Hi everyone,
The other day I was running the regular 'pacman -Syu' on my server to upgrade to the latest stable packages (I use the 'extra' and the 'current' repositories). I have some files in /etc 'chattr +i'-ed for added security. Pacman errored that it could not extract /etc/shadow (because chattr +i means immutable, even for root; only root can unset it), but it was not a fatal error.
This error occurred during the installation of shadow, which apparently contains the program 'useradd'. It did not install this binary after it had errored, which is pretty strange if you ask me (if it cannot install the binaries, that's a fatal error imho). It had removed the old version though.
Now, my question:
Is chattr +i a recommended way of protecting some configuration files, or is there a better way? All the permissions are set correctly (like owner etc.). Should pacman handle this in a better way (in other words: explain to the user what went wrong, and that it did not install the binaries)?
Am I the only one using chattr +i?
Thanks for any input you might have, I'm interested in your opinion on this.
Greetings, Target
Firstly, pacman won't overwrite your config files. If you're scared it will, you can always add them to the NoUpgrade line in pacman.conf, which always leaves the existing file.
As for the failure thing, I'd file this as a bug - immutable files were probably never considered...
And yes, as far as I know, you're the only person I've heard of using immutable files.
Hi phrakture,
Thanks for your input, it's greatly appreciated! I'm not too afraid of pacman specifically, but I just don't want other people to be able to mess with those files, EVEN if the permissions on them could be changed. chattr +i ensures that *ONLY* the root user can modify the file, whatever the permissions.
As for pacman, I will file a bug report on that, see what the devs think about this.
Oh and yes, I will add those files to pacman.conf, that's a good idea. Does it then extract the files as .pacnew or does it not extract them at all? (Since sometimes there's a new config format so you *NEED* a new config file, you just need the old one for reference while configuring the new one :-P)
Greetings, Target
Oh and yes, I will add those files to pacman.conf, that's a good idea. Does it then extract the files as .pacnew or does it not extract them at all? (Since sometimes there's a new config format so you *NEED* a new config file, you just need the old one for reference while configuring the new one :-P)
Well, my understanding is that with "NoUpgrade" all the config file logic is just skipped and the file is extracted as a .pacnew regardless. This may even "fix" your problem, as it won't even try to touch the immutable files.
NOTE: "fix" is a funny word here. I've actually never seen code check for the immutable bit, but it should still fail on write. pacman should still "rollback" or something if it fails to write a file. It sounds like fairly complex logic, with backing up and things like that that pacman currently doesn't do, and it may have to wait until pacman 3.0. For now, if the NoUpgrade thing works, then I'd suggest that as a workaround.
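A pre-upgrade check that ties the two halves of this thread together, added here as an example and not code from either poster or from pacman itself: it finds the files that carry the immutable ('i') attribute, which pacman cannot overwrite even as root, and emits the matching NoUpgrade line for pacman.conf so pacman leaves the existing file alone and drops the new version beside it as .pacnew instead of failing to extract. It assumes the lsattr output layout (a flag field, a space, then the path) and the pacman.conf convention that NoUpgrade lists paths relative to the filesystem root, without the leading slash; the lsattr lines in the block are constructed for the example. Only lowercase 'i' is the immutable flag; uppercase 'I' means an indexed directory and is ignored.

```shell
#!/bin/sh
# Added example, not from the thread or from pacman. Find immutable files
# (which pacman cannot overwrite even as root) and build a NoUpgrade line
# for pacman.conf so the new file lands as .pacnew instead of failing.

# Read lsattr-style lines on stdin and print the paths whose flag field
# contains lowercase 'i' (immutable). 'I' (uppercase, indexed dir) is not it.
immutable_paths() {
    while IFS= read -r line; do
        flags=${line%% *}
        path=${line#* }
        case "$flags" in
            *i*) printf '%s\n' "$path" ;;
        esac
    done
}

# Read absolute paths on stdin and print one pacman.conf NoUpgrade line.
# pacman.conf lists paths relative to the root, i.e. without the leading '/'.
# Returns 1 (and prints nothing) when no paths were given.
noupgrade_line() {
    set --
    while IFS= read -r p; do
        set -- "$@" "${p#/}"
    done
    [ "$#" -gt 0 ] || return 1
    printf 'NoUpgrade = %s\n' "$*"
}

# Constructed lsattr output for the example. On a real system use:
#   lsattr -R /etc 2>/dev/null | immutable_paths | noupgrade_line
SAMPLE_LSATTR='----i---------e------- /etc/shadow
--------------e------- /etc/passwd
----i---------e------- /etc/sudoers
-------------Ie------- /etc/skel'

# Run the check over the constructed sample and return the NoUpgrade line.
check_sample() {
    printf '%s\n' "$SAMPLE_LSATTR" | immutable_paths | noupgrade_line
}

check_sample
```

Two caveats a practitioner would want. NoUpgrade means the installed copy is never touched again, so a package that ships a changed format for one of these files will only ever give you a .pacnew to merge by hand. And if you would rather let pacman update a file, the immutable bit has to come off first: run chattr -i on it before the upgrade and chattr +i afterwards, since the bit blocks writes, unlinks and renames alike, whatever the file's permissions say.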