Bug#927395: Do not touch(1) update-exim4.conf.conf for no good reason
Marc Haber
mh+debian.packages at zugschlus.de
Mon Apr 22 19:00:26 BST 2019
severity #927395 wishlist
thanks
On Thu, Apr 18, 2019 at 09:44:05PM +0800, 積丹尼 Dan Jacobson wrote:
> $ cat /var/log/apt/history.log
> Start-Date: 2019-04-18 01:32:49
> Upgrade: exim4-base:amd64 (4.92-5, 4.92-6), openssl:amd64 (1.1.1b-1, 1.1.1b-2), unicode-data:amd64 (12.0.0-1, 12.1.0~pre1-1), exim4-daemon-light:amd64 (4.92-5, 4.92-6), rsyslog:amd64 (8.1903.0-4, 8.1904.0-1), exim4-config:amd64 (4.92-5, 4.92-6), exim4:amd64 (4.92-5, 4.92-6), libssl1.1:amd64 (1.1.1b-1, 1.1.1b-2), libfaad2:amd64 (2.8.8-1, 2.8.8-2)
> End-Date: 2019-04-18 01:32:56
>
> some process did a touch(1) or otherwise changing
> $ stat /etc/exim4/update-exim4.conf.conf
> File: /etc/exim4/update-exim4.conf.conf
> Size: 1154 Blocks: 8 IO Block: 4096 regular file
> Device: 803h/2051d Inode: 524387 Links: 1
> Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
> Modify: 2019-04-18 01:32:53.473019451 +0800 <------------THIS
> Change: 2019-04-18 01:32:53.477019558 +0800
This is probably the debconf-driven generation of ue4cc that happens
during package upgrades. Things have always been that way, and I bet
that a hundred other packages do the same thing. The file belongs to the
package and IMO it is ok to expect that a file that belongs to a
package changes during an update.
To avoid this, one would need to write the output to
update.exim4.conf.conf.temp, compare checksums and only move the temp
file to the real file if they are different. This probably opens the
possibility of five insecure temp file name, cruft left around bugs and
in addition a bunch of nice race conditions. I am unsure whether this is
really worth the trouble.
> causing alarm bells to ring on my homebrew security system.
Local problem ;-) lowering severity.
> (Plus I bet it is a policy violation.)
citation needed
Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany | lose things." Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature | How to make an American Quilt | Fax: *49 6224 1600421
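
The write-to-temp, compare, rename sequence described in the message above, written so that it covers the temp-file-name, leftover-cruft and race concerns it raises. This is an added example, not part of the original message and not code from the exim4 packaging; `install_if_changed` is a hypothetical helper name and the 0644 mode is taken from the stat output quoted above.

```shell
#!/bin/sh
# Added example, not exim4-config code. install_if_changed is a hypothetical name.
# Usage: generator | install_if_changed /etc/exim4/update-exim4.conf.conf
# Exit status: 0 = target replaced, 1 = identical (target untouched), 2 = error.
install_if_changed() (
    target=$1
    dir=$(dirname -- "$target")
    base=$(basename -- "$target")

    # mktemp opens with O_EXCL, mode 0600 and a random suffix: no predictable
    # name to pre-create or symlink. Same directory, so the rename below never
    # crosses a filesystem and stays atomic.
    tmp=$(mktemp "$dir/.$base.XXXXXX") || exit 2

    # Cruft control: the staged file is removed on every exit path,
    # including interruption by a signal.
    trap 'rm -f -- "$tmp"' EXIT
    trap 'exit 2' HUP INT TERM

    cat > "$tmp" || exit 2              # stage the generator output from stdin

    # Identical content: leave inode, mtime and ctime of the target alone.
    if [ -f "$target" ] && cmp -s -- "$tmp" "$target"; then
        exit 1
    fi

    # 0644 is the mode shown in the stat output quoted in the message.
    chmod 0644 "$tmp" || exit 2

    # rename(2) swaps the file in one step; readers see the old or the new
    # content, never a partial write. Concurrent runs race only on who renames
    # last, and either result is a complete file.
    mv -f -- "$tmp" "$target" || exit 2
    exit 0
)
```

The function body is a subshell, so its variables and traps do not leak into the calling maintainer script.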