On Thu, Aug 23, 2012 at 10:39:48 +0200, Michael Hanke wrote:
> Dear release team,
>
> I have uploaded an updated 'condor' package to experimental. It fixes
> all remaining (user-relevant) annoyances of the current version in
> testing. The fixes are only a few lines per bug, and they are only
> changes in the packaging itself. The full diff to the version in testing
> is attached. Here are the stats (most lines are comments/docs):
>
> debian/changelog | 18 ++++++++++++++++++
> debian/condor.links | 1 -
> debian/condor.postinst | 24 ++++++++++++++++++++----
> debian/condor_qsub | 3 +--
>
> Bugs fixed are: #684667, #684879, and #678425 (none of them RC).
>
> Would you allow for a freeze exception of an upload to unstable with these
> changes (or any subset you would name)?
>
> Thanks in advance,
>
> Michael
>
>
> --
> Michael Hanke
> http://mih.voxindeserto.de
> diff --git a/debian/changelog b/debian/changelog
> index 052d595..7d82e0b 100644
> --- a/debian/changelog
> +++ b/debian/changelog
> @@ -1,3 +1,21 @@
> +condor (7.8.2~dfsg.1-2) experimental; urgency=low
> +
> + * Make postinst script more robust against missing config variables (Closes:
> + #684667). Patch is courtesy of Tim Cartwright.
> + * Disable Condor's file transfer mechanism for jobs submitted via
> + condor_qsub, because a shared filesystem is assumed for these jobs
> + (Closes: #684879).
> + * This time really remove dangling symlink /usr/sbin/condor -> ../bin/condor.
> + This file no longer exists (Closes: #678425).
> + * Support deployment scenario where the administrative 'condor' user is not
> + a local system user, but is shared (e.g. through LDAP) by all machines in a
> + Condor pool (see installation manual section 3.2). The condor package will
> + accept to run under an existing non-system user account named 'condor',
> + but only when that account is locked, i.e. not login is possible
> + (Closes: #684463).
> +
> + -- Michael Hanke <mih@debian.org> Sun, 12 Aug 2012 19:20:35 +0200
> +
> condor (7.8.2~dfsg.1-1) unstable; urgency=high
>
> * Upstream security release. Prevent an attacker who is manipulating
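Review bot: the fourth changelog entry claims `(Closes: #684463)` for the shared-'condor'-user support, but the cover mail lists only #684667, #684879 and #678425 as the bugs fixed and says the changes are "only a few lines per bug"; either that fourth change belongs in the freeze-exception request explicitly or the changelog should not close it. In the same entry, "accept to run under" should read "run under", and "not login is possible" should be "no login is possible".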
> diff --git a/debian/condor.links b/debian/condor.links
> deleted file mode 100644
> index 50536d1..0000000
> --- a/debian/condor.links
> +++ /dev/null
> @@ -1 +0,0 @@
> -/usr/bin/condor /usr/sbin/condor
> diff --git a/debian/condor.postinst b/debian/condor.postinst
> index 04e4584..0cc4487 100755
> --- a/debian/condor.postinst
> +++ b/debian/condor.postinst
> @@ -18,8 +18,7 @@ condor_debconf_cfg=/etc/condor/config.d/00debconf
>
> condor_make_homedir() {
> for dlabel in LOCAL_UNIV_EXECUTE CRED_STORE_DIR EXECUTE LOCK LOG SPOOL; do
> - dname=$(condor_config_val $dlabel)
> - if [ $? -eq 0 ]; then
> + if dname=$(condor_config_val $dlabel 2>/dev/null); then
> mkdir -p $dname
> chown -R $condor_user: $dname
> else
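Review bot: `$dname` is unquoted in `mkdir -p $dname` and `chown -R $condor_user: $dname`, so a configured path containing spaces or glob characters is split into several arguments, and an empty-but-successful result from `condor_config_val` takes the success branch and then fails inside `mkdir -p`. Suggest `if dname=$(condor_config_val "$dlabel" 2>/dev/null) && [ -n "$dname" ]; then` with `mkdir -p "$dname"` and `chown -R "$condor_user": "$dname"`. Since `2>/dev/null` now hides the tool's own error, the `else` branch (not shown in the hunk) should name `$dlabel` so an administrator can tell which directory was skipped.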
> @@ -165,8 +164,25 @@ case "$1" in
> configure)
> # according to http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=621833#119
> # this should always work
> - adduser --system --group --gecos "$condor_gecos" --home $condor_home \
> - --disabled-password --disabled-login $condor_user --quiet
> + if ! adduser --system --group --gecos "$condor_gecos" --home $condor_home \
> + --disabled-password --disabled-login $condor_user --quiet 2>/dev/null; then
> + # the only time where it would fail, is when there is an existing
> + # non-system 'condor' user. This could happen e.g. in a heterogenous
> + # Condor pool (various OSes) where the adminstrative Condor user
> + # comes from LDAP and the home dir is shared across machines. This
> + # is a supported deployment scenario for Condor (see installation
> + # manual section 3.2)
> + # the only problem is the possibility to conflict with an actual
> + # "human" user with the same name, so only proceed when the
> + # respective user is locked down
> + SH=$(getent passwd | egrep '^condor:'| cut -d : -f 7)
> + if [ "$SH" = "/bin/false" -o "$SH" = "/usr/sbin/nologin" ]; then
> + echo "WARNING: Condor will be running under an existing non-system user account 'condor'."
> + else
> + echo "ERROR: Condor cannot run under unlocked non-system account 'condor'" 1>&2
> + exit 1
> + fi
> + fi
I'm not too happy about the above. You probably want 'getent passwd
condor', not 'getent passwd | grep condor'. Also, the login shell is
not the only way to lock an account.
> # make sure the config and home dir are complete
> condor_local_cfg_template
> condor_put_debconf_cfg
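Review bot: the `2>/dev/null` on `adduser` throws away the reason for a failure, so any failure other than "user already exists" (for example not being able to create `$condor_home`) is misreported as the unlocked-account case and exits with the wrong message; look up the account first with `getent passwd "$condor_user"` (Julien's point) and only call `adduser`, with stderr intact, when it is absent. The lock test also hard-codes the literal `'^condor:'` instead of using `$condor_user`, and `[ ... -o ... ]` is the obsolescent form; a `case "$SH" in /bin/false|/usr/sbin/nologin) ...;; esac` is cleaner, and `passwd -S "$condor_user"` (status field `L`) is closer to what "locked" means, since a password-locked account with a normal shell is locked too. Minor: "heterogenous" and "adminstrative" in the comment block.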
> diff --git a/debian/condor_qsub b/debian/condor_qsub
> index 4673456..078bd0c 100755
> --- a/debian/condor_qsub
> +++ b/debian/condor_qsub
> @@ -338,8 +338,7 @@ submit_file=$(mktemp --tmpdir condor_qsub.XXXXXXXXXXXXX)
> cat << EOT > $submit_file
> # condor_qsub call: $@
> universe = vanilla
> -should_transfer_files = YES
> -when_to_transfer_output = ON_EXIT
> +should_transfer_files = NO
> #log = $log_file
> EOT
>
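Review bot: with `should_transfer_files = NO` every condor_qsub job now hard-depends on a shared filesystem, and nothing in the generated submit file says so; add a comment next to that line (e.g. `# shared filesystem assumed, see #684879`) and state the requirement in condor_qsub's usage/man text, otherwise a job submitted on a pool without a shared filesystem may never match a machine and the user has no hint why. Dropping `when_to_transfer_output` is correct, as it has no meaning once transfer is disabled.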
Cheers,
Julien