Hi, here is a new version of the patch. I now additionally let bacula-common.preinst check for the existence of bacula-director-common.postrm and comment out the offending line if found (first chunk in the diff). I chose to use bacula-common because it is depended upon by all other bacula packages.
I've also amended the text in the changelog, otherwise the rest of the patch is the same as the previous version. The patch is also viewable at https://salsa.debian.org/bacula-team/bacula/compare/debian%2F7.4.4+dfsg-6...stretch Thanks, Carsten
diff --git a/debian/bacula-common.preinst b/debian/bacula-common.preinst
index 056c2944..d0b323fa 100644
--- a/debian/bacula-common.preinst
+++ b/debian/bacula-common.preinst
@@ -12,6 +12,14 @@ case "$1" in
 echo "Ok."
 fi
 ;;
+ install|upgrade)
+ # purging bacula-director-common can mistakenly delete bacula-dir.conf
+ # neutralize the offending line in its postrm; see bug #880529 for details
+ if dpkg-query -l bacula-director-common > /dev/null 2>&1 && \
+ [ -e /var/lib/dpkg/info/bacula-director-common.postrm ]; then
+ sed -i 's/rm -f $CONFFILE $CONFFILE.dist/#disabled: bug #880529# rm -f $CONFFILE $CONFFILE.dist/' /var/lib/dpkg/info/bacula-director-common.postrm
+ fi
+ ;;
 esac
 # dh_installdeb will replace this with shell code automatically
diff --git a/debian/bacula-director.init b/debian/bacula-director.init
index 8ac7c36a..89cfbe65 100644
--- a/debian/bacula-director.init
+++ b/debian/bacula-director.init
@@ -67,7 +67,7 @@ do_start() {
 if $DAEMON -u $BUSER -g $BGROUP -t -c $CONFIG > /dev/null 2>&1; then
 start-stop-daemon --start --quiet --pidfile $PIDFILE \
- --oknodo --exec $DAEMON --chuid $BUSER:$BGROUP -- -c $CONFIG
+ --oknodo --exec $DAEMON -- -u $BUSER -g $BGROUP -c $CONFIG
 return 0
 else
 log_progress_msg "- the configtest"
diff --git a/debian/bacula-fd.init b/debian/bacula-fd.init
index 649b9cc1..698e4ea3 100644
--- a/debian/bacula-fd.init
+++ b/debian/bacula-fd.init
@@ -54,7 +54,7 @@ do_start() {
 if $DAEMON -u $BUSER -g $BGROUP -t -c $CONFIG > /dev/null 2>&1; then
 start-stop-daemon --start --quiet --pidfile $PIDFILE \
- --oknodo --exec $DAEMON --chuid $BUSER:$BGROUP -- -c $CONFIG
+ --oknodo --exec $DAEMON -- -u $BUSER -g $BGROUP -c $CONFIG
 return 0
 else
 log_progress_msg "- the configtest"
diff --git a/debian/bacula-sd.init b/debian/bacula-sd.init
index 47c3d07d..e3863840 100644
--- a/debian/bacula-sd.init
+++ b/debian/bacula-sd.init
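Review bot: The `sed` expression in the new `install|upgrade)` branch of debian/bacula-common.preinst is not idempotent: once the line has been rewritten, the unanchored pattern `rm -f $CONFFILE $CONFFILE.dist` still matches inside the commented-out text, so each later upgrade of bacula-common prepends another `#disabled: bug #880529#` marker to the same postrm line. Skipping lines that already carry the marker avoids this, for example `sed -i '/#disabled: bug #880529#/!s/rm -f $CONFFILE $CONFFILE.dist/#disabled: bug #880529# &/' /var/lib/dpkg/info/bacula-director-common.postrm`. Since this edits another package's maintainer script in place under dpkg's info directory, the comment should also state that the rewrite is meant to be a no-op when the line is absent or already disabled. The enclosing `case "$1" in` starts outside the hunk, so whether a failing `sed` would abort the preinst (for instance under `set -e`) cannot be confirmed from here.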
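Review bot: The switch in debian/bacula-director.init from `--chuid $BUSER:$BGROUP` to the daemon's own `-u $BUSER -g $BGROUP` carries no comment, and it reads like something a later cleanup could revert to `--chuid`. Per the changelog entry in this patch the intent is that the PID file stays owned by root, so the daemon has to start as root and drop privileges itself; a comment above the `start-stop-daemon` call would record that, e.g. `# start as root so the PID file stays root-owned; the daemon drops to $BUSER:$BGROUP via -u/-g`. Because the privilege drop now depends on these arguments alone, an empty `$BUSER` or `$BGROUP` would make `-u`/`-g` consume the option that follows, so quoting them (`-u "$BUSER" -g "$BGROUP"`) is worth doing in the same change. The same applies to the identical hunk in debian/bacula-fd.init. `do_start()` continues outside both hunks.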
@@ -53,7 +53,7 @@ do_start() {
 if $DAEMON -g $BUSER -g $BGROUP -t -c $CONFIG > /dev/null 2>&1; then
 start-stop-daemon --start --quiet --pidfile $PIDFILE \
- --oknodo --exec $DAEMON --chuid $BUSER:$BGROUP -- -c $CONFIG
+ --oknodo --exec $DAEMON -- -g $BUSER -g $BGROUP -c $CONFIG
 return 0
 else
 log_progress_msg "- the configtest"
diff --git a/debian/changelog b/debian/changelog
index d0a4ac54..81b0627a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,21 @@
+bacula (7.4.4+dfsg-6+deb9u1) stretch; urgency=medium
+
+ [Sven Hartge]
+ * Let PID files be owned by root. Mitigates a minor security problem
+ similar to CVE 2017-14610. Note that this change disables automatic
+ tracebacks.
+
+ [Carsten Leonhardt]
+ * Added transitional package bacula-director-common, the old leftover
+ package can't be safely purged otherwise (it deletes
+ /etc/bacula/bacula-dir.conf in postrm which now belongs to the
+ bacula-director package). For the case when the package
+ bacula-director-common is deinstalled but not purged, we neutralize
+ the offending postrm script when upgrading bacula-common. (Closes:
+ #880529)
+
+ -- Carsten Leonhardt <l...@debian.org> Wed, 15 Nov 2017 22:55:15 +0100
+
 bacula (7.4.4+dfsg-6) unstable; urgency=medium
 [Sven Hartge]
diff --git a/debian/control b/debian/control
index 19418610..7c310185 100644
--- a/debian/control
+++ b/debian/control
@@ -357,3 +357,13 @@ Description: network backup service - Bacula Administration Tool
 .
 This GUI interface has been designed to ease restore operations as much as possible as compared to the basic text console.
+
+Package: bacula-director-common
+Section: oldlibs
+Architecture: any
+Pre-Depends: ${misc:Pre-Depends}
+Depends:
+ bacula-common (= ${binary:Version}),
+ ${misc:Depends}
+Description: transitional package
+ This is a transitional package. It can safely be removed.
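Review bot: The new `start-stop-daemon` line in debian/bacula-sd.init passes `-g $BUSER -g $BGROUP` with no `-u` at all, whereas the director and fd scripts in this patch pass `-u $BUSER -g $BGROUP` and the systemd unit starts bacula-sd with `-u bacula -g tape`. The removed line set the user through `--chuid $BUSER:$BGROUP`, so the `-g $BUSER` already present in the configtest line had no effect on the running daemon; with `--chuid` gone, nothing on the command line changes the uid, and the storage daemon would presumably keep running as root. If that is not intended, the line should read `--oknodo --exec $DAEMON -- -u $BUSER -g $BGROUP -c $CONFIG`, and the configtest above it should use `-u $BUSER` as well. `do_start()` continues outside the hunk.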
diff --git a/debian/patches/non-forking-systemd-units.patch b/debian/patches/non-forking-systemd-units.patch
index 636c9153..03cdabd7 100644
--- a/debian/patches/non-forking-systemd-units.patch
+++ b/debian/patches/non-forking-systemd-units.patch
@@ -20,13 +20,13 @@ Author: Sven Hartge <s...@svenhartge.de>
 -PIDFile=@piddir@/bacula-dir.@dir_port@.pid
 -ExecReload=@sbindir@/bacula-dir -t -c @sysconfdir@/bacula-dir.conf
 +Type=simple
-+User=bacula
-+Group=bacula
++User=root
++Group=root
 +Environment="CONFIG=/etc/bacula/bacula-dir.conf"
 +EnvironmentFile=-/etc/default/bacula-dir
-+ExecStartPre=@sbindir@/bacula-dir -t -c $CONFIG
-+ExecStart=@sbindir@/bacula-dir -f -c $CONFIG
-+ExecReload=@sbindir@/bacula-dir -t -c $CONFIG
++ExecStartPre=@sbindir@/bacula-dir -t -u bacula -g bacula -c $CONFIG
++ExecStart=@sbindir@/bacula-dir -f -u bacula -g bacula -c $CONFIG
++ExecReload=@sbindir@/bacula-dir -t -u bacula -g bacula -c $CONFIG
 ExecReload=/bin/kill -HUP $MAINPID
 +SuccessExitStatus=15
 StandardError=syslog
@@ -67,12 +67,12 @@ Author: Sven Hartge <s...@svenhartge.de>
 -ExecStart=@sbindir@/bacula-sd -c @sysconfdir@/bacula-sd.conf
 -PIDFile=@piddir@/bacula-sd.@sd_port@.pid
 +Type=simple
-+User=bacula
-+Group=tape
++User=root
++Group=root
 +Environment="CONFIG=/etc/bacula/bacula-sd.conf"
 +EnvironmentFile=-/etc/default/bacula-sd
-+ExecStartPre=@sbindir@/bacula-sd -t -c $CONFIG
-+ExecStart=@sbindir@/bacula-sd -f -c $CONFIG
++ExecStartPre=@sbindir@/bacula-sd -t -u bacula -g tape -c $CONFIG
++ExecStart=@sbindir@/bacula-sd -f -u bacula -g tape -c $CONFIG
 +ExecReload=/bin/kill -HUP $MAINPID
 +SuccessExitStatus=15
 StandardError=syslog
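Review bot: With `User=root` and `Group=root` in both unit hunks, systemd no longer enforces the unprivileged identity for bacula-dir and bacula-sd; the drop to `bacula`/`bacula` and `bacula`/`tape` now rests entirely on the daemons honouring `-u`/`-g`, and the units do not say why. A comment line in each unit would keep a later edit from "restoring" `User=bacula` or from removing the flags, e.g. `# Started as root on purpose: the daemon drops privileges itself (-u/-g) so that its PID file stays root-owned`. The account names are also hard-coded on the `ExecStartPre`/`ExecStart`/`ExecReload` lines while the init scripts in this patch take them from `$BUSER`/`$BGROUP`; if those variables come from the same `/etc/default` files that `EnvironmentFile=` reads (not visible here), the two start paths can diverge. Both hunks begin and end inside the embedded unit sections, so the rest of each unit is outside this view.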