[Pkg-net-snmp-devel] Bug#610630: snmpd upgrade unnecessarily removes and re-adds user and group.

Dameon Wagner d.wagner at ru.ac.za
Thu Jan 20 14:16:29 UTC 2011


Package: snmpd
Version: 5.4.3~dfsg-2
Severity: normal

Upgrading snmpd (and possibly snmp also) from lenny to squeeze appears
to remove any existing snmp user and group, and recreate them.  In our
case this ultimately meant that the UID and GID of the snmp user and
group changed, which affected some of our automated scripts, but also
caused rkhunter to report warnings due to changes in /etc/passwd and
/etc/group.

I don't think that there is _any_ need for this to hold up squeeze,
and may only cause issues in specific environments (and therefore a
small number of cases), but I do think it's a bug as it negatively
impacted our environment (albeit, only in a minor way).

Looking into the dpkg scripts that run, my guess is that the issue is
from /var/lib/dpkg/info/snmpd.postinst.

I realise that one of the new features in squeeze is that the
package now configures an snmp group, rather than using "nogroup",
and this has to be managed on upgrading the package, but I'm not sure
I understand the logic in the postinst script.

To me, and confirmed by my simple tests, the relevant steps in the
script do the following (comments added to explain what I think is
happening, in case I may have my reasoning wrong):

#---8<-----------------------------------------------------------------

# Check if an snmp group exists
if [ ! `getent group snmp >/dev/null` ]; then
        # A snmp group does exist, delete the snmp user, which
        # removes the existing group too.
        deluser --quiet --system snmp
fi
# (Re)create an snmp user, with primary group
adduser --quiet --system --group --no-create-home --home /var/lib/snmp snmp
# Assign file-system permissions as necessary
chown -R snmp:snmp /var/lib/snmp

#---8<-----------------------------------------------------------------

My question is, if the snmp group already exists, why delete the user
and re-create it?  Normally this shouldn't be an issue, as in some
cases dropping and creating users/groups will be idempotent -- they'll
end up with the same UID/GID as they previously had.

However, it seems that if there are "holes" in the sequence of lowest
available UID/GID adduser will fill in the gap, which results in the
UID/GID changing, which in hand may affect something else on the
system that sits outside the scope of the upgrade script.

I've attached a patch which should do the trick.  I'm not sure if the
last else clause of the patch is necessary, but should keep things in
line with the aim of the initial script, without the issue of changing
UID/GID numbers around. (The comments are just to explain my thinking,
feel free to remove them).

Thanks for your time.

Dameon

--
><> ><> ><> ><> ><> ><> ooOoo <>< <>< <>< <>< <>< <><
Dr. Dameon Wagner,
Lead System Administrator and Senior ICT Specialist,
Depts. of Computer Science & Information Systems,
Rhodes University, Grahamstown, South Africa.
:Beta tester for Pegasus & Mercury/32 (www.pmail.com):
><> ><> ><> ><> ><> ><> ooOoo <>< <>< <>< <>< <>< <><

-- System Information:
Debian Release: 6.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_ZA.UTF-8, LC_CTYPE=en_ZA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages snmpd depends on:
ii  adduser                 3.112+nmu2       add and remove users and groups
ii  debconf [debconf-2.0]   1.5.36           Debian configuration management sy
ii  libc6                   2.11.2-7         Embedded GNU C Library: Shared lib
ii  libsnmp15               5.4.3~dfsg-2     SNMP (Simple Network Management Pr
ii  libwrap0                7.6.q-19         Wietse Venema's TCP wrappers libra
ii  lsb-base                3.2-23.2squeeze1 Linux Standard Base 3.2 init scrip

snmpd recommends no packages.

snmpd suggests no packages.

-- Configuration Files:
/etc/snmp/snmpd.conf [Errno 13] Permission denied:
u'/etc/snmp/snmpd.conf'
/etc/snmp/snmptrapd.conf [Errno 13] Permission denied:
u'/etc/snmp/snmptrapd.conf'

-- debconf information:
  snmpd/upgradefrom521:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: snmpd.postinst.patch
Type: text/x-diff
Size: 1084 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-net-snmp-devel/attachments/20110120/7915815f/attachment.patch>
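
Added example (not part of the original message, the attached patch, or the Debian package): a POSIX sh sketch of why the test quoted in the report takes the delete branch whether or not the group exists, and how that moves the id once a lower one is free. The lookup stub, the id list and the lowest-free-id allocation model are constructed assumptions; no real accounts are touched.

```shell
#!/bin/sh
# Constructed stand-in for `getent group snmp`: prints an entry and returns 0
# when $1 is "present", prints nothing and returns 2 otherwise.
lookup() {
    if [ "$1" = present ]; then echo "snmp:x:104:"; return 0; fi
    return 2
}

# The test as quoted in the report: the backticks capture stdout, which is
# redirected away, so the shell evaluates `[ ! ]` (one non-empty argument,
# always true) regardless of whether the group exists.
quoted_check() {
    if [ ! `lookup "$1" >/dev/null` ]; then echo delete; else echo keep; fi
}

# Branching on the exit status instead distinguishes the two cases.
status_check() {
    if lookup "$1" >/dev/null; then echo keep; else echo create; fi
}

# Lowest unused id in 100..999 given a space-separated list of used ids
# (assumed model of the gap-filling allocation the report describes).
first_free_id() {
    id=100
    while [ "$id" -le 999 ]; do
        case " $1 " in *" $id "*) ;; *) echo "$id"; return 0 ;; esac
        id=$((id + 1))
    done
    return 1
}

# Constructed system: ids 100, 101, 103 in use by others, snmp holds 104,
# and 102 is a hole left by a removed account.
OTHERS="100 101 103"
SNMP_ID=104

# Resulting snmp id after an upgrade driven by the given check function.
id_after_upgrade() {
    case "$("$1" present)" in
        delete) first_free_id "$OTHERS" ;;   # removed, then re-added
        *)      echo "$SNMP_ID" ;;           # account left untouched
    esac
}

echo "quoted test: $(quoted_check present) -> id $(id_after_upgrade quoted_check)"
echo "status test: $(status_check present) -> id $(id_after_upgrade status_check)"
```

On a real system, comparing the output of `getent passwd snmp` and `getent group snmp` before and after the upgrade shows whether the ids moved, and `find / -xdev -nouser -o -nogroup` lists files left owned by the old numeric ids.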

