Bug 1175471

Summary: Build check ... testing for modified permissions ... is breaking build
Product: [openSUSE] openSUSE.org Reporter: Dr. Werner Fink <werner>
Component: BuildService Assignee: E-mail List <screening-team-bugs>
Status: RESOLVED FIXED QA Contact: Adrian Schröter <adrian.schroeter>
Severity: Major    
Priority: P5 - None CC: ro
Version: unspecified   
Target Milestone: ---   
Hardware: All   
OS: Other   
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Dr. Werner Fink 2020-08-19 08:04:42 UTC
I see currently for syslogd:

[    9s] ... testing for modified permissions
[    9s] --------------------------------------------------------------------
[    9s] package: syslogd
[    9s] /usr/bin/chkstat modified files that are not properly handled!
[    9s] this will break rpm -V, ask ro for details.
[    9s] diff for both runs of rpm -V:
[    9s] +/etc/syslog.conf: should be root:root 0600 (wrong permissions 0644)
[    9s] --------------------------------------------------------------------

but:

werner/syslogd> rpm -qlvp /abuild/oscbuild/openSUSE_Factory/home/abuild/rpmbuild/RPMS/x86_64/syslogd-1.4.1-0.x86_64.rpm 
-rw-------    1 root     root                     1309 Aug 19 10:00 /etc/syslog.conf
drwxr-xr-x    2 root     root                        0 Aug 19 10:00 /run/syslogd
lrwxrwxrwx    1 root     root                       19 Aug 19 10:00 /sbin/syslogd -> ../usr/sbin/syslogd
-rw-r--r--    1 root     root                     1225 Aug 19 10:00 /usr/lib/systemd/system/syslogd.service
-rwxr-xr-x    1 root     root                    49680 Aug 19 10:00 /usr/sbin/syslogd
-rwxr-xr-x    1 root     root                     1206 Aug 19 10:00 /usr/sbin/syslogd-service-prepare
-rw-r--r--    1 root     root                      241 Aug 19 10:00 /usr/share/fillup-templates/sysconfig.syslogd
-rw-r--r--    1 root     root                     4842 Aug 19 10:00 /usr/share/man/man5/syslog.conf.5.gz
-rw-r--r--    1 root     root                     7929 Aug 19 10:00 /usr/share/man/man8/sysklogd.8.gz
-rw-r--r--    1 root     root                       40 Aug 19 10:00 /usr/share/man/man8/syslogd.8.gz

Comment 1 Dr. Werner Fink 2020-08-19 08:08:32 UTC
In the chroot environment I see, after

 noether:/ # rpm -Uhv /home/abuild/rpmbuild/RPMS/x86_64/syslogd-1.4.1-0.x86_64.rpm --force
 Verifying...                          ################################# [100%]
 Preparing...                          ################################# [100%]
 Updating / installing...
    1:syslogd-1.4.1-0                  ################################# [ 50%]
 Running in chroot, ignoring request: daemon-reload
 Cleaning up / removing...
    2:syslogd-1.4.1-0                  ################################# [100%]
 Running in chroot, ignoring request: daemon-reload
 Running in chroot, ignoring request: try-restart

and

 ll /etc/syslog.conf 
 -rw------- 1 root root 1309 Aug 19 08:00 /etc/syslog.conf

where does this

  /etc/syslog.conf: should be root:root 0600 (wrong permissions 0644)

come from?

  # rpm -V syslogd

shows exactly nothing

Comment 2 Dr. Werner Fink 2020-08-19 08:21:59 UTC
Also, after

  /usr/bin/chkstat -n --set --system /etc/syslog.conf 

in the build environment the permission is still 0600 ... and

  /usr/bin/chkstat -n --warn --system /etc/syslog.conf

shows nothing nor sets an exit status not equal to 0

Comment 3 Dr. Werner Fink 2020-08-19 08:35:48 UTC
Hmm ... in the spec file I have now

  %config %verify(not mode) %attr(0600,root,root) %{_sysconfdir}/syslog.conf

but still ... after doing

  /usr/bin/chkstat --system --level easy


I see

  rpm -V syslogd 
  /etc/syslog.conf: should be root:root 0600 (wrong permissions 0644)


why does rpm not ignore the mode here?

Comment 4 Ruediger Oertel 2020-08-19 08:37:33 UTC
# grep -r syslog.conf /etc/permissions*
/etc/permissions.easy:/etc/syslog.conf                                        root:root          644
/etc/permissions.paranoid:/etc/syslog.conf                                        root:root          600
/etc/permissions.secure:/etc/syslog.conf                                        root:root          600

good so far.
the specfile has:
%config %verify(not mode) %attr(0600,root,root) %{_sysconfdir}/syslog.conf

which also looks like "rpm -V syslogd" should be okay for both cases.
looks like the change from bug#1159963 is really bad ... investigating

Comment 5 Ruediger Oertel 2020-08-19 08:40:23 UTC
argh ... been a bit too clever
%if %{defined verify_permissions}
%verifyscript
%verify_permissions -e %{_sysconfdir}/syslog.conf
%endif

now this does the verify according to /etc/sysconfig/security:PERMISSIONS
I guess I'll just roll back the change in post-build-checks ...
thanks for the report

Comment 6 Ruediger Oertel 2020-08-19 08:45:11 UTC
Base:System/post-build-checks last change reverted.
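
An added example, not part of the bug thread or of post-build-checks: it takes `grep -r` output in the form quoted in comment 4 and lists the permission levels whose entry differs from the owner and mode the package ships via `%attr`, which is the disagreement this report ran into. The helper name `conflicting_levels` and the embedded sample lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample input: the three profile entries quoted in comment 4,
# in "grep -r" form (<profile file>:<path> <owner> <mode>).
PROFILE_LINES='/etc/permissions.easy:/etc/syslog.conf root:root 644
/etc/permissions.paranoid:/etc/syslog.conf root:root 600
/etc/permissions.secure:/etc/syslog.conf root:root 600'

# conflicting_levels PATH OWNER MODE   (hypothetical helper name)
# Prints "<level> <owner> <mode>" for every profile whose entry for PATH
# differs from the owner/mode the package ships via %attr.
conflicting_levels() {
    printf '%s\n' "$PROFILE_LINES" | awk -v path="$1" -v owner="$2" -v mode="$3" '
        function norm(m) { sub(/^0+/, "", m); return m }   # 0600 == 600
        {
            colon = index($1, ":")              # split "<file>:<path>"
            file  = substr($1, 1, colon - 1)
            entry = substr($1, colon + 1)
            if (entry != path) next
            level = file
            sub(/^.*permissions\./, "", level)  # easy / secure / paranoid
            if ($2 != owner || norm($3) != norm(mode))
                print level, $2, $3
        }'
}

# Packaged as %attr(0600,root,root): only the "easy" profile disagrees.
conflicting_levels /etc/syslog.conf root:root 0600
```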