Bug#361956: [Pkg-nagios-devel] Bug#361956: nagios2-common: postinstall script uses unconditional chmod/chown, breaking any dpkg-statoverride

Heiko Schlittermann hs at schlittermann.de
Tue Apr 11 15:07:58 UTC 2006

Marc Haber <mh+debian-packages at zugschlus.de> (Di 11 Apr 2006 16:16:53 CEST):
> On Tue, Apr 11, 2006 at 02:35:09PM +0200, Heiko Schlittermann wrote:
> > As stated in the subject -- the postinstall uses unconditionally
> > chmod/chown.  If the local admin tries to change permissions using
> > dpkg-statoverride, these local changes are not respected.
> > +# useful functions
> > +setperm() {
> > +    local user="$1"; shift
> > +    local group="$1"; shift
> > +    local mode="$1"; shift
> > +    local file="$1"; shift
> > +    dpkg-statoverride --list "$file" >/dev/null && return 0
> > +    dpkg-statoverride --update --add "$user" "$group" "$mode" "$file"
> > +}
> The maintainer script adding the statoverride does not seem to be
> policy compliant to me. We are not to touch the dpkg-statoverride
> database.

What about the policy manual 10.9.1?

    Given the above, dpkg-statoverride is essentially a tool for system
    administrators and would not normally be needed in the maintainer scripts.
    There is one type of situation, though, where calls to dpkg-statoverride would
    be needed in the maintainer scripts, and that involves packages which use
    dynamically allocated user or group ids. In such a situation, something like
    the following idiom can be very helpful in the package's postinst, where
    sysuser is a dynamically allocated id:


Of course, both (not touching the statoverride data base - and - using
statoverride for fixing the permissions) have their pro & con.

Pro using statoverride:
    o it's clean interface
    o admin is able to see all permissions different from
        root:root 0755/0644
    o easy way to recover lost permissions of packaged files


    o probably huge data base of statoverrides

    o more steps for admin to change the permissions of 
      statoverridden files (as statoverride only changes
      the permissions during '--add', and the files are added
      already during package installation)

      (May be a new version of statoverride could solve it:
        dpkg-statoverride --update --list <pattern>)

    Best regards from Dresden
    Viele Grüße aus Dresden
    Heiko Schlittermann
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann HS12-RIPE -----------------------------------------
 gnupg encrypted messages are welcome - key ID: 48D0359B ---------------
 gnupg fingerprint: 3061 CFBF 2D88 F034 E8D2  7E92 EE4E AC98 48D0 359B -

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 191 bytes
Desc: Digital signature
Url : http://lists.alioth.debian.org/pipermail/pkg-nagios-devel/attachments/20060411/819d1891/attachment.pgp

More information about the Pkg-nagios-devel mailing list