Bug#689289: unblock: keystone/2012.1.1-9 (CVE-2012-445{6,7}, +policy RC fixes)
On 11/08/2012 01:36 AM, Moritz Muehlenhoff wrote:
> On Wed, Oct 10, 2012 at 06:52:16PM +0200, Julien Cristau wrote:
>> On Mon, Oct 1, 2012 at 15:00:25 +0800, Thomas Goirand wrote:
>>
>>> diff -Nru keystone-2012.1.1/debian/keystone.postinst keystone-2012.1.1/debian/keystone.postinst
>>> --- keystone-2012.1.1/debian/keystone.postinst 2012-09-12 16:33:13.000000000 +0000
>>> +++ keystone-2012.1.1/debian/keystone.postinst 2012-10-01 06:51:43.000000000 +0000
>>> @@ -1,77 +1,64 @@
>> [...]
>>> + chown keystone:keystone -R /var/lib/keystone /var/log/keystone /etc/keystone
>>> + chmod 0750 /etc/keystone
>>> + chmod 0750 /var/log/keystone
>>
>> What's the point of this (in particular the recursive chown)? Why is it
>> done every time the package is configured, rather than when these
>> directories are initially created?
>>
>> [...]
>>> diff -Nru keystone-2012.1.1/debian/rules keystone-2012.1.1/debian/rules
>>> --- keystone-2012.1.1/debian/rules 2012-09-12 16:33:13.000000000 +0000
>>> +++ keystone-2012.1.1/debian/rules 2012-10-01 06:51:43.000000000 +0000
>>> @@ -42,6 +42,11 @@
>>> rm -rf debian/python-keystone/usr/lib/python*/*/doc
>>> rm -rf debian/python-keystone/usr/lib/python*/*/tools
>>> rm -rf debian/python-keystone/usr/lib/python*/*/examples
>>> + install -D -m 0640 etc/keystone.conf debian/keystone/usr/share/keystone/keystone.conf
>>> +
>>> +override_dh_fixperms:
>>> + dh_fixperms
>>> + chmod 0640 debian/keystone/usr/share/keystone/keystone.conf
>>>
>>> override_dh_clean:
>>> rm -rf $(CURDIR)/build $(CURDIR)/keystone.egg-info $(CURDIR)/.cache
>>
>> I don't think that (overriding fixperms) should be necessary, can't the
>> permissions be set when installing the file in postinst?
>
> Thomas,
> what's the status?
>
> Cheers,
> Moritz
Hi,
I made the requested changes, plus two more important fixes, and uploaded
the result to sid. The debdiff is attached.
Let me know,
Cheers,
Thomas
diff -Nru keystone-2012.1.1/debian/changelog keystone-2012.1.1/debian/changelog
--- keystone-2012.1.1/debian/changelog 2012-10-01 06:51:43.000000000 +0000
+++ keystone-2012.1.1/debian/changelog 2012-11-08 22:17:39.000000000 +0000
@@ -1,3 +1,16 @@
+keystone (2012.1.1-10) unstable; urgency=low
+
+ * Fixes keystone.config which wasn't starting dbconfig-common at first
+ setup.
+ * Do not use override_dh_fixperms:, sets the permissions of keystone.conf in
+ the postinst using "install -m" instead of cp -auxf.
+ * The default db is now sqlite:///var/lib/keystone/keystonedb, since that's
+ what we run with Folsom, and that it might cause problems as
+ "keystone.sqlite" isn't a valid MySQL db name. Changed debian/keystone.config
+ accordingly.
+
+ -- Thomas Goirand <zigo@debian.org> Wed, 10 Oct 2012 15:46:14 +0000
+
keystone (2012.1.1-9) unstable; urgency=high
* Fixes sometimes failing keystone.postrm (db_get in some conditions can
diff -Nru keystone-2012.1.1/debian/keystone.config keystone-2012.1.1/debian/keystone.config
--- keystone-2012.1.1/debian/keystone.config 2012-10-01 06:51:43.000000000 +0000
+++ keystone-2012.1.1/debian/keystone.config 2012-11-08 22:17:39.000000000 +0000
@@ -19,24 +19,28 @@
db_go
db_get keystone/configure_db
-if [ "$RET" = "true" ] && [ -e "${KEY_CONF}" ] && [ -f /usr/share/dbconfig-common/dpkg/config ] ; then
+if [ "$RET" = "true" ] && [ -f /usr/share/dbconfig-common/dpkg/config ] ; then
. /usr/share/dbconfig-common/dpkg/config
- KEY_CONF_DB_CON_INFO=`grep -E "^([ \t])*connection([ \t])*=([ \t])*" ${KEY_CONF} | awk '{print $3}'`
+ if [ -e "${KEY_CONF}" ] ; then
+ KEY_CONF_DB_CON_INFO=`grep -E "^([ \t])*connection([ \t])*=([ \t])*" ${KEY_CONF} | awk '{print $3}'`
+ else
+ KEY_CONF_DB_CON_INFO="sqlite:///var/lib/keystone/keystonedb"
+ fi
KEY_CONF_DB_TYPE=`echo ${KEY_CONF_DB_CON_INFO} | cut -d":" -f1`
# If we have an undefined SQL type, we go back to a more sane default (eg: SQLite)
if [ "${KEY_CONF_DB_TYPE}" != "sqlite" ] && [ "${KEY_CONF_DB_TYPE}" != "mysql" ] && [ "${KEY_CONF_DB_TYPE}" != "pgsql" ] ; then
- KEY_CONF_DB_CON_INFO="sqlite:///var/lib/keystone/keystone.sqlite"
+ KEY_CONF_DB_CON_INFO="sqlite:///var/lib/keystone/keystonedb"
KEY_CONF_DB_TYPE="sqlite"
fi
if [ "${KEY_CONF_DB_TYPE}" = "sqlite" ] ; then
# This is the invalid default in the etc/keystone.conf in the source package
if [ "${KEY_CONF_DB_CON_INFO}" = "sqlite:///keystone.db" ] ; then
- KEY_CONF_DB_CON_INFO="sqlite:///var/lib/keystone/keystone.sqlite"
+ KEY_CONF_DB_CON_INFO="sqlite:///var/lib/keystone/keystonedb"
fi
KEY_CONF_DB_PATH=`echo "${KEY_CONF_DB_CON_INFO}" | awk '{print substr($0,11)}'`
if [ -z "${KEY_CONF_DB_PATH}" ] ; then
- KEY_CONF_DB_PATH=/var/lib/keystone/keystone.sqlite
+ KEY_CONF_DB_PATH=/var/lib/keystone/keystonedb
fi
dbc_basepath=`dirname "${KEY_CONF_DB_PATH}"`
dbc_dbname=`basename "${KEY_CONF_DB_PATH}"`
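Review bot: `awk '{print $3}'` on line 80 only works when `connection` is written with whitespace on both sides of `=`; for `connection=mysql://...` the third field is empty, `KEY_CONF_DB_TYPE` becomes empty, and the script silently falls back to sqlite and hands dbconfig-common a database other than the one the administrator configured. Stripping the key instead is robust to either spelling: `KEY_CONF_DB_CON_INFO=$(sed -n 's/^[[:space:]]*connection[[:space:]]*=[[:space:]]*//p' "${KEY_CONF}" | head -n 1)` (the `head -n 1` also guards against a second `connection` line producing a multi-word value). Separately, the new default `sqlite:///var/lib/keystone/keystonedb` has three slashes, which in SQLAlchemy URL syntax denotes a path relative to the process working directory, and `substr($0,11)` on line 97 correspondingly yields `var/lib/keystone/keystonedb` without the leading slash, so `dbc_basepath` is relative as well; this presumably works only because the daemon starts with cwd `/`, so it is worth confirming or using the four-slash absolute form. Both enclosing `if` blocks close after the end of the hunk.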
diff -Nru keystone-2012.1.1/debian/keystone.postinst keystone-2012.1.1/debian/keystone.postinst
--- keystone-2012.1.1/debian/keystone.postinst 2012-10-01 06:51:43.000000000 +0000
+++ keystone-2012.1.1/debian/keystone.postinst 2012-11-08 22:17:39.000000000 +0000
@@ -12,7 +12,7 @@
mkdir /etc/keystone
fi
if ! [ -e "${KEY_CONF}" ] && [ -r /usr/share/keystone/keystone.conf ] ; then
- cp -auxf /usr/share/keystone/keystone.conf ${KEY_CONF}
+ install -D -m 0640 /usr/share/keystone/keystone.conf ${KEY_CONF}
fi
adduser --system \
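Review bot: `install -D -m 0640 ... ${KEY_CONF}` on line 112 runs before the `adduser --system` that creates the keystone account (nothing in the visible hunk creates it earlier), so the file is created root:root — install's default owner when run as root — and 0640 leaves it unreadable by the service unless ownership is changed afterwards. Since keystone.conf carries the database connection string (which may embed a password), the least-privilege shape is root-owned and group-readable by keystone, set explicitly rather than by a later recursive chown: move the install below the adduser and use `install -D -m 0640 -o root -g keystone /usr/share/keystone/keystone.conf "${KEY_CONF}"`, assuming the adduser invocation (which continues past the hunk) creates a keystone group, as the `chown keystone:keystone` in the -9 revision suggests. A recursive chown over directories the service user can write to (`/var/lib/keystone`, `/var/log/keystone` in that earlier revision) is better avoided in a postinst anyway, because on kernels without protected_hardlinks a compromised service can hard-link a root-owned file into those directories and have it re-owned on the next configure.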
diff -Nru keystone-2012.1.1/debian/rules keystone-2012.1.1/debian/rules
--- keystone-2012.1.1/debian/rules 2012-10-01 06:51:43.000000000 +0000
+++ keystone-2012.1.1/debian/rules 2012-11-08 22:17:39.000000000 +0000
@@ -42,11 +42,7 @@
rm -rf debian/python-keystone/usr/lib/python*/*/doc
rm -rf debian/python-keystone/usr/lib/python*/*/tools
rm -rf debian/python-keystone/usr/lib/python*/*/examples
- install -D -m 0640 etc/keystone.conf debian/keystone/usr/share/keystone/keystone.conf
-
-override_dh_fixperms:
- dh_fixperms
- chmod 0640 debian/keystone/usr/share/keystone/keystone.conf
+ install -D etc/keystone.conf debian/keystone/usr/share/keystone/keystone.conf
override_dh_clean:
rm -rf $(CURDIR)/build $(CURDIR)/keystone.egg-info $(CURDIR)/.cache
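Review bot: `install -D etc/keystone.conf ...` on line 127 no longer passes `-m`, so install's default mode 0755 applies and the staged template gets the execute bit; as far as I recall dh_fixperms only normalises to `go=rX`, which keeps that bit, so the shipped `/usr/share/keystone/keystone.conf` would presumably end up 0755 (lintian's executable-not-elf-or-script). Keep the mode explicit: `install -D -m 0644 etc/keystone.conf debian/keystone/usr/share/keystone/keystone.conf`. 0644 is reasonable here because this is the package's pristine template, while the 0640 copy holding site-specific values is created in postinst; if the template itself must stay 0640 (the reason the removed override existed), exclude it with `dh_fixperms -Xkeystone.conf` rather than dropping the mode altogether.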