Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
Bug 1531696 - Configuration for /var/run/backuppc is inconsistent
Configuration for /var/run/backuppc is inconsistent
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: BackupPC (Show other bugs)
rawhide
All Linux
unspecified Severity low
: ---
: ---
Assigned To: Richard Shaw
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2018-01-05 15:52 EST by Orion Poplawski
Modified: 2018-10-11 14:50 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-01-08 12:01:25 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Orion Poplawski 2018-01-05 15:52:07 EST
Description of problem:

# rpm -V BackupPC
.....U...    /var/run/BackupPC

# ls -ld /var/run/BackupPC
drwxrwxr-x. 2 root backuppc 80 Jan  5 12:10 /var/run/BackupPC/

BackupPC.spec contains:
%dir %attr(0775,backuppc,backuppc) %{_localstatedir}/run/%{name}

The user should be consistent.

Version-Release number of selected component (if applicable):
BackupPC-4.1.5-1.fc28
BackupPC-3.3.1-5.el7
Comment 1 Richard Shaw 2018-01-05 16:02:46 EST
Is this causing an issue or just something you noticed?

If the latter, does this need to be updated now, or can it wait until the next release (or other need for rebuild)?
Comment 2 Orion Poplawski 2018-01-05 16:12:27 EST
Not causing any problems, no hurry to fix.
Comment 3 Richard Shaw 2018-01-08 12:01:25 EST
I've committed the fix to master so it will be included in the next build.
Comment 4 srakitnican 2018-10-10 05:08:20 EDT
There seems to be a permissions issue with this change.

> There is a basic problem: when Fedora-28 BackupPC starts, it immediately fails to run. The reason is that the Fedora package creates a /var/log/BackupPC directory which has ownership root:backuppc and access rights drwxr-x--- (0750); BackupPC necessarily fails and abandons as soon as it tries to create its log file on that directory.

https://forums.fedoraforum.org/showthread.php?319564-BackupPC-4-on-Fedora
Comment 5 srakitnican 2018-10-10 05:29:50 EDT
By looking more carefully, seems it is a separate issue.

(In reply to Orion Poplawski from comment #0)
> Description of problem:
> 
> # rpm -V BackupPC
> .....U...    /var/run/BackupPC
> 
> # ls -ld /var/run/BackupPC
> drwxrwxr-x. 2 root backuppc 80 Jan  5 12:10 /var/run/BackupPC/
> 
> BackupPC.spec contains:
> %dir %attr(0775,backuppc,backuppc) %{_localstatedir}/run/%{name}


Hmm it seems this is the problem. BackupPC.spec [1] does not specify permissions, thus the permisions are inherited from the defaults.

%dir %attr(-,root,backuppc) %{_localstatedir}/log/%{name} 

Is it possible that the defaults changed from 0775 to 0750?


> The user should be consistent.
> 
> Version-Release number of selected component (if applicable):
> BackupPC-4.1.5-1.fc28
> BackupPC-3.3.1-5.el7

[1] https://src.fedoraproject.org/cgit/rpms/BackupPC.git/tree/BackupPC.spec?h=f28&id=0d10f0c368065e8839fb05b429b0690fe2c7e232#n298
Comment 6 Richard Shaw 2018-10-10 11:42:09 EDT
(In reply to srakitnican from comment #5)
> 
> Is it possible that the defaults changed from 0775 to 0750?

I think you mean the opposite, correct? We need to change from more restrictive, 0750 which does not allow the group to write to the directory to 0775 which does.
Comment 7 Orion Poplawski 2018-10-10 11:43:57 EDT
Why not 0770?
Comment 8 Richard Shaw 2018-10-10 11:48:33 EDT
And, I'm confused, this bug is about /var/run/BackupPC, while you're referencing /var/log/BackupPC. This should be a new bug.
Comment 9 Richard Shaw 2018-10-10 11:52:36 EDT
The other option is to change ownership, I don't think there's any compelling reason root should be the owner, there are several examples in /var/log of the package being the owner and group.
Comment 10 Orion Poplawski 2018-10-10 11:54:35 EDT
As long as root does not need to write to the log - in the current security world having root writing to something that it does not explicitly have access to will trigger an SELinux dac_override error.
Comment 11 Richard Shaw 2018-10-10 11:56:38 EDT
The only thing writing to it is the systemd service which is run under backuppc...
Comment 12 srakitnican 2018-10-10 12:23:14 EDT
(In reply to Richard Shaw from comment #6)
> (In reply to srakitnican from comment #5)
> > 
> > Is it possible that the defaults changed from 0775 to 0750?
> 
> I think you mean the opposite, correct? We need to change from more
> restrictive, 0750 which does not allow the group to write to the directory
> to 0775 which does.

I am trying to find out what happened that it stopped working. But maybe nothing changed except the owner of the log directory after all.

It looks like BackupPC is started from a systemd service by the user/group 'backuppc'. Since the owner of the log directory is now root, the group needs the write permission. I think either 0775 or 0770 should work, but maybe 0770 is better from a security perspective.
Comment 13 srakitnican 2018-10-10 12:23:57 EDT
(In reply to Richard Shaw from comment #8)
> And, I'm confused, this bug is about /var/run/BackupPC, while you're
> referencing /var/log/BackupPC. This should be a new bug.


Well this bug was referenced by the following commit, maybe you made a mistake?
https://src.fedoraproject.org/cgit/rpms/BackupPC.git/commit/?h=f28&id=0d10f0c368065e8839fb05b429b0690fe2c7e232
Comment 14 Richard Shaw 2018-10-10 12:25:41 EDT
Hmm... I'm sure I did that for a reason so I think changing the permission to 0770 would be best.
Comment 15 srakitnican 2018-10-10 12:34:01 EDT
And it seems you didn't change the /var/run/BackupPC owner to root that this bugreport is about despise this bug being closed as NEXTRELEASE. From the current master tree:

https://src.fedoraproject.org/cgit/rpms/BackupPC.git/tree/BackupPC.spec?id=0d452fee1c819d507fec7d2e0a66ff055250eaff#n306
Comment 16 Richard Shaw 2018-10-10 12:38:32 EDT
Yeah, I think I got my wires crossed. /var/run is not actually packaged, it's created when the systemd service starts...
Comment 17 Richard Shaw 2018-10-10 12:44:44 EDT
See if this fixes that log problem, I assumed Fedora 28 x86_64...

https://hobbes1069.fedorapeople.org/BackupPC-4.2.1-2.fc28.1.x86_64.rpm
Comment 18 Richard Shaw 2018-10-10 13:45:44 EDT
(In reply to Orion Poplawski from comment #0)
> Description of problem:
> 
> # rpm -V BackupPC
> .....U...    /var/run/BackupPC
> 
> # ls -ld /var/run/BackupPC
> drwxrwxr-x. 2 root backuppc 80 Jan  5 12:10 /var/run/BackupPC/
> 
> BackupPC.spec contains:
> %dir %attr(0775,backuppc,backuppc) %{_localstatedir}/run/%{name}
> 
> The user should be consistent.
> 
> Version-Release number of selected component (if applicable):
> BackupPC-4.1.5-1.fc28
> BackupPC-3.3.1-5.el7

Ok, back to the original bug report... /var/run is a link to /run and it is on tmpfs so the directory I'm packaging has no effect. If we're just looking for consistency I think I should just remove the reference in the spec file entirely.
Comment 19 Richard Shaw 2018-10-10 13:51:33 EDT
Ok, new build. I reverted my change to /var/log because I think that was in error.

https://hobbes1069.fedorapeople.org/BackupPC-4.2.1-2.fc28.2.x86_64.rpm
Comment 20 Richard Shaw 2018-10-10 15:23:03 EDT
Ok, the more I look at it the more it finally makes sense. I didn't setup any of this but inherited it. 

If tmpfiles is being used because /run is on tmpfs then the directory should NOT be packaged, at this time the only one that's the exception is EPEL 6, which I only build on COPR. 

Therefore I pulled the directory into the %else part of the conditional for both creation in %install and in %files.

Fornow I have standardized owner and permissions to align with the tmpfiles config which is 0775 root:backuppc

I don't think this is OPTIMAL but seems to align with most of the other directories in /run on my system.

If this fixes the current issues (existing and created) I'll entertain changes to both in the future.
Comment 21 srakitnican 2018-10-10 15:46:15 EDT
(In reply to Richard Shaw from comment #19)
> Ok, new build. I reverted my change to /var/log because I think that was in
> error.
> 
> https://hobbes1069.fedorapeople.org/BackupPC-4.2.1-2.fc28.2.x86_64.rpm

Seems OK in mock.
<mock-chroot> sh-4.4# ls -ld /var/log/BackupPC/
drwxr-x---. 2 backuppc backuppc 4096 Oct 10 21:44 /var/log/BackupPC/
Comment 22 Richard Shaw 2018-10-11 14:50:35 EDT
I still need to submit the new builds in bodhi but they are done.

Note You need to log in before you can comment on or make changes to this bug.