• Re: Setting permissions on new users in postinst

    From Peter Pentchev@21:1/5 to Brian May on Thu Feb 29 01:30:02 2024
    On Thu, Feb 29, 2024 at 11:12:27AM +1100, Brian May wrote:
    > See bug #1064349.
    >
    > I think the problem (correct me if I am wrong!) is that the postinst - debian/amavisd-new.postinst - does (simplified):
    >
    > === cut ===
    > #DEBHELPER#
    >
    > case "$1" in
    > configure)
    > # configure file permissions to use new amavis user
    > ...
    > esac
    > === cut ===
    >
    >
    > This means that #DEBHELPER# expands to the code that creates the
    > users and starts the daemons.
    >
    > === cut ===
    [snip the expanded code added by debhelper]
    >
    > [ similar for other services that are disabled by default ]
    > === cut ===
    >
    > I think we have a race condition, the daemon tries to start before we
    > set up the file permissions correctly. Both on sysvinit and systemd, but
    > seems we can get away with this more with systemd. Probably because of
    > the extra checks in the initd script that systemd version doesn't have.
    >
    > But I can't move the #DEBHELPER# to the bottom, because then setting
    > the file permissions would fail because we haven't added the user yet.
    >
    > How do I fix this?

    I haven't tested that, but my first attempt would be to add --no-start to
    the invocation of dh_installsystemd in your rules file (you may need to
    add an override_dh_installsystemd target to do that), and then your
    postinst script would look something like that:

    #DEBHELPER#

    setup file permissions

    deb-systemd-invoke start unit1 unit2...

    Hope that helps!

    G'luck,
    Peter

    --
    Peter Pentchev roam@ringlet.net roam@debian.org pp@storpool.com
    PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
    Key fingerprint 2EE7 A7A5 17FC 124C F115 C354 651E EFB0 2527 DF13

  • From Brian May@21:1/5 to All on Thu Feb 29 01:30:01 2024
    See bug #1064349.

    I think the problem (correct me if I am wrong!) is that the postinst - debian/amavisd-new.postinst - does (simplified):

    === cut ===
    #DEBHELPER#

    case "$1" in
    configure)
    # configure file permissions to use new amavis user
    ...
    esac
    === cut ===


    This means that #DEBHELPER# expands to the code that creates the
    users and starts the daemons.

    === cut ===
    # Automatically added by dh_installsysusers/13.14.1
    if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
        systemd-sysusers ${DPKG_ROOT:+--root="$DPKG_ROOT"} amavisd-new.conf
    fi
    # End automatically added section
    # Automatically added by dh_installsystemd/13.14.1
    if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
        # The following line should be removed in trixie or trixie+1
        deb-systemd-helper unmask 'amavis.service' >/dev/null || true

        # was-enabled defaults to true, so new installations run enable.
        if deb-systemd-helper --quiet was-enabled 'amavis.service'; then
            # Enables the unit on first installation, creates new
            # symlinks on upgrades if the unit file has changed.
            deb-systemd-helper enable 'amavis.service' >/dev/null || true
        else
            # Update the statefile to add new symlinks (if any), which need to be
            # cleaned up on purge. Also remove old symlinks.
            deb-systemd-helper update-state 'amavis.service' >/dev/null || true
        fi
    fi
    # End automatically added section
    # Automatically added by dh_installsystemd/13.14.1
    if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
        if [ -d /run/systemd/system ]; then
            systemctl --system daemon-reload >/dev/null || true
            if [ -n "$2" ]; then
                _dh_action=restart
            else
                _dh_action=start
            fi
            deb-systemd-invoke $_dh_action 'amavis.service' >/dev/null || true
        fi
    fi
    # End automatically added section

    [ similar for other services that are disabled by default ]
    === cut ===

    I think we have a race condition, the daemon tries to start before we
    set up the file permissions correctly. Both on sysvinit and systemd, but
    seems we can get away with this more with systemd. Probably because of
    the extra checks in the initd script that systemd version doesn't have.

    But I can't move the #DEBHELPER# to the bottom, because then setting
    the file permissions would fail because we haven't added the user yet.

    How do I fix this?

    (Please CC responses to me, thanks)
    --
    Brian May @ Linux Penguins
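
The ordering suggested in the reply at the top of this thread (create the user, fix permissions, only then start the daemon), written out as a postinst sketch. This is an added example, not code from either poster or from the amavisd-new package; the directory, group, mode and the `SYSTEMD_DIR` override are hypothetical placeholders, and it assumes `dh_installsystemd --no-start` is set in debian/rules.

```shell
#!/bin/sh
# Added example, not the amavisd-new package's postinst. Assumes debian/rules has:
#   override_dh_installsystemd:
#   	dh_installsystemd --no-start
# so the #DEBHELPER# section creates the user and enables the unit without starting it.
set -e

# Hypothetical placeholders: the package's real paths, group and mode are not given in the thread.
AMAVIS_USER="${AMAVIS_USER:-amavis}"
AMAVIS_GROUP="${AMAVIS_GROUP:-amavis}"
AMAVIS_DIRS="${AMAVIS_DIRS:-/var/lib/EXAMPLE-state-dir}"
SYSTEMD_DIR="${SYSTEMD_DIR:-/run/systemd/system}"

#DEBHELPER#

fix_permissions() {
    # Runs after #DEBHELPER#, so the account must exist; stop instead of
    # leaving the directories owned by the wrong user.
    id "$AMAVIS_USER" >/dev/null 2>&1 || {
        echo "postinst: user $AMAVIS_USER is missing" >&2
        return 1
    }
    for dir in $AMAVIS_DIRS; do
        [ -d "$dir" ] || continue
        # Non-recursive on purpose: a recursive chown as root over a tree the
        # service user can write to is exposed to link attacks.
        chown "$AMAVIS_USER:$AMAVIS_GROUP" "$dir"
        chmod 0750 "$dir"
    done
}

start_units() {
    # Same logic as the debhelper snippet: restart on upgrade ($2 set), start on first install.
    [ -d "$SYSTEMD_DIR" ] || return 0
    if [ -n "$1" ]; then action=restart; else action=start; fi
    deb-systemd-invoke "$action" 'amavis.service' >/dev/null || true
}

case "${1:-}" in
configure)
    fix_permissions
    start_units "${2:-}"
    ;;
esac
```
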
