Bug 3284 - msec tries to enforce owners/perms for files that don't exist (causing errors when user also doesn't exist)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages
Version: 1
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL: https://github.com/eugeni/msec
Whiteboard:
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2011-11-07 20:10 CET by David Walser
Modified: 2012-01-12 11:35 CET

See Also:
Source RPM: msec-0.80.10-2.4.mga1
CVE:
Status comment:


Description David Walser 2011-11-07 20:10:20 CET
If you have msec set to enforce perms (like in secure mode), it looks like it
doesn't check whether the files/directories actually exist before trying to
chmod/chown them.  One of the defaults (for secure) to enforce is ownership
svn.svn for /var/lib/svn.  When the subversion-server isn't installed, that
directory doesn't exist, nor does the user and group svn.  This causes errors
in the logs (and daily mail report).  msec should check that things exist
before it tries to chmod/chown them.

This is a duplicate of Mandriva Bug 63875 https://qa.mandriva.com/show_bug.cgi?id=63875 and it has been at least partially fixed there, although this should really get fixed upstream by Eugeni (new upstream URL given in URL field).
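
The existence check the description asks for, as an added Python example that is neither msec's own code nor the fix that was shipped. The rule tuples, the function name `enforce` and the status strings are assumptions made for illustration. A missing path is skipped quietly, while an existing path whose owner cannot be resolved is reported.

```python
import grp
import os
import pwd
import stat


def enforce(rules):
    """Apply (path, "user.group" or None, mode or None) rules.

    Returns (path, status, detail) tuples; status is "skipped", "error" or "ok".
    """
    results = []
    for path, owner, mode in rules:
        try:
            st = os.lstat(path)  # lstat: inspect the entry itself, not a link target
        except FileNotFoundError:
            # Owning package not installed: nothing to enforce, not an error.
            results.append((path, "skipped", "path does not exist"))
            continue
        if stat.S_ISLNK(st.st_mode):
            results.append((path, "skipped", "symlink, not followed"))
            continue
        uid = gid = -1  # -1 tells chown to leave that id unchanged
        if owner is not None:
            user, _, group = owner.partition(".")
            try:
                uid = pwd.getpwnam(user).pw_uid
                gid = grp.getgrnam(group).gr_gid
            except KeyError as exc:
                # Path exists but the account does not: worth reporting.
                results.append((path, "error", f"unknown user or group: {exc}"))
                continue
        changed = []
        if owner is not None and (st.st_uid, st.st_gid) != (uid, gid):
            os.chown(path, uid, gid, follow_symlinks=False)
            changed.append("owner")
        if mode is not None and stat.S_IMODE(st.st_mode) != mode:
            os.chmod(path, mode)
            changed.append("mode")
        results.append((path, "ok", ",".join(changed) or "already compliant"))
    return results


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:  # constructed stand-in for /var/lib
        print(enforce([(os.path.join(d, "svn"), "svn.svn", 0o755)]))
```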
Comment 1 Manuel Hiebel 2011-11-07 23:53:13 CET
(also add the real maintainer of msec)

CC: (none) => dmorganec

Comment 2 David Walser 2011-12-30 02:35:20 CET
A fix for this issue was done for Mandriva 2011.  It would be nice to get the fix into Mageia 1 (and Cauldron).

http://lists.mandriva.com/security-announce/2011-11/msg00024.php
Manuel Hiebel 2011-12-30 14:20:19 CET

Keywords: (none) => PATCH

David Walser 2012-01-07 22:05:04 CET

Assignee: ennael1 => dmorganec

Comment 4 D Morgan 2012-01-08 01:53:11 CET
pushed in the BS

Assignee: dmorganec => qa-bugs

Comment 5 Dave Hodgins 2012-01-08 04:53:43 CET
On the i586 updates testing mirrors, the msec and msec-gui packages are not
signed.

CC: (none) => davidwhodgins

Comment 6 Thomas Backlund 2012-01-08 05:09:17 CET
(In reply to comment #5)
> On the i586 updates testing mirrors, the msec and msec-gui packages are not
> signed.

misc, I think your puppet rework has broken package signing :/

CC: (none) => misc, tmb

Comment 7 Thomas Backlund 2012-01-08 07:03:15 CET
Ok, found and fixed the problem.

I submitted a msec-0.80.10-2.7.mga1 to updates_testing that should be properly signed.
Comment 8 David Walser 2012-01-09 16:13:49 CET
Confirmed msec runs and doesn't give the errors about svn on i586.

Note to QA: we are testing the same update candidate from Bug 2808
Comment 9 claire robinson 2012-01-09 17:39:15 CET
x86_64

There are still some lingering problems with msec. Should these be looked at as part of the update?

It produces errors related to missing sectool configuration (bug 2808)
ERROR: Unable to load configuration file /etc/security/msec/perm.audit_weekly.sectool: [Errno 2] No such file or directory: '/etc/security/msec/perm.audit_weekly.sectool'
ERROR: Unable to load configuration file /etc/security/msec/perm.netbook.sectool: [Errno 2] No such file or directory: '/etc/security/msec/perm.netbook.sectool'
ERROR: Unable to load configuration file /etc/security/msec/perm.audit_daily.sectool: [Errno 2] No such file or directory: '/etc/security/msec/perm.audit_daily.sectool'
ERROR: Unable to load configuration file /etc/security/msec/perm.secure.sectool: [Errno 2] No such file or directory: '/etc/security/msec/perm.secure.sectool'
ERROR: Unable to load configuration file /etc/security/msec/perm.webserver.sectool: [Errno 2] No such file or directory: '/etc/security/msec/perm.webserver.sectool'
ERROR: Unable to load configuration file /etc/security/msec/perm.fileserver.sectool: [Errno 2] No such file or directory: '/etc/security/msec/perm.fileserver.sectool'
ERROR: Unable to load configuration file /etc/security/msec/perm.standard.sectool: [Errno 2] No such file or directory: '/etc/security/msec/perm.standard.sectool'

It also gives an INFO warning of a missing file if no exceptions exist.

INFO: loading exceptions file /etc/security/msec/exceptions: No such file or directory


The Monthly or Manual checks don't run properly when run manually and show as never having been run in the GUI.

The GUI doesn't update the last run time after a check is run until it is closed and restarted.


These are not regressions but this has caused controversy in the past.


Confirmed /var/lib/svn is not permission checked when selecting Secure level.

Testing complete x86_64
Comment 10 David Walser 2012-01-09 18:10:34 CET
Claire, when/where do you see those errors related to missing sectool configuration?  I've never seen those errors.
Comment 11 claire robinson 2012-01-09 18:15:10 CET
Here is the full terminal output, started with $ mcc.

 "/usr/sbin/drakbackup" is not executable [Backups] at /usr/sbin/drakconf.real line 822.
"/usr/sbin/drakvirt" is not executable [Virtualization] at /usr/sbin/drakconf.real line 822.
"/usr/sbin/tomoyo-gui" is not executable [Tomoyo Policy] at /usr/sbin/drakconf.real line 822.
INFO: Starting gui..
ERROR: Unable to load configuration file /etc/security/msec/perm.audit_weekly.sectool: [Errno 2] No such file or directory: '/etc/security/msec/perm.audit_weekly.sectool'
ERROR: Unable to load configuration file /etc/security/msec/perm.netbook.sectool: [Errno 2] No such file or directory: '/etc/security/msec/perm.netbook.sectool'
ERROR: Unable to load configuration file /etc/security/msec/perm.audit_daily.sectool: [Errno 2] No such file or directory: '/etc/security/msec/perm.audit_daily.sectool'
ERROR: Unable to load configuration file /etc/security/msec/perm.secure.sectool: [Errno 2] No such file or directory: '/etc/security/msec/perm.secure.sectool'
ERROR: Unable to load configuration file /etc/security/msec/perm.webserver.sectool: [Errno 2] No such file or directory: '/etc/security/msec/perm.webserver.sectool'
ERROR: Unable to load configuration file /etc/security/msec/perm.fileserver.sectool: [Errno 2] No such file or directory: '/etc/security/msec/perm.fileserver.sectool'
ERROR: Unable to load configuration file /etc/security/msec/perm.standard.sectool: [Errno 2] No such file or directory: '/etc/security/msec/perm.standard.sectool'
INFO: loading exceptions file /etc/security/msec/exceptions: No such file or directory
INFO: No exceptions loaded
INFO: Detected base msec level 'standard'


It repeats whenever the msec gui is started.
Comment 12 David Walser 2012-01-09 18:24:28 CET
Thanks for the clarification Claire.  At least those errors won't be seen in logs or the mail report, so they aren't a big deal.  I suppose they will be fixed when Bug 2808 is.  Could you please add a comment about that to Bug 2808?
Comment 13 David Walser 2012-01-09 18:24:52 CET
Update validated

Suggested advisory:
========================
Updated msec packages fix a bug:

When msec is configured to enforce permissions (by default, in secure mode), it
checks for non-existent user svn on directory /var/lib/svn, which also doesn't
exist if subversion-server is not installed.  This causes error messages to be
output by msec's cron job, which appear in log files and the mail report.  This
update disables the permissions check on /var/lib/svn in the default
configuration.

References:
https://bugs.mageia.org/show_bug.cgi?id=3284
========================

Source RPM:     msec-0.80.10-2.7.mga1.src.rpm

Could sysadmin please push from core/updates_testing to core/updates

Thank you!

Keywords: PATCH => validated_update
CC: (none) => sysadmin-bugs
Hardware: i586 => All

Comment 14 Thomas Backlund 2012-01-12 11:35:52 CET
update pushed

Status: NEW => RESOLVED
Resolution: (none) => FIXED

