Bug#862485: fwsnort mustn't set iptables rules when purged
Control: severity -1 serious
On Sat, May 13, 2017 at 07:27:27PM +0200, Axel Beckert wrote:
> Control: tag -1 + moreinfo
> Control: severity -1 important
>
> Hi Adrian,
Hi Axel,
> Adrian Bunk wrote:
> > Severity: critical
>
> I think that's overly exaggerated.
>
> > Tags: security
>
> I also disagree with this tag.
Messing up the iptables setup at an unexpected time can have bad
consequences.
> > The #861999 fix adds the following on purging:
> > grep -v FWSNORT /var/lib/fwsnort/fwsnort.save | iptables-restore
>
> Yes. In postrm on purge.
>
> > Imagine the following:
> > 1. today I install fwsnort and try it
> > 2. later today I uninstall it
>
> You usually purge packages if you play with packages which make changes
> to your system.
>
> > This would in 2 years set the iptables rules to what they
> > were today before I shortly played with fwsnort.
>
> I consider this (i.e. just removing but not purging when wanting to
> get rid of a package and all its effects) to be the admin's fault, not
> the package's fault.
>
> > A case could be made for "fwsnort --ipt-flush" in prerm.
>
> This would be against the expectation of users that configurations,
> settings etc. are removed on purge and not on removal.
When you remove (not purge) a package containing a webserver, do you
expect that the webserver is stopped or do you expect that the webserver
is still running after removing the package?
> > Or considering that activating any fwsnort rules is not done
> > automatically and that the package should not interfere with
> > what the admin has done.
>
> I disagree. I expect a package to clean up its changes on purge which
> result from common usage. To be more specific: seeing 11'000
> iptables rules left on my system after purging fwsnort with no chance
> to remove them without reinstalling the package or removing 11'000
> rules by hand. Not cleaning up these rules is a bug. And cleaning up
> is a task for "purge", not for "remove".
"Remove an installed package. This removes everything except conffiles"
This is the dpkg (and similar in apt) description of what remove does.
A package that is removed but not purged is in the Config-Files state.
This means the old configuration is still present if the package gets
installed again.
Purging is supposed to remove the (at that point already unused)
configuration files of the package.
Purging is not supposed to do any reconfiguration of the system.
> Regards, Axel
cu
Adrian
--
"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
Pearl S. Buck - Dragon Seed
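The failure mode discussed in this thread (a purge-time `grep -v FWSNORT ... | iptables-restore` that replays a snapshot saved long ago, overwriting firewall rules the admin added in the meantime) can be reproduced on plain text without touching a live firewall. The following is an added example for illustration; it is not code from the bug report or from the fwsnort package. The two iptables-save dumps, the chain name `FWSNORT_INPUT`, and the function names are constructed assumptions; the only thing taken from the thread is the `grep -v FWSNORT` filter.

```shell
#!/bin/sh
# Added example (not from the bug thread or the fwsnort package): show why
# restoring a stale saved ruleset differs from filtering the current one.
# Both dumps below are constructed samples in iptables-save format.

# Constructed "live" ruleset as iptables-save would print it today.
# The admin added the SSH accept rule *after* fwsnort was first tried.
LIVE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:FWSNORT_INPUT - [0:0]
-A INPUT -j FWSNORT_INPUT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A FWSNORT_INPUT -p tcp -m string --string "evil" --algo bm -j DROP
COMMIT'

# Constructed snapshot saved when fwsnort was first enabled; it predates
# the SSH rule, so it does not contain it.
STALE_SNAPSHOT='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:FWSNORT_INPUT - [0:0]
-A INPUT -j FWSNORT_INPUT
-A FWSNORT_INPUT -p tcp -m string --string "evil" --algo bm -j DROP
COMMIT'

# strip_fwsnort: drop every line referencing FWSNORT from a dump on stdin.
# This is the text transformation from the thread, without the final
# pipe into iptables-restore.
strip_fwsnort() {
    grep -v FWSNORT
}

# Strategy under discussion: filter the *saved* snapshot. Anything the
# admin changed after the snapshot was taken is silently lost.
restore_from_snapshot() {
    printf '%s\n' "$STALE_SNAPSHOT" | strip_fwsnort
}

# Alternative: filter the *current* ruleset, so only fwsnort's own chain
# and jump disappear while later admin changes survive.
restore_from_live() {
    printf '%s\n' "$LIVE_RULES" | strip_fwsnort
}

# count_ssh_rules STRATEGY: how many rules in the result still open port 22.
# grep -c prints 0 and exits 1 on no match, hence the "|| true".
count_ssh_rules() {
    "$1" | grep -c -- '--dport 22' || true
}

# count_lines STRATEGY: total lines left in the resulting dump.
count_lines() {
    "$1" | wc -l | tr -d ' '
}
```

Running `count_ssh_rules restore_from_snapshot` yields 0 while `count_ssh_rules restore_from_live` yields 1: both strategies remove the FWSNORT lines, but only the snapshot-based one also discards the rule that was added later, which is the reconfiguration-at-an-unexpected-time concern raised above.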