Control: tags -1 - moreinfo "Adam D. Barratt" <a...@adam-barratt.org.uk> writes:
> - --oknodo --exec $DAEMON --chuid $BUSER:$BGROUP -- -c $CONFIG > + --oknodo --exec $DAEMON -- -g $BUSER -g $BGROUP -c $CONFIG > > The first of those "-g" is presumably supposed to be "-u". I realise > this may seem a small point, but it does make me wonder how it wasn't > caught in testing. Thank you for your work and for catching this. A new version of the patch is attached. Regards, Carsten
diff --git a/debian/bacula-common.preinst b/debian/bacula-common.preinst index 056c2944..d0b323fa 100644 --- a/debian/bacula-common.preinst +++ b/debian/bacula-common.preinst @@ -12,6 +12,14 @@ case "$1" in echo "Ok." fi ;; + install|upgrade) + # purging bacula-director-common can mistakenly delete bacula-dir.conf + # neutralize the offending line in its postrm; see bug #880529 for details + if dpkg-query -l bacula-director-common > /dev/null 2>&1 && \ + [ -e /var/lib/dpkg/info/bacula-director-common.postrm ]; then + sed -i 's/rm -f $CONFFILE $CONFFILE.dist/#disabled: bug #880529# rm -f $CONFFILE $CONFFILE.dist/' /var/lib/dpkg/info/bacula-director-common.postrm + fi + ;; esac # dh_installdeb will replace this with shell code automatically diff --git a/debian/bacula-director.init b/debian/bacula-director.init index 8ac7c36a..89cfbe65 100644 --- a/debian/bacula-director.init +++ b/debian/bacula-director.init @@ -67,7 +67,7 @@ do_start() { if $DAEMON -u $BUSER -g $BGROUP -t -c $CONFIG > /dev/null 2>&1; then start-stop-daemon --start --quiet --pidfile $PIDFILE \ - --oknodo --exec $DAEMON --chuid $BUSER:$BGROUP -- -c $CONFIG + --oknodo --exec $DAEMON -- -u $BUSER -g $BGROUP -c $CONFIG return 0 else log_progress_msg "- the configtest" diff --git a/debian/bacula-fd.init b/debian/bacula-fd.init index 649b9cc1..698e4ea3 100644 --- a/debian/bacula-fd.init +++ b/debian/bacula-fd.init @@ -54,7 +54,7 @@ do_start() { if $DAEMON -u $BUSER -g $BGROUP -t -c $CONFIG > /dev/null 2>&1; then start-stop-daemon --start --quiet --pidfile $PIDFILE \ - --oknodo --exec $DAEMON --chuid $BUSER:$BGROUP -- -c $CONFIG + --oknodo --exec $DAEMON -- -u $BUSER -g $BGROUP -c $CONFIG return 0 else log_progress_msg "- the configtest" diff --git a/debian/bacula-sd.init b/debian/bacula-sd.init index 47c3d07d..8559f335 100644 --- a/debian/bacula-sd.init +++ b/debian/bacula-sd.init 
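Review bot: The `sed` expression in the new `install|upgrade)` branch is unanchored, so it is not idempotent: once the line has been rewritten, the pattern still matches the text after the `#disabled: bug #880529#` marker, and every later bacula-common install or upgrade prepends another marker. The line stays a comment, so the postrm remains neutralized, but a root-run maintainer script under dpkg's info directory is rewritten on every run. Anchoring the match makes repeat runs a no-op: `sed -i 's/^\([[:space:]]*\)rm -f \$CONFFILE \$CONFFILE\.dist/\1#disabled: bug #880529# rm -f $CONFFILE $CONFFILE.dist/' /var/lib/dpkg/info/bacula-director-common.postrm`. This assumes the `rm` begins its own line in the old postrm, which is not visible here. The enclosing `case "$1"` statement starts outside the hunk.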
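Review bot: With `--chuid` gone, `start-stop-daemon` now launches `$DAEMON` as root, and the drop to the service account depends entirely on the unquoted `-u $BUSER -g $BGROUP` words in `do_start()`. If either variable is empty or contains whitespace the arguments shift, and these lines do not show what the daemon does then; the preceding config test uses the same words, so it may or may not catch the problem. Quoting keeps each value attached to its option, `--oknodo --exec "$DAEMON" -- -u "$BUSER" -g "$BGROUP" -c "$CONFIG"`, and a guard such as `[ -n "$BUSER" ] && [ -n "$BGROUP" ] || return 1` ahead of the config test would fail closed. The same lines appear in the `bacula-fd.init` and `bacula-sd.init` hunks; `do_start()` starts and ends outside each hunk, and the definitions of `BUSER`/`BGROUP` are not visible.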
@@ -51,9 +51,9 @@ PIDFILE=/run/bacula/$NAME.$PORT.pid do_start() { - if $DAEMON -g $BUSER -g $BGROUP -t -c $CONFIG > /dev/null 2>&1; then + if $DAEMON -u $BUSER -g $BGROUP -t -c $CONFIG > /dev/null 2>&1; then start-stop-daemon --start --quiet --pidfile $PIDFILE \ - --oknodo --exec $DAEMON --chuid $BUSER:$BGROUP -- -c $CONFIG + --oknodo --exec $DAEMON -- -u $BUSER -g $BGROUP -c $CONFIG return 0 else log_progress_msg "- the configtest" diff --git a/debian/changelog b/debian/changelog index d0a4ac54..81b0627a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,21 @@ +bacula (7.4.4+dfsg-6+deb9u1) stretch; urgency=medium + + [Sven Hartge] + * Let PID files be owned by root. Mitigates a minor security problem + similar to CVE 2017-14610. Note that this change disables automatic + tracebacks. + + [Carsten Leonhardt] + * Added transitional package bacula-director-common, the old leftover + package can't be safely purged otherwise (it deletes + /etc/bacula/bacula-dir.conf in postrm which now belongs to the + bacula-director package). For the case when the package + bacula-director-common is deinstalled but not purged, we neutralize + the offending postrm script when upgrading bacula-common. (Closes: + #880529) + + -- Carsten Leonhardt <l...@debian.org> Wed, 15 Nov 2017 22:55:15 +0100 + bacula (7.4.4+dfsg-6) unstable; urgency=medium [Sven Hartge] diff --git a/debian/control b/debian/control index 19418610..7c310185 100644 --- a/debian/control +++ b/debian/control @@ -357,3 +357,13 @@ Description: network backup service - Bacula Administration Tool . This GUI interface has been designed to ease restore operations as much as possible as compared to the basic text console. + +Package: bacula-director-common +Section: oldlibs +Architecture: any +Pre-Depends: ${misc:Pre-Depends} +Depends: + bacula-common (= ${binary:Version}), + ${misc:Depends} +Description: transitional package + This is a transitional package. It can safely be removed. 
diff --git a/debian/patches/non-forking-systemd-units.patch b/debian/patches/non-forking-systemd-units.patch index 636c9153..03cdabd7 100644 --- a/debian/patches/non-forking-systemd-units.patch +++ b/debian/patches/non-forking-systemd-units.patch @@ -20,13 +20,13 @@ Author: Sven Hartge <s...@svenhartge.de> -PIDFile=@piddir@/bacula-dir.@dir_port@.pid -ExecReload=@sbindir@/bacula-dir -t -c @sysconfdir@/bacula-dir.conf +Type=simple -+User=bacula -+Group=bacula ++User=root ++Group=root +Environment="CONFIG=/etc/bacula/bacula-dir.conf" +EnvironmentFile=-/etc/default/bacula-dir -+ExecStartPre=@sbindir@/bacula-dir -t -c $CONFIG -+ExecStart=@sbindir@/bacula-dir -f -c $CONFIG -+ExecReload=@sbindir@/bacula-dir -t -c $CONFIG ++ExecStartPre=@sbindir@/bacula-dir -t -u bacula -g bacula -c $CONFIG ++ExecStart=@sbindir@/bacula-dir -f -u bacula -g bacula -c $CONFIG ++ExecReload=@sbindir@/bacula-dir -t -u bacula -g bacula -c $CONFIG ExecReload=/bin/kill -HUP $MAINPID +SuccessExitStatus=15 StandardError=syslog @@ -67,12 +67,12 @@ Author: Sven Hartge <s...@svenhartge.de> -ExecStart=@sbindir@/bacula-sd -c @sysconfdir@/bacula-sd.conf -PIDFile=@piddir@/bacula-sd.@sd_port@.pid +Type=simple -+User=bacula -+Group=tape ++User=root ++Group=root +Environment="CONFIG=/etc/bacula/bacula-sd.conf" +EnvironmentFile=-/etc/default/bacula-sd -+ExecStartPre=@sbindir@/bacula-sd -t -c $CONFIG -+ExecStart=@sbindir@/bacula-sd -f -c $CONFIG ++ExecStartPre=@sbindir@/bacula-sd -t -u bacula -g tape -c $CONFIG ++ExecStart=@sbindir@/bacula-sd -f -u bacula -g tape -c $CONFIG +ExecReload=/bin/kill -HUP $MAINPID +SuccessExitStatus=15 StandardError=syslog
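Review bot: Both unit hunks switch `User=`/`Group=` to root and rely on the daemon's own `-u`/`-g` handling to drop privileges, but nothing in the unit records why. The account names are also hard-coded here, whereas the init scripts in this same patch take them from `$BUSER`/`$BGROUP`. Someone who later restores `User=bacula` as hardening would undo the root-owned PID file that the changelog entry describes. A comment above `User=root` would prevent that, for example `# Started as root so the PID file is root-owned; bacula-dir drops to bacula:bacula via -u/-g`, with the matching `bacula:tape` wording in the bacula-sd unit. If local overrides of the service account are meant to work under systemd as they do under sysvinit, that difference should be resolved or stated in the patch description.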