Bug 85155

Summary: security/tripwire clobbers config files on install
Product: Ports & Packages
Reporter: Lupe Christoph <lupe>
Component: Individual Port(s)
Assignee: Cy Schubert <cy>
Status: Closed FIXED    
Severity: Affects Only Me    
Priority: Normal    
Version: Latest   
Hardware: Any   
OS: Any   

Description Lupe Christoph 2005-08-20 14:00:27 UTC
	"make install" overwrites twcfg.txt and twpol.txt. It should
	only install samples and copy them to the real files if those
	don't yet exist.

How-To-Repeat: 	make install
	edit /usr/local/etc/tripwire*.txt
	make install
Comment 1 Mark Linimon freebsd_committer freebsd_triage 2005-08-22 02:42:15 UTC
Responsible Changed
From-To: freebsd-ports-bugs->cy

Over to maintainer.
Comment 2 Cy Schubert 2005-09-16 21:43:08 UTC
The policy file (twpol.txt) is not overwritten; however, a new copy of 
the configuration file (tw.cfg) is generated from values defined in the 
port's makefile and from the install.cfg file. I believe the proper 
solution would be to use a dialogue to get preferences from the user at 
build time and store them in the /var/db/ports directory (FreeBSD 
standard). In regards to the policy file, this is not currently a problem.

If no comments regarding this are received, I will assume that everyone is 
in agreement and will proceed with the proposal.


Cheers,
Cy Schubert <Cy.Schubert@komquats.com>
Web:  http://www.komquats.com and http://www.bcbodybuilder.com
FreeBSD UNIX:  <cy@FreeBSD.org>   Web:  http://www.FreeBSD.org
BC Government:  <Cy.Schubert@gov.bc.ca>

    "Lift long enough and I believe arrogance is replaced by
    humility and fear by courage and selfishness by generosity
    and rudeness by compassion and caring."
        -- Dave Draper
Comment 3 Cy Schubert freebsd_committer freebsd_triage 2005-09-16 22:32:32 UTC
State Changed
From-To: open->feedback

Awaiting a reply from the originator.
Comment 4 Lupe Christoph 2005-09-18 18:54:13 UTC
On Friday, 2005-09-16 at 13:43:08 -0700, Cy Schubert wrote:
> The policy file (twpol.txt) is not overwritten; however, a new copy of 
> the configuration file (tw.cfg) is generated from values defined in the 
> port's makefile and from the install.cfg file. I believe the proper 
> solution would be to use a dialogue to get preferences from the user at 
> build time and store them in the /var/db/ports directory (FreeBSD 
> standard). In regards to the policy file, this is not currently a problem.

> If no comments regarding this are received, I will assume that everyone is 
> in agreement and will proceed with the proposal.

You have my blessings ;-)

Yes, this sounds reasonable.
Lupe Christoph
-- 
| You know we're sitting on four million pounds of fuel, one nuclear     |
| weapon and a thing that has 270,000 moving parts built by the lowest   |
| bidder. Makes you feel good, doesn't it?                               |
| Rockhound in "Armageddon", 1998, about the Space Shuttle               |
Comment 5 Cy Schubert freebsd_committer freebsd_triage 2006-02-19 20:45:26 UTC
State Changed
From-To: feedback->closed

The install/install.sh script in 2.3.1-2 and the contrib/install.sh script 
in the recently committed 2.4.0.1 port will not clobber existing config 
files unless CLOBBER is set. The port only sets CLOBBER if the user 
specifies the TRIPWIRE_CLOBBER option to the port.
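
The behaviour described in the closing note above (existing config files are kept unless CLOBBER is set), sketched as an added shell example. It is not the port's install/install.sh or contrib/install.sh; the `install_config` function, its arguments and the `.sample` suffix are assumptions made for illustration.

```sh
#!/bin/sh
# Added illustration, not the port's install script. install_config, its
# arguments and the ".sample" suffix are hypothetical; CLOBBER is the variable
# named in the PR.

# install_config SAMPLE TARGET
#   Always refreshes TARGET.sample. Writes TARGET only if it is missing, or if
#   CLOBBER=true, in which case the old file is backed up first.
#   Prints one of: created | kept | clobbered
install_config() (
    sample=$1
    target=$2
    umask 027                                   # new files: no access for "other"
    cp "$sample" "$target.sample" || exit 1
    if [ ! -e "$target" ]; then
        cp "$sample" "$target" || exit 1
        echo created
    elif [ "${CLOBBER:-false}" = true ]; then
        cp -p "$target" "$target.$$.bak" || exit 1   # back up before overwriting
        cp "$sample" "$target" || exit 1
        echo clobbered
    else
        echo kept                               # admin's edits survive reinstall
    fi
)
```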
Comment 6 Cy Schubert 2006-02-20 16:33:18 UTC
In message <20060220070753.GB10609@lupe-christoph.de>, Lupe Christoph 
writes:
> On Sunday, 2006-02-19 at 20:47:51 +0000, Cy Schubert wrote:
> > Synopsis: security/tripwire clobbers config files on install
> 
> > State-Changed-From-To: feedback->closed
> > State-Changed-By: cy
> > State-Changed-When: Sun Feb 19 20:45:26 UTC 2006
> > State-Changed-Why: 
> > The install/install.sh script in 2.3.1-2 and the contrib/install.sh script
> > in the recently committed 2.4.0.1 port will not clobber existing config
> > files unless CLOBBER is set. The port only sets CLOBBER if the user
> > specifies the TRIPWIRE_CLOBBER option to the port.
> 
> > http://www.freebsd.org/cgi/query-pr.cgi?pr=85155
> --- Also sprach Cy Schubert ---
> 
> I'm afraid this is not true. Please reopen this PR.
> 
> This is the ls -l of the files before a "make install":
> 
> -rw-r-----  1 root  wheel    931 Aug 24  2002 janus.rfc.octogon.de-local.key
> -rw-r-----  1 root  wheel    931 Aug 24  2002 site.key
> -rw-r-----  1 root  wheel   4586 Feb 19 08:20 tw.cfg
> -rw-r-----  1 root  wheel   4586 Jun 12  2004 tw.cfg.59753.bak
> -rw-r-----  1 root  wheel   4586 Nov 21 07:36 tw.cfg.79018.bak
> -rw-r-----  1 root  wheel   8287 Feb 19 08:20 tw.pol
> -rw-r-----  1 root  wheel   8287 Jan  1  2005 tw.pol.59753.bak
> -rw-r-----  1 root  wheel   8287 Nov 21 07:36 tw.pol.79018.bak
> -rw-r-----  1 root  wheel    532 Feb 19 08:20 twcfg.txt
> -rw-r-----  1 root  wheel  25077 Feb 19 08:20 twpol.txt
> -rw-r-----  1 root  wheel  20837 Jun 12  2004 twpol.txt.orig
> 
> "make install" says (excerpts):
> 
> This program will copy Tripwire files to the following directories:
> 
>         TWBIN: /usr/local/sbin
>         TWMAN: /usr/local/man
>      TWPOLICY: /usr/local/etc/tripwire
>      TWREPORT: /var/db/tripwire/report
>          TWDB: /var/db/tripwire
>  TWSITEKEYDIR: /usr/local/etc/tripwire
> TWLOCALKEYDIR: /usr/local/etc/tripwire
> 
> CLOBBER is false.
> 
> Continue with installation? [y/n] y
> 
> Generating Tripwire configuration file...
> 
> 
> A clear-text version of the Tripwire configuration file
> /usr/local/etc/tripwire/twcfg.txt
> has been preserved for your inspection.  It is recommended
> that you delete this file manually after you have examined it.
> 
> Customizing default policy file...
> 
> A clear-text version of the Tripwire policy file
> /usr/local/etc/tripwire/twpol.txt
> has been preserved for your inspection.  This implements
> a minimal policy, intended only to test essential
> Tripwire functionality.  You should edit the policy file
> to describe your system, and then use twadmin to generate
> a new signed copy of the Tripwire policy.
> 
> And after the installation:
> 
> -rw-r-----  1 root  wheel    931 Aug 24  2002 janus.rfc.octogon.de-local.key
> -rw-r-----  1 root  wheel    931 Aug 24  2002 site.key
> -rw-r-----  1 root  wheel   4586 Feb 20 08:01 tw.cfg
> -rw-r-----  1 root  wheel   4586 Jun 12  2004 tw.cfg.59753.bak
> -rw-r-----  1 root  wheel   4586 Nov 21 07:36 tw.cfg.79018.bak
> -rw-r-----  1 root  wheel   4586 Feb 19 08:20 tw.cfg.94748.bak
> -rw-r-----  1 root  wheel   8287 Feb 20 08:01 tw.pol
> -rw-r-----  1 root  wheel   8287 Jan  1  2005 tw.pol.59753.bak
> -rw-r-----  1 root  wheel   8287 Nov 21 07:36 tw.pol.79018.bak
> -rw-r-----  1 root  wheel   8287 Feb 19 08:20 tw.pol.94748.bak
> -rw-r-----  1 root  wheel    532 Feb 20 08:01 twcfg.txt
> -rw-r-----  1 root  wheel  17946 Feb 20 08:01 twpol.txt
> -rw-r-----  1 root  wheel  25077 Feb 20 08:01 twpol.txt.bak
> -rw-r-----  1 root  wheel  20837 Jun 12  2004 twpol.txt.orig
> 
> Both twcfg.txt and twpol.txt have been overwritten, twcfg.txt without
> even a backup. Fortunately I use the defaults...
> 
> It does not seem that calling install.sh without -f does accomplish what
> you intended.
> 
> Thanks for your efforts, please try again ;-)

This is what I get:

twpol.txt and twcfg.txt are the same. The timestamps have changed but the 
contents have not. I would have noticed a difference as my twpol and twcfg 
are heavily customised. The customisations remain after an 
install/reinstall.

The binary database files and the binary twpol and twcfg files are rebuilt, 
however using whatever twpol.txt and twcfg.txt files were there before the 
install.

In summary, you're seeing the timestamps change but not noticing that the 
contents of the files remain the same.

Following is output from my testing. Towards the end of all the output you 
will see a dircmp -s  which reports that the files are different which 
indeed their timestamps are but doing a diff comparing the old and new 
files we see that the text files are the same. Whether the binary files are 
rebuilt is irrelevant.

The files are the same. See the bottom of all this output.


gmake[2]: Leaving directory `/export/local-ports/cvs-ports/ports/security/tripwire/work/tripwire-2.4.0.1'
gmake[1]: Leaving directory `/export/local-ports/cvs-ports/ports/security/tripwire/work/tripwire-2.4.0.1'

Installer program for:
Tripwire(R) 2.3 Open Source

Copyright (C) 1998-2000 Tripwire (R) Security Systems, Inc.  Tripwire (R)
is a registered trademark of the Purdue Research Foundation and is
licensed exclusively to Tripwire (R) Security Systems, Inc.


LICENSE AGREEMENT for Tripwire(R) 2.3 Open Source

Please read the following license agreement.  You must accept the
agreement to continue installing Tripwire.

Press ENTER to view the License Agreement.


                    GNU GENERAL PUBLIC LICENSE
                       Version 2, June 1991

 Copyright (C) 1989, 1991 Free Software Foundation, Inc.
                       59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 Everyone is permitted to copy and distribute verbatim copies
 of this license document, but changing it is not allowed.

                            Preamble

  The licenses for most software are designed to take away your
freedom to share and change it.  By contrast, the GNU General Public
License is intended to guarantee your freedom to share and change free
software--to make sure the software is free for all its users.  This
General Public License applies to most of the Free Software
Foundation's software and to any other program whose authors commit to
using it.  (Some other Free Software Foundation software is covered by
the GNU Library General Public License instead.)  You can apply it to
your programs, too.

  When we speak of free software, we are referring to freedom, not
price.  Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for

Please type "accept" to indicate your acceptance of this
license agreement. [do not accept] accept
Using configuration file ./install/install.cfg

Checking for programs specified in install configuration file....

/usr/sbin/sendmail exists.  Continuing installation.

/usr/bin/vi exists.  Continuing installation.


----------------------------------------------
Verifying existence of binaries...

./bin/siggen found
./bin/tripwire found
./bin/twprint found
./bin/twadmin found

This program will copy Tripwire files to the following directories:

        TWBIN: /usr/local/sbin
        TWMAN: /usr/local/man
     TWPOLICY: /usr/local/etc/tripwire
     TWREPORT: /var/db/tripwire/report
         TWDB: /var/db/tripwire
 TWSITEKEYDIR: /usr/local/etc/tripwire
TWLOCALKEYDIR: /usr/local/etc/tripwire

CLOBBER is false.

Continue with installation? [y/n] y

----------------------------------------------
Creating directories...

/usr/local/sbin: already exists
/usr/local/etc/tripwire: already exists
/var/db/tripwire/report: already exists
/var/db/tripwire: already exists
/usr/local/etc/tripwire: already exists
/usr/local/etc/tripwire: already exists
/usr/local/man: already exists
/usr/local/share/doc/tripwire: created

----------------------------------------------
Copying files...

/usr/local/share/doc/tripwire/COPYING: copied
/usr/local/share/doc/tripwire/TRADEMARK: copied
/usr/local/share/doc/tripwire/policyguide.txt: copied
/usr/local/etc/tripwire/twpol-FreeBSD.txt: copied

----------------------------------------------
The Tripwire site and local passphrases are used to
sign a variety of files, such as the configuration,
policy, and database files.

Passphrases should be at least 8 characters in length
and contain both letters and numbers.

See the Tripwire manual for more information.

----------------------------------------------
Creating key files...
The site key file "/usr/local/etc/tripwire/site.key"
exists and will not be overwritten.
The site key file "/usr/local/etc/tripwire/cwsys-local.key"
exists and will not be overwritten.

----------------------------------------------
Generating Tripwire configuration file...

----------------------------------------------
Creating signed configuration file...
Backing up /usr/local/etc/tripwire/tw.cfg
        to /usr/local/etc/tripwire/tw.cfg.80144.bak
Please enter your site passphrase:
Wrote configuration file: /usr/local/etc/tripwire/tw.cfg

A clear-text version of the Tripwire configuration file
/usr/local/etc/tripwire/twcfg.txt
has been preserved for your inspection.  It is recommended
that you delete this file manually after you have examined it.


----------------------------------------------
Customizing default policy file...

----------------------------------------------
Creating signed policy file...
Backing up /usr/local/etc/tripwire/tw.pol
        to /usr/local/etc/tripwire/tw.pol.80144.bak
Please enter your site passphrase:
Wrote policy file: /usr/local/etc/tripwire/tw.pol

A clear-text version of the Tripwire policy file
/usr/local/etc/tripwire/twpol.txt
has been preserved for your inspection.  This implements
a minimal policy, intended only to test essential
Tripwire functionality.  You should edit the policy file
to describe your system, and then use twadmin to generate
a new signed copy of the Tripwire policy.


----------------------------------------------
The installation succeeded.

Please refer to /usr/local/share/doc/tripwire/
for release information and to the printed user documentation
for further instructions on using Tripwire 2.3 Open Source.

Creating tripwire database
Please enter your local passphrase:
Parsing policy file: /usr/local/etc/tripwire/tw.pol
Generating the database...
*** Processing Unix File System ***
### Warning: File system error.
### Filename: /usr/src/sys/compile
### No such file or directory
### Continuing...
Wrote database file: /var/db/tripwire/cwsys.twd
The database was successfully generated.

The tripwire database, configuration file and
policy file are signed using the local and site keys,
therefore according to the support staff at
tripwiresecurity.com, creating a floppy is not necessary.
===>   Compressing manual pages for tripwire-2.4.0.1
===>   Registering installation for tripwire-2.4.0.1
cwsys# dircmp -s /usr/local/etc/tripwire.old /usr/local/etc/tripwire


Feb 20 08:21 2006 /usr/local/etc/tripwire.old only and /usr/local/etc/tripwire only Page 1


                                            ./tw.cfg.80144.bak
                                            ./tw.pol.80144.bak


Feb 20 08:21 2006 Comparison of /usr/local/etc/tripwire.old and /usr/local/etc/tripwire Page 1


different       ./tw.cfg
different       ./tw.pol
different       ./twpol.txt.bak


cwsys# ls -l /usr/local/etc/tripwire.old
total 165
-rw-r-----  1 root  wheel    931 Apr 12  2005 cwsys-local.key
-rw-r-----  1 root  wheel    931 Apr 12  2005 site.key
-rw-r-----  1 root  wheel   4586 Feb 16 06:39 tw.cfg
-rw-r-----  1 root  wheel   4586 Aug 23 19:00 tw.cfg.13387.bak
-rw-r-----  1 root  wheel   4586 Feb 15 11:54 tw.cfg.21997.bak
-rw-r-----  1 root  wheel   4586 Aug  9  2005 tw.cfg.37496.bak
-rw-r-----  1 root  wheel   4586 Apr 12  2005 tw.cfg.4059.bak
-rw-r-----  1 root  wheel   4586 Aug 10  2005 tw.cfg.41047.bak
-rw-r-----  1 root  wheel   4586 Aug 10  2005 tw.cfg.4183.bak
-rw-r-----  1 root  wheel   4586 Apr 12  2005 tw.cfg.62035.bak
-rw-r-----  1 root  wheel   4586 May 10  2005 tw.cfg.82544.bak
-rw-r-----  1 root  wheel   8287 Feb 16 06:39 tw.pol
-rw-r-----  1 root  wheel   8287 Aug 23 19:00 tw.pol.13387.bak
-rw-r-----  1 root  wheel   8287 Feb 15 11:54 tw.pol.21997.bak
-rw-r-----  1 root  wheel   8287 Aug  9  2005 tw.pol.37496.bak
-rw-r-----  1 root  wheel   8287 Apr 12  2005 tw.pol.4059.bak
-rw-r-----  1 root  wheel   8287 Aug 10  2005 tw.pol.41047.bak
-rw-r-----  1 root  wheel   8287 Aug 10  2005 tw.pol.4183.bak
-rw-r-----  1 root  wheel   8287 Apr 12  2005 tw.pol.62035.bak
-rw-r-----  1 root  wheel   8287 May 10  2005 tw.pol.82544.bak
-rw-r-----  1 root  wheel    517 Feb 16 06:39 twcfg.txt
-rw-r-----  1 root  wheel  17931 Feb 16 06:39 twpol.txt
-rw-r-----  1 root  wheel  17815 Feb 16 06:39 twpol.txt.bak
cwsys# ls -l /usr/local/etc/tripwire
total 179
-rw-r-----  1 root  wheel    931 Apr 12  2005 cwsys-local.key
-rw-r-----  1 root  wheel    931 Apr 12  2005 site.key
-rw-r-----  1 root  wheel   4586 Feb 20 07:53 tw.cfg
-rw-r-----  1 root  wheel   4586 Aug 23 19:00 tw.cfg.13387.bak
-rw-r-----  1 root  wheel   4586 Feb 15 11:54 tw.cfg.21997.bak
-rw-r-----  1 root  wheel   4586 Aug  9  2005 tw.cfg.37496.bak
-rw-r-----  1 root  wheel   4586 Apr 12  2005 tw.cfg.4059.bak
-rw-r-----  1 root  wheel   4586 Aug 10  2005 tw.cfg.41047.bak
-rw-r-----  1 root  wheel   4586 Aug 10  2005 tw.cfg.4183.bak
-rw-r-----  1 root  wheel   4586 Apr 12  2005 tw.cfg.62035.bak
-rw-r-----  1 root  wheel   4586 Feb 16 06:39 tw.cfg.80144.bak
-rw-r-----  1 root  wheel   4586 May 10  2005 tw.cfg.82544.bak
-rw-r-----  1 root  wheel   8287 Feb 20 07:53 tw.pol
-rw-r-----  1 root  wheel   8287 Aug 23 19:00 tw.pol.13387.bak
-rw-r-----  1 root  wheel   8287 Feb 15 11:54 tw.pol.21997.bak
-rw-r-----  1 root  wheel   8287 Aug  9  2005 tw.pol.37496.bak
-rw-r-----  1 root  wheel   8287 Apr 12  2005 tw.pol.4059.bak
-rw-r-----  1 root  wheel   8287 Aug 10  2005 tw.pol.41047.bak
-rw-r-----  1 root  wheel   8287 Aug 10  2005 tw.pol.4183.bak
-rw-r-----  1 root  wheel   8287 Apr 12  2005 tw.pol.62035.bak
-rw-r-----  1 root  wheel   8287 Feb 16 06:39 tw.pol.80144.bak
-rw-r-----  1 root  wheel   8287 May 10  2005 tw.pol.82544.bak
-rw-r-----  1 root  wheel    517 Feb 20 07:53 twcfg.txt
-rw-r-----  1 root  wheel  17931 Feb 20 07:53 twpol.txt
-rw-r-----  1 root  wheel  17931 Feb 20 07:53 twpol.txt.bak
cwsys# diff -u /usr/local/etc/tripwire.old/twpol.txt /usr/local/etc/tripwire/twpol.txt
cwsys# diff -u /usr/local/etc/tripwire.old/twcfg.txt /usr/local/etc/tripwire/twcfg.txt
cwsys#


Cheers,
Cy Schubert <Cy.Schubert@komquats.com>
Web:  http://www.komquats.com and http://www.bcbodybuilder.com
FreeBSD UNIX:  <cy@FreeBSD.org>   Web:  http://www.FreeBSD.org
BC Government:  <Cy.Schubert@gov.bc.ca>

    "Lift long enough and I believe arrogance is replaced by
    humility and fear by courage and selfishness by generosity
    and rudeness by compassion and caring."
        -- Dave Draper
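
The check carried out at the end of the message above (compare a saved copy of the directory with the reinstalled one, then diff the text files), written as an added shell example that is not part of the original message; it separates files whose bytes changed from files whose timestamp alone moved. `compare_dirs` and `changed_files` are hypothetical names, and the saved copy is assumed to have been made with `cp -Rp` so that timestamps are preserved.

```sh
#!/bin/sh
# Added illustration, not from the PR. compare_dirs and changed_files are
# hypothetical helper names. OLD is assumed to be a "cp -Rp" copy of a flat
# directory of regular files (such as /usr/local/etc/tripwire) taken before
# the reinstall.

# compare_dirs OLD NEW
#   Prints "state<TAB>name" for every entry in either directory:
#     same      identical bytes, NEW not newer than OLD
#     touched   identical bytes, only the timestamp moved
#     modified  contents differ
#     added / removed  present on one side only
compare_dirs() {
    old=$1
    new=$2
    { ls -A "$old"; ls -A "$new"; } | LC_ALL=C sort -u |
    while IFS= read -r name; do
        if   [ ! -e "$old/$name" ]; then state=added
        elif [ ! -e "$new/$name" ]; then state=removed
        elif ! cmp -s "$old/$name" "$new/$name"; then state=modified
        elif [ "$new/$name" -nt "$old/$name" ]; then state=touched
        else state=same
        fi
        printf '%s\t%s\n' "$state" "$name"
    done
}

# changed_files OLD NEW
#   Names whose contents were lost or rewritten; "touched" files are not listed.
changed_files() {
    compare_dirs "$1" "$2" |
        awk -F'\t' '$1 == "modified" || $1 == "removed" { print $2 }'
}
```

An empty result from `changed_files` means the reinstall altered timestamps at most; any name it prints had its contents replaced or deleted.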
Comment 7 Cy Schubert freebsd_committer freebsd_triage 2006-02-21 18:51:27 UTC
State Changed
From-To: closed->feedback

Reopening this PR, as a problem does appear to exist.
Comment 8 Felippe de Meirelles Motta freebsd_committer freebsd_triage 2008-05-29 17:19:39 UTC
Hi all,

I think that this problem was solved, thus we can close this PR, right?

-- 
lippe@FreeBSD.org
Felippe de Meirelles Motta
Comment 9 Cy Schubert freebsd_committer freebsd_triage 2008-05-29 17:56:37 UTC
State Changed
From-To: feedback->closed

Submitter requests closure. Not a problem.