Ubuntu
frr package

Merge ~ahasenack/ubuntu/+source/frr:kinetic-syslog-user-not-present into ubuntu/+source/frr:ubuntu/kinetic-devel

  1. Git
  2. lp:~ahasenack/ubuntu/+source/frr
  3. kinetic-syslog-user-not-present
  4. Merge into ubuntu/kinetic-devel
Proposed by Andreas Hasenack
Status: Merged
Approved by: git-ubuntu bot
Approved revision: not available
Merged at revision: 641e1301cf43ad05cf1245c5965ea3e632adf961
Proposed branch: ~ahasenack/ubuntu/+source/frr:kinetic-syslog-user-not-present
Merge into: ubuntu/+source/frr:ubuntu/kinetic-devel
Diff against target: 69 lines (+30/-20)
2 files modified
debian/changelog (+8/-0)
debian/frr.postinst (+22/-20)
Reviewer Review Type Date Requested Status
git-ubuntu bot Approve
Lucas Kanashiro (community) Approve
Canonical Server Reporter Pending
Review via email: mp+432330@code.launchpad.net

Description of the change

Don't take any action if the syslog user does not exist, as that is a strong indication of local configuration changes, and our chown (later on) would not work anyway.

PPA: https://launchpad.net/~ahasenack/+archive/ubuntu/frr-no-syslog/

The linked bug has the SRU details filled in, including test cases and other information like a justification.

Diff review hint: use "git show -w HEAD^" to ignore whitespace changes.

To post a comment you must log in.
Revision history for this message
Lucas Kanashiro (lucaskanashiro) wrote :

Thanks for the fix Andreas. The SRU bug described well the issue and how to reproduce/test it. I am not sure what was your rationale to rule out the creation of syslog user in postinst which would be the other possible option, however, I agree with the proposed solution, being more cautious and checking if the user exists before using it seems reasonable to me.

I did test it in a kinetic container and the package in your PPA does fix the issue (following the Test Plan section of the bug). I am not testing all the others since the change is pretty much the same.

FWIW DEP-8 tests are also passing:

autopkgtest [16:23:45]: @@@@@@@@@@@@@@@@@@@@ summary
zebra-lo PASS
bgpd-snmp-rpki PASS
py-frr-reload PASS

review: Approve
Revision history for this message
git-ubuntu bot (git-ubuntu-bot) wrote :

Approvers: ahasenack, lucaskanashiro
Uploaders: ahasenack, lucaskanashiro
MP auto-approved

review: Approve
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Uploaded:
Uploading frr_8.1-1ubuntu3.1.dsc
Uploading frr_8.1-1ubuntu3.1.debian.tar.xz
Uploading frr_8.1-1ubuntu3.1_source.buildinfo
Uploading frr_8.1-1ubuntu3.1_source.changes

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
diff --git a/debian/changelog b/debian/changelog
index 6a923e5..b3ab065 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
1frr (8.1-1ubuntu3.1) kinetic; urgency=medium
2
3 * d/frr.postinst: don't change log ownership if the syslog user
4 doesn't exist. Thanks to Alessandro Ratti
5 <alessandro.ratti@exoscale.ch> for the fix (LP: #1991812).
6
7 -- Andreas Hasenack <andreas@canonical.com> Fri, 28 Oct 2022 11:37:23 -0300
8
1frr (8.1-1ubuntu3) kinetic; urgency=medium9frr (8.1-1ubuntu3) kinetic; urgency=medium
210
3 * SECURITY UPDATE: DoS via out-of-bounds read11 * SECURITY UPDATE: DoS via out-of-bounds read
diff --git a/debian/frr.postinst b/debian/frr.postinst
index 382edcb..7152e62 100644
--- a/debian/frr.postinst
+++ b/debian/frr.postinst
@@ -50,26 +50,28 @@ done
50# fix logging for Ubuntu, which does not run rsyslog as root (LP: #1958162),50# fix logging for Ubuntu, which does not run rsyslog as root (LP: #1958162),
51# and upgrades from quagga (what the block above used to do also for /var/log)51# and upgrades from quagga (what the block above used to do also for /var/log)
5252
53# frr user was created above, this really shouldn't fail53if getent passwd syslog > /dev/null; then
54frruid=`getent passwd frr | cut -d : -f 3`54 # frr user was created above, this really shouldn't fail
55frrgid=`getent group frr | cut -d : -f 3`55 frruid=`getent passwd frr | cut -d : -f 3`
5656 frrgid=`getent group frr | cut -d : -f 3`
57find \57
58 /var/log/frr \58 find \
59 \( -uid 0 -o -uid $quaggauid -o -uid $frruid \) -a \59 /var/log/frr \
60 \( -gid 0 -o -gid $quaggauid -o -gid $frrgid \) | \60 \( -uid 0 -o -uid $quaggauid -o -uid $frruid \) -a \
61 while read filename; do61 \( -gid 0 -o -gid $quaggauid -o -gid $frrgid \) | \
6262 while read filename; do
63 # don't chown anything that has ACLs (but don't fail if we don't63
64 # have getfacl)64 # don't chown anything that has ACLs (but don't fail if we don't
65 if { getfacl -c "$filename" 2>/dev/null || true; } \65 # have getfacl)
66 | egrep -q -v '^((user|group|other)::|$)'; then66 if { getfacl -c "$filename" 2>/dev/null || true; } \
67 :67 | egrep -q -v '^((user|group|other)::|$)'; then
68 else68 :
69 chown syslog:adm "$filename"69 else
70 chmod o-rwx "$filename"70 chown syslog:adm "$filename"
71 fi71 chmod o-rwx "$filename"
72done72 fi
73 done
74fi
7375
74# fix misconfigured vtysh.conf & frr.conf ownership caused by config save76# fix misconfigured vtysh.conf & frr.conf ownership caused by config save
75# mishandling in earlier FRR (and Quagga) versions77# mishandling in earlier FRR (and Quagga) versions

Subscribers

People subscribed via source and target branches