[Pkg-nagios-devel] Bug#361956: nagios2-common: postinstall script uses unconditional chmod/chown, breaking any dpkg-statoverride

Heiko Schlittermann hs at schlittermann.de
Tue Apr 11 12:35:09 UTC 2006


Package: nagios2-common
Version: 2.1-1
Severity: serious
Tags: patch
Justification: Policy 10.9.1

As stated in the subject: the postinst script calls chmod/chown
unconditionally.  If the local admin changes permissions using
dpkg-statoverride, those local changes are not respected.

-- System Information:
Debian Release: testing/unstable
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.16.jumper
Locale: LANG=C, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
-------------- next part --------------
diff -ruN nagios2-2.1/debian/lintian/overrides/nagios2-common nagios2-2.hs/debian/lintian/overrides/nagios2-common
--- nagios2-2.1/debian/lintian/overrides/nagios2-common	2006-04-11 14:15:11.000000000 +0200
+++ nagios2-2.hs/debian/lintian/overrides/nagios2-common	1970-01-01 01:00:00.000000000 +0100
@@ -1 +0,0 @@
-non-standard-file-perm etc/nagios2/resource.cfg 0600 != 0644
diff -ruN nagios2-2.1/debian/nagios2-common.install nagios2-2.hs/debian/nagios2-common.install
--- nagios2-2.1/debian/nagios2-common.install	2006-04-11 14:15:11.000000000 +0200
+++ nagios2-2.hs/debian/nagios2-common.install	2006-04-11 14:09:30.000000000 +0200
@@ -5,6 +5,5 @@
 sample-config/template-object/README /usr/share/doc/nagios2-common/examples/template-object
 sample-config/template-object/*.cfg /usr/share/doc/nagios2-common/examples/template-object
 debian/httpd.webapps-common /usr/share/nagios2/debian
-debian/lintian/overrides/nagios2-common usr/share/lintian/overrides
 debian/gateway.cfg usr/share/nagios2/debian
 debian/extcommands.cfg usr/share/nagios2/debian
diff -ruN nagios2-2.1/debian/nagios2-common.postinst nagios2-2.hs/debian/nagios2-common.postinst
--- nagios2-2.1/debian/nagios2-common.postinst	2006-04-11 14:15:11.000000000 +0200
+++ nagios2-2.hs/debian/nagios2-common.postinst	2006-04-11 11:48:57.000000000 +0200
@@ -20,6 +20,16 @@
 # location of the default htpasswd authentication file.
 htpw=$en/htpasswd.users
 
+# useful functions
+setperm() {
+    local user="$1"; shift
+    local group="$1"; shift
+    local mode="$1"; shift
+    local file="$1"; shift
+    dpkg-statoverride --list "$file" >/dev/null && return 0
+    dpkg-statoverride --update --add "$user" "$group" "$mode" "$file"
+}
+
 case "$1" in
   configure)
     if ! getent passwd nagios > /dev/null ; then
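Review bot: setperm has no comment stating its contract, and the early exit in `dpkg-statoverride --list "$file" >/dev/null && return 0` returns success without touching the path whenever an override is already registered. The function therefore guarantees "an override exists", not "the path has this owner and mode", which matters for callers that rely on it to lock down a credentials file. I would add a header such as `# setperm USER GROUP MODE PATH: register and apply a statoverride unless one already exists; an existing override wins and the path is left untouched`. The `case` block that calls it continues outside this hunk.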
@@ -76,14 +86,15 @@
 
 	# explicitly set permissions on some files that are dependent
 	# on the uid/gid of the nagios user, which is dynamically created.
-	chown root:nagios $en/resource.cfg
-	chmod 640 $en/resource.cfg
-    install -d -onagios -gadm -m2751 /var/log/nagios2
-    install -d -onagios -gnagios -m750 /var/run/nagios2
-    install -d -onagios -gnagios -m750 /var/lib/nagios2
-	# chown instead of install to preserve permission bits
-	chown nagios /var/lib/nagios2/rw
-    install -d -onagios -gwww-data -m2750 /var/cache/nagios2
+	# .hs
+	# Do not forget to remove these statoverrides when purging the
+	# package!
+	setperm root nagios 0640 $en/resource.cfg
+	setperm nagios adm 2751 /var/log/nagios2
+	setperm nagios nagios 0750 /var/run/nagios2
+	setperm nagios nagios 0750 /var/lib/nagios2
+	setperm nagios www-data 02750 /var/cache/nagios2
+	setperm nagios www-data 0700 /var/lib/nagios2/rw
 
 	# everything went well, so now let's reset the password
 	db_set nagios2/adminpassword ""
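Review bot: The removed `install -d` lines created /var/log/nagios2, /var/run/nagios2, /var/lib/nagios2 and /var/cache/nagios2 when they were missing, while the new `setperm` calls only register an override and, through `--update`, change a path that already exists. If any of these directories is not shipped in the package or has been deleted (not visible from this hunk), it is no longer created here and may later be created with whatever owner and umask the creating process has. A creation step before the calls, e.g. `mkdir -p /var/log/nagios2 /var/run/nagios2 /var/lib/nagios2 /var/cache/nagios2`, would keep the old guarantee. `$en/resource.cfg` should also be quoted as `"$en/resource.cfg"`. The enclosing `configure)` branch starts and ends outside this hunk.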
diff -ruN nagios2-2.1/debian/nagios2-common.postrm nagios2-2.hs/debian/nagios2-common.postrm
--- nagios2-2.1/debian/nagios2-common.postrm	2006-04-11 14:15:11.000000000 +0200
+++ nagios2-2.hs/debian/nagios2-common.postrm	2006-04-11 11:50:02.000000000 +0200
@@ -13,6 +13,13 @@
 	ucf --purge /etc/nagios2/apache2.conf
 	ucf --purge /etc/nagios2/conf.d/host-gateway_nagios2.cfg
 	#ucf --purge /etc/nagios2/conf.d/extcommands_nagios2.cfg
+
+	dpkg-statoverride --force --remove /etc/nagios2/resource.cfg
+	dpkg-statoverride --force --remove /var/log/nagios2
+	dpkg-statoverride --force --remove /var/run/nagios2
+	dpkg-statoverride --force --remove /var/lib/nagios2
+	dpkg-statoverride --force --remove /var/cache/nagios2
+	dpkg-statoverride --force --remove /var/lib/nagios2/rw
     ;;
 esac
 
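Review bot: The six `dpkg-statoverride --force --remove` lines drop every override on these paths, including one the admin registered, because setperm in the postinst skips paths that already have an override and the two kinds cannot be told apart afterwards. `--force` also turns failed sanity checks into warnings, so a real error in this step would go unnoticed. I would loop over the paths and guard each removal, `if dpkg-statoverride --list "$f" >/dev/null 2>&1; then dpkg-statoverride --remove "$f"; fi`, and keep the path list in one place so it cannot drift from the postinst. The surrounding context suggests this is the purge branch, but the `case` arm starts outside the hunk.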
diff -ruN nagios2-2.1/debian/rules nagios2-2.hs/debian/rules
--- nagios2-2.1/debian/rules	2006-04-11 14:15:11.000000000 +0200
+++ nagios2-2.hs/debian/rules	2006-04-11 14:12:23.000000000 +0200
@@ -137,10 +137,9 @@
 	# remove empty directory
 	rmdir --ignore-fail-on-non-empty -p $b/nagios2/var/lib/nagios2/archives
 	# set up /var/cache/nagios2 for access by www-data
-	chgrp www-data ${bnc}/var/cache/nagios2
-	chmod g+s ${bnc}/var/cache/nagios2
-	chown root:www-data ${bnc}/var/lib/nagios2/rw
-	chmod 700 ${bnc}/var/lib/nagios2/rw
+	# Permissions are set in postinstall using dpkg-statoverride
+	# for following parts: /var/cache/nagios2
+	#                      /var/lib/nagios2/rw
 	# alter some installed filenames/locations
 	mv ${b}/nagios2/usr/sbin/nagios ${b}/nagios2/usr/sbin/nagios2
 	mv ${b}/nagios2/usr/sbin/nagiostats ${b}/nagios2/usr/sbin/nagios2stats
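Review bot: Dropping `chmod 700 ${bnc}/var/lib/nagios2/rw` and the setgid/group setup here means the package now ships these directories with default build-time modes, and the later hunk that removes `-Xnagios2/resource.cfg` from `dh_fixperms` presumably lets resource.cfg be normalised to 0644 as well. On a first install no override is registered yet, so between unpack and a successful postinst `configure` (or indefinitely if the postinst fails earlier) the paths are more permissive than before. Keeping the restrictive modes in the package, i.e. retaining `chmod 700 ${bnc}/var/lib/nagios2/rw` and `dh_fixperms -i -Xnagios2/resource.cfg`, and leaving only the uid/gid-dependent ownership to the postinst would close that window. The build target these lines belong to starts and ends outside the hunk.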
@@ -181,7 +180,7 @@
 	# XXX some stuff below here is commented out
 	#install -m 755 cgi/grouplist.cgi.in debian/$@/usr/lib/cgi-bin/nagios/grouplist.cgi
 	dh_compress          -i
-	dh_fixperms          -i -Xnagios2/resource.cfg
+	dh_fixperms          -i 
 	dh_installdebconf    -i
 	dh_installdeb        -i
 	dh_gencontrol        -i

