Trisuel AIDE Package Upgrade Snag And Rant
From: Bob Proulx
Subject: Trisuel AIDE Package Upgrade Snag And Rant
Date: Sat, 29 Oct 2022 13:39:34 -0600
The recent Trisquel 10 to 11 upgrade caught a small snag for the AIDE
package upgrade. This might be considered a daily rant.
AIDE -- Advanced Intrusion Detection Environment.
It is useful to notify in the case of changes to system files. This
is one of the standard packages which does this. Just one cog in the
machine.
I upgraded frontend2 to the latest Trisquel 11 release candidate (equiv
to Ubuntu 22.04) and hit another one of those times when you can't
believe that it is completely broken and hasn't been fixed. These
packages of aide and aide-common should be passthrough packages from
Ubuntu into Trisquel, so it is probably broken in Ubuntu too, but I
don't know as I didn't verify it there.
This is the Trisquel 10 (equivalent to Ubuntu 20.04) version of the file.
root@frontend1:~# ll /etc/aide/aide.conf.d/31_aide_smokeping
-rwxr-xr-x 1 root root 476 Dec 16 2013 /etc/aide/aide.conf.d/31_aide_smokeping
root@frontend1:~# cat /etc/aide/aide.conf.d/31_aide_smokeping
#!/bin/bash
if [ -d "/var/lib/smokeping" ]; then
    find /var/lib/smokeping -type f -name '*.rrd' | \
        sed 's/^\(.*\)/\1$ VarFile/'
fi
if [ -d "/var/www/smokeping" ]; then
    find /var/www/smokeping -type f -name '*.png' | \
        sed 's/^\(.*\)/\1$ VarFile/'
    find /var/www/smokeping -type f -name '*.maxhight' | \
        sed 's/^\(.*\)/\1$ VarFile/'
fi
cat <<EOF
/@@{RUN}/smokeping/smokeping\.pid$ VarFile
/@@{RUN}/smokeping$ VarDirInode
!/tmp/speedy\.6\.21\.F$
EOF
Okay. It's executable. It's a bash script. It works. Because it is
executable it is invoked and the output is included in the built up
configuration file. That's the way the previous version worked.
Let's upgrade to the current version.
Here is the next version, in Trisquel 11 (equivalent to Ubuntu 22.04).
root@frontend2:~# ll /etc/aide/aide.conf.d/31_aide_smokeping
-rwxr-xr-x 1 root root 523 Oct 25 18:53 /etc/aide/aide.conf.d/31_aide_smokeping
root@frontend2:~# cat /etc/aide/aide.conf.d/31_aide_smokeping
@@define VLS var/lib/smokeping
@@define VCS var/cache/smokeping
/@@{VLS}/Local/LocalMachine\\.rrd$ f VarFile
/@@{VLS}/__sortercache$ d VarDir
/@@{VLS}/__sortercache/data\\.FPing6?\\.storable$ f VarFile
/@@{VLS}/[a-z-]+(/[-a-z0-9_]+)?/[-a-z0-9_]+(_[0-9a-f_]+)?\\.rrd$ f VarFile
/@@{VCS}/images/([-[:alnum:]_]+/)+[-[:alnum:]_]+(_(last_(108000?|31104000|864000?)|mini)\\.png|\\.maxheight)$ f VarFile
/@@{VCS}/images/__navcache$ d VarDir
!/@@{VCS}/images/__navcache/[[:digit:]]{13,15}_[[:digit:]]{10}_[[:digit:]]{10}\\.png$ f
What? Huh? What? Needless to say this breaks everything, unable to
create a config file, death and destruction, dogs and cats living
together, AIDE is completely broken.
root@frontend2:~# aideinit
Running aide --init...
ERROR: /etc/aide/aide.conf.d/31_aide_smokeping: stderr> ERROR: /etc/aide/aide.conf.d/31_aide_smokeping: execl failed: Exec format error
ERROR: /etc/aide/aide.conf.d/31_aide_smokeping: execution failed (exit status: 1)
AIDE --init return code 20
I look in the aide-common.postinst script and find this snippet.
    # in aide 0.17.2-1, the smokeping snippet has been made static
    # instead of being a executable snippet. Remove x bits on an unchanged
    # file
    if [ "$(sha256sum /etc/aide/aide.conf.d/31_aide_smokeping)" = "99f11d04cf33318cef28cb71c252ee0f7b5c37e91893e813973ee120f301a5a7  /etc/aide/aide.conf.d/31_aide_smokeping" ]; then
        chmod 0644 /etc/aide/aide.conf.d/31_aide_smokeping
    fi
root@frontend1:~# dpkg -l |grep aide
ii aide 0.16.1-1ubuntu0.1 amd64 AIDE - static binary
ii aide-common 0.16.1-1ubuntu0.1 all AIDE - Common files
root@frontend2:~# dpkg -l |grep aide
ii aide 0.17.4-1 amd64 AIDE - dynamic binary
ii aide-common 0.17.4-1 all AIDE - Common files
I abbreviated this above slightly.
root@frontend2:~# sha256sum /etc/aide/aide.conf.d/31_aide_smokeping
38da62161e480becd5eac8373058bbe25f78a2cfe46e116aebe44cf1060393f5  /etc/aide/aide.conf.d/31_aide_smokeping
root@frontend1:~# sha256sum /etc/aide/aide.conf.d/31_aide_smokeping
cdd755947d2847e96290b675f95fd2b67f13a5e861f49c0d4e6bbc3bf6d18923  /etc/aide/aide.conf.d/31_aide_smokeping
It was 0.16.1-1ubuntu0.1 in the previous version. So they are
assuming that this will match that particular signature. But it
doesn't. That's the bug. Fix it manually.
root@frontend2:~# chmod a-x /etc/aide/aide.conf.d/31_aide_smokeping
I look at a Debian system and it has the right file hash.
root@despair:~# sha256sum /etc/aide/aide.conf.d/31_aide_smokeping
99f11d04cf33318cef28cb71c252ee0f7b5c37e91893e813973ee120f301a5a7  /etc/aide/aide.conf.d/31_aide_smokeping
despair: ii aide 0.17.3-4+deb11u1 i386 AIDE - static binary
despair: ii aide-common 0.17.3-4+deb11u1 all AIDE - Common files
So the problem is that Ubuntu took the Debian package directly. Which
is usually okay. Except that the OS releases have different release
points containing different versions from Ubuntu. Effectively Ubuntu,
and therefore Trisquel, skipped the Debian release containing the file
with exactly that file content hash signature. And as we all know it
is not supported to skip releases! This is one example of why.
I don't want to bury this in the noise. I'll say it again to
emphasize. Trisquel skips a release point. And skipping release
points is not supported. Trisquel should have forked for a different
hash signature in the postinst script. Or even better improved the
postinst script.
Instead of the rigid file checksum signature they could have looked to
see if it was the previous shell script or not.
root@frontend1:~# sed 1q /etc/aide/aide.conf.d/31_aide_smokeping
#!/bin/bash
root@frontend2:~# sed 1q /etc/aide/aide.conf.d/31_aide_smokeping
@@define VLS var/lib/smokeping
And then base the action upon it being a script or not. Because any
change will break the hash signature. This snag was hit with pristine
copies of the file. It was NOT modified locally. There is the
possible issue that someone might want the file to be broken, might
have modified the file, and might argue that as a local change the
postinst script should not change the file mode in the more flexible
method I describe. I only know one person that pedantic who routinely
argues this point and I think the greater good outweighs.
The postinst author simply created a rigid system, rigid systems are
fragile, and it broke due to lacking flexibility. This is an example
of why rigid systems are bad and more flexible systems are better.
The crazy thing is that it is still broken? Ubuntu upgrades are
always like moving from one unfinished house into another unfinished
house.
This has been, A Daily Rant!
Bob
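What the content-based check argued for above could look like, as an added example that is not code from the post nor from the aide-common postinst. It contrasts the pinned-sha256 approach with a check on whether the snippet starts with a shebang, and clears the execute bits only on a non-script snippet. The fixture files and their contents are constructed for the example, not the real package files; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not the post's nor the aide-common package's code.
# aide runs an executable conf.d snippet and includes a non-executable one
# verbatim, so a static snippet left 0755 fails with "Exec format error".

# rigid_check FILE HASH: the pinned-hash approach. Succeeds only when FILE's
# sha256 equals HASH exactly; any other pristine revision of FILE fails.
rigid_check() {
    [ "$(sha256sum "$1" | cut -d' ' -f1)" = "$2" ]
}

# is_script FILE: succeeds when the first line of FILE is a shebang.
is_script() {
    case "$(sed 1q "$1")" in
        '#!'*) return 0 ;;
        *)     return 1 ;;
    esac
}

# fix_snippet_mode FILE: clear execute bits on an executable, non-script
# snippet. Echoes one of: fixed (mode changed), script (left executable),
# static (already non-executable). Returns 1 if FILE does not exist.
fix_snippet_mode() {
    [ -f "$1" ] || return 1
    if [ ! -x "$1" ]; then
        echo static
    elif is_script "$1"; then
        echo script
    else
        chmod a-x "$1"
        echo fixed
    fi
}

# make_fixture DIR: constructed sample snippets (assumed content, not the
# real package files):
#   old_script    - 0755 shebang script, the old style, must stay executable
#   new_static    - 0755 static rules, the broken post-upgrade state
#   new_static_ok - 0644 static rules, already correct
make_fixture() {
    printf '#!/bin/sh\necho "/var/lib/smokeping$ VarDir"\n' > "$1/old_script"
    printf '@@define VLS var/lib/smokeping\n/@@{VLS}$ d VarDir\n' > "$1/new_static"
    cp "$1/new_static" "$1/new_static_ok"
    chmod 0755 "$1/old_script" "$1/new_static"
    chmod 0644 "$1/new_static_ok"
}

# Stand-alone run: pin the hash of one revision, then append a blank line to
# new_static to stand in for a different pristine revision. The pinned hash
# matches only new_static_ok; the content check still fixes new_static.
tmp=$(mktemp -d)
make_fixture "$tmp"
pinned=$(sha256sum "$tmp/new_static" | cut -d' ' -f1)
printf '\n' >> "$tmp/new_static"
for f in old_script new_static new_static_ok; do
    if rigid_check "$tmp/$f" "$pinned"; then r=match; else r=nomatch; fi
    echo "$f: hash=$r mode=$(fix_snippet_mode "$tmp/$f")"
done
rm -rf "$tmp"
```

Run as a plain sh script; it needs only coreutils (sha256sum, cut, sed, mktemp). The shebang test is deliberately loose: it does not care which revision of the static snippet is installed, only whether aide would try to execute it.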