lbu does not store permissions on base directories that are entered with 'lbu include' (#1241) · Issues · alpine / apk-tools

lbu does not store permissions on base directories that are entered with 'lbu include'

Since http://git.alpinelinux.org/cgit/alpine-conf/commit/?id=4e857d18684667e7d9df3a0256e0b6e446284641, lbu provides the included file list from apk audit --backup --quiet --recursive, rather than a shell variable.

However, apk audit --backup --quiet --recursive seems not to list the base directories contained in lbu.list. In my case it only lists the contents of those directories. As a result, lbu does not include the base directory in the apkovl. This causes the boot procedure to apply the apkovl and create the directory with the default owner and umask (root:root mode 755 on this system) whereas the service requires otherwise: (postgresql requires postgres:postgres mode 700).

I suggest that apk audit --backup output the base directories from /etc/apk/protected_paths/lbu.list and not just the contents, so that the user can specify directories that need permissions stored. This will match previous behavior of lbu.

(from redmine: issue id 1241, created on 2012-07-04, closed on 2012-07-17)

Changesets:
- Revision 5aa69984 by Timo Teräs on 2012-07-09T11:59:40Z:

audit: get right protection mask for base directories in the lists

Use the paths' protection mask where available instead of the parent
paths'. ref #1241

Revision ea5b08d1 by Timo Teräs on 2012-07-16T11:44:15Z:

audit: fix protection mask of non-db directories

If a directory has protection mask, but does not exist in db, we
do not handle it right unless we calculate the protection mask by
hand, or create temporary db dir entry for it. For simplicity create
always the db dir entry -- depending on audit type we likely need
to create it anyway. This commit also caches the db dir entry in the
audit tree context to avoid duplicate lookups. ref #1241.

Revision 3882d7fb0dc347b5f9880b48fcd1b47175cc4260 by Natanael Copa on 2012-07-17T07:17:52Z:

main/apk-tools: upgrade to 2.3.2

ref #1241

Revision 1e86290662203830e0c32ef673c230a2e82c8576 by Natanael Copa on 2012-07-17T11:03:00Z:

main/alpine-conf: check permissions when generating apkovl

ref #1241

Revision 451f2026b9908506ff879bb5bae989ea1a699dcc by Natanael Copa on 2012-07-17T13:09:30Z:

main/alpine-conf: check permissions when generating apkovl

ref #1241
(cherry picked from commit 1e86290662203830e0c32ef673c230a2e82c8576)

Revision f38fb0a22170382f18a44eb1520fcdb3b53d5ad0 by Natanael Copa on 2012-07-17T13:10:16Z:

main/apk-tools: upgrade to 2.3.2

fixes #1241
(cherry picked from commit 3882d7fb0dc347b5f9880b48fcd1b47175cc4260)

Since
http://git.alpinelinux.org/cgit/alpine-conf/commit/?id=4e857d18684667e7d9df3a0256e0b6e446284641,
lbu provides the included file list from
`apk audit --backup --quiet --recursive`, rather than a shell variable.

However, `apk audit --backup --quiet --recursive` seems not to list the
base directories contained in lbu.list. In my case it only lists the
contents of those directories. As a result, lbu does not include the
base directory in the apkovl. This causes the boot procedure to apply
the apkovl and create the directory with the default owner and umask
(root:root mode 755 on this system) whereas the service requires
otherwise: (postgresql requires postgres:postgres mode 700).

I suggest that `apk audit --backup` output the base directories from
/etc/apk/protected\_paths/lbu.list and not just the contents, so that
the user can specify directories that need permissions stored. This will
match previous behavior of lbu.

*(from redmine: issue id 1241, created on 2012-07-04, closed on 2012-07-17)*

* Changesets:
  * Revision 5aa69984595c8f63899a39cbeae8c86913bfb2d2 by Timo Teräs on 2012-07-09T11:59:40Z:

```
audit: get right protection mask for base directories in the lists

Use the paths' protection mask where available instead of the parent
paths'. ref #1241
```

* Revision ea5b08d1d574ae90ad6347a4d2f0a69bb656c7af by Timo Teräs on 2012-07-16T11:44:15Z:

```
audit: fix protection mask of non-db directories

If a directory has protection mask, but does not exist in db, we
do not handle it right unless we calculate the protection mask by
hand, or create temporary db dir entry for it. For simplicity create
always the db dir entry -- depending on audit type we likely need
to create it anyway. This commit also caches the db dir entry in the
audit tree context to avoid duplicate lookups. ref #1241.
```

* Revision 3882d7fb0dc347b5f9880b48fcd1b47175cc4260 by Natanael Copa on 2012-07-17T07:17:52Z:

```
main/apk-tools: upgrade to 2.3.2

ref #1241
```

* Revision 1e86290662203830e0c32ef673c230a2e82c8576 by Natanael Copa on 2012-07-17T11:03:00Z:

```
main/alpine-conf: check permissions when generating apkovl

ref #1241
```

* Revision 451f2026b9908506ff879bb5bae989ea1a699dcc by Natanael Copa on 2012-07-17T13:09:30Z:

```
main/alpine-conf: check permissions when generating apkovl

ref #1241
(cherry picked from commit 1e86290662203830e0c32ef673c230a2e82c8576)
```

* Revision f38fb0a22170382f18a44eb1520fcdb3b53d5ad0 by Natanael Copa on 2012-07-17T13:10:16Z:

```
main/apk-tools: upgrade to 2.3.2

fixes #1241
(cherry picked from commit 3882d7fb0dc347b5f9880b48fcd1b47175cc4260)
```