FS#43646 - [postfix] permissions differ between package/installed

Attached to Project: Arch Linux
Opened by Gustavo Alvarez (sl1pkn07) - Saturday, 31 January 2015, 20:42 GMT
Last edited by Gaetan Bisson (vesath) - Wednesday, 25 March 2015, 20:36 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To Gaetan Bisson (vesath)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 4
Private No

Details

when update/reinstall postfix:

(1/1) reinstalling postfix [---------------------------------------------------------------------------------------] 100%
warning: directory ownership differs on /var/lib/postfix/
filesystem: 73:0 package: 0:0
warning: directory ownership differs on /var/spool/postfix/trace/
filesystem: 73:0 package: 0:0
warning: directory ownership differs on /var/spool/postfix/saved/
filesystem: 73:0 package: 0:0
warning: directory ownership differs on /var/spool/postfix/public/
filesystem: 73:75 package: 0:0
warning: directory ownership differs on /var/spool/postfix/maildrop/
filesystem: 73:75 package: 0:0
warning: directory ownership differs on /var/spool/postfix/private/
filesystem: 73:0 package: 0:0
warning: directory ownership differs on /var/spool/postfix/incoming/
filesystem: 73:0 package: 0:0
warning: directory ownership differs on /var/spool/postfix/hold/
filesystem: 73:0 package: 0:0
warning: directory ownership differs on /var/spool/postfix/flush/
filesystem: 73:0 package: 0:0
warning: directory ownership differs on /var/spool/postfix/deferred/
filesystem: 73:0 package: 0:0
warning: directory ownership differs on /var/spool/postfix/defer/
filesystem: 73:0 package: 0:0
warning: directory ownership differs on /var/spool/postfix/corrupt/
filesystem: 73:0 package: 0:0
warning: directory ownership differs on /var/spool/postfix/bounce/
filesystem: 73:0 package: 0:0
warning: directory ownership differs on /var/spool/postfix/active/
filesystem: 73:0 package: 0:0


greetings

Closed by Gaetan Bisson (vesath)
Wednesday, 25 March 2015, 20:36 GMT
Reason for closing: Fixed
Additional comments about closing: postfix-3.0.0-3 in [extra]
Comment by Gaetan Bisson (vesath) - Saturday, 31 January 2015, 21:26 GMT
Postfix has lots of files and the install scriptlet runs an upstream script that takes care of setting all those permissions. So they default to root:root in the package but we set them right using the correct upstream way later. I'm not sure what to do with this pacman warning other than ignore it.
Comment by Martin Schnitkemper (Martin-MS) - Sunday, 01 February 2015, 09:42 GMT
I got the same warnings today; I think they are new since pacman v4.2.0. A "pacman -Qkk postfix" also reported wrong permissions; I run a weekly cron job to detect changes to filesystem permissions, and changes on postfix were reported every time in the past. So it's not really new for me.

Since pacman always checks permissions of the local filesystem against the permissions set in the packages, it will report every difference; hence it's not a good idea to change permissions after installation, since it makes no difference whether an install script did it or malware.

Can't you set the right permissions in the package already, i.e. UID to 73, and not afterwards by a script? Then the permissions of the filesystem are always correct and pacman would not report a change.

I think just ignoring is not good advice for me; how can I decide in the future whether the warning is false or right?
Comment by archbugs (archbugs) - Sunday, 01 February 2015, 23:58 GMT
I would have to agree just ignoring this overall seems like the wrong way to go. There has to be another method to resolve this.

EDIT:
Sure if I had one I would have suggested it.
Comment by Gaetan Bisson (vesath) - Monday, 02 February 2015, 00:15 GMT
Please feel free to complement your posts by contributing suggestions for fixing this.
Comment by Martin Schnitkemper (Martin-MS) - Monday, 02 February 2015, 22:25 GMT
My suggestion, as already mentioned above in my first comment, is to set the permissions of all files before building the package, so that after installation the permissions (i.e. UID=73 and GID=75 instead of UID/GID=0) are already set correctly and not tampered with afterwards by a script. Then pacman meets the right permissions and does not complain about a changed permission.
Comment by Gaetan Bisson (vesath) - Monday, 02 February 2015, 22:45 GMT
That would sure be nice but I'd like to do that using the upstream-provided script.
Comment by Patrick Goetz (pgoetz) - Wednesday, 04 February 2015, 16:53 GMT
Currently upstream provides a script which changes the permissions of these directories after they've been installed? That seems like a weird way to do things. Maybe upstream could just deliver the tgz with correct permissions already applied?
Comment by Patrick Goetz (pgoetz) - Wednesday, 04 February 2015, 17:44 GMT

Comment by Patrick Goetz (pgoetz) - Wednesday, 04 February 2015, 17:45 GMT

Comment by Martin Schnitkemper (Martin-MS) - Wednesday, 04 February 2015, 20:52 GMT
I am afraid that the UID/GID of the postfix user/group are different on every distribution, so they can't be supplied by the upstream package and must be set individually on every target system.
Comment by Patrick Goetz (pgoetz) - Wednesday, 04 February 2015, 21:09 GMT
This is one of those things that would be worth standardizing. I've been trying to do that on my systems, but switching from Ubuntu to Arch meant several system UIDs/GIDs changed.
Comment by Gustavo Alvarez (sl1pkn07) - Tuesday, 10 February 2015, 23:04 GMT
still in the new version 3.0.0-1
Comment by Patrick Goetz (pgoetz) - Wednesday, 11 February 2015, 02:53 GMT
My understanding is there is no way to fix this short of coordinating with upstream, which is at best a long term solution.

What could be done is to include a post or even pre-installation script that lets users know not to worry about these error messages.
Comment by Martin Schnitkemper (Martin-MS) - Wednesday, 11 February 2015, 21:06 GMT
As I already mentioned, a "pacman -Qkk postfix" also reports these warnings, so it would not help if the installation script reports that the warning can be ignored. And postfix is not the only application with this habit, i.e. cups reports the same warnings after a pacman check of tampered files.

I don't know how many of us use this check; I frequently do it to detect file permissions possibly altered by malware; that's what the check has been designed for. If this check is offered by pacman, then it should work, and I cannot detect case by case whether the warning is false or true, depending on the package. If it is unreliable like now, then they had better remove this feature from pacman. A warning that has to be ignored makes no sense.

Maybe we should report this problem to the pacman development team, too. It's a common problem not limited to postfix, and if the application or install script changes file permissions after the installation, pacman will not tire of issuing a warning until we have a proof of concept for how to deal with it.
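One way to separate reviewed ownership deviations from new ones, which is the question raised in the comment above (added example, not part of the original thread and not pacman's own code). It parses only the two-line warning format quoted in this report; the baseline entries and the sample lines are constructed.

```python
import re

# Two-line warnings as quoted in this report, with or without the
# "[date] [ALPM]" prefix that pacman.log adds.
HEAD = re.compile(r"warning: directory (ownership|permissions) differs? on (.+?)\s*$")
VALS = re.compile(r"filesystem:\s*(\S+)\s+package:\s*(\S+)")

# Constructed baseline: deviations an admin has reviewed and accepted,
# keyed by path -> (kind, value expected on the filesystem).
BASELINE = {
    "/var/lib/postfix/": ("ownership", "73:0"),
    "/var/spool/postfix/public/": ("ownership", "73:75"),
    "/var/spool/postfix/maildrop/": ("ownership", "73:75"),
}

# Constructed sample in the format shown in this report.
SAMPLE = """\
warning: directory ownership differs on /var/lib/postfix/
filesystem: 73:0 package: 0:0
warning: directory ownership differs on /var/spool/postfix/public/
filesystem: 73:75 package: 0:0
warning: directory ownership differs on /var/spool/postfix/maildrop/
filesystem: 1000:75 package: 0:0
[2015-03-15 09:48] [ALPM] warning: directory permissions differ on /usr/share/doc/p7zip/MANUAL/
filesystem: 704 package: 755
"""

def parse(text):
    """Return (kind, path, filesystem_value, package_value) per warning."""
    out, pending = [], None
    for line in text.splitlines():
        head = HEAD.search(line)
        if head:
            pending = (head.group(1), head.group(2))
            continue
        vals = VALS.search(line)
        if vals and pending:
            out.append((*pending, vals.group(1), vals.group(2)))
        pending = None
    return out

def unexpected(findings, baseline):
    """Keep findings whose on-disk value is not the reviewed one."""
    return [f for f in findings if baseline.get(f[1]) != (f[0], f[2])]

if __name__ == "__main__":
    for kind, path, fs, pkg in unexpected(parse(SAMPLE), BASELINE):
        print(f"REVIEW {kind} {path} filesystem={fs} package={pkg}")
```

A path that is in the baseline but shows a different owner than the reviewed one is still reported, so an accepted deviation does not hide a later change on the same directory.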
Comment by Peter Mattern (krabat) - Wednesday, 18 March 2015, 10:34 GMT
It is safe to set directory ownership in packages themselves as long as all UIDs and GIDs in question are static.
As this applies to package postfix, which has user postfix as well as groups postfix and postdrop created statically by .INSTALL, the problem could be fixed by modifying PKGBUILD like so:
package() {
  [...]
  # 73 is the static UID of user postfix, 75 the static GID of group postdrop
  chown 73:0 var/lib/postfix
  chown 73:0 var/spool/postfix/*
  chown 73:75 var/spool/postfix/{maildrop,public}
  # pid stays owned by root
  chown 0:0 var/spool/postfix/pid
}
Usage of upstream script post-install isn't affected by these changes in any way.

All this results from a discussion that took place recently in the forums, see https://bbs.archlinux.org/viewtopic.php?pid=1498566#p1498566 and following posts.

Btw. those warnings have been temporarily disabled in pacman 4.2.1 until a solution regarding dynamically set UIDs/GIDs is found.
Comment by Gaetan Bisson (vesath) - Thursday, 19 March 2015, 21:01 GMT
Please check postfix-3.0.0-3 from [testing] carefully; it brings significant changes.
Comment by Martin Schnitkemper (Martin-MS) - Sunday, 22 March 2015, 09:15 GMT
I cannot see that these warnings are disabled on pacman-4.2.1; I got it recently also with other packages than postfix.

| [2015-03-15 09:48] [ALPM] warning: directory permissions differ on /usr/share/doc/p7zip/MANUAL/
| filesystem: 704 package: 755
| [2015-03-15 09:48] [ALPM] warning: directory permissions differ on /usr/share/doc/p7zip/MANUAL/commands/
| filesystem: 704 package: 755
| [2015-03-15 09:48] [ALPM] warning: directory permissions differ on /usr/share/doc/p7zip/MANUAL/switches/
| filesystem: 704 package: 755

Comment by Peter Mattern (krabat) - Sunday, 22 March 2015, 16:32 GMT
The problems discussed in this issue are affecting ownership, the messages you state are about permission bits.

Btw. it seems they correspond to #43911 and make sense.
Comment by Gaetan Bisson (vesath) - Wednesday, 25 March 2015, 00:38 GMT
I will move postfix-3.0.0-3 to [extra] in the next 24 hours if nobody has anything to say about it.
