
Bug#881871: stretch-pu: package bacula/7.4.4+dfsg-6



Control: tags -1 - moreinfo

"Adam D. Barratt" <adam@adam-barratt.org.uk> writes:

> -		--oknodo --exec $DAEMON --chuid $BUSER:$BGROUP -- -c $CONFIG
> +		--oknodo --exec $DAEMON -- -g $BUSER -g $BGROUP -c $CONFIG
>
> The first of those "-g" is presumably supposed to be "-u". I realise
> this may seem a small point, but it does make me wonder how it wasn't
> caught in testing.

Thank you for your work and for catching this. A new version of the
patch is attached.

Regards,

Carsten

diff --git a/debian/bacula-common.preinst b/debian/bacula-common.preinst
index 056c2944..d0b323fa 100644
--- a/debian/bacula-common.preinst
+++ b/debian/bacula-common.preinst
@@ -12,6 +12,14 @@ case "$1" in
 			echo "Ok."
 		fi
 	;;
+	install|upgrade)
+		# purging bacula-director-common can mistakenly delete bacula-dir.conf
+		# neutralize the offending line in its postrm; see bug #880529 for details
+		if dpkg-query -l bacula-director-common > /dev/null 2>&1 && \
+		   [ -e /var/lib/dpkg/info/bacula-director-common.postrm ]; then
+			sed -i 's/rm -f $CONFFILE $CONFFILE.dist/#disabled: bug #880529# rm -f $CONFFILE $CONFFILE.dist/' /var/lib/dpkg/info/bacula-director-common.postrm
+		fi
+	;;
 esac
 
 # dh_installdeb will replace this with shell code automatically
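Review bot: The `sed` expression in the new `install|upgrade)` branch is unanchored, so it also matches a line it has already disabled and prepends another `#disabled: bug #880529#` marker each time this preinst runs while the old postrm is still present. The result stays commented out, so this is cosmetic, but the edit is to another package's maintainer script and is better made idempotent. Skipping lines that are already comments and escaping the literal `$` and `.` would do it, assuming the `rm` starts its own line in that postrm: `sed -i '/^[[:space:]]*#/!s/rm -f \$CONFFILE \$CONFFILE\.dist/#disabled: bug #880529# &/' /var/lib/dpkg/info/bacula-director-common.postrm`. The `case` statement opens outside this hunk, so whether an earlier arm already matches `install` or `upgrade` cannot be checked from here.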
diff --git a/debian/bacula-director.init b/debian/bacula-director.init
index 8ac7c36a..89cfbe65 100644
--- a/debian/bacula-director.init
+++ b/debian/bacula-director.init
@@ -67,7 +67,7 @@ do_start()
 {
 	if $DAEMON -u $BUSER -g $BGROUP -t -c $CONFIG > /dev/null 2>&1; then
 		start-stop-daemon --start --quiet --pidfile $PIDFILE \
-		--oknodo --exec $DAEMON --chuid $BUSER:$BGROUP -- -c $CONFIG
+		--oknodo --exec $DAEMON -- -u $BUSER -g $BGROUP -c $CONFIG
 		return 0
 	else
 		log_progress_msg "- the configtest"
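Review bot: With `--chuid` removed, the daemon is exec'd as root and dropping privileges depends entirely on the `-u $BUSER -g $BGROUP` arguments, which the new line passes unquoted. If either variable is empty, the words shift (an empty `$BUSER` makes `-u` take `-g` as its value), and how the daemon handles that is not visible here. Quoting the expansions keeps the argument positions fixed: `--oknodo --exec "$DAEMON" -- -u "$BUSER" -g "$BGROUP" -c "$CONFIG"`. A guard such as `[ -n "$BUSER" ] && [ -n "$BGROUP" ] || return 1` before the start would make a misconfiguration fail closed. The same applies to the matching lines in the `bacula-fd.init` and `bacula-sd.init` hunks. The variables are defined outside these hunks, so whether an administrator can override them is an assumption to confirm.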
diff --git a/debian/bacula-fd.init b/debian/bacula-fd.init
index 649b9cc1..698e4ea3 100644
--- a/debian/bacula-fd.init
+++ b/debian/bacula-fd.init
@@ -54,7 +54,7 @@ do_start()
 {
 	if $DAEMON -u $BUSER -g $BGROUP -t -c $CONFIG > /dev/null 2>&1; then
 		start-stop-daemon --start --quiet --pidfile $PIDFILE \
-		--oknodo --exec $DAEMON --chuid $BUSER:$BGROUP -- -c $CONFIG
+		--oknodo --exec $DAEMON -- -u $BUSER -g $BGROUP -c $CONFIG
 		return 0
 	else
 		log_progress_msg "- the configtest"
diff --git a/debian/bacula-sd.init b/debian/bacula-sd.init
index 47c3d07d..8559f335 100644
--- a/debian/bacula-sd.init
+++ b/debian/bacula-sd.init
@@ -51,9 +51,9 @@ PIDFILE=/run/bacula/$NAME.$PORT.pid
 
 do_start()
 {
-	if $DAEMON -g $BUSER -g $BGROUP -t -c $CONFIG > /dev/null 2>&1; then
+	if $DAEMON -u $BUSER -g $BGROUP -t -c $CONFIG > /dev/null 2>&1; then
 		start-stop-daemon --start --quiet --pidfile $PIDFILE \
-		--oknodo --exec $DAEMON --chuid $BUSER:$BGROUP -- -c $CONFIG
+		--oknodo --exec $DAEMON -- -u $BUSER -g $BGROUP -c $CONFIG
 		return 0
 	else
 		log_progress_msg "- the configtest"
diff --git a/debian/changelog b/debian/changelog
index d0a4ac54..81b0627a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,21 @@
+bacula (7.4.4+dfsg-6+deb9u1) stretch; urgency=medium
+
+  [Sven Hartge]
+  * Let PID files be owned by root. Mitigates a minor security problem
+    similar to CVE 2017-14610. Note that this change disables automatic
+    tracebacks.
+
+  [Carsten Leonhardt]
+  * Added transitional package bacula-director-common, the old leftover
+    package can't be safely purged otherwise (it deletes
+    /etc/bacula/bacula-dir.conf in postrm which now belongs to the
+    bacula-director package). For the case when the package
+    bacula-director-common is deinstalled but not purged, we neutralize
+    the offending postrm script when upgrading bacula-common. (Closes:
+    #880529)
+
+ -- Carsten Leonhardt <leo@debian.org>  Wed, 15 Nov 2017 22:55:15 +0100
+
 bacula (7.4.4+dfsg-6) unstable; urgency=medium
 
   [Sven Hartge]
diff --git a/debian/control b/debian/control
index 19418610..7c310185 100644
--- a/debian/control
+++ b/debian/control
@@ -357,3 +357,13 @@ Description: network backup service - Bacula Administration Tool
  .
  This GUI interface has been designed to ease restore operations as much as
  possible as compared to the basic text console.
+
+Package: bacula-director-common
+Section: oldlibs
+Architecture: any
+Pre-Depends: ${misc:Pre-Depends}
+Depends:
+ bacula-common (= ${binary:Version}),
+ ${misc:Depends}
+Description: transitional package
+ This is a transitional package. It can safely be removed.
diff --git a/debian/patches/non-forking-systemd-units.patch b/debian/patches/non-forking-systemd-units.patch
index 636c9153..03cdabd7 100644
--- a/debian/patches/non-forking-systemd-units.patch
+++ b/debian/patches/non-forking-systemd-units.patch
@@ -20,13 +20,13 @@ Author: Sven Hartge <sven@svenhartge.de>
 -PIDFile=@piddir@/bacula-dir.@dir_port@.pid
 -ExecReload=@sbindir@/bacula-dir -t -c @sysconfdir@/bacula-dir.conf
 +Type=simple
-+User=bacula
-+Group=bacula
++User=root
++Group=root
 +Environment="CONFIG=/etc/bacula/bacula-dir.conf"
 +EnvironmentFile=-/etc/default/bacula-dir
-+ExecStartPre=@sbindir@/bacula-dir -t -c $CONFIG
-+ExecStart=@sbindir@/bacula-dir -f -c $CONFIG
-+ExecReload=@sbindir@/bacula-dir -t -c $CONFIG
++ExecStartPre=@sbindir@/bacula-dir -t -u bacula -g bacula -c $CONFIG
++ExecStart=@sbindir@/bacula-dir -f -u bacula -g bacula -c $CONFIG
++ExecReload=@sbindir@/bacula-dir -t -u bacula -g bacula -c $CONFIG
  ExecReload=/bin/kill -HUP $MAINPID
 +SuccessExitStatus=15
  StandardError=syslog
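Review bot: The unit now sets `User=root`/`Group=root` and leaves the privilege drop to the daemon's `-u bacula -g bacula`, but nothing in the unit says why, and a later cleanup could easily "restore" `User=bacula`. A comment above the `User=` line would record the intent, for example `# Start as root so the PID file stays root-owned; the daemon drops to bacula itself via -u/-g`, with the wording taken from the changelog entry. Since systemd no longer enforces the drop, it is worth confirming that a failed user or group lookup makes the daemon exit rather than continue as root. The same note applies to the `bacula-sd` hunk that follows (`-u bacula -g tape`). The rest of each unit file is outside these hunks, so any existing hardening directives cannot be seen from here.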
@@ -67,12 +67,12 @@ Author: Sven Hartge <sven@svenhartge.de>
 -ExecStart=@sbindir@/bacula-sd -c @sysconfdir@/bacula-sd.conf
 -PIDFile=@piddir@/bacula-sd.@sd_port@.pid
 +Type=simple
-+User=bacula
-+Group=tape
++User=root
++Group=root
 +Environment="CONFIG=/etc/bacula/bacula-sd.conf"
 +EnvironmentFile=-/etc/default/bacula-sd
-+ExecStartPre=@sbindir@/bacula-sd -t -c $CONFIG
-+ExecStart=@sbindir@/bacula-sd -f -c $CONFIG
++ExecStartPre=@sbindir@/bacula-sd -t -u bacula -g tape -c $CONFIG
++ExecStart=@sbindir@/bacula-sd -f -u bacula -g tape -c $CONFIG
 +ExecReload=/bin/kill -HUP $MAINPID
 +SuccessExitStatus=15
  StandardError=syslog
