General description of the problem:
When a file with restricted modes (such as sudoers, shadow, etc.) is changed, it ends up world readable. I have to run aconfmgr a second time to get it to detect the incorrect modes and correct it.
Steps to reproduce the problem:
1. Use something like this to modify the sudoers file:
   f="$(GetPackageOriginalFile sudo /etc/sudoers)"
   sed -i 's/^# \(%wheel ALL=(ALL:ALL) ALL\)$/\1/g' "$f"
2. Make sure that this is correctly applied to the system.
3. Change the above sed expression to generate a different line, or add an additional change to the file.
4. Run aconfmgr --skip-checksums -c . apply --paranoid
5. Notice how aconfmgr now made the file world readable.
6. Rerun aconfmgr to get it to fix the mode.
Configuration:
f="$(GetPackageOriginalFile sudo /etc/sudoers)"
sed -i 's/^# \(%wheel ALL=(ALL:ALL) ALL\)$/\1/g' "$f"
# Then change the above line to get it to do something different.
Expected result:
The file mode should always be restricted from the package.
Actual result:
The file mode ends up as the default world readable whenever aconfmgr applies a change to the file contents, be it from a change in the config or a change in the source package file (i.e. after an upgrade when pacnew hasn't yet been merged and aconfmgr is executed to update the config instead).
Log:
# On the first run of aconfmgr:
[...]
::: Rescanning...
:::: Examining files...
::::: Loading data...
:::::: Done.
::::: Comparing file data...
[...]
::::: Only in system: /etc/sudoers.pacnew
::::: Changed: /etc/bluetooth/main.conf
::::: Changed: /etc/sudoers
[...]
::::: Done (3 only in system, 2 changed, 5 only in config).
[...]
:: Configuring files...
::: Overwriting 2 changed files.
:::: Proceed? [Y/n/d] d
:::: Overwriting the following changed files:
* /etc/bluetooth/main.conf
* /etc/sudoers
:::: Proceed? [Y/n/d] y
[...]
:::: Overwriting /etc/sudoers...
::::: Proceed? [Y/n/d] d
--- /etc/sudoers 2022-10-08 14:39:46.762892723 0200
/tmp/aconfmgr-arvid/output/files//etc/sudoers 2023-07-25 10:27:49.169560010 0200
@@ -59,6 59,10 @@
## Uncomment to use a hard-coded PATH instead of the user's to find commands
# Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
##
## Uncomment to restore the historic behavior where a command is run in
## the user's own terminal.
# Defaults !use_pty
##
## Uncomment to send mail if the user does not enter the correct password.
# Defaults mail_badpass
##
::::: Proceed? [Y/n/d] y
:::: Done.
[...]
# Rerun aconfmgr and get:
::: Configuring file properties...
:::: Comparing file properties...
::::: Done.
:::: Found 0 new, 0 changed, and 1 extra files properties.
::::: Proceed? [Y/n/d] d
::::: Clearing the following file properties:
:::::: Setting mode of /etc/sudoers to 440 (default value)
::::: Proceed? [Y/n/d] y
::::: Setting mode of /etc/sudoers to 440 (default value)
::::: Done.
:::: Done.
::: Done.
Additional context:
No response
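
The failure mode reported above, next to one way to replace a restricted file without losing its mode. This is an added example, not aconfmgr's code or the reporter's; the function names and the temporary stand-in for /etc/sudoers are constructed for illustration, and it assumes a `stat` that supports `-c` (GNU coreutils, as on Arch Linux).

```shell
#!/bin/sh
# Added example, not aconfmgr code. Function names are hypothetical.
# Assumes stat(1) supports -c (GNU coreutils).

# True if the "other" permission triad of FILE includes read.
is_world_readable() {
    case "$(stat -c %a -- "$1")" in
        *[4567]) return 0 ;;
        *)       return 1 ;;
    esac
}

# Write-then-rename with no mode handling: the new file is created with
# 0666 & ~umask, so a 0440 target becomes 0644 under the common umask 022.
replace_naive() {    # replace_naive SRC DEST
    cat -- "$1" > "$2.new" && mv -f -- "$2.new" "$2"
}

# Stage the new content in a 0600 temp file (mktemp's default), copy the
# owner (when root) and mode of the existing DEST onto it, then rename.
# The content is never readable by others, not even briefly.
replace_preserving_mode() {    # replace_preserving_mode SRC DEST
    _tmp="$(mktemp "$2.XXXXXX")" || return 1
    if cat -- "$1" > "$_tmp" &&
       { [ "$(id -u)" -ne 0 ] || chown "$(stat -c %u:%g -- "$2")" "$_tmp"; } &&
       chmod "$(stat -c %a -- "$2")" "$_tmp" &&
       mv -f -- "$_tmp" "$2"
    then return 0
    fi
    rm -f -- "$_tmp"
    return 1
}

# Constructed sample: a 0440 file standing in for /etc/sudoers.
demo() (
    umask 022
    d="$(mktemp -d)" || exit 1
    printf 'old\n' > "$d/sudoers"; chmod 440 "$d/sudoers"
    printf 'new\n' > "$d/new"
    replace_naive "$d/new" "$d/sudoers";           naive="$(stat -c %a "$d/sudoers")"
    chmod 440 "$d/sudoers"
    replace_preserving_mode "$d/new" "$d/sudoers"; fixed="$(stat -c %a "$d/sudoers")"
    rm -rf "$d"
    echo "$naive $fixed"
)

demo    # prints "644 440"
```

`is_world_readable` can also be run on its own after an apply to flag files such as /etc/sudoers or /etc/shadow that ended up readable by others.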