Debian bug report logs - #1766
Bug in script checksecurity in package cron

Package: cron; Reported by: srivasta@pilgrim.umass.edu (Manoj Srivastava); Done: Ian Jackson.

-----------------------------------------------------------------------
Message received at debian-bugs-done:

From chiark.chu.cam.ac.uk!ian Sat Oct 28 18:42:22 1995
Return-Path:
Received: from pixar.com by mongo.pixar.com with smtp (Smail3.1.28.1 #15) id m0t9MlR-000DdZC; Sat, 28 Oct 95 18:42 PDT
Received: from artemis.chu.cam.ac.uk by pixar.com with SMTP id AA08819 (5.67b/IDA-1.5 for debian-bugs-done-pipe@mongo.pixar.com); Sat, 28 Oct 1995 18:41:52 -0700
Received: from chiark.chu.cam.ac.uk by artemis.chu.cam.ac.uk with smtp (Smail3.1.29.1 #33) id m0t9MlC-0007uQC; Sun, 29 Oct 95 01:42 GMT
Received: by chiark.chu.cam.ac.uk id m0t9Ml1-0002bdC (Debian /\oo/\ Smail3.1.29.1 #29.33); Sun, 29 Oct 95 01:41 GMT
Message-Id:
Date: Sun, 29 Oct 95 01:41 GMT
From: Ian Jackson
To: srivasta@pilgrim.umass.edu (Manoj Srivastava), debian-bugs-done@Pixar.com
Subject: Re: Bug#1766: Bug in script checksecurity in package cron
Newsgroups: chiark.mail.debian.devel
In-Reply-To:
References:

Manoj Srivastava writes ("Bug#1766: Bug in script checksecurity in package cron"):
> I'm sorry, I should have investigated further before firing
> off that bug report about checksecurity. There is no problem with
> multiple dir arguments to find (which is perfectly legal, as Ian
> Jackson pointed out).
>
> The problem was that there were no
> /var/log/setuid.{today,yesterday} files on my system, and
> checksecurity failed to create them, resulting in a mail message
> every time the cron job was run. If such a file is created, maybe
> there is no problem, so a generic setuid.today file should be
> installed? (From the trace below, you can see that the diff fails if
> there is no setuid.today file). Should I file a fresh bug report?

This is fixed in the most recent version of cron. I'll close this bug
report.

Thanks,
Ian.

-----------------------------------------------------------------------
Notification sent to srivasta@pilgrim.umass.edu (Manoj Srivastava):
Bug acknowledged by developer. Full text available.
-----------------------------------------------------------------------
Reply sent to Ian Jackson:
You have taken responsibility. Full text available.
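
The missing-baseline failure described in the report quoted above (the trace later in this log shows diff exiting with status 2 when /var/log/setuid.today is absent, the script's [ 2 = 1 ] check failing, and no baseline being written) can be avoided by seeding the baseline on the first run. The following is an added example, not code from the cron package or from either correspondent; the function names, the return-code convention and the scratch-directory demo are assumptions, and the two inventory lines are modelled on the dip entries in that trace.

```shell
#!/bin/sh
# Added example (not the cron package's code): baseline comparison that
# survives a missing setuid.today. Function names and layout are assumptions.

# compare_baseline LOGDIR SNAPSHOT
# Returns 0 = unchanged, 1 = changed or first run, 2 = real error.
compare_baseline() {
    log=$1; snap=$2
    today=$log/setuid.today
    [ -r "$snap" ] || { echo "cannot read snapshot $snap" >&2; return 2; }

    if [ ! -e "$today" ]; then
        # First run: seed the baseline instead of letting diff fail on it.
        echo "no baseline in $log; recording initial inventory"
        cp "$snap" "$today" || return 2
        return 1
    fi

    cmp -s "$today" "$snap" && return 0

    echo "changes to setuid programs and devices:"
    # diff exits 1 for "files differ" and 2 for trouble. Capturing the status
    # with || keeps a caller's `set -e` from aborting before it is inspected.
    rc=0
    diff "$today" "$snap" || rc=$?
    [ "$rc" -eq 1 ] || return 2
    mv "$today" "$log/setuid.yesterday" || return 2
    cp "$snap" "$today" || return 2
    return 1
}

# Demo on constructed inventories in a scratch directory (lines modelled on
# the dip entries in the trace on this page). Echoes the three statuses.
demo() {
    d=$(mktemp -d) || return 2
    echo "2111 68 -rwsr-x--- 1 root dip 69632 Oct 22 21:27 /usr/sbin/dip" >"$d/old"
    echo "2098 68 -rwsr-x--- 1 root dip 69632 Oct 24 19:19 /usr/sbin/dip" >"$d/new"
    s1=0; compare_baseline "$d" "$d/old" >/dev/null || s1=$?   # first run
    s2=0; compare_baseline "$d" "$d/old" >/dev/null || s2=$?   # unchanged
    s3=0; compare_baseline "$d" "$d/new" >/dev/null || s3=$?   # dip replaced
    rm -rf "$d"
    echo "$s1 $s2 $s3"
}

demo
```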
-----------------------------------------------------------------------
Message received at debian-bugs:

From pilgrim.umass.edu!srivasta Thu Oct 26 23:26:58 1995
Return-Path:
Received: from pixar.com by mongo.pixar.com with smtp (Smail3.1.28.1 #15) id m0t8iFm-000BWxC; Thu, 26 Oct 95 23:26 PDT
Received: from plymouth.pilgrim.umass.edu by pixar.com with SMTP id AA28262 (5.67b/IDA-1.5 for debian-bugs-pipe@mongo.pixar.com); Thu, 26 Oct 1995 23:26:32 -0700
Received: (from srivasta@localhost) by plymouth.pilgrim.umass.edu (8.6.12/8.6.12) id CAA00947; Fri, 27 Oct 1995 02:26:52 -0400
Sender: srivasta@pilgrim.umass.edu
To: debian-bugs@Pixar.com
Cc: (Manoj Srivastava)
Subject: Re: Bug#1766: Bug in script checksecurity in package cron
X-Geek-3: GE/CS d+(--) s:++>: a C++++$ ULUHO++++$ P+++$ L+++ E+++ W+++$ N+++ K-? !w--- O-? !M-- !V-- PS+ PE- Y+ PGP++ t@ 5++ !X R++ b+++ DI+++ D- G e+++ h+ r++ y+
X-Organization: University of Massachusetts, Amherst, MA 01003
X-Time: Fri Oct 27 02:26:33 1995
Mailer: Vm 5.95 (beta) for GNU Emacs 19.14 XEmacs Lucid (beta5)
References:
From: srivasta@pilgrim.umass.edu (Manoj Srivastava)
Date: 27 Oct 1995 02:26:33 -0400
In-Reply-To: Ian Jackson's message of Thu, 26 Oct 95 13:20 GMT
Message-Id:
Organization: Project Pilgrim, University of Massachusetts at Amherst
Lines: 80
X-Mailer: September Gnus v0.11

Hi,

I'm sorry, I should have investigated further before firing
off that bug report about checksecurity. There is no problem with
multiple dir arguments to find (which is perfectly legal, as Ian
Jackson pointed out).

The problem was that there were no
/var/log/setuid.{today,yesterday} files on my system, and
checksecurity failed to create them, resulting in a mail message
every time the cron job was run. If such a file is created, maybe
there is no problem, so a generic setuid.today file should be
installed? (From the trace below, you can see that the diff fails if
there is no setuid.today file). Should I file a fresh bug report?

manoj

Here is what I did to check that:

rm -f /var/log/setuid.today
bash -x checksecurity.dist
+ set -e
+ PATH=/sbin:/bin:/usr/sbin:/usr/bin
+ LOG=/var/log
+ TMP=/tmp/_secure.21828
+ umask 077
+ cd /
++ mount
++ grep -vE type (proc|iso9660) |^/dev/fd| on /mnt
++ cut -d -f 3
+ find / /dos /usr /usr/local -xdev ( -type f -perm +06000 -o -type b -o -type c ) -ls
+ sort
+ cmp -s /var/log/setuid.today /tmp/_secure.21828
++ hostname
+ echo melkor changes to setuid programs and devices:
melkor changes to setuid programs and devices:
+ diff /var/log/setuid.today /tmp/_secure.21828
diff: /var/log/setuid.today: No such file or directory
+ [ 2 = 1 ]

cp /var/log/setuid.yesterday /var/log/setuid.today
bash -x checksecurity.dist
+ set -e
+ PATH=/sbin:/bin:/usr/sbin:/usr/bin
+ LOG=/var/log
+ TMP=/tmp/_secure.21873
+ umask 077
+ cd /
++ mount
++ grep -vE type (proc|iso9660) |^/dev/fd| on /mnt
++ cut -d -f 3
+ find / /dos /usr /usr/local -xdev ( -type f -perm +06000 -o -type b -o -type c ) -ls
+ sort
+ cmp -s /var/log/setuid.today /tmp/_secure.21873
++ hostname
+ echo melkor changes to setuid programs and devices:
melkor changes to setuid programs and devices:
+ diff /var/log/setuid.today /tmp/_secure.21873
5c5,6
< 2111 68 -rwsr-x--- 1 root dip 69632 Oct 22 21:27 /usr/sbin/dip
---
> 2098 68 -rwsr-x--- 1 root dip 69632 Oct 24 19:19
> /usr/sbin/dip
[much deleted here]
+ [ 1 = 1 ]
+ mv /var/log/setuid.today /var/log/setuid.yesterday
+ mv /tmp/_secure.21873 /var/log/setuid.today
+ rm -f /tmp/_secure.21873

--
To be sure of hitting the target, shoot first, and call whatever you
hit the target. Ashleigh Brilliant
Manoj Srivastava
Project Pilgrim, Department of Computer Science
Phone: (413) 545-3918
A143B Lederle Graduate Research Center
Fax: (413) 545-1249
University of Massachusetts, Amherst, MA 01003
email:srivasta@pilgrim.umass.edu
http://www.pilgrim.umass.edu/~srivasta/

-----------------------------------------------------------------------
Acknowledgement sent to srivasta@pilgrim.umass.edu (Manoj Srivastava):
Extra info received and forwarded. Full text available.
-----------------------------------------------------------------------
Information forwarded to debian-devel@pixar.com:
Bug#1766; Package cron. Full text available.
-----------------------------------------------------------------------
Message received at debian-bugs:

From chiark.chu.cam.ac.uk!ian Thu Oct 26 06:23:59 1995
Return-Path:
Received: from pixar.com by mongo.pixar.com with smtp (Smail3.1.28.1 #15) id m0t8SHm-000C44C; Thu, 26 Oct 95 06:23 PDT
Received: from artemis.chu.cam.ac.uk by pixar.com with SMTP id AA22487 (5.67b/IDA-1.5 for debian-bugs-pipe@mongo.pixar.com); Thu, 26 Oct 1995 06:23:22 -0700
Received: from chiark.chu.cam.ac.uk by artemis.chu.cam.ac.uk with smtp (Smail3.1.29.1 #33) id m0t8SEV-0007uRC; Thu, 26 Oct 95 13:20 GMT
Received: by chiark.chu.cam.ac.uk id m0t8SEJ-0002baC (Debian /\oo/\ Smail3.1.29.1 #29.33); Thu, 26 Oct 95 13:20 GMT
Message-Id:
Date: Thu, 26 Oct 95 13:20 GMT
From: Ian Jackson
To: srivasta@pilgrim.umass.edu (Manoj Srivastava), debian-bugs@Pixar.com
Subject: Re: Bug#1766: Bug in script checksecurity in package cron

Manoj Srivastava writes ("Bug#1766: Bug in script checksecurity in package cron"):
> Explanation: The mount | grep -v command is the problem for
> anyone who has more than one partition mounted; the script actually
> tries to run find with multiple starting points (which is an error),
> like find dir1 dir2 dir3 -xdev ... The solution is to look at all
> the directories discovered by the mount snippet and examine each in a
> for loop. (This has been one of my more incoherent explanations; feel
> free to mail me for clarifications).

From find(1):

SYNOPSIS
       find [path...] [expression]

You are allowed to specify several paths. What makes you think you
aren't?

> Also, I think one should exclude all mounted systems of type
> msdos (If nothing else, it saves time).

That's probably a good idea. I'll implement it.

Ian.

-----------------------------------------------------------------------
Acknowledgement sent to Ian Jackson:
Extra info received and forwarded. Full text available.
-----------------------------------------------------------------------
Information forwarded to debian-devel@pixar.com:
Bug#1766; Package cron. Full text available.
-----------------------------------------------------------------------
Message received at debian-bugs:

From pilgrim.umass.edu!srivasta Wed Oct 25 18:27:18 1995
Return-Path:
Received: from pixar.com by mongo.pixar.com with smtp (Smail3.1.28.1 #15) id m0t8H6E-0006noC; Wed, 25 Oct 95 18:27 PDT
Received: from plymouth.pilgrim.umass.edu by pixar.com with SMTP id AA14357 (5.67b/IDA-1.5 for debian-bugs-pipe@mongo.pixar.com); Wed, 25 Oct 1995 18:26:49 -0700
Received: (from srivasta@localhost) by plymouth.pilgrim.umass.edu (8.6.12/8.6.12) id VAA25207; Wed, 25 Oct 1995 21:27:11 -0400
Sender: srivasta@pilgrim.umass.edu
To: debian-bugs@Pixar.com
Subject: Bug in script checksecurity in package cron
X-Geek-3: GE/CS d+(--) s:++>: a C++++$ ULUHO++++$ P+++$ L+++ E+++ W+++$ N+++ K-? !w--- O-? !M-- !V-- PS+ PE- Y+ PGP++ t@ 5++ !X R++ b+++ DI+++ D- G e+++ h+ r++ y+
X-Organization: University of Massachusetts, Amherst, MA 01003
X-Time: Wed Oct 25 21:26:53 1995
Mailer: Vm 5.95 (beta) for GNU Emacs 19.14 XEmacs Lucid (beta5)
From: srivasta@pilgrim.umass.edu (Manoj Srivastava)
Date: 25 Oct 1995 21:26:52 -0400
Message-Id:
Organization: Project Pilgrim, University of Massachusetts at Amherst
Lines: 56
X-Mailer: September Gnus v0.11

Package: cron
Version: 3.0pl1
Revision: 20

I have a problem with the script checksecurity, which apparently
comes with cron. The problem is with the lines that generate the
/var/log/setuid.today file (patch follows).

Explanation: The mount | grep -v command is the problem for
anyone who has more than one partition mounted; the script actually
tries to run find with multiple starting points (which is an error),
like find dir1 dir2 dir3 -xdev ... The solution is to look at all
the directories discovered by the mount snippet and examine each in a
for loop. (This has been one of my more incoherent explanations; feel
free to mail me for clarifications).

Also, I think one should exclude all mounted systems of type
msdos (If nothing else, it saves time).

manoj

__> dpkg -S checksecurity
cron: /usr/sbin/checksecurity
> diff -u -B -b -w /usr/sbin/checksecurity.dist /usr/sbin/checksecurity
--- /usr/sbin/checksecurity.dist Wed Sep 20 20:52:12 1995 +++ /usr/sbin/checksecurity Thu Oct 19 11:05:23 1995
@@ -10,10 +10,9 @@ umask 077 cd / - -find `mount | grep -vE ' type (proc|iso9660) |^/dev/fd| on /mnt' | cut -d ' ' -f 3` \ - -xdev \( -type f -perm +06000 -o -type b -o -type c \) -ls \ - | sort >$TMP +for dir in `mount | grep -vE ' type (proc|iso9660|msdos) |^/dev/fd| on /mnt' | cut -d ' ' -f 3`; do + /usr/bin/find $dir -xdev \( -type f -perm +06000 -o -type b -o -type c \) -ls ; +done | sort >$TMP if ! cmp -s $LOG/setuid.today $TMP >/dev/null then

--
...difference of opinion is advantageous in religion. The several
sects perform the office of a common censor morum over each other. Is
uniformity attainable? Millions of innocent men, women, and children,
since the introduction of Christianity, have been burnt, tortured,
fined, imprisoned; yet we have not advanced one inch towards
uniformity. Thomas Jefferson, "Notes on Virginia"
Manoj Srivastava
Project Pilgrim, Department of Computer Science
Phone: (413) 545-3918
A143B Lederle Graduate Research Center
Fax: (413) 545-1249
University of Massachusetts, Amherst, MA 01003
email:srivasta@pilgrim.umass.edu
http://www.pilgrim.umass.edu/~srivasta/

-----------------------------------------------------------------------
Acknowledgement sent to srivasta@pilgrim.umass.edu (Manoj Srivastava):
New bug report received and forwarded. Full text available.
-----------------------------------------------------------------------
Report forwarded to debian-devel@pixar.com:
Bug#1766; Package cron. Full text available.
-----------------------------------------------------------------------
Ian Jackson / iwj10@thor.cam.ac.uk, with the debian-bugs tracking mechanism
This page last modified 07:43:01 GMT Wed 01 Nov
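
Review bot: the for loop introduced on the "+for dir in" line is not needed, because find accepts several starting paths (find [path...] [expression]) and the removed single invocation was already valid; the part of this hunk that changes behaviour is adding msdos to the excluded types in the grep pattern, and that can be made on the original find line alone. If the loop is kept, $dir on the "/usr/bin/find $dir" line is unquoted and should be written as "$dir", and the hard-coded /usr/bin/find bypasses the PATH that the script sets for itself (PATH=/sbin:/bin:/usr/sbin:/usr/bin in the trace elsewhere in this log), so plain find would be consistent with the rest of the script.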