Bug 258365 - security/logcheck: incorrect permissions on /usr/local/etc/logcheck
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Some People
Assignee: freebsd-ports-bugs (Nobody)
Depends on: 257980
 
Reported: 2021-09-08 12:38 UTC by Dan Langille
Modified: 2021-09-19 15:35 UTC (History)

bugzilla: maintainer-feedback? (yasu)


Attachments
set permissions on ETCDIR and subdirectories (952 bytes, patch)
2021-09-08 13:00 UTC, Dan Langille

Description Dan Langille freebsd_committer freebsd_triage 2021-09-08 12:38:21 UTC
This affects new installs only. It does not affect existing installs which are upgraded.

The problem: missing chgrp on /usr/local/etc/logcheck and several subdirectories

When logcheck runs, the errors are:

ls: /usr/local/etc/logcheck/cracking.d: Permission denied
ls: /usr/local/etc/logcheck/violations.d: Permission denied
ls: /usr/local/etc/logcheck/violations.ignore.d: Permission denied
ls: /usr/local/etc/logcheck/ignore.d.server: Permission denied
ls: /usr/local/etc/logcheck/ignore.d.paranoid: Permission denied

Looking in the directory, we find:

[root@nginx01:/usr/local/etc/logcheck] $ ls -l
total 122
drwxr-x---  2 root  wheel        8 Sep  8 12:24 cracking.d
drwxr-x---  2 root  wheel       17 Sep  8 12:24 ignore.d.paranoid
drwxr-x---  2 root  wheel      141 Sep  8 12:24 ignore.d.server
drwxr-x---  2 root  wheel       38 Sep  8 12:24 ignore.d.workstation
-rw-r-----  1 root  logcheck  1121 Sep  7 21:07 logcheck.conf
-rw-r--r--  1 root  logcheck  3092 Aug 10 04:34 logcheck.conf.sample
-rw-r-----  1 root  logcheck   150 Sep  7 21:07 logcheck.logfiles
-rw-r--r--  1 root  logcheck   133 Aug 10 04:34 logcheck.logfiles.sample
drwxr-x---  2 root  wheel        7 Sep  8 12:24 violations.d
drwxr-x---  2 root  wheel        5 Sep  8 12:24 violations.ignore.d


Also:

[root@nginx01:/usr/local/etc/logcheck] $ ls -ld .
drwxr-xr-x  8 root  wheel  12 Sep  8 12:24 .

Looking at the port, I cannot find the cause yet.
Comment 1 Dan Langille freebsd_committer freebsd_triage 2021-09-08 13:00:28 UTC
Created attachment 227760
set permissions on ETCDIR and subdirectories

I think I understand. This line in pkg-plist affects only items which fall between it and the next @group command:

@group %%LOGCHECK_GROUP%%

Therefore, it does not affect the directories in question.

Adding this to the end of pkg-plist fixes those directories:

@postexec %%FIND%% %%PREFIX%%/%%ETCDIR%%/* -type d -exec %%CHGRP%% logcheck {} +

This fixes the ETCDIR permissions:

@dir(%%LOGCHECK_USER%%,%%LOGCHECK_GROUP%%,) %%RUNDIR%%
Comment 2 Dan Langille freebsd_committer freebsd_triage 2021-09-08 13:08:36 UTC
This will fix broken installs:

* cd /usr/local/etc/logcheck
* chgrp logcheck . cracking.d ignore.d.paranoid ignore.d.server ignore.d.workstation violations.d violations.ignore.d
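
To confirm whether an install has the ownership problem described in this report, or that the chgrp above took effect, a check along these lines can be run as root. This is an added example, not part of the original bug report or the port's own code; the function name logcheck_dir_audit is hypothetical, and the default path and group are the ones shown in the report.

```shell
# Added example: audit group ownership and group access on logcheck's
# configuration directories. Function name and output labels are assumptions
# made for illustration; path and group defaults come from the bug report.
logcheck_dir_audit() {
    etcdir=${1:-/usr/local/etc/logcheck}
    group=${2:-logcheck}
    bad=0

    [ -d "$etcdir" ] || { echo "not a directory: $etcdir" >&2; return 2; }

    # Top-level directory plus its immediate subdirectories: the same set
    # that the manual chgrp in comment 2 touches.
    for d in "$etcdir" "$etcdir"/*/; do
        [ -d "$d" ] || continue
        d=${d%/}

        # ls -ld fields: mode, link count, owner, group, ...
        read -r mode _links _owner grp _rest <<EOF
$(ls -ld "$d")
EOF
        if [ "$grp" != "$group" ]; then
            # e.g. root:wheel with mode drwxr-x---, as in the report
            echo "wrong-group $d ($grp)"
            bad=1
        else
            # Group needs read and search (r and x/s) to list the directory.
            case $mode in
                ????r?[xs]*) ;;
                *) echo "no-group-access $d ($mode)"; bad=1 ;;
            esac
        fi
    done
    return "$bad"
}

# Usage: logcheck_dir_audit            (defaults from the report)
#        logcheck_dir_audit DIR GROUP  (returns 0 when every directory is fine)
```

Each reported line names a directory that the logcheck user cannot list through its group, which is the condition behind the "Permission denied" errors above.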
Comment 3 Yasuhiro Kimura freebsd_committer freebsd_triage 2021-09-18 07:41:20 UTC
Sorry for breakage. Patch submitted as bug #257980 will fix the problem.
Comment 4 Dan Langille freebsd_committer freebsd_triage 2021-09-19 15:35:12 UTC
Solved via above mentioned ticket. Thank you.