Your message dated Fri, 25 Aug 2023 22:49:32 +0200
with message-id <e83232dc-4d8c-49a3-b49c-77b10aac8...@rclobus.nl>
and subject line Fixed since bullseye
has caused the Debian Bug report #959716,
regarding live-build: 0140-remove-log-files.hook.chroot fails with
fs.protected_regular = 2 and files in sticky directories
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
959716: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=959716
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: live-build
Version: 1:20191221
Severity: important
User: de...@kali.org
Usertags: origin-kali
live-build has been failing when run in Debian Testing and when your live
image includes a package like postgresql-12 which creates a log directory
with the sticky bit set (o+t):
[2020-05-04 12:22:55] lb chroot_hooks
P: Begin executing hooks...
/root/0140-remove-log-files.hook.chroot: 8: cannot create
/var/log/postgresql/postgresql-12-main.log: Permission denied
E: config/hooks/normal/0140-remove-log-files.hook.chroot failed (exit
non-zero). You should check for errors.
After investigation and with the help of #debian-kernel, it turns out that
this is due to a recent procps change. Since version 2:3.3.16-1 the
package is setting some supplementary hardening restrictions in
/usr/lib/sysctl.d/protect-links.conf
The one that's causing us trouble here is "fs.protected_regular = 2"
because /var/log/postgresql is a group writable directory with the sticky
bit set:
(live)root@x260-buxy:/# ls -al /var/log/postgresql/
total 8
drwxrwxr-t 2 root postgres 4096 mai 4 09:34 .
drwxr-xr-x 15 root root 4096 mai 4 09:36 ..
-rw-r----- 1 postgres adm 0 mai 4 09:34 postgresql-12-main.log
(live)root@x260-buxy:/# :>/var/log/postgresql/postgresql-12-main.log
bash: /var/log/postgresql/postgresql-12-main.log: Permission denied
To me it really seems like live-build is doing nothing wrong... but at the
same time, the default change is likely desirable as well.
So I guess we will have to work around it in live-build.
Simple solution with truncate:
# truncate --no-create --size=0 /var/log/postgresql/postgresql-12-main.log
More complicated solution: detect sticky directories and run the command
as the user owning the file.
-- Package-specific info:
-- System Information:
Debian Release: bullseye/sid
APT prefers oldoldstable
APT policy: (500, 'oldoldstable'), (500, 'unstable'), (500, 'testing'), (500,
'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.5.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8),
LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages live-build depends on:
ii debootstrap 1.0.123
Versions of packages live-build recommends:
ii apt-utils 2.0.2
ii bzip2 1.0.8-2
ii cpio 2.13+dfsg-2
ii file 1:5.38-4
ii live-boot-doc 1:20190614
ii live-config-doc 11.0.1
ii live-manual-html [live-manual] 2:20151217.1
ii wget 1.20.3-1+b2
ii xz-utils 5.2.4-1+b1
Versions of packages live-build suggests:
ii e2fsprogs 1.45.6-1
pn mtd-utils <none>
ii parted 3.3-4
-- no debconf information
--- End Message ---
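The behaviour the report describes follows from the kernel's may_create_in_sticky() check (fs/namei.c, present since Linux 4.19), which is only consulted for opens that carry O_CREAT and compares raw uids, so root gets no exemption. The following Python model of that check is an added example, not code from the bug report, live-build or the kernel; the postgres uid (105) is an assumption, and the directory and file modes are those from the ls listing above. It replays the failing hook line, the truncate workaround and the run-as-owner workaround at each protected_regular level, and also shows that level 1 already blocks the same pattern in a world-writable sticky directory such as /tmp.

```python
import stat

# Constructed values for the scenario in the bug report (not taken from it):
# the postgres uid is an assumption; root is uid 0.
ROOT_UID = 0
POSTGRES_UID = 105  # assumed

# /var/log/postgresql from the report: drwxrwxr-t root:postgres
PG_LOG_DIR_MODE = stat.S_IFDIR | 0o1775
# postgresql-12-main.log from the report: -rw-r----- postgres:adm
PG_LOG_FILE_MODE = stat.S_IFREG | 0o640


def may_create_in_sticky(dir_mode, dir_uid, file_mode, file_uid, fsuid,
                         protected_regular=2, protected_fifos=1):
    """Model of may_create_in_sticky() from fs/namei.c (Linux >= 4.19).

    Returns True if the open may proceed, False where the kernel returns
    -EACCES. Root gets no exemption: the owner tests compare raw uids and
    CAP_FOWNER / CAP_DAC_OVERRIDE are not consulted.
    """
    is_fifo = stat.S_ISFIFO(file_mode)
    is_reg = stat.S_ISREG(file_mode)
    # Protection switched off for this file type.
    if (protected_fifos == 0 and is_fifo) or (protected_regular == 0 and is_reg):
        return True
    # Not a sticky directory: nothing to do.
    if not dir_mode & stat.S_ISVTX:
        return True
    # File owned by the directory owner, or by whoever is opening it.
    if file_uid == dir_uid or fsuid == file_uid:
        return True
    # Level 1: world-writable sticky directories (e.g. /tmp).
    if dir_mode & 0o002:
        return False
    # Level 2: additionally group-writable sticky directories.
    if dir_mode & 0o020 and ((protected_fifos >= 2 and is_fifo)
                             or (protected_regular >= 2 and is_reg)):
        return False
    return True


def open_existing_allowed(dir_mode, dir_uid, file_mode, file_uid, fsuid,
                          o_creat, protected_regular=2):
    """Would opening an existing file get past the sticky-directory check?

    The kernel only calls may_create_in_sticky() when the open carries
    O_CREAT. A plain O_WRONLY|O_TRUNC open (what `truncate --no-create`
    issues) never reaches it; ordinary DAC then applies, which this model
    assumes succeeds (it does for root).
    """
    if not o_creat:
        return True
    return may_create_in_sticky(dir_mode, dir_uid, file_mode, file_uid, fsuid,
                                protected_regular=protected_regular)


def hook_redirect_as_root(protected_regular=2):
    """`:> /var/log/postgresql/postgresql-12-main.log` run by root in the
    chroot: the shell opens with O_WRONLY|O_CREAT|O_TRUNC."""
    return open_existing_allowed(PG_LOG_DIR_MODE, ROOT_UID, PG_LOG_FILE_MODE,
                                 POSTGRES_UID, ROOT_UID, o_creat=True,
                                 protected_regular=protected_regular)


def truncate_no_create_as_root(protected_regular=2):
    """`truncate --no-create --size=0 <file>` run by root: no O_CREAT."""
    return open_existing_allowed(PG_LOG_DIR_MODE, ROOT_UID, PG_LOG_FILE_MODE,
                                 POSTGRES_UID, ROOT_UID, o_creat=False,
                                 protected_regular=protected_regular)


def hook_redirect_as_file_owner(protected_regular=2):
    """The more complicated workaround: run the redirect as the file owner."""
    return open_existing_allowed(PG_LOG_DIR_MODE, ROOT_UID, PG_LOG_FILE_MODE,
                                 POSTGRES_UID, POSTGRES_UID, o_creat=True,
                                 protected_regular=protected_regular)


def tmp_redirect_as_root(protected_regular=1, other_uid=1000):
    """Same pattern in a world-writable sticky dir (drwxrwxrwt root:root):
    already blocked at level 1. The other user's uid is constructed."""
    return open_existing_allowed(stat.S_IFDIR | 0o1777, ROOT_UID,
                                 stat.S_IFREG | 0o644, other_uid, ROOT_UID,
                                 o_creat=True,
                                 protected_regular=protected_regular)


if __name__ == "__main__":
    for level in (0, 1, 2):
        print(f"fs.protected_regular = {level}:")
        for label, fn in ((":> file as root", hook_redirect_as_root),
                          ("truncate --no-create as root", truncate_no_create_as_root),
                          (":> file as postgres", hook_redirect_as_file_owner),
                          (":> file in /tmp as root", tmp_redirect_as_root)):
            print(f"  {label:30} -> {'ok' if fn(level) else 'EACCES'}")
```

The --no-create flag is what makes the workaround work: coreutils truncate opens with O_CREAT unless that flag is given, so a bare `truncate --size=0` would hit the same EACCES as the shell redirect.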
--- Begin Message ---
Control: fixed 959716 1:20210407
'truncate' is used since the bullseye version of live-build
https://sources.debian.org/src/live-build/1%3A20210407/share/hooks/normal/0140-remove-log-files.hook.chroot/
--- End Message ---