
Bug#365892: marked as done (dcc-client: dccproc can't open /var/lib/dcc/map)



Your message dated Tue, 26 Sep 2006 09:32:06 -0700
with message-id <E1GSFqo-0007lH-1H@spohr.debian.org>
and subject line Bug#365892: fixed in dcc 1.3.42-2
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: dcc-client
Version: 1.2.74-2
Severity: normal


dccproc, called from spamassassin, does not seem to be able to open the
/var/lib/dcc/map file, even though dccproc is suid root. Here is a
strace ...

   % strace -f spamassassin -t < /tmp/spamex5 | & grep -i dcc 

   read(8, ärm/) {\n      dbg (\"DCCifd check"..., 4096) = 4096
   read(8, "{body} of $self->{conf}->{dcc_bo"..., 4096) = 4096
   stat("/usr/local/bin/dccproc", 0x503140) = -1 ENOENT (No such file or directory)
   stat("/bin/dccproc", 0x503140)          = -1 ENOENT (No such file or directory)
   stat("/usr/bin/dccproc", {st_mode=S_IFREG|S_ISUID|0755, st_size=530728, ...}) = 0
   stat("/usr/bin/dccproc", {st_mode=S_IFREG|S_ISUID|0755, st_size=530728, ...}) = 0
   stat("/usr/bin/dccproc", {st_mode=S_IFREG|S_ISUID|0755, st_size=530728, ...}) = 0
   [pid 24999] execve("/usr/bin/dccproc", ["/usr/bin/dccproc", "-H", "-R"], [/* 54 vars */]) = 0
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
   [pid 24999] chdir("/var/lib/dcc")       = 0
   [pid 24999] open("/var/lib/dcc/map", O_RDWR) = -1 EACCES (Permission denied)
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
   [pid 24999] write(2, "open(/var/lib/dcc/map): Permissi"..., 41 <unfinished ...>
   [pid 24969] <... read resumed> "open(/var/lib/dcc/map): Permissi"..., 4096) = 41
   [pid 24999] sendto(3, "<19>May  3 12:24:51 dccproc[2499"..., 77, 0, NULL, 0) = 77

You can see that process 24999 turns itself into dccproc and then fails
to access the map file. Here are the relevant permissions:

   -rwsr-xr-x  1 root root 530728 Apr  6  2005 /usr/bin/dccproc
   drwxr-xr-x  2 dcc dcc 1024 May  2 15:07 /var/lib/dcc
   -rw-rw----  1 dcc dcc 4792 May  2 15:07 /var/lib/dcc/map

I would guess that execve in this libc loses suid perms? Or maybe a
second exec does. A solution might be to add myself to the dcc group
(I already made the map writable by dcc) .... yes, confirmed:

     [pid 25771] chdir("/var/lib/dcc")       = 0
     [pid 25771] open("/var/lib/dcc/map", O_RDWR) = 3
     [pid 25771] write(2, "/var/lib/dcc/map is not private", 31 <unfinished ...>
     [pid 25748] <... read resumed> "/var/lib/dcc/map is not private", 4096) = 31

however, that leads to a second complaint! Well, its test is wrong
anyway. It shouldn't be testing for access by non-owner, but access by
non-group.


-- System Information:
Debian Release: 3.1
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.15.5
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968) (ignored: LC_ALL set to C)

Versions of packages dcc-client depends on:
ii  dcc-common                  1.2.74-2     Distributed Checksum Clearinghouse
ii  libc6                       2.3.2.ds1-22 GNU C Library: Shared libraries an

-- no debconf information

Peter


--- End Message ---
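
The two strace results in the report above, modelled as an added example (not code from dcc or from the reporter): classic Unix permission bits applied to the listed `dcc:dcc` mode `0660` map file, first for a caller outside the `dcc` group, then for one inside it. The numeric IDs and the `is_private` definition are assumptions; the latter follows the reporter's description of a check for access by anyone other than the owner.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Constructed numeric IDs: the report shows names (root, dcc), not numbers. */
enum { UID_ROOT = 0, ID_DCC = 105, ID_USER = 1000 };

/* Who is asking: effective uid plus every group the process belongs to. */
struct cred { uid_t euid; const gid_t *groups; size_t ngroups; };

static bool in_group(const struct cred *c, gid_t gid) {
    for (size_t i = 0; i < c->ngroups; i++)
        if (c->groups[i] == gid) return true;
    return false;
}

/* Classic Unix DAC consults exactly one class: owner, else group, else other.
 * Returns that class's rwx bits shifted into the low three bits. */
static mode_t class_bits(const struct cred *c, uid_t fuid, gid_t fgid, mode_t mode) {
    if (c->euid == fuid) return (mode >> 6) & 7;
    if (in_group(c, fgid)) return (mode >> 3) & 7;
    return mode & 7;
}

/* Would open(path, O_RDWR) pass the mode-bit check? Effective uid 0 skips it
 * (assumes CAP_DAC_OVERRIDE is held, a local filesystem, no ACL or LSM). */
bool may_open_rdwr(const struct cred *c, uid_t fuid, gid_t fgid, mode_t mode) {
    if (c->euid == (uid_t)UID_ROOT) return true;
    return (class_bits(c, fuid, fgid, mode) & 6) == 6;
}

/* Assumed definition of "private": no permission bit for group or other. */
bool is_private(mode_t mode) {
    return (mode & (S_IRWXG | S_IRWXO)) == 0;
}

int main(void) {
    gid_t own[] = { ID_USER }, with_dcc[] = { ID_USER, ID_DCC };
    struct cred before = { ID_USER, own, 1 }, after = { ID_USER, with_dcc, 2 };
    printf("outside dcc group: open %s\n",
           may_open_rdwr(&before, ID_DCC, ID_DCC, 0660) ? "ok" : "EACCES");
    printf("inside dcc group:  open %s, private=%d\n",
           may_open_rdwr(&after, ID_DCC, ID_DCC, 0660) ? "ok" : "EACCES", is_private(0660));
    return 0;
}
```

Under this model the group bits that let the second open succeed are the same bits that make a mode `0660` file fail the privacy test, while mode `0600` would pass it.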
--- Begin Message ---
Source: dcc
Source-Version: 1.3.42-2

We believe that the bug you reported is fixed in the latest version of
dcc, which is due to be installed in the Debian FTP archive:

dcc-common_1.3.42-2_amd64.deb
  to pool/main/d/dcc/dcc-common_1.3.42-2_amd64.deb
dcc-milter_1.3.42-2_amd64.deb
  to pool/main/d/dcc/dcc-milter_1.3.42-2_amd64.deb
dcc-server_1.3.42-2_amd64.deb
  to pool/main/d/dcc/dcc-server_1.3.42-2_amd64.deb
dcc_1.3.42-2.diff.gz
  to pool/main/d/dcc/dcc_1.3.42-2.diff.gz
dcc_1.3.42-2.dsc
  to pool/main/d/dcc/dcc_1.3.42-2.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 365892@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Pierre Habouzit <madcoder@debian.org> (supplier of updated dcc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 26 Sep 2006 18:14:20 +0200
Source: dcc
Binary: dcc-milter dcc-common dcc-server
Architecture: source amd64
Version: 1.3.42-2
Distribution: unstable
Urgency: low
Maintainer: Pierre Habouzit <madcoder@debian.org>
Changed-By: Pierre Habouzit <madcoder@debian.org>
Description: 
 dcc-common - Distributed Checksum Clearinghouse - common files
 dcc-milter - Distributed Checksum Clearinghouse - sendmail milter plugin
 dcc-server - Distributed Checksum Clearinghouse - main programs
Closes: 320943 353446 365892
Changes: 
 dcc (1.3.42-2) unstable; urgency=low
 .
   * Drop dcc-client, merge it into dcc-server (see NEWS.Debian).
 .
   * debian/dcc-common.preinst:
     + remove legacy upgrades (from woody ?).
     + rename /etc/default/dcc-server into /etc/default/dcc-common
 .
   * Simplify postinst scripts:
     + avoid conditional chowns/chmods where we can force them.
     + move /var/{run,log}/dcc existence into the package, just chown them.
     + use a more robust way to generate random strings, involving /dev/urandom
       rather than ps.
 .
   * Update /etc/default/dcc-common from upstream one.
 .
   * Update debian example whitelist.
 .
   * Simplify update-dccmaps.
 .
   * Remove DH_VERBOSE set to 1, which renders the output unreadable, for
     little important information anyway.
 .
   * fix dblist.8 man page (add the missing 8 section in .Dt)
 .
   * Init scripts:
     + install upstream start-* and stop-dccd into /usr/lib/dcc.
     + completely rework init scripts to use upstream ways to start daemons. It
       does not ignore the configuration anymore.
 .
   * This upload fixes numerous packaging problems including:
     + daemons are not enabled by default, one needs to explicitly activate
       them in /etc/dcc/dcc_conf (Closes: 320943).
     + permissions were not always enforced on /var/lib/dcc/map in the postinst
       (Closes: 365892).
     + Using upstream scripts makes us read dcc_conf for dccifd as well
       (Closes: 353446).
Files: 
 92f8821582c01f8c2ce84007fdc8f6db 612 mail extra dcc_1.3.42-2.dsc
 724dfc2ec5a59d607929056dbc62c908 15065 mail extra dcc_1.3.42-2.diff.gz
 e1b3673551774459597abed0e118d164 234504 mail extra dcc-common_1.3.42-2_amd64.deb
 8604db4decad674b885e20d1b1853606 242598 mail extra dcc-milter_1.3.42-2_amd64.deb
 ffc21696ad64dd2dbccfa0ac0c28636d 719234 mail extra dcc-server_1.3.42-2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFGVJrvGr7W6HudhwRAjmaAJ0cE13iBr7yt3/F+YunwFjfw9uZCQCfYgJ+
mzetVA8k+fT8wLvs+dnfJtk=
=068d
-----END PGP SIGNATURE-----


--- End Message ---
