Your message dated Sun, 24 Jul 2022 18:31:15 +0100
with message-id <Yt2B470oMu7LMKrP@???>
and subject line Fixed in Debian's openrc 0.45.2-1
has caused the Devuan bug report #692,
regarding openrc: command_user flag in openrc-run does not function properly
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@???
immediately.)
--
692:
https://bugs.devuan.org/cgi/bugreport.cgi?bug=692
Devuan Bug Tracking System
Contact owner@??? with problems
Package: openrc
Version: 0.42-2.1
Severity: grave
Tags: newcomer security
Justification: user security hole
Dear Maintainer,
openrc-run's command_user flag does not function properly. If both a
user and group are specified, an error is returned:
"start-stop-daemon: user '$user:$group' not found", even if that user
and group exist. If only the user is specified, the script will run,
but as root, rather than as the user specified (which is the intended
behavior); the username specified is then passed to the command run as
an argument (not intended behavior).
I was able to make this option work as intended by editing
/lib/rc/sh/start-stop-daemon.sh, and changing --user in line 58 to
--chuid. I have not submitted a PR because in upstream, --chuid is
being deprecated in favor of --user, which does the same thing and
therefore there is no issue. On Devuan, however, these flags
apparently do different things, which causes this problem. I don't
understand very well Devuan's package's differences from upstream or
why this difference exists, but I assume there may be another solution
which does not rely on using an option deprecated in mainstream, which
maintainers may prefer to implement.
Best.
-- System Information:
Distributor ID: Devuan
Description: Devuan GNU/Linux 4 (chimaera)
Release: 4
Codename: chimaera
Architecture: x86_64
Kernel: Linux 5.10.0-11-amd64 (SMP w/1 CPU thread)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: OpenRC (via /run/openrc), PID 1: init
Versions of packages openrc depends on:
ii insserv 1.21.0-1.1
ii libaudit1 1:3.0-2
ii libc6 2.31-13+deb11u3
ii libeinfo1 0.42-2.1
ii libpam0g 1.4.0-9+deb11u1
ii librc1 0.42-2.1
ii libselinux1 3.1-3
openrc recommends no packages.
Versions of packages openrc suggests:
pn policycoreutils <none>
ii sysvinit-core 2.96-7+devuan2
-- no debconf information
Source: openrc
Source-Version: 0.45.2-1
Done: Mark Hindley <leepen@???>
We believe that the bug you reported is fixed in the latest version of
openrc, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1015765@???,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Mark Hindley <leepen@???> (supplier of updated openrc package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@???)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sun, 24 Jul 2022 15:32:06 +0100
Source: openrc
Architecture: source
Version: 0.45.2-1
Distribution: unstable
Urgency: medium
Maintainer: OpenRC Debian Maintainers <openrc@???>
Changed-By: Mark Hindley <leepen@???>
Closes: 973245 1015765
Changes:
openrc (0.45.2-1) unstable; urgency=medium
.
* d/watch: update to version 4 and fix path.
* New upstream version 0.45.2
- includes fix for CVE-2018-21269 (Closes: #973245).
* d/control:
- add myself to uploaders.
- bump debhelper compat to 13.
- add Build-Depends meson, pkg-config.
- bump Standards Version to 4.6.1 (no changes).
* debian/patches:
- remove obsolete d/p/0001-no-rpath.patch.
- delete patches applied upstream.
- convert to meson
- refresh.
* d/rules:
- convert to meson
- override libexecdir to keep existing non-multiarch path.
- cleanup and remove cruft.
* Simplify d/rules and multiarch handling with dh-exec.
* Install bash and zsh completions.
* d/not-installed: add uninstalled files.
* .gitignore backup files.
* d/openrc.lintian-overrides:
- update changed tag name.
- update to pointed format.
- remove unused override.
* sh/start-stop-daemon.sh: use src:dpkg s-s-d compatible --chuid
(Closes: #1015765).
Checksums-Sha1:
960a37fa530d1e6eea59a7fc3e22a7956e415450 2283 openrc_0.45.2-1.dsc
f61b8f40e9b2bd94a09a2ddd834d42c76a45b2d4 192020 openrc_0.45.2.orig.tar.xz
64a6daac79f69a67b41646d156f83a9bf37c2c03 24820 openrc_0.45.2-1.debian.tar.xz
04f4357d0257c144d67a68f1d5aa25695204d4f3 9205 openrc_0.45.2-1_amd64.buildinfo
Checksums-Sha256:
d3463a04d868c3c6c7416c2186b4676713bc7e11a64a1cbb4363ed525aa9a761 2283 openrc_0.45.2-1.dsc
2a47fbf6ef2d252bbee1232e7626f8cc445eaeeeabb49ced1e7b0d598dafeb66 192020 openrc_0.45.2.orig.tar.xz
ae0aaeb164e701fcfe4f3228aecd09aefd032cd51653149a1cbb9d9e20f606d2 24820 openrc_0.45.2-1.debian.tar.xz
88b33ee6075f3cc5089ac0ad782ec020cf8173303f6fef82bfe6c68b56e7e7fd 9205 openrc_0.45.2-1_amd64.buildinfo
Files:
9707f0f464c446b72050ffaff3c94b9d 2283 admin optional openrc_0.45.2-1.dsc
66c00b46950bf954d3e47b68999aa44a 192020 admin optional openrc_0.45.2.orig.tar.xz
0bacb081ef0275873328d96e0eea79bc 24820 admin optional openrc_0.45.2-1.debian.tar.xz
acca86f8c757dacde74107ca2da3f53b 9205 admin optional openrc_0.45.2-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEUGwVpCsK9aCoVCPu0opFvzKH1kkFAmLdczEACgkQ0opFvzKH
1kljixAAoSSfckl/l3mP3JcClslCUAW9lbQbFHlLW+6pJaRy/ro4mV7G62MBeEpU
fDMTZ8kwduibkbVjDetz3/hbIyUEN/dHXDH3apkAVs4OBXWEXhE9jY5VWAEKd+w6
mu2K1U/oQ0CO/GESKXSqJwAwoCaNtxJj3F5L8NfcfG4W40gpU5oUHZkZwddOPatf
BuCnrlJjq4MdP1YHgWSLQRrrFQDe6KHlF0H/IVaD9AaXw6A//k3ZD6+KZ7Okh3OK
8EvKDli9SNp4g9AAPT1OsDXmlEVJ4nBeLTB3IQRdhgoDyIt64Kkq30wv2+a4rI48
QaObwFbZNshUsX5WeF5MiBSOKL1hREzk9Nsh2W0Zhdtfk1qfR0tfKd1/VcU/P8LR
f10TYMQ0yYV645OmYT448j0Eh7Bnw0Ss1XIWWWqJa6Fq4dr988qGzRt2fD7S/2ax
haWIJTGvWKZXQfvXFkTdZKqyrEqJwY4BO4LrQo9oqLggE/Bl8ciHqrubGZmmo0Fn
NO5fgf782PALE5QK9RTyGfTAWHVrzY4pZHgaSp2HAhr3ny+RDLQJ6QudHZNAIWiL
KjbhSThG/ag0l5V2dcXgoHU2Miph6yuTouhEi9x0J27sKmXVCK1wI43LvxWnvQK+
3DZAOhOJGDef/cXXLlJK0zPKCUVUaKeOVYlTi3GvNU96EXvI+m4=
=VWC4
-----END PGP SIGNATURE-----