NetBSD Problem Report #49031
From dholland@macaran.localdomain Fri Jul 25 00:55:00 2014
Message-Id: <20140725005511.ADF3F6E25B@macaran.localdomain>
Date: Thu, 24 Jul 2014 20:55:11 -0400 (EDT)
From: dholland@eecs.harvard.edu
Reply-To: dholland@eecs.harvard.edu
To: gnats-bugs@NetBSD.org
Subject: /etc/security tries to track /var/log/authlog
X-Send-Pr-Version: 3.95
>Number: 49031
>Category: bin
>Synopsis: /etc/security tries to track /var/log/authlog
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Fri Jul 25 00:55:00 +0000 2014
>Last-Modified: Tue Aug 05 15:20:00 +0000 2014
>Originator: David A. Holland
>Release: NetBSD 6.99.47 (20140723)
>Organization:
>Environment:
System: NetBSD amberdon 6.99.47 NetBSD 6.99.47 (AMBERDON) #14: Wed Jul 23 02:12:28 EDT 2014 root@amberdon:/usr/src/sys/arch/amd64/compile/AMBERDON amd64
Architecture: x86_64
Machine: amd64
>Description:
After updating a couple days ago, /etc/security decided it needed to
start tracking /var/log/authlog, and now every night (well, one so far
but it will continue until stopped) I get this spam in the daily
insecurity output:
======
/var/log/authlog diffs (OLD < > NEW)
======
[changes omitted]
Routine chatter that needs to be ignored is bad for security
monitoring; also, as this will frequently be the difference between
getting output from /etc/security and not getting any, it's
particularly irritating.
This needs to be fixed before -7 goes out.
Also, while accumulating copies of authlog in /var/backups might have
some merit, it shouldn't be done by default and has the potential to
consume a lot of disk space over time.
>How-To-Repeat:
Nothing special.
>Fix:
I dunno. I'm not sure what happened; it appears that the file got
added to the list of things tracked because it's in etc/mtree/special;
but it's been there for a long time. The trigger for the behavior
appears to have been adding "nodiff" to the mtree entry, in -r1.147,
but on the face of it, it seems like there must be a bug in
/etc/security for this to prompt tracking the file.
There's also a question of whether and how to clean up the leftover
/var/backups/log/authlog.current{,\,v} arising from this bug.
>Audit-Trail:
From: Masao Uebayashi <uebayasi@gmail.com>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: bin/49031: /etc/security tries to track /var/log/authlog
Date: Fri, 25 Jul 2014 15:41:21 +0900
Good catch.
I'll revert "tags=nodiff" lines that were appended to "tags=exclude";
two lines, ./etc/spwd.db and ./var/log/authlog.
I should have verified /etc/security's logic more. Now I read it;
what it does is:
do backup
    list files
        excluding files with "tags=exclude"
    backup files
    send diffs
do backup without diff
    list files
        with "tags=nodiff"
    backup files
I'll consider how to clean up ,v files.
From: "David A. Holland" <dholland@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/49031 CVS commit: src/etc/mtree
Date: Tue, 5 Aug 2014 07:34:52 +0000
Module Name: src
Committed By: dholland
Date: Tue Aug 5 07:34:52 UTC 2014
Modified Files:
src/etc/mtree: special
Log Message:
Remove "tags=nodiff" from /var/log/authlog as suggested by uebayasi@;
part of PR 49031.
To generate a diff of this commit:
cvs rdiff -u -r1.147 -r1.148 src/etc/mtree/special
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
From: Alan Barrett <apb@netbsd.org>
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: PR/49031 CVS commit: src/etc/mtree
Date: Tue, 5 Aug 2014 11:54:58 +0200
On Tue, 05 Aug 2014, David A. Holland wrote:
> Log Message:
> Remove "tags=nodiff" from /var/log/authlog as suggested by uebayasi@;
> part of PR 49031.
>
> To generate a diff of this commit:
> cvs rdiff -u -r1.147 -r1.148 src/etc/mtree/special
I think that there were two underlying problems, and this commit
works around one of them.
The problems, as I see them, are:
1. Tags in mtree files should be comma-separated, like
   "tags=exclude,nodiff". /etc/mtree/special contains several
   lines with "tags=exclude tags=nodiff", and mtree(8) interprets
   that like "tags=nodiff", ignoring the attempt to set the "exclude"
   tag.
2. /etc/security does not expect any files to have both "exclude" and
   "nodiff" tags, and is missing logic to handle that case.
I attach a patch that I think will address both these problems.
--apb (Alan Barrett)
[Attachment: pr49031.diff]
Index: etc/security
===================================================================
RCS file: /cvsroot/src/etc/security,v
retrieving revision 1.115
diff -d -p -u -r1.115 security
--- etc/security 6 Nov 2013 19:37:05 -0000 1.115
+++ etc/security 5 Aug 2014 09:45:12 -0000
@@ -967,8 +967,13 @@ fi
# List of files that get backed up and checked for any modifications.
# Any changes cause the files to rotate.
#
+# Tags in mtree file $SPECIALSPEC modify the behaviour here:
+# tags=exclude - no backup, no diff.
+# tags=nodiff - do backup, do not diff.
+# tags=exclude,nodiff - no backup, no diff (same as tags=exclude)
+#
if checkyesno check_changelist ; then
- mtree -D -k type -f $SPECIALSPEC -E exclude |
+ mtree -D -k type -f $SPECIALSPEC -E exclude,nodiff |
sed '/^type=file/!d ; s/type=file \.//' | unvis > $CHANGEFILES
(
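Review bot: With `-E exclude,nodiff` the nodiff-tagged files now drop out of $CHANGEFILES, so the comment just above this hunk, "List of files that get backed up and checked for any modifications", no longer describes the list completely; add a sentence to the new tag table saying that nodiff files are listed and backed up separately by the `-I nodiff` command further down, so the next reader does not conclude they go unchecked. The tag table itself is a welcome addition.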
@@ -1017,7 +1022,7 @@ fi
# differences and we don't want to do that for these files
#
echo $MP > $TMP1 # always add /etc/master.passwd
-mtree -D -k type -f $SPECIALSPEC -I nodiff |
+mtree -D -k type -f $SPECIALSPEC -I nodiff -E exclude |
sed '/^type=file/!d ; s/type=file \.//' | unvis >> $TMP1
grep -v '^$' $TMP1 | sort -u > $TMP2
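Review bot: Adding `-E exclude` here is what makes the `tags=exclude,nodiff` case behave as `tags=exclude`, but nothing at this call site says so; the only explanation is the comment block about fifty lines earlier in the other hunk. Put a one-line comment above the mtree invocation, e.g. `# skip files that are also tagged exclude (see tag table above)`, so the two `-E` options stay in step when either one is edited later.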
Index: etc/mtree/special
===================================================================
RCS file: /cvsroot/src/etc/mtree/special,v
retrieving revision 1.147
diff -d -p -u -r1.147 special
--- etc/mtree/special 19 May 2014 05:43:35 -0000 1.147
+++ etc/mtree/special 5 Aug 2014 09:45:12 -0000
@@ -8,9 +8,12 @@
#
# /etc/security checks:
# - All of these are checked if $check_mtree is enabled.
-# - Files with "nodiff" tags are highlighted if they change.
+# - Files without "exclude" tags are backed up in /var/backups.
+# - Files with "exclude" tags are not backed up.
# - Files without "nodiff" or "exclude" tags are displayed
# with diff(1)s if $check_changelist is enabled.
+# - Files with "nodiff" tags are highlighted if they change, but
+# diffs are not generated.
#
/set uname=root gname=wheel
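Review bot: The reworded comment still leaves the reader to infer how an entry tagged both `exclude` and `nodiff` is treated, and that combination appears in this very file (spwd.db, authlog). Since the bug being fixed was precisely the tag syntax, add a line stating that multiple tags are comma-separated (`tags=exclude,nodiff`) and that `exclude` takes precedence, matching the tag table added to etc/security in the same patch.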
@@ -306,14 +309,14 @@
./etc/shells type=file mode=0644
./etc/shosts.equiv type=file mode=0600 optional tags=nodiff
./etc/skel type=dir mode=0755 optional
-./etc/spwd.db type=file mode=0600 tags=exclude tags=nodiff
+./etc/spwd.db type=file mode=0600 tags=exclude,nodiff
./etc/ssh type=dir mode=0755 optional
./etc/ssh/ssh_config type=file mode=0644 optional
./etc/ssh/ssh_host_dsa_key type=file mode=0600 optional tags=nodiff
./etc/ssh/ssh_host_dsa_key.pub type=file mode=0644 optional
./etc/ssh/ssh_host_ecdsa_key type=file mode=0600 optional tags=nodiff
./etc/ssh/ssh_host_ecdsa_key.pub type=file mode=0644 optional
-./etc/ssh/ssh_host_key type=file mode=0600 optional tags=nodiff tags=nodiff
+./etc/ssh/ssh_host_key type=file mode=0600 optional tags=nodiff
./etc/ssh/ssh_host_key.pub type=file mode=0644 optional
./etc/ssh/ssh_host_rsa_key type=file mode=0600 optional tags=nodiff
./etc/ssh/ssh_host_rsa_key.pub type=file mode=0644 optional
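Review bot: Besides the spwd.db fix, this hunk also collapses a duplicated `tags=nodiff tags=nodiff` on ssh_host_key, which is harmless but shows how easily the pattern is missed by eye. Before committing, grep the whole file for lines carrying more than one `tags=` keyword (e.g. `grep -n 'tags=.*tags=' etc/mtree/special`) to confirm that spwd.db, ssh_host_key and authlog are the only ones; the covering message says the file contains "several" such lines.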
@@ -407,7 +410,7 @@
./var/cron/tabs/root type=file mode=0600 tags=nodiff
./var/db type=dir mode=0755
./var/log type=dir mode=0755
-./var/log/authlog type=file mode=0600 optional tags=exclude tags=nodiff
+./var/log/authlog type=file mode=0600 optional tags=exclude,nodiff
./var/log/lastlog type=file mode=0664 gname=utmp tags=exclude
./var/log/lastlogx type=file mode=0664 gname=utmp tags=exclude
./var/log/wtmp type=file mode=0664 gname=utmp tags=exclude
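Review bot: This hunk was generated against special revision 1.147 (see the `retrieving revision 1.147` line), but the commit earlier in this PR already produced 1.148 by removing `tags=nodiff` from this same authlog line, so the hunk may not apply cleanly and in effect re-adds nodiff; regenerate the diff against 1.148 and state in the log message that nodiff is intentionally restored alongside exclude. The patch also does not address the leftover /var/backups/log/authlog.current and its ,v copy raised in the PR; say whether that cleanup is left to the administrator.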
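An added check for the first problem Alan describes (the space-separated `tags=` keywords that mtree silently collapses); it is example code written for this page, not part of NetBSD's /etc/security or mtree. It scans an mtree spec for entries carrying more than one `tags=` keyword and reports which tag mtree would keep and which it would drop; the function names and the sample spec are constructed for the example.

```shell
# Added example (not NetBSD's /etc/security or mtree code): lint an mtree(8)
# spec for entries that set "tags=" more than once on one line.  mtree keeps
# only the last tags= keyword, so "tags=exclude tags=nodiff" silently drops
# "exclude"; the intended form is "tags=exclude,nodiff".

# Usage: lint_mtree_tags [specfile]   (reads stdin when no file is given)
# Prints "<line>: <path> kept=<surviving tags> dropped=<ignored tags>" for
# each offending entry; comments, /set lines and blank lines are skipped.
# Exit status 0 when the spec is clean, 1 when any entry was flagged.
lint_mtree_tags() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*\/set/ || /^[[:space:]]*$/ { next }
        {
            n = 0; dropped = ""
            for (i = 2; i <= NF; i++) {
                if ($i !~ /^tags=/) continue
                n++
                # every tags= keyword before the last one is ignored by mtree
                if (n > 1) dropped = dropped (dropped == "" ? "" : " ") last
                last = substr($i, 6)
            }
            if (n > 1) {
                printf "%d: %s kept=%s dropped=%s\n", NR, $1, last, dropped
                bad++
            }
        }
        END { exit (bad > 0) }
    ' "${1:-/dev/stdin}"
}

# Number of flagged entries, for callers that want a count rather than a report.
count_bad_tags() {
    lint_mtree_tags "$1" | wc -l | tr -d ' '
}

# Constructed sample spec (not the real /etc/mtree/special); the spwd.db and
# ssh_host_key lines reproduce the defect discussed in PR 49031.
SAMPLE_SPEC='# comment
/set uname=root gname=wheel
./etc/shells type=file mode=0644
./etc/spwd.db type=file mode=0600 tags=exclude tags=nodiff
./etc/ssh/ssh_host_key type=file mode=0600 optional tags=nodiff tags=nodiff
./var/log/authlog type=file mode=0600 optional tags=exclude,nodiff'

printf '%s\n' "$SAMPLE_SPEC" | lint_mtree_tags ||
    echo "fix: join tags with commas, e.g. tags=exclude,nodiff"
```

Run it against the real spec with `lint_mtree_tags /etc/mtree/special`; a clean file produces no output and exit status 0.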
From: Masao Uebayashi <uebayasi@gmail.com>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: PR/49031 CVS commit: src/etc/mtree
Date: Wed, 6 Aug 2014 00:16:48 +0900
Thanks for working on this. The diff reads OK to me.
(Hopefully, in the future, those complex commands are refactored into
shell functions.)