10-link-restrictions.conf missing - removed by postinst

Bug #1867537 reported by Tony Travis
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
procps (Ubuntu) | Confirmed | Undecided | Unassigned |

Bug Description

The file "10-link-restrictions.conf" is listed in DEBIAN/conffiles in the binary deb package, and the file is present/installed, but it is removed by the "postinst" script resulting in "debsums" flagging it as a missing config file:

root@beluga:~# lsb_release -d
Description: Ubuntu Focal Fossa (development branch)
root@beluga:~# apt policy procps
procps:
  Installed: 2:3.3.16-1ubuntu2
  Candidate: 2:3.3.16-1ubuntu2
  Version table:
 *** 2:3.3.16-1ubuntu2 500
        500 http://gb.archive.ubuntu.com/ubuntu focal/main amd64 Packages
        100 /var/lib/dpkg/status
root@beluga:~# debsums -ac procps
debsums: missing file /etc/sysctl.d/10-link-restrictions.conf (from procps package)

This is not an issue in 18.04:

manager@brigante:~$ lsb_release -d
Description: Ubuntu 18.04.4 LTS
manager@brigante:~$ apt policy procps
procps:
  Installed: 2:3.3.12-3ubuntu1.2
  Candidate: 2:3.3.12-3ubuntu1.2
  Version table:
 *** 2:3.3.12-3ubuntu1.2 500
        500 http://it.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     2:3.3.12-3ubuntu1.1 500
        500 http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages
     2:3.3.12-3ubuntu1 500
        500 http://it.archive.ubuntu.com/ubuntu bionic/main amd64 Packages
manager@brigante:~$ debsums -ac procps

Tags: focal
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in procps (Ubuntu):
status: New → Confirmed
fprietog (fprietog) wrote :

Problem persists in Ubuntu 20.04 LTS stable release:

root@fpglinux:/var/cache# lsb_release -d
Description: Ubuntu 20.04 LTS

root@fpglinux:/var/cache# apt policy procps
procps:
  Instalados: 2:3.3.16-1ubuntu2
  Candidato: 2:3.3.16-1ubuntu2
  Tabla de versión:
 *** 2:3.3.16-1ubuntu2 500
        500 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages
        100 /var/lib/dpkg/status

root@fpglinux:/var/cache# debsums -ac procps
debsums: missing file /etc/sysctl.d/10-link-restrictions.conf (from procps package)

tags: added: focal
Peter White (peterwhite23) wrote :

Just found this, because I also noticed the debsums error. A quick look in the changelog finds this:
> procps (2:3.3.16-1ubuntu1) focal; urgency=low
> [...]
> * Dropped changes, no longer needed:
> ...
> - 10-link-restrictions.conf: this is redundant with link-protect.conf
> from Debian.
> * debian/procps.maintscript: handle migration of link-protect.conf from
> /etc to /usr.
>
> -- Steve Langasek <email address hidden> Thu, 13 Feb 2020 22:53:02 -0800

But apparently that file never arrived downstream? Neither find /usr ... nor apt-file search can find it. Having had a look at the contents of said file by opening the .deb archive has me a bit worried:

> # These settings eliminate an entire class of security vulnerability:
> # time-of-check-time-of-use cross-privilege attacks using guessable
> # filenames (generally seen as "/tmp file race" vulnerabilities).

This could very well warrant a bump in severity, given there are security implications.

A simple workaround is to just copy that file manually into /etc/sysctl.d under a different name, so postinst can't find it, should it try to murder it again. :P Of course it won't solve the debsums error but it solves the bigger problem of the file missing entirely.

Peter White (peterwhite23) wrote :

Oh, I just found the file. It has a different name than suggested in the changelog:

/usr/lib/sysctl.d/protect-links.conf

And silly me didn't think of just checking what sysctl returns for those values set in there. It's all good:
$ sudo sysctl fs.protected_fifos
fs.protected_fifos = 1
$ sudo sysctl fs.protected_hardlinks
fs.protected_hardlinks = 1
$ sudo sysctl fs.protected_regular
fs.protected_regular = 2
$ sudo sysctl fs.protected_symlinks
fs.protected_symlinks = 1

So, from my POV the debsums error, while technically correct, is a non-issue.
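
The check from the last comment can be scripted so that it also shows which sysctl configuration files mention each key. This is an added example, not part of the original report or of the procps package; the function names and the optional root-directory argument are assumptions made so the check can run against a constructed tree. The file list shows where a key is mentioned and does not resolve sysctl.d precedence.

```shell
#!/bin/sh
# Added example, not from the bug report or the procps package.
# The optional root argument is an assumption for testing; empty = live system.

KEYS="protected_fifos protected_hardlinks protected_regular protected_symlinks"

# For each fs.protected_* key, print the kernel's current value and the
# sysctl configuration files that mention it. Returns 1 if any key is
# absent or set to 0 (protection disabled), 0 otherwise.
check_link_protection() {
    root="${1:-}"; rc=0
    for key in $KEYS; do
        val=$(cat "$root/proc/sys/fs/$key" 2>/dev/null) || val=""
        # -l lists matching files, -s stays quiet about unmatched globs.
        # The pattern accepts the "-key" and "fs/key" spellings as well.
        srcs=$(grep -lsE "^[[:space:]]*-?fs[./]$key[[:space:]]*=" \
            "$root"/etc/sysctl.conf "$root"/etc/sysctl.d/*.conf \
            "$root"/run/sysctl.d/*.conf "$root"/usr/lib/sysctl.d/*.conf \
            | tr '\n' ' ')
        if [ -z "$val" ] || [ "$val" = 0 ]; then
            echo "FAIL fs.$key = ${val:-<absent>}  set in: ${srcs:-<no file>}"
            rc=1
        else
            echo "ok   fs.$key = $val  set in: ${srcs:-<no file>}"
        fi
    done
    return "$rc"
}

# Build a constructed tree that mirrors the values quoted in the thread:
# no 10-link-restrictions.conf in /etc, protect-links.conf under /usr/lib.
make_sample_tree() {
    mkdir -p "$1/proc/sys/fs" "$1/etc/sysctl.d" "$1/usr/lib/sysctl.d"
    for kv in protected_fifos=1 protected_hardlinks=1 \
              protected_regular=2 protected_symlinks=1; do
        echo "${kv#*=}" > "$1/proc/sys/fs/${kv%%=*}"
        echo "fs.${kv%%=*} = ${kv#*=}" >> "$1/usr/lib/sysctl.d/protect-links.conf"
    done
}
```

Call `check_link_protection` with no argument to inspect the running system; a non-zero exit status means at least one of the four protections is off or unavailable.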
