Bug#489690: safe-rm: unsafe handling of dpkg-divert may leave the system without /bin/rm


Bug#489690: safe-rm: unsafe handling of dpkg-divert may leave the system without /bin/rm

by Sven Joachim

Package: safe-rm
Version: 0.2-3
Severity: critical

Your usage of dpkg-divert in the maintainer scripts is very dangerous,
because there are several situations where the system may be left without a
functional /bin/rm:

,----[ safe-rm.preinst ]
| if [ install = "$1"  ]; then
|     dpkg-divert --package safe-rm --add --rename --divert /bin/rm.real /bin/rm
|     ln -s /bin/rm.real /usr/bin/rm
| fi
`----

Using dpkg-divert --rename on a file that is crucial for the system is
fundamentally wrong.  If the system crashes between the two commands, it
will likely become unbootable.  And if unpacking safe-rm fails (think of
a full root filesystem), the situation is not much better if /usr is on
a separate filesystem.  Moreover, the script is not idempotent -- if
/usr/bin/rm already exists, the ln command and thus the script will
fail.

,----[ safe-rm.postrm ]
| if [ remove = "$1" ]; then
|     dpkg-divert --package safe-rm --remove --rename --divert /bin/rm.real /bin/rm
| fi
`----

Here the situation is even more critical, because there is no functional
rm command at all at the time between removing safe-rm's files and the
postrm invocation.  If the system crashes or the user interrupts dpkg
in between, the system is hosed.

Playing such games is not the way to go.  Please have a look at the dash
and insserv packages for how to safely divert an essential file.


-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.25.10
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash



--
To UNSUBSCRIBE, email to debian-bugs-rc-REQUEST@...
with a subject of "unsubscribe". Trouble? Contact listmaster@...
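The report above objects to `dpkg-divert --rename` followed by a second command, because between the two there is no `/bin/rm`. As an added illustration (this is not code from the bug report or from the safe-rm package), the following POSIX shell script shows the crash-safe replacement pattern the report points at for essential files: the original is first copied to its diverted name, the wrapper is staged under a temporary name and published with a single rename(2), and removal is one rename back, so at no instant is the binary absent or half-written, and both steps can be re-run after a crash. It works on a scratch directory with a fake `rm` rather than on `/bin/rm`, and it assumes that a real maintainer script registers the diversion separately with `dpkg-divert` without `--rename`, so that `dpkg-divert` itself never moves the file. The function names `install_wrapper`, `remove_wrapper`, `make_scratch_rm` and `demo` are hypothetical.

```shell
#!/bin/sh
# Added example, not from the bug report or the safe-rm package.
# Crash-safe replacement of an essential binary: at no instant is ORIG
# absent or half-written, and each function can be re-run after a crash.
# Assumption: a real maintainer script registers the diversion separately,
#   dpkg-divert --package safe-rm --add --divert /bin/rm.real /bin/rm
# WITHOUT --rename, so that dpkg-divert never moves the file itself.
set -eu

# install_wrapper ORIG WRAPPER_SRC
# Keep a runnable copy of ORIG at ORIG.real, then put WRAPPER_SRC at ORIG.
# Every write goes to a fresh temporary name and is published by a single
# mv (a rename(2) within the same directory), so a crash leaves either the
# old or the new file in place, never nothing. Idempotent: a second run
# just re-installs the wrapper.
install_wrapper() {
    orig=$1
    wrapper_src=$2
    real=$orig.real

    # Step 1: preserve the original under the diverted name (skipped on
    # re-runs, so a rerun after a crash never copies the wrapper over the
    # preserved original).
    if [ ! -e "$real" ]; then
        cp -p "$orig" "$real.tmp"
        mv "$real.tmp" "$real"
    fi

    # Step 2: stage the wrapper beside its destination (same filesystem,
    # so the mv is an atomic rename) and only then swap it in.
    cp "$wrapper_src" "$orig.tmp"
    chmod 755 "$orig.tmp"
    mv "$orig.tmp" "$orig"
}

# remove_wrapper ORIG
# Reverse of install_wrapper: one rename puts the original back. Safe to
# run when nothing was installed.
remove_wrapper() {
    orig=$1
    real=$orig.real
    [ -e "$real" ] || return 0
    mv "$real" "$orig"
}

# make_scratch_rm DIR
# Constructed test fixture: a fake "rm" and a wrapper that calls through
# to "$0.real", mirroring how a wrapper at /bin/rm would call /bin/rm.real.
make_scratch_rm() {
    dir=$1
    printf '#!/bin/sh\necho real-rm "$@"\n' > "$dir/rm"
    chmod 755 "$dir/rm"
    printf '#!/bin/sh\necho wrapper-rm "$@"\nexec "$0.real" "$@"\n' > "$dir/wrapper"
}

# demo: run the whole cycle on a scratch directory and print what the fake
# "rm" answers at each stage (never touches the real /bin/rm).
demo() {
    dir=$(mktemp -d)
    make_scratch_rm "$dir"
    install_wrapper "$dir/rm" "$dir/wrapper"
    "$dir/rm" file1                            # wrapper-rm file1, then real-rm file1
    install_wrapper "$dir/rm" "$dir/wrapper"   # re-run: same state, no error
    remove_wrapper "$dir/rm"
    "$dir/rm" file1                            # real-rm file1
    rm -rf "$dir"
}

case "${1:-}" in
    demo) demo ;;
esac
```

Run it as `sh script.sh demo` to see the fake `rm` answer as the wrapper, then as the original again after removal. The two points that matter for a maintainer script are that every publish step is a single `mv` inside the same directory (a rename, never a copy that could be interrupted half-way) and that `install_wrapper` checks for an existing `.real` copy, which is what makes a rerun after a crash or a failed unpack safe instead of fatal.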


Bug#489690: safe-rm: unsafe handling of dpkg-divert may leave the system without /bin/rm

by Christoph Berg-2

Re: Sven Joachim 2008-07-07 <87prpqf78l.fsf@...>
> ,----[ safe-rm.preinst ]
> | if [ install = "$1"  ]; then
> |     dpkg-divert --package safe-rm --add --rename --divert /bin/rm.real /bin/rm
> |     ln -s /bin/rm.real /usr/bin/rm
> | fi
> `----

Why does the package use dpkg-divert anyway? The "rm" wrapper could
just be placed in /usr/bin - the default PATH has /usr/bin before
/bin.

The molly-guard package does the same wrapping for reboot/shutdown and
friends, and works like that.

Christoph
--
cb@... | http://www.df7cb.de/



Bug#489690: marked as done (safe-rm: unsafe handling of dpkg-divert may leave the system without /bin/rm)

by Debian Bug Tracking System


Your message dated Tue, 08 Jul 2008 07:17:10 +0000
with message-id <E1KG7Rm-00075m-Kq@...>
and subject line Bug#489690: fixed in safe-rm 0.2-4
has caused the Debian Bug report #489690,
regarding safe-rm: unsafe handling of dpkg-divert may leave the system without /bin/rm
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@...
immediately.)


--
489690: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=489690
Debian Bug Tracking System
Contact owner@... with problems

Source: safe-rm
Source-Version: 0.2-4

We believe that the bug you reported is fixed in the latest version of
safe-rm, which is due to be installed in the Debian FTP archive:

safe-rm_0.2-4.diff.gz
  to pool/main/s/safe-rm/safe-rm_0.2-4.diff.gz
safe-rm_0.2-4.dsc
  to pool/main/s/safe-rm/safe-rm_0.2-4.dsc
safe-rm_0.2-4_all.deb
  to pool/main/s/safe-rm/safe-rm_0.2-4_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 489690@...,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Francois Marier <francois@...> (supplier of updated safe-rm package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@...)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 07 Jul 2008 21:00:52 +1200
Source: safe-rm
Binary: safe-rm
Architecture: source all
Version: 0.2-4
Distribution: unstable
Urgency: high
Maintainer: Francois Marier <francois@...>
Changed-By: Francois Marier <francois@...>
Description:
 safe-rm    - wrapper around the rm command to prevent accidental deletions
Closes: 489690
Changes:
 safe-rm (0.2-4) unstable; urgency=high
 .
   * Move the binary to /usr/bin which removes the need for a diversion
     (closes: #489690). Urgency high because of this critical bug.
Checksums-Sha1:
 0a8b9afa24d5450ef6795a029de453b1c3a47854 1104 safe-rm_0.2-4.dsc
 02f8b82b1e3ffadbd644e4c5f414e6c0f1bbbb51 3850 safe-rm_0.2-4.diff.gz
 14eb166a09d0948b0ed268a2c3103e805b5539ab 8892 safe-rm_0.2-4_all.deb
Checksums-Sha256:
 0cadb04b4ded5a151ba96136273ec8c1996017800108dead2a450a1415c257f1 1104 safe-rm_0.2-4.dsc
 362fc6c825e2efab13ddfa6e9c20e56c8f99de3ce298642c43db0992a67054f0 3850 safe-rm_0.2-4.diff.gz
 83b38c546dd1ff57e935c46da7c1ff620a728650bdce99847e95e27d5fad8e41 8892 safe-rm_0.2-4_all.deb
Files:
 ac335422a158a32e375b42a8cd083601 1104 utils optional safe-rm_0.2-4.dsc
 2fe2d79fe753a7539765733c52008147 3850 utils optional safe-rm_0.2-4.diff.gz
 ee3a9740c5a52704431e490bb48f98df 8892 utils optional safe-rm_0.2-4_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkhzAKsACgkQScUZKBnQNIblcACeJ6bHXxy4QDXMtNfTjk4WSkTd
6MoAnjYPoZ+zudt3G4xwTEnpMs7cooH1
=CuVU
-----END PGP SIGNATURE-----



Bug#489690: closed by Francois Marier <francois@debian.org> (Bug#489690: fixed in safe-rm 0.2-4)

by Sven Joachim

On 2008-07-08 09:48 +0200, Debian Bug Tracking System wrote:

> Changes:
>  safe-rm (0.2-4) unstable; urgency=high
>  .
>    * Move the binary to /usr/bin which removes the need for a diversion
>      (closes: #489690). Urgency high because of this critical bug.

Thanks for the fast reaction.  Unfortunately, upgrading from 0.2-3 (or
earlier) now has another problem.  Between unpacking the new version and
running the postinst script no /bin/rm exists, and this situation looks
much more scary to me than the problems I outlined in the original
report.  In mass-upgrades, the time window between unpacking and
configuring a package is potentially very large; several minutes are not
unusual.

Since there's no way to fix this (/bin/rm is shipped in 0.2-3, and dpkg
will clobber it on upgrade, period), to me the only way to protect users
from this danger seems to be to offer to error out in the preinst.  This
could be done via a debconf question like the one kernel-package creates
for linux-image packages (they warn before overwriting a running kernel).

The only reason not to do this would be the young age and therefore low
popularity of safe-rm.  But even with only two dozen users I bet that
one of them will be hit very badly by this bug.

Cheers,
       Sven





Bug#489690: closed by Francois Marier <francois@debian.org> (Bug#489690: fixed in safe-rm 0.2-4)

by Francois Marier-3

On 2008-07-08 at 20:47:36, Sven Joachim wrote:
> In mass-upgrades, the time window between unpacking and configuring a
> package is potentially very large, several minutes are not unusual.

Very true.

> This could be done via a debconf question like the one kernel-package
> creates for linux-image packages (they warn to overwrite a running
> kernel).

I have just made a new upload with a debconf question. Thanks for the
suggestion!

Francois


