
Re: [MoM] Packaging fis-get



On Sat, Jan 28, 2012 at 07:15:47PM -0500, Luis Ibanez wrote:
> My first naive attempt was to do:
> 
> TMPOSTINST="/tmp/fis-gtm-initial-postint"
> mkdir $TMPPOSTINST
> 
> but then during "debuild" I got this warning from lintian:
> 
> Now running lintian...
> W: fis-gtm-initial:
> possibly-insecure-handling-of-tmp-files-in-maintainer-script postinst:24
> Finished running lintian.

Lintian is correct here.
 
> Google search pointed to:
> http://lintian.debian.org/tags/possibly-insecure-handling-of-tmp-files-in-maintainer-script.html
> 
> that explains that I should have used "mktemp  --directory"
> 
> All that to say that:
> 
> MoM trainees can use a Wiki page of advice on
> best practices for managing temporary directories
> and files.     :-)
> 
> I checked now the policy document and the new
> developers guide, but didn't see instructions on
> this topic ( I may have missed it, though...
> my apologies if the instructions are already there.)

While I did not check, I think there is a reason for this "lack of
information".  My guess on this is that those people who were writing
the policy assumed that people who are working on Debian packages are
just aware of "usual security means".  You just should not use the root
account to create some temporary files / directories with predictable
names.  An attacker might try a race condition to change your files
which would end up installed on your machine.  If you are using
unpredictable names for the purpose an attacker does not have a chance
to do so and mktemp was invented exactly for this purpose.  That's not
specific to Debian but "basic security knowledge" (and I admit I also
learned it via Debian several years ago).

> It took me longer than I anticipated to get it to work.
> Changes have been committed to SVN.

It at least looked correct from the diff, however ...
 
> The process involved the following stages
> 
> a) create the temp directory
> b) expand the first tar.gz file that contains two
>     other tar.gz files
> c) then from these new two expand
>     the tar.gz corresponding to the architecture
> d) configure
> 
> 
> Before, the script was doing (a,b,d), but no (c).
> 
> I'm having trouble explaining how it worked before...    :-/
> 
> but... with the new version of the postinst script
> it is installing fine.
 
... I get some error:

1$ wajig install *.deb
(Reading database ... 344295 files and directories currently installed.)
Preparing to replace fis-gtm-initial 54002B-1 (using fis-gtm-initial_54002B-1_amd64.deb) ...
Unpacking replacement fis-gtm-initial ...
Setting up fis-gtm-initial (54002B-1) ...
Created temporary directory: 
/tmp/fis-gtm-initial.6h003VUy
Extracting last version from: 
/usr/lib/fis-gtm/distribution/gtm_V54002B_linux_x8664_pro-amd64.tar.gz
into: /tmp/fis-gtm-initial.6h003VUy
gtm_V54002B_linux_x8664_pro-amd64.tar.gz has been extracted
/var/lib/dpkg/info/fis-gtm-initial.postinst: 66: cd: can't cd to /tmp/fis-gtm-initial.6h003VUy/fis-gtm-initial
dpkg: error processing fis-gtm-initial (--install):
 subprocess installed post-installation script returned error exit status 2
Errors were encountered while processing:
 fis-gtm-initial


For today I'm too tired to check the problem, but maybe you are able to
verify this?

> First, we tried the command
> 
> $ /usr/lib/fis-gtm/54002B-initial/gtm
>
> ... Success-story stripped ...
> 
> $ /usr/lib/fis-gtm/54002B-initial/gtm
> 
> GTM>write $zversion
> GT.M V5.4-002B Linux x86
> GTM>halt
> 
> 
> So,
> it looks like the fis-gtm-initial package
> is close to done.

Great.

> Subject of course, to a more expert review
> by Bhaskar, on other details that I most
> certainly missed.
> 
> 
> Since this looks good so far,
> I'm now moving to make some progress
> in the fis-gtm package itself.
> 
> 
> Starting with fixing the version from 54002A
> to 54002B. I'm going back to your previous
> emails, where you provided instructions on
> how to do this.

Sounds good.  Just keep me updated about the success or failure in this.
Perhaps you might recheck your latest commit whether you can reproduce
my installation problem above - otherwise I'll check tomorrow.

Kind regards

        Andreas.


-- 
http://fam-tille.de
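The temp-directory handling discussed in this thread, as an added example that is not the fis-gtm postinst itself: a secure `mktemp -d` directory (in place of the fixed `/tmp/fis-gtm-initial-postint` name), nested tar.gz extraction, and a check for the directory that actually appeared rather than a blind `cd` into an assumed name. The archive layout (`outer.tar.gz`, `inner-<arch>.tar.gz`, `payload/`) is constructed here for illustration.

```shell
#!/bin/sh
# Added example, not the project's postinst. The insecure pattern from the
# thread is a fixed name such as /tmp/fis-gtm-initial-postint created by
# root: anyone who plants a symlink or directory there first wins the race.
set -eu

# Secure: mktemp picks an unpredictable name and creates it mode 0700,
# so nothing pre-planted under /tmp can be substituted for it.
secure_tmpdir() {
    mktemp -d "${TMPDIR:-/tmp}/fis-gtm-initial.XXXXXXXX"
}

# Build a constructed outer tarball holding one inner, arch-specific tarball
# whose top-level directory is "payload" (stands in for the GT.M tree).
make_sample_archive() {
    work=$(mktemp -d)
    mkdir -p "$work/payload"
    echo "GT.M sample" > "$work/payload/gtm"
    tar -czf "$work/inner-amd64.tar.gz" -C "$work" payload
    tar -czf "$work/outer.tar.gz" -C "$work" inner-amd64.tar.gz
    echo "$work/outer.tar.gz"
}

# Extract the outer archive, then the inner one for the given architecture,
# and print the name of the directory that really came out of it. The
# failing "cd: can't cd to .../fis-gtm-initial" in the thread is what
# happens when that name is assumed instead of checked.
extract_nested() {
    outer=$1; arch=$2
    tmp=$(secure_tmpdir)
    trap 'rm -rf "$tmp"' EXIT          # always clean up, even on failure
    tar -xzf "$outer" -C "$tmp"
    inner="$tmp/inner-$arch.tar.gz"
    [ -f "$inner" ] || { echo "no tarball for $arch in $outer" >&2; return 1; }
    tar -xzf "$inner" -C "$tmp"
    dir=$(find "$tmp" -mindepth 1 -maxdepth 1 -type d | head -n 1)
    [ -n "$dir" ] && [ -f "$dir/gtm" ] || { echo "unexpected layout" >&2; return 1; }
    basename "$dir"
}
```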
