Description of problem:

# rpm -V BackupPC
.....U... /var/run/BackupPC

# ls -ld /var/run/BackupPC
drwxrwxr-x. 2 root backuppc 80 Jan 5 12:10 /var/run/BackupPC/

BackupPC.spec contains:
%dir %attr(0775,backuppc,backuppc) %{_localstatedir}/run/%{name}

The user should be consistent.

Version-Release number of selected component (if applicable):
BackupPC-4.1.5-1.fc28
BackupPC-3.3.1-5.el7
Is this causing an issue or just something you noticed? If the latter, does this need to be updated now, or can it wait until the next release (or other need for rebuild)?
Not causing any problems, no hurry to fix.
I've committed the fix to master so it will be included in the next build.
There seems to be a permissions issue with this change.

> There is a basic problem: when Fedora-28 BackupPC starts, it immediately fails to run. The reason is that the Fedora package creates a /var/log/BackupPC directory which has ownership root:backuppc and access rights drwxr-x--- (0750); BackupPC necessarily fails and abandons as soon as it tries to create its log file on that directory.

https://forums.fedoraforum.org/showthread.php?319564-BackupPC-4-on-Fedora
By looking more carefully, seems it is a separate issue.

(In reply to Orion Poplawski from comment #0)
> Description of problem:
>
> # rpm -V BackupPC
> .....U... /var/run/BackupPC
>
> # ls -ld /var/run/BackupPC
> drwxrwxr-x. 2 root backuppc 80 Jan 5 12:10 /var/run/BackupPC/
>
> BackupPC.spec contains:
> %dir %attr(0775,backuppc,backuppc) %{_localstatedir}/run/%{name}

Hmm it seems this is the problem. BackupPC.spec [1] does not specify permissions, thus the permissions are inherited from the defaults.

%dir %attr(-,root,backuppc) %{_localstatedir}/log/%{name}

Is it possible that the defaults changed from 0775 to 0750?

> The user should be consistent.
>
> Version-Release number of selected component (if applicable):
> BackupPC-4.1.5-1.fc28
> BackupPC-3.3.1-5.el7

[1] https://src.fedoraproject.org/cgit/rpms/BackupPC.git/tree/BackupPC.spec?h=f28&id=0d10f0c368065e8839fb05b429b0690fe2c7e232#n298
(In reply to srakitnican from comment #5)
>
> Is it possible that the defaults changed from 0775 to 0750?

I think you mean the opposite, correct? We need to change from more restrictive, 0750 which does not allow the group to write to the directory to 0775 which does.
Why not 0770?
And, I'm confused, this bug is about /var/run/BackupPC, while you're referencing /var/log/BackupPC. This should be a new bug.
The other option is to change ownership, I don't think there's any compelling reason root should be the owner, there are several examples in /var/log of the package being the owner and group.
As long as root does not need to write to the log - in the current security world having root writing to something that it does not explicitly have access to will trigger an SELinux dac_override error.
The only thing writing to it is the systemd service which is run under backuppc...
(In reply to Richard Shaw from comment #6)
> (In reply to srakitnican from comment #5)
> >
> > Is it possible that the defaults changed from 0775 to 0750?
>
> I think you mean the opposite, correct? We need to change from more
> restrictive, 0750 which does not allow the group to write to the directory
> to 0775 which does.

I am trying to find out what happened that it stopped working. But maybe nothing changed except the owner of the log directory after all. It looks like BackupPC is started from a systemd service by the user/group 'backuppc'. Since the owner of the log directory is now root, the group needs the write permission. I think either 0775 or 0770 should work, but maybe 0770 is better from a security perspective.
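Added example (not part of the original comments or of the BackupPC package): a small shell model of the owner/group/other check the comments above reason about, applied to the modes and owners named in the thread. It assumes the service runs as backuppc:backuppc and ignores ACLs, SELinux, capabilities and supplementary groups.

```sh
#!/bin/sh
# Added illustration, not code from BackupPC or its spec file.
# Models the basic owner/group/other check only: no ACLs, SELinux,
# capabilities or supplementary groups (assumption).

# can_create MODE OWNER GROUP PROC_USER PROC_GROUP
# Succeeds if PROC_USER:PROC_GROUP may create a file in the directory.
can_create() {
    mode=$(( 0${1#0} ))            # read MODE as octal
    if [ "$4" = "$2" ]; then       # process user owns the directory
        bits=$(( ($mode >> 6) & 7 ))
    elif [ "$5" = "$3" ]; then     # otherwise fall back to the group class
        bits=$(( ($mode >> 3) & 7 ))
    else                           # otherwise the "other" class applies
        bits=$(( $mode & 7 ))
    fi
    # Creating an entry needs both write (2) and search (1) on the directory.
    [ $(( $bits & 3 )) -eq 3 ]
}

# others_can_list MODE: succeeds if unrelated local users can read and
# traverse the directory (the difference between 0775 and 0770).
others_can_list() {
    [ $(( 0${1#0} & 5 )) -eq 5 ]
}

# Constructed cases taken from the modes and owners named in the thread;
# the service account backuppc:backuppc is the one the comments mention.
report() {
    for spec in "0750 root backuppc" "0775 root backuppc" \
                "0770 root backuppc" "0750 backuppc backuppc"; do
        set -- $spec
        if can_create "$1" "$2" "$3" backuppc backuppc; then w=yes; else w=no; fi
        if others_can_list "$1"; then o=yes; else o=no; fi
        echo "$1 $2:$3  service can create log: $w  others can list: $o"
    done
}

report
```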
(In reply to Richard Shaw from comment #8)
> And, I'm confused, this bug is about /var/run/BackupPC, while you're
> referencing /var/log/BackupPC. This should be a new bug.

Well this bug was referenced by the following commit, maybe you made a mistake?

https://src.fedoraproject.org/cgit/rpms/BackupPC.git/commit/?h=f28&id=0d10f0c368065e8839fb05b429b0690fe2c7e232
Hmm... I'm sure I did that for a reason so I think changing the permission to 0770 would be best.
And it seems you didn't change the /var/run/BackupPC owner to root that this bug report is about, despite this bug being closed as NEXTRELEASE. From the current master tree:

https://src.fedoraproject.org/cgit/rpms/BackupPC.git/tree/BackupPC.spec?id=0d452fee1c819d507fec7d2e0a66ff055250eaff#n306
Yeah, I think I got my wires crossed. /var/run is not actually packaged, it's created when the systemd service starts...
See if this fixes that log problem, I assumed Fedora 28 x86_64... https://hobbes1069.fedorapeople.org/BackupPC-4.2.1-2.fc28.1.x86_64.rpm
(In reply to Orion Poplawski from comment #0)
> Description of problem:
>
> # rpm -V BackupPC
> .....U... /var/run/BackupPC
>
> # ls -ld /var/run/BackupPC
> drwxrwxr-x. 2 root backuppc 80 Jan 5 12:10 /var/run/BackupPC/
>
> BackupPC.spec contains:
> %dir %attr(0775,backuppc,backuppc) %{_localstatedir}/run/%{name}
>
> The user should be consistent.
>
> Version-Release number of selected component (if applicable):
> BackupPC-4.1.5-1.fc28
> BackupPC-3.3.1-5.el7

Ok, back to the original bug report... /var/run is a link to /run and it is on tmpfs so the directory I'm packaging has no effect. If we're just looking for consistency I think I should just remove the reference in the spec file entirely.
Ok, new build. I reverted my change to /var/log because I think that was in error. https://hobbes1069.fedorapeople.org/BackupPC-4.2.1-2.fc28.2.x86_64.rpm
Ok, the more I look at it the more it finally makes sense. I didn't set up any of this but inherited it. If tmpfiles is being used because /run is on tmpfs then the directory should NOT be packaged; at this time the only one that's the exception is EPEL 6, which I only build on COPR. Therefore I pulled the directory into the %else part of the conditional for both creation in %install and in %files.

For now I have standardized owner and permissions to align with the tmpfiles config, which is 0775 root:backuppc. I don't think this is OPTIMAL but it seems to align with most of the other directories in /run on my system. If this fixes the current issues (existing and created) I'll entertain changes to both in the future.
(In reply to Richard Shaw from comment #19)
> Ok, new build. I reverted my change to /var/log because I think that was in
> error.
>
> https://hobbes1069.fedorapeople.org/BackupPC-4.2.1-2.fc28.2.x86_64.rpm

Seems OK in mock.

<mock-chroot> sh-4.4# ls -ld /var/log/BackupPC/
drwxr-x---. 2 backuppc backuppc 4096 Oct 10 21:44 /var/log/BackupPC/
I still need to submit the new builds in bodhi but they are done.