Summary: | security/tripwire clobbers config files on install | ||
---|---|---|---|
Product: | Ports & Packages | Reporter: | Lupe Christoph <lupe> |
Component: | Individual Port(s) | Assignee: | Cy Schubert <cy> |
Status: | Closed FIXED | ||
Severity: | Affects Only Me | ||
Priority: | Normal | ||
Version: | Latest | ||
Hardware: | Any | ||
OS: | Any |
Description
Lupe Christoph
2005-08-20 14:00:27 UTC
Responsible Changed From-To: freebsd-ports-bugs->cy

Over to maintainer.

The policy file (twpol.txt) is not overwritten however a new copy of the configuration file (tw.cfg) is generated from values defined in the port's makefile and from the install.cfg file. I believe the proper solution would be to use a dialogue to get preferences from the user at build time and store them in the /var/db/ports directory (FreeBSD standard). In regards to the policy file, this is not currently a problem. If no comments regarding this are received, I will assume that everyone is in agreement and will proceed with the proposal.

Cheers,
Cy Schubert <Cy.Schubert@komquats.com>
Web: http://www.komquats.com and http://www.bcbodybuilder.com
FreeBSD UNIX: <cy@FreeBSD.org> Web: http://www.FreeBSD.org
BC Government: <Cy.Schubert@gov.bc.ca>
"Lift long enough and I believe arrogance is replaced by humility and fear by courage and selfishness by generosity and rudeness by compassion and caring." -- Dave Draper

State Changed From-To: open->feedback

Awaiting a reply from the originator.

On Friday, 2005-09-16 at 13:43:08 -0700, Cy Schubert wrote:

> The policy file (twpol.txt) is not overwritten however a new copy of
> the configuration file (tw.cfg) is generated from values defined in the
> port's makefile and from the install.cfg file. I believe the proper
> solution would be to use a dialogue to get preferences from the user at
> build time and store them in the /var/db/ports directory (FreeBSD
> standard). In regards to the policy file, this is not currently a problem.
> If no comments regarding this are received, I will assume that everyone is
> in agreement and will proceed with the proposal.

You have my blessings ;-) Yes, this sounds reasonable.

Lupe Christoph
--
| You know we're sitting on four million pounds of fuel, one nuclear |
| weapon and a thing that has 270,000 moving parts built by the lowest |
| bidder. Makes you feel good, doesn't it? |
| Rockhound in "Armageddon", 1998, about the Space Shuttle |

State Changed From-To: feedback->closed

The install/install.sh script in 2.3.1-2 and the contrib/install.sh script in the recently committed 2.4.0.1 port will not clobber existing config files unless CLOBBER is set. The port only sets CLOBBER if the user specifies the TRIPWIRE_CLOBBER option to the port.

In message <20060220070753.GB10609@lupe-christoph.de>, Lupe Christoph writes:

> On Sunday, 2006-02-19 at 20:47:51 +0000, Cy Schubert wrote:
> > Synopsis: security/tripwire clobbers config files on install
>
> > State-Changed-From-To: feedback->closed
> > State-Changed-By: cy
> > State-Changed-When: Sun Feb 19 20:45:26 UTC 2006
> > State-Changed-Why:
> > The install/install.sh script in 2.3.1-2 and the contrib/install.sh script
> > in the recently committed 2.4.0.1 port will not clobber existing config
> > files unless CLOBBER is set. The port only sets CLOBBER if the user
> > specifies the TRIPWIRE_CLOBBER option to the port.
>
> > http://www.freebsd.org/cgi/query-pr.cgi?pr=85155
> --- Also sprach Cy Schubert ---
>
> I'm afraid this is not true. Please reopen this PR.
>
> This is the ls -l of the files before a "make install":
>
> -rw-r----- 1 root wheel 931 Aug 24 2002 janus.rfc.octogon.de-local.key
> -rw-r----- 1 root wheel 931 Aug 24 2002 site.key
> -rw-r----- 1 root wheel 4586 Feb 19 08:20 tw.cfg
> -rw-r----- 1 root wheel 4586 Jun 12 2004 tw.cfg.59753.bak
> -rw-r----- 1 root wheel 4586 Nov 21 07:36 tw.cfg.79018.bak
> -rw-r----- 1 root wheel 8287 Feb 19 08:20 tw.pol
> -rw-r----- 1 root wheel 8287 Jan 1 2005 tw.pol.59753.bak
> -rw-r----- 1 root wheel 8287 Nov 21 07:36 tw.pol.79018.bak
> -rw-r----- 1 root wheel 532 Feb 19 08:20 twcfg.txt
> -rw-r----- 1 root wheel 25077 Feb 19 08:20 twpol.txt
> -rw-r----- 1 root wheel 20837 Jun 12 2004 twpol.txt.orig
>
> "make install" says (excerpts):
>
> This program will copy Tripwire files to the following directories:
>
> TWBIN: /usr/local/sbin
> TWMAN: /usr/local/man
> TWPOLICY: /usr/local/etc/tripwire
> TWREPORT: /var/db/tripwire/report
> TWDB: /var/db/tripwire
> TWSITEKEYDIR: /usr/local/etc/tripwire
> TWLOCALKEYDIR: /usr/local/etc/tripwire
>
> CLOBBER is false.
>
> Continue with installation? [y/n] y
>
> Generating Tripwire configuration file...
>
>
> A clear-text version of the Tripwire configuration file
> /usr/local/etc/tripwire/twcfg.txt
> has been preserved for your inspection. It is recommended
> that you delete this file manually after you have examined it.
>
> Customizing default policy file...
>
> A clear-text version of the Tripwire policy file
> /usr/local/etc/tripwire/twpol.txt
> has been preserved for your inspection. This implements
> a minimal policy, intended only to test essential
> Tripwire functionality. You should edit the policy file
> to describe your system, and then use twadmin to generate
> a new signed copy of the Tripwire policy.
>
> And after the installation:
>
> -rw-r----- 1 root wheel 931 Aug 24 2002 janus.rfc.octogon.de-local.key
> -rw-r----- 1 root wheel 931 Aug 24 2002 site.key
> -rw-r----- 1 root wheel 4586 Feb 20 08:01 tw.cfg
> -rw-r----- 1 root wheel 4586 Jun 12 2004 tw.cfg.59753.bak
> -rw-r----- 1 root wheel 4586 Nov 21 07:36 tw.cfg.79018.bak
> -rw-r----- 1 root wheel 4586 Feb 19 08:20 tw.cfg.94748.bak
> -rw-r----- 1 root wheel 8287 Feb 20 08:01 tw.pol
> -rw-r----- 1 root wheel 8287 Jan 1 2005 tw.pol.59753.bak
> -rw-r----- 1 root wheel 8287 Nov 21 07:36 tw.pol.79018.bak
> -rw-r----- 1 root wheel 8287 Feb 19 08:20 tw.pol.94748.bak
> -rw-r----- 1 root wheel 532 Feb 20 08:01 twcfg.txt
> -rw-r----- 1 root wheel 17946 Feb 20 08:01 twpol.txt
> -rw-r----- 1 root wheel 25077 Feb 20 08:01 twpol.txt.bak
> -rw-r----- 1 root wheel 20837 Jun 12 2004 twpol.txt.orig
>
> Both twcfg.txt and twpol.txt have been overwritten, twcfg.txt without
> even a backup. Fortunately I use the defaults...
>
> It does not seem that calling install.sh without -f does accomplish what
> you intended.
>
> Thanks for your efforts, please try again ;-)

This is what I get: twpol.txt and twcfg.txt are the same. The timestamps have changed but the contents have not. I would have noticed a difference as my twpol and twcfg are heavily customised. The customisations remain after an install/reinstall. The binary database files and the binary twpol and twcfg files are rebuilt, however using whatever twpol.txt and twcfg.txt files were there before the install.

In summary, you're seeing the timestamps change but not noticing that the contents of the files remain the same.

Following is output from my testing. Towards the end of all the output you will see a dircmp -s which reports that the files are different which indeed their timestamps are but doing a diff comparing the old and new files we see that the text files are the same. Whether the binary files are rebuilt is irrelevant. The files are the same.
See the bottom of all this output.

```
gmake[2]: Leaving directory `/export/local-ports/cvs-ports/ports/security/tripwire/work/tripwire-2.4.0.1'
gmake[1]: Leaving directory `/export/local-ports/cvs-ports/ports/security/tripwire/work/tripwire-2.4.0.1'

Installer program for:
Tripwire(R) 2.3 Open Source

Copyright (C) 1998-2000 Tripwire (R) Security Systems, Inc. Tripwire (R)
is a registered trademark of the Purdue Research Foundation and is
licensed exclusively to Tripwire (R) Security Systems, Inc.

LICENSE AGREEMENT for Tripwire(R) 2.3 Open Source

Please read the following license agreement. You must accept the
agreement to continue installing Tripwire.

Press ENTER to view the License Agreement.

GNU GENERAL PUBLIC LICENSE
Version 2, June 1991

Copyright (C) 1989, 1991 Free Software Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.

Preamble

The licenses for most software are designed to take away your
freedom to share and change it. By contrast, the GNU General Public
License is intended to guarantee your freedom to share and change free
software--to make sure the software is free for all its users. This
General Public License applies to most of the Free Software
Foundation's software and to any other program whose authors commit to
using it. (Some other Free Software Foundation software is covered by
the GNU Library General Public License instead.) You can apply it to
your programs, too.

When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for

Please type "accept" to indicate your acceptance of this license agreement. [do not accept] accept

Using configuration file ./install/install.cfg

Checking for programs specified in install configuration file....

/usr/sbin/sendmail exists. Continuing installation.

/usr/bin/vi exists. Continuing installation.

----------------------------------------------
Verifying existence of binaries...

./bin/siggen found
./bin/tripwire found
./bin/twprint found
./bin/twadmin found

This program will copy Tripwire files to the following directories:

TWBIN: /usr/local/sbin
TWMAN: /usr/local/man
TWPOLICY: /usr/local/etc/tripwire
TWREPORT: /var/db/tripwire/report
TWDB: /var/db/tripwire
TWSITEKEYDIR: /usr/local/etc/tripwire
TWLOCALKEYDIR: /usr/local/etc/tripwire

CLOBBER is false.

Continue with installation? [y/n] y

----------------------------------------------
Creating directories...

/usr/local/sbin: already exists
/usr/local/etc/tripwire: already exists
/var/db/tripwire/report: already exists
/var/db/tripwire: already exists
/usr/local/etc/tripwire: already exists
/usr/local/etc/tripwire: already exists
/usr/local/man: already exists
/usr/local/share/doc/tripwire: created

----------------------------------------------
Copying files...

/usr/local/share/doc/tripwire/COPYING: copied
/usr/local/share/doc/tripwire/TRADEMARK: copied
/usr/local/share/doc/tripwire/policyguide.txt: copied
/usr/local/etc/tripwire/twpol-FreeBSD.txt: copied

----------------------------------------------
The Tripwire site and local passphrases are used to
sign a variety of files, such as the configuration,
policy, and database files.

Passphrases should be at least 8 characters in length
and contain both letters and numbers.

See the Tripwire manual for more information.

----------------------------------------------
Creating key files...
The site key file "/usr/local/etc/tripwire/site.key"
exists and will not be overwritten.
The site key file "/usr/local/etc/tripwire/cwsys-local.key"
exists and will not be overwritten.

----------------------------------------------
Generating Tripwire configuration file...

----------------------------------------------
Creating signed configuration file...
Backing up /usr/local/etc/tripwire/tw.cfg
to /usr/local/etc/tripwire/tw.cfg.80144.bak
Please enter your site passphrase:
Wrote configuration file: /usr/local/etc/tripwire/tw.cfg

A clear-text version of the Tripwire configuration file
/usr/local/etc/tripwire/twcfg.txt
has been preserved for your inspection. It is recommended
that you delete this file manually after you have examined it.

----------------------------------------------
Customizing default policy file...

----------------------------------------------
Creating signed policy file...
Backing up /usr/local/etc/tripwire/tw.pol
to /usr/local/etc/tripwire/tw.pol.80144.bak
Please enter your site passphrase:
Wrote policy file: /usr/local/etc/tripwire/tw.pol

A clear-text version of the Tripwire policy file
/usr/local/etc/tripwire/twpol.txt
has been preserved for your inspection. This implements
a minimal policy, intended only to test essential
Tripwire functionality. You should edit the policy file
to describe your system, and then use twadmin to generate
a new signed copy of the Tripwire policy.

----------------------------------------------
The installation succeeded.

Please refer to /usr/local/share/doc/tripwire/
for release information and to the printed user documentation
for further instructions on using Tripwire 2.3 Open Source.

Creating tripwire database
Please enter your local passphrase:
Parsing policy file: /usr/local/etc/tripwire/tw.pol
Generating the database...
*** Processing Unix File System ***
### Warning: File system error.
### Filename: /usr/src/sys/compile
### No such file or directory
### Continuing...
Wrote database file: /var/db/tripwire/cwsys.twd
The database was successfully generated.

The tripwire database, configuration file and policy file are signed
using the local and site keys, therefore according to the support staff
at tripwiresecurity.com, creating a floppy is not necessary.

===> Compressing manual pages for tripwire-2.4.0.1
===> Registering installation for tripwire-2.4.0.1
cwsys# dircmp -s /usr/local/etc/tripwire.old /usr/local/etc/tripwire

Feb 20 08:21 2006 /usr/local/etc/tripwire.old only and /usr/local/etc/tripwire only Page 1

./tw.cfg.80144.bak
./tw.pol.80144.bak

Feb 20 08:21 2006 Comparison of /usr/local/etc/tripwire.old and /usr/local/etc/tripwire Page 1

different ./tw.cfg
different ./tw.pol
different ./twpol.txt.bak
cwsys# ls -l /usr/local/etc/tripwire.old
total 165
-rw-r----- 1 root wheel 931 Apr 12 2005 cwsys-local.key
-rw-r----- 1 root wheel 931 Apr 12 2005 site.key
-rw-r----- 1 root wheel 4586 Feb 16 06:39 tw.cfg
-rw-r----- 1 root wheel 4586 Aug 23 19:00 tw.cfg.13387.bak
-rw-r----- 1 root wheel 4586 Feb 15 11:54 tw.cfg.21997.bak
-rw-r----- 1 root wheel 4586 Aug 9 2005 tw.cfg.37496.bak
-rw-r----- 1 root wheel 4586 Apr 12 2005 tw.cfg.4059.bak
-rw-r----- 1 root wheel 4586 Aug 10 2005 tw.cfg.41047.bak
-rw-r----- 1 root wheel 4586 Aug 10 2005 tw.cfg.4183.bak
-rw-r----- 1 root wheel 4586 Apr 12 2005 tw.cfg.62035.bak
-rw-r----- 1 root wheel 4586 May 10 2005 tw.cfg.82544.bak
-rw-r----- 1 root wheel 8287 Feb 16 06:39 tw.pol
-rw-r----- 1 root wheel 8287 Aug 23 19:00 tw.pol.13387.bak
-rw-r----- 1 root wheel 8287 Feb 15 11:54 tw.pol.21997.bak
-rw-r----- 1 root wheel 8287 Aug 9 2005 tw.pol.37496.bak
-rw-r----- 1 root wheel 8287 Apr 12 2005 tw.pol.4059.bak
-rw-r----- 1 root wheel 8287 Aug 10 2005 tw.pol.41047.bak
-rw-r----- 1 root wheel 8287 Aug 10 2005 tw.pol.4183.bak
-rw-r----- 1 root wheel 8287 Apr 12 2005 tw.pol.62035.bak
-rw-r----- 1 root wheel 8287 May 10 2005 tw.pol.82544.bak
-rw-r----- 1 root wheel 517 Feb 16 06:39 twcfg.txt
-rw-r----- 1 root wheel 17931 Feb 16 06:39 twpol.txt
-rw-r----- 1 root wheel 17815 Feb 16 06:39 twpol.txt.bak
cwsys# ls -l /usr/local/etc/tripwire
total 179
-rw-r----- 1 root wheel 931 Apr 12 2005 cwsys-local.key
-rw-r----- 1 root wheel 931 Apr 12 2005 site.key
-rw-r----- 1 root wheel 4586 Feb 20 07:53 tw.cfg
-rw-r----- 1 root wheel 4586 Aug 23 19:00 tw.cfg.13387.bak
-rw-r----- 1 root wheel 4586 Feb 15 11:54 tw.cfg.21997.bak
-rw-r----- 1 root wheel 4586 Aug 9 2005 tw.cfg.37496.bak
-rw-r----- 1 root wheel 4586 Apr 12 2005 tw.cfg.4059.bak
-rw-r----- 1 root wheel 4586 Aug 10 2005 tw.cfg.41047.bak
-rw-r----- 1 root wheel 4586 Aug 10 2005 tw.cfg.4183.bak
-rw-r----- 1 root wheel 4586 Apr 12 2005 tw.cfg.62035.bak
-rw-r----- 1 root wheel 4586 Feb 16 06:39 tw.cfg.80144.bak
-rw-r----- 1 root wheel 4586 May 10 2005 tw.cfg.82544.bak
-rw-r----- 1 root wheel 8287 Feb 20 07:53 tw.pol
-rw-r----- 1 root wheel 8287 Aug 23 19:00 tw.pol.13387.bak
-rw-r----- 1 root wheel 8287 Feb 15 11:54 tw.pol.21997.bak
-rw-r----- 1 root wheel 8287 Aug 9 2005 tw.pol.37496.bak
-rw-r----- 1 root wheel 8287 Apr 12 2005 tw.pol.4059.bak
-rw-r----- 1 root wheel 8287 Aug 10 2005 tw.pol.41047.bak
-rw-r----- 1 root wheel 8287 Aug 10 2005 tw.pol.4183.bak
-rw-r----- 1 root wheel 8287 Apr 12 2005 tw.pol.62035.bak
-rw-r----- 1 root wheel 8287 Feb 16 06:39 tw.pol.80144.bak
-rw-r----- 1 root wheel 8287 May 10 2005 tw.pol.82544.bak
-rw-r----- 1 root wheel 517 Feb 20 07:53 twcfg.txt
-rw-r----- 1 root wheel 17931 Feb 20 07:53 twpol.txt
-rw-r----- 1 root wheel 17931 Feb 20 07:53 twpol.txt.bak
cwsys# diff -u /usr/local/etc/tripwire.old/twpol.txt /usr/local/etc/tripwire/twpol.txt
cwsys# diff -u /usr/local/etc/tripwire.old/twcfg.txt /usr/local/etc/tripwire/twcfg.txt
cwsys#
```

Cheers,
Cy Schubert <Cy.Schubert@komquats.com>
Web: http://www.komquats.com and http://www.bcbodybuilder.com
FreeBSD UNIX: <cy@FreeBSD.org> Web: http://www.FreeBSD.org
BC Government: <Cy.Schubert@gov.bc.ca>
"Lift long enough and I believe arrogance is replaced by humility and fear by courage and selfishness by generosity and rudeness by compassion and caring." -- Dave Draper

State Changed From-To: closed->feedback

Reopening this PR, as a problem does appear to exist.

Hi all, I think that this problem was solved, thus we can close this PR, right?
--
lippe@FreeBSD.org
Felippe de Meirelles Motta

State Changed From-To: feedback->closed

Submitter requests closure. Not a problem.
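The disagreement in this thread turns on whether a reinstall changed the contents of the config files or only their timestamps. The following is an added example, not part of the PR or the port: it snapshots a directory by content digest before and after an install and reports only files whose bytes differ. The function names and the sample file contents in `demo` are constructed for illustration.

```shell
#!/bin/sh
# digest FILE: print a content hash (sha256sum on Linux, sha256 on FreeBSD).
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | cut -d' ' -f1
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        cksum < "$1" | cut -d' ' -f1    # POSIX fallback: CRC, not a secure hash
    fi
}

# snapshot DIR: print "digest<TAB>name" per regular file (names without tabs/newlines).
snapshot() {
    ( cd "$1" || exit 1
      for f in *; do
          [ -f "$f" ] || continue
          printf '%s\t%s\n' "$(digest "$f")" "$f"
      done )
}

# compare_snapshots BEFORE AFTER: print "added|changed|removed NAME", sorted.
# Files with identical bytes are not reported, whatever their timestamps.
compare_snapshots() {
    awk -F'\t' '
        FILENAME == ARGV[1] { old[$2] = $1; next }
        { seen[$2] = 1
          if (!($2 in old)) print "added " $2
          else if (old[$2] != $1) print "changed " $2 }
        END { for (n in old) if (!(n in seen)) print "removed " n }
    ' "$1" "$2" | sort
}

# demo: constructed stand-in for a reinstall over an existing config directory.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/etc"
    printf 'ROOT =/usr/local/sbin\n' > "$d/etc/twcfg.txt"
    printf '/etc -> $(ReadOnly);\n/home -> $(Dynamic);\n' > "$d/etc/twpol.txt"
    snapshot "$d/etc" > "$d/before"
    printf 'ROOT =/usr/local/sbin\n' > "$d/etc/twcfg.txt"   # rewritten, same bytes
    mv "$d/etc/twpol.txt" "$d/etc/twpol.txt.bak"            # customised copy kept
    printf '/etc -> $(ReadOnly);\n' > "$d/etc/twpol.txt"    # default policy written
    snapshot "$d/etc" > "$d/after"
    compare_snapshots "$d/before" "$d/after"
    rm -rf "$d"
}

demo
```

In the constructed run, twcfg.txt is rewritten with identical bytes and is not reported, while the replaced twpol.txt and its new backup are.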