0, 0, d 40755, 40, None) != (101, 102, d 40755, 40, None)
0m23.3s ERROR: FAIL: After purging files have been modified:
/var/lib/snmp/ owned by: libsnmp15, libsnmp-base
quantum-server_2012.1-6
0m25.8s DEBUG: Modified(uid, gid, mode, size, target): /etc/quantum/plugins/ (0, 0, d 40755, 60, None) != (101, 102, d 40755, 60, None)
0m25.8s DEBUG: Modified(uid, gid, mode, size, target): /etc/quantum/ (0, 0, d 40755, 60, None) != (101, 102, d 40700, 60, None)
0m25.8s DEBUG: Modified(uid, gid, mode, size, target): /etc/quantum/plugins/openvswitch/ovs_quantum_plugin.ini (0, 0, - 100644, 2191, None) != (101, 102, - 100644, 2191, None)
0m25.8s DEBUG: Modified(uid, gid, mode, size, target): /etc/quantum/plugins/openvswitch/ (0, 0, d 40755, 60, None) != (101, 102, d 40755, 60, None)
0m26.2s ERROR: FAIL: After purging files have been modified:
/etc/quantum/ owned by: quantum-server, quantum-plugin-openvswitch
/etc/quantum/plugins/ owned by: quantum-plugin-openvswitch
/etc/quantum/plugins/openvswitch/ owned by: quantum-plugin-openvswitch
/etc/quantum/plugins/openvswitch/ovs_quantum_plugin.ini owned by: quantum-plugin-openvswitch
firebird2.5-classic_2.5.2~svn+54698.ds4-1
0m17.1s DEBUG: Modified(uid, gid, mode, size, target): /var/lib/firebird/2.5/backup/no_empty (0, 0, - 100644, 0, None) != (101, 102, - 100660, 0, None)
0m17.1s DEBUG: Modified(uid, gid, mode, size, target): /var/lib/firebird/2.5/data/ (0, 0, d 40755, 60, None) != (101, 102, d 40770, 60, None)
0m17.1s DEBUG: Modified(uid, gid, mode, size, target): /var/lib/firebird/2.5/backup/ (0, 0, d 40755, 60, None) != (101, 102, d 40770, 60, None)
0m17.1s DEBUG: Modified(uid, gid, mode, size, target): /var/lib/firebird/2.5/data/no_empty (0, 0, - 100644, 0, None) != (101, 102, - 100660, 0, None)
0m17.1s DEBUG: Modified(uid, gid, mode, size, target): /var/lib/firebird/2.5/system/help.fdb (0, 0, - 100644, 819200, None) != (101, 102, - 100660, 819200, None)
0m17.1s DEBUG: Modified(uid, gid, mode, size, target): /var/lib/firebird/2.5/system/ (0, 0, d 40755, 80, None) != (101, 102, d 40770, 100, None)
0m17.1s DEBUG: Modified(uid, gid, mode, size, target): /var/lib/firebird/2.5/ (0, 0, d 40755, 120, None) != (101, 102, d 40770, 120, None)
0m17.1s DEBUG: Modified(uid, gid, mode, size, target): /var/lib/firebird/2.5/system/default-security2.fdb (0, 0, - 100644, 729088, None) != (101, 102, - 100660, 729088, None)
0m17.3s ERROR: FAIL: After purging files have been modified:
/var/lib/firebird/2.5/ owned by: firebird2.5-server-common
/var/lib/firebird/2.5/backup/ owned by: firebird2.5-server-common
/var/lib/firebird/2.5/backup/no_empty owned by: firebird2.5-server-common
/var/lib/firebird/2.5/data/ owned by: firebird2.5-server-common
/var/lib/firebird/2.5/data/no_empty owned by: firebird2.5-server-common
/var/lib/firebird/2.5/system/ owned by: firebird2.5-server-common
/var/lib/firebird/2.5/system/default-security2.fdb owned by: firebird2.5-server-common
/var/lib/firebird/2.5/system/help.fdb owned by: firebird2.5-server-common
spam_3.10.2+dfsg-2
0m14.3s DEBUG: Modified(uid, gid, mode, size, target): /var/spool/dspam/ (0, 0, d 40755, 40, None) != (101, 102, d 40770, 40, None)
0m14.6s ERROR: FAIL: After purging files have been modified:
/var/spool/dspam/ owned by: dspam, libdspam7:amd64
heartbeat_1:3.0.5-3
0m29.7s DEBUG: Modified(uid, gid, mode, size, target): /var/lib/heartbeat/cores/hacluster/ (0, 0, d 40755, 40, None) != (101, 0, d 40700, 40, None)
0m29.7s DEBUG: Modified(uid, gid, mode, size, target): /var/lib/heartbeat/cores/nobody/ (0, 0, d 40755, 40, None) != (65534, 0, d 40700, 40, None)
0m29.7s DEBUG: Modified(uid, gid, mode, size, target): /var/lib/heartbeat/cores/root/ (0, 0, d 40755, 40, None) != (0, 0, d 40700, 40, None)
0m30.3s ERROR: FAIL: After purging files have been modified:
/var/lib/heartbeat/cores/hacluster/ owned by: heartbeat, cluster-glue
/var/lib/heartbeat/cores/nobody/ owned by: heartbeat, cluster-glue
/var/lib/heartbeat/cores/root/ owned by: heartbeat, cluster-glue
asterisk_1:1.8.13.1~dfsg-1
0m15.3s DEBUG: Modified(uid, gid, mode, size, target): /etc/asterisk/logger.conf (0, 0, - 100640, 4294, None) != (101, 102, - 100640, 4294, None)
0m15.3s DEBUG: Modified(uid, gid, mode, size, target): /etc/asterisk/telcordia-1.adsi (0, 0, - 100640, 1384, None) != (101, 102, - 100640, 1384, None)
0m15.3s DEBUG: Modified(uid, gid, mode, size, target): /etc/asterisk/indications.conf (0, 0, - 100640, 24955, None) != (101, 102, - 100640, 24955, None)
0m15.3s DEBUG: Modified(uid, gid, mode, size, target): /etc/asterisk/queuerules.conf (0, 0, - 100640, 1440, None) != (101, 102, - 100640, 1440, None)
0m15.3s DEBUG: Modified(uid, gid, mode, size, target): /etc/asterisk/amd.conf (0, 0, - 100640, 767, None) != (101, 102, - 100640, 767, None)
0m15.3s DEBUG: Modified(uid, gid, mode, size, target): /etc/asterisk/chan_dahdi.conf (0, 0, - 100640, 56496, None) != (101, 102, - 100640, 56496, None)
[...]
0m15.6s ERROR: FAIL: After purging files have been modified:
/etc/asterisk/ owned by: asterisk, asterisk-config
/etc/asterisk/adsi.conf owned by: asterisk-config
/etc/asterisk/agents.conf owned by: asterisk-config
/etc/asterisk/ais.conf owned by: asterisk-config
/etc/asterisk/alarmreceiver.conf owned by: asterisk-config
/etc/asterisk/alsa.conf owned by: asterisk-config
[...]
Andreas
Reply to: