Bug 258365

Summary: security/logcheck: incorrect permissions on /usr/local/etc/logcheck
Product: Ports & Packages
Reporter: Dan Langille <dvl>
Component: Individual Port(s)
Assignee: freebsd-ports-bugs (Nobody) <ports-bugs>
Status: Closed FIXED
Severity: Affects Some People
CC: lwhsu, yasu
Priority: ---
Flags: bugzilla: maintainer-feedback? (yasu)
Version: Latest   
Hardware: Any   
OS: Any   
Bug Depends on: 257980    
Bug Blocks:    
Attachments:
Description: set permissions on ETCDIR and subdirectories
Flags: none

Description Dan Langille freebsd_committer freebsd_triage 2021-09-08 12:38:21 UTC
This affects new installs only. It does not affect existing installs which are upgraded.

The problem: missing chgrp on /usr/local/etc/logcheck and several subdirectories

When logcheck runs, the errors are:

ls: /usr/local/etc/logcheck/cracking.d: Permission denied
ls: /usr/local/etc/logcheck/violations.d: Permission denied
ls: /usr/local/etc/logcheck/violations.ignore.d: Permission denied
ls: /usr/local/etc/logcheck/ignore.d.server: Permission denied
ls: /usr/local/etc/logcheck/ignore.d.paranoid: Permission denied

Looking in the directory, we find:

[root@nginx01:/usr/local/etc/logcheck] $ ls -l
total 122
drwxr-x---  2 root  wheel        8 Sep  8 12:24 cracking.d
drwxr-x---  2 root  wheel       17 Sep  8 12:24 ignore.d.paranoid
drwxr-x---  2 root  wheel      141 Sep  8 12:24 ignore.d.server
drwxr-x---  2 root  wheel       38 Sep  8 12:24 ignore.d.workstation
-rw-r-----  1 root  logcheck  1121 Sep  7 21:07 logcheck.conf
-rw-r--r--  1 root  logcheck  3092 Aug 10 04:34 logcheck.conf.sample
-rw-r-----  1 root  logcheck   150 Sep  7 21:07 logcheck.logfiles
-rw-r--r--  1 root  logcheck   133 Aug 10 04:34 logcheck.logfiles.sample
drwxr-x---  2 root  wheel        7 Sep  8 12:24 violations.d
drwxr-x---  2 root  wheel        5 Sep  8 12:24 violations.ignore.d


Also:

[root@nginx01:/usr/local/etc/logcheck] $ ls -ld .
drwxr-xr-x  8 root  wheel  12 Sep  8 12:24 .

Looking at the port, I cannot find the cause yet.
Comment 1 Dan Langille freebsd_committer freebsd_triage 2021-09-08 13:00:28 UTC
Created attachment 227760
set permissions on ETCDIR and subdirectories

I think I understand. This line in pkg-plist affects only items which fall between it and the next @group command:

@group %%LOGCHECK_GROUP%%

Therefore, it does not affect the directories in question.

Adding this to the end of pkg-plist fixes those directories:

@postexec %%FIND%% %%PREFIX%%/%%ETCDIR%%/* -type d -exec %%CHGRP%% logcheck {} +

This fixes the ETCDIR permissions:

@dir(%%LOGCHECK_USER%%,%%LOGCHECK_GROUP%%,) %%RUNDIR%%
Comment 2 Dan Langille freebsd_committer freebsd_triage 2021-09-08 13:08:36 UTC
This will fix broken installs:

* cd /usr/local/etc/logcheck
* chgrp logcheck . cracking.d ignore.d.paranoid ignore.d.server ignore.d.workstation violations.d violations.ignore.d
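
A check for the condition reported in this bug, as an added example that is not part of the bug report or the port: it lists directories under a config tree that are not owned by the expected group, or whose mode denies that group read and search access. The function name `audit_group_dirs` is hypothetical; the path and group in the usage comment are the ones from this report.

```shell
#!/bin/sh
# Added example (not from the port). Audits a config tree for directories
# that are not owned by the expected group, or whose mode denies that group
# read+search access.
#
# Usage: sh audit.sh /usr/local/etc/logcheck logcheck

# audit_group_dirs DIR GROUP
# Prints "<path> group=<g> mode=<m>" for each offending directory.
# Returns 0 if the tree is clean, 1 otherwise.
audit_group_dirs() {
    dir=$1
    want=$2
    # ls -ld is parsed instead of stat(1), whose format flags differ
    # between FreeBSD and Linux. Assumes group names without spaces.
    report=$(find "$dir" -type d | while IFS= read -r d; do
        line=$(ls -ld "$d")
        mode=${line%% *}
        group=$(printf '%s\n' "$line" | awk '{print $4}')
        gbits=$(printf '%s' "$mode" | cut -c5-7)
        case $gbits in
            r?[xs]) readable=yes ;;   # group may list and enter
            *)      readable=no ;;
        esac
        if [ "$group" != "$want" ] || [ "$readable" = no ]; then
            printf '%s group=%s mode=%s\n' "$d" "$group" "$mode"
        fi
    done)
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Run the audit only when a directory and a group are given as arguments.
if [ "$#" -ge 2 ]; then
    audit_group_dirs "$1" "$2"
fi
```

A non-zero exit status means at least one directory needs the `chgrp` (or a mode change) before the group can read it.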
Comment 3 Yasuhiro Kimura freebsd_committer freebsd_triage 2021-09-18 07:41:20 UTC
Sorry for breakage. Patch submitted as bug #257980 will fix the problem.
Comment 4 Dan Langille freebsd_committer freebsd_triage 2021-09-19 15:35:12 UTC
Solved via the above-mentioned ticket. Thank you.