
Re: Pass argument from Pre-Install-Pkgs to Post-Invoke



On Sunday, 15 February 2009 at 21:15 +0000, Jörg Sommer wrote:
> Hi Julien,

Hi Jörg,

> Julien Valroff <julien@kirya.net> wrote:
> > The aim is to only update file properties of the changed packages.
> >
> > To achieve this goal, I need to get the list of changed packages, which
> > I do in a script invoked through Pre-Install-Pkgs.
> >
> > The file properties can however only be updated once the packages are
> > installed, hence I need to run rkhunter --propupd on Post-Invoke.
> >
> > How could I pass the list of changed packages between my both scripts?
> > For now, I use a temporary file (I cannot even use a random name). Is it
> > the right way? Could this have any security issues?
> 
> I think this idea is fine. I don't have any other idea. As long as you
> save only the names of the packages in the file, you shouldn't open any
> security holes. Where do you save the file? In /var/lib/rkhunter?

Yes, in /var/lib/rkhunter/tmp

I only save the name of the changed packages.

> > As a (better) alternative, is there a way to get the list of changed
> > packages in Post-Invoke?
> 
> You can search in dpkg's logfile /var/log/dpkg.log, but apt doesn't tell
> you this in the post-invoke hook.

I have thought of this, but the issue is to be sure to get the list of
changed packages for each time apt is run, and I think time is not
precise enough (should I consider parsing dpkg.log and take the entries
of the last 10 minutes? What if the machine is very slow or if apt is
called twice in this time frame?)

In the meantime, I came across two other issues that prevent me from
reaching my goal:

* rkhunter --propupd <file> feature will only work if the file is
already registered in the file properties database. This means that if a
package is installed, full db update should be run (or data added by an
external script which I am reluctant to do for security and maintenance
reasons). I will discuss with upstream to check what can be done in
rkhunter to fix this.

* I have no idea how to deal with watched files which are in the
alternatives system. For now, I am able to compare the upgraded .deb
contents and compare with a static list of watched files. Alternative
files being symlinks, the post invoke script cannot detect them and will
hence fail to update the file properties database.
This is for example the case of unhide.

For the last point, I fear there is unfortunately a good solution at the moment.

Cheers,
Julien

-- 
Member of April - « promote and defend free software » -
http://www.april.org

Join now nearly 4,000 people, associations, companies and local
authorities who support our action
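As an added example, not code from the thread: a POSIX sh sketch of the hand-off Julien describes, where the Pre-Install-Pkgs hook records the names of the changed packages in /var/lib/rkhunter/tmp and the Post-Invoke hook consumes that list once. It assumes the default version-1 hook protocol (one .deb path per line on stdin) and archive names of the form name_version_arch.deb; the package name is taken from the file name rather than via dpkg-deb so the functions run offline, and STATE_DIR is an assumed override for testing.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed: state dir from the thread,
# overridable through the environment for testing.
STATE_DIR="${STATE_DIR:-/var/lib/rkhunter/tmp}"
LIST="$STATE_DIR/changed-packages"

# Derive the package name from an archive file name (name_version_arch.deb).
# Fails, printing nothing, unless the name follows dpkg's package-name rules:
# starts with a lowercase letter or digit, then only [a-z0-9+.-]. Only such
# names ever reach the list file, so nothing else is later fed to --propupd.
pkg_name_from_deb() {
    base=$(basename "$1" .deb)
    name=${base%%_*}
    case "$name" in
        ""|*[!a-z0-9+.-]*) return 1 ;;
        [a-z0-9]*) printf '%s\n' "$name" ;;
        *) return 1 ;;
    esac
}

# Pre-Install-Pkgs side: read .deb paths from stdin, keep validated names,
# and publish the list atomically (private temp file, then mv) so a
# Post-Invoke run never sees a half-written file.
write_changed_list() {
    umask 077
    tmp=$(mktemp "$STATE_DIR/.changed.XXXXXX") || return 1
    while IFS= read -r deb; do
        pkg_name_from_deb "$deb" >>"$tmp" ||
            printf 'skipping unexpected entry: %s\n' "$deb" >&2
    done
    sort -u -o "$tmp" "$tmp" && mv "$tmp" "$LIST"
}

# Post-Invoke side: print the recorded names (the real hook would pass each
# one to rkhunter --propupd), then delete the list so a later apt run that
# installs nothing cannot act on a stale list.
read_changed_list() {
    [ -f "$LIST" ] || return 0
    cat "$LIST"
    rm -f "$LIST"
}
```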

