Debian Bug report logs - #807442
please include dbginfo.sh

Package: s390-tools; Maintainer for s390-tools is Debian S/390 Team <debian-s390@lists.debian.org>; Source for s390-tools is src:s390-tools (PTS, buildd, popcon).

Reported by: dann frazier <dannf@debian.org>

Date: Tue, 8 Dec 2015 22:15:06 UTC

Severity: normal

Tags: patch

Found in version s390-tools/1.32.0-1


Report forwarded to debian-bugs-dist@lists.debian.org, Debian S/390 Team <debian-s390@lists.debian.org>:
Bug#807442; Package s390-tools. (Tue, 08 Dec 2015 22:15:10 GMT) (full text, mbox, link).


Acknowledgement sent to dann frazier <dannf@debian.org>:
New Bug report received and forwarded. Copy sent to Debian S/390 Team <debian-s390@lists.debian.org>. (Tue, 08 Dec 2015 22:15:10 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: dann frazier <dannf@debian.org>
To: submit@bugs.debian.org
Subject: please include dbginfo.sh
Date: Tue, 8 Dec 2015 15:14:31 -0700
Package: s390-tools
Version: 1.32.0-1
Severity: normal
Tags: patch

The source package provides a dbginfo.sh tool that is not currently
included in the binary package.



Information forwarded to debian-bugs-dist@lists.debian.org, Debian S/390 Team <debian-s390@lists.debian.org>:
Bug#807442; Package s390-tools. (Tue, 08 Dec 2015 22:21:04 GMT) (full text, mbox, link).


Acknowledgement sent to dann frazier <dannf@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian S/390 Team <debian-s390@lists.debian.org>. (Tue, 08 Dec 2015 22:21:04 GMT) (full text, mbox, link).


Message #10 received at 807442@bugs.debian.org (full text, mbox, reply):

From: dann frazier <dannf@debian.org>
To: 807442@bugs.debian.org
Subject: patch
Date: Tue, 8 Dec 2015 15:17:49 -0700
Attached.
[add-dbginfo.sh.patch (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian S/390 Team <debian-s390@lists.debian.org>:
Bug#807442; Package s390-tools. (Wed, 09 Dec 2015 08:09:03 GMT) (full text, mbox, link).


Acknowledgement sent to Hendrik Brueckner <brueckner@linux.vnet.ibm.com>:
Extra info received and forwarded to list. Copy sent to Debian S/390 Team <debian-s390@lists.debian.org>. (Wed, 09 Dec 2015 08:09:03 GMT) (full text, mbox, link).


Message #15 received at 807442@bugs.debian.org (full text, mbox, reply):

From: Hendrik Brueckner <brueckner@linux.vnet.ibm.com>
To: dann frazier <dannf@debian.org>, 807442@bugs.debian.org
Subject: Re: Bug#807442: patch
Date: Wed, 9 Dec 2015 09:05:14 +0100
Hi Dann,

On Tue, Dec 08, 2015 at 03:17:49PM -0700, dann frazier wrote:
> Attached.

> diff -Nru s390-tools-1.32.0/debian/changelog s390-tools-1.32.0/debian/changelog
> --- s390-tools-1.32.0/debian/changelog	2015-10-25 17:12:02.000000000 +0100
> +++ s390-tools-1.32.0/debian/changelog	2015-12-08 23:14:52.000000000 +0100
> @@ -1,3 +1,9 @@
> +s390-tools (1.32.0-2) UNRELEASED; urgency=medium
> +
> +  * Add dbginfo.sh. (Closes: #807442)
> +
> + -- dann frazier <dannf@debian.org>  Tue, 08 Dec 2015 22:33:52 +0100
> +
>  s390-tools (1.32.0-1) unstable; urgency=medium
> 
>    * New upstream release
> diff -Nru s390-tools-1.32.0/debian/s390-tools.install s390-tools-1.32.0/debian/s390-tools.install
> --- s390-tools-1.32.0/debian/s390-tools.install	2014-07-26 23:59:18.000000000 +0200
> +++ s390-tools-1.32.0/debian/s390-tools.install	2015-12-08 23:08:30.000000000 +0100
> @@ -10,6 +10,10 @@
>  /sbin/dasdview
>  /usr/share/man/man8/dasdview.8
> 
> +# dbginfo.sh
> +/sbin/dbginfo.sh
> +/usr/share/man/man1/dbginfo.sh.1
> +
>  # fdasd
>  /sbin/fdasd
>  /usr/share/man/man8/fdasd.8
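
Review bot: The new "/usr/share/man/man1/dbginfo.sh.1" entry puts the manual page in section 1 while the script itself is installed to /sbin; the neighbouring dasdview and fdasd entries pair /sbin with man8. Section 8 is the usual home for administration commands, so it is worth confirming with upstream whether the page belongs in man8, or noting in the "# dbginfo.sh" comment that the section is upstream's choice.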

Thanks for submitting this patch and the lsluns patch as well.  I am about to
open another bug to include the device-mapper helper for zipl and chreipl as
well.  They are required for booting from device-mapper devices, for example,
LVM, multipath.

Thanks and kind regards,
  Hendrik

-- 
Hendrik Brueckner
brueckner@linux.vnet.ibm.com      | IBM Deutschland Research & Development GmbH
Linux on z Systems Development    | Schoenaicher Str. 220, 71032 Boeblingen


IBM Deutschland Research & Development GmbH
Chairman of the Supervisory Board: Martina Koederitz
Management: Dirk Wittkopp
Registered office: Boeblingen
Court of registration: Amtsgericht Stuttgart, HRB 243294




Information forwarded to debian-bugs-dist@lists.debian.org, Debian S/390 Team <debian-s390@lists.debian.org>:
Bug#807442; Package s390-tools. (Sun, 13 Dec 2015 15:06:08 GMT) (full text, mbox, link).


Message #18 received at 807442@bugs.debian.org (full text, mbox, reply):

From: Philipp Kern <pkern@debian.org>
To: dann frazier <dannf@debian.org>, 807442@bugs.debian.org
Cc: Hendrik Brueckner <brueckner@linux.vnet.ibm.com>
Subject: Re: Bug#807442: patch
Date: Sun, 13 Dec 2015 15:50:01 +0100
On Tue, Dec 08, 2015 at 03:17:49PM -0700, dann frazier wrote:
> diff -Nru s390-tools-1.32.0/debian/changelog s390-tools-1.32.0/debian/changelog
> --- s390-tools-1.32.0/debian/changelog	2015-10-25 17:12:02.000000000 +0100
> +++ s390-tools-1.32.0/debian/changelog	2015-12-08 23:14:52.000000000 +0100
> @@ -1,3 +1,9 @@
> +s390-tools (1.32.0-2) UNRELEASED; urgency=medium
> +
> +  * Add dbginfo.sh. (Closes: #807442)
> +
> + -- dann frazier <dannf@debian.org>  Tue, 08 Dec 2015 22:33:52 +0100
> +
>  s390-tools (1.32.0-1) unstable; urgency=medium
>  
>    * New upstream release
> diff -Nru s390-tools-1.32.0/debian/s390-tools.install s390-tools-1.32.0/debian/s390-tools.install
> --- s390-tools-1.32.0/debian/s390-tools.install	2014-07-26 23:59:18.000000000 +0200
> +++ s390-tools-1.32.0/debian/s390-tools.install	2015-12-08 23:08:30.000000000 +0100
> @@ -10,6 +10,10 @@
>  /sbin/dasdview
>  /usr/share/man/man8/dasdview.8
>  
> +# dbginfo.sh
> +/sbin/dbginfo.sh
> +/usr/share/man/man1/dbginfo.sh.1
> +
>  # fdasd
>  /sbin/fdasd
>  /usr/share/man/man8/fdasd.8

Three comments:

 * dbginfo.sh should tell the user that the information in the tarball
   is sensitive.
 * The resulting tarball should be 0600 by default. (The script needs
   to run as root anyway, but placing the result world-readable in
   /tmp does not seem smart.)
 * Unless this is expected to be in /sbin, given that it's user
   invoked and not usually scripted, should this be in /usr/sbin
   instead?

Kind regards and thanks
Philipp Kern

Information forwarded to debian-bugs-dist@lists.debian.org, Debian S/390 Team <debian-s390@lists.debian.org>:
Bug#807442; Package s390-tools. (Mon, 14 Dec 2015 08:30:05 GMT) (full text, mbox, link).


Acknowledgement sent to Hendrik Brueckner <brueckner@linux.vnet.ibm.com>:
Extra info received and forwarded to list. Copy sent to Debian S/390 Team <debian-s390@lists.debian.org>. (Mon, 14 Dec 2015 08:30:06 GMT) (full text, mbox, link).


Message #23 received at 807442@bugs.debian.org (full text, mbox, reply):

From: Hendrik Brueckner <brueckner@linux.vnet.ibm.com>
To: Philipp Kern <pkern@debian.org>
Cc: dann frazier <dannf@debian.org>, 807442@bugs.debian.org, Hendrik Brueckner <brueckner@linux.vnet.ibm.com>, Michael Holzheu <holzheu@linux.vnet.ibm.com>, taphorn@de.ibm.com
Subject: Re: Bug#807442: patch
Date: Mon, 14 Dec 2015 09:28:08 +0100
Hi Philipp,

On Sun, Dec 13, 2015 at 03:50:01PM +0100, Philipp Kern wrote:
> On Tue, Dec 08, 2015 at 03:17:49PM -0700, dann frazier wrote:
> > diff -Nru s390-tools-1.32.0/debian/changelog s390-tools-1.32.0/debian/changelog
> > --- s390-tools-1.32.0/debian/changelog	2015-10-25 17:12:02.000000000 +0100
> > +++ s390-tools-1.32.0/debian/changelog	2015-12-08 23:14:52.000000000 +0100
> > @@ -1,3 +1,9 @@
> > +s390-tools (1.32.0-2) UNRELEASED; urgency=medium
> > +
> > +  * Add dbginfo.sh. (Closes: #807442)
> > +
> > + -- dann frazier <dannf@debian.org>  Tue, 08 Dec 2015 22:33:52 +0100
> > +
> >  s390-tools (1.32.0-1) unstable; urgency=medium
> >  
> >    * New upstream release
> > diff -Nru s390-tools-1.32.0/debian/s390-tools.install s390-tools-1.32.0/debian/s390-tools.install
> > --- s390-tools-1.32.0/debian/s390-tools.install	2014-07-26 23:59:18.000000000 +0200
> > +++ s390-tools-1.32.0/debian/s390-tools.install	2015-12-08 23:08:30.000000000 +0100
> > @@ -10,6 +10,10 @@
> >  /sbin/dasdview
> >  /usr/share/man/man8/dasdview.8
> >  
> > +# dbginfo.sh
> > +/sbin/dbginfo.sh
> > +/usr/share/man/man1/dbginfo.sh.1
> > +
> >  # fdasd
> >  /sbin/fdasd
> >  /usr/share/man/man8/fdasd.8
> 
> Three comments:
> 
>  * dbginfo.sh should tell the user that the information in the tarball
>    is sensitive.
>  * The resulting tarball should be 0600 by default. (The script needs
>    to run as root anyway, but placing the result world-readable in
>    /tmp does not seem smart.)

Thanks for the feedback.  I think that sounds good.  I put the s390-tools
owners for their feedback on CC.

>  * Unless this is expected to be in /sbin, given that it's user
>    invoked and not usually scripted, should this be in /usr/sbin
>    instead?
> 

Kind regards,
  Hendrik

Information forwarded to debian-bugs-dist@lists.debian.org, Debian S/390 Team <debian-s390@lists.debian.org>:
Bug#807442; Package s390-tools. (Mon, 14 Dec 2015 10:33:03 GMT) (full text, mbox, link).


Acknowledgement sent to Hendrik Brueckner <brueckner@linux.vnet.ibm.com>:
Extra info received and forwarded to list. Copy sent to Debian S/390 Team <debian-s390@lists.debian.org>. (Mon, 14 Dec 2015 10:33:03 GMT) (full text, mbox, link).


Message #28 received at 807442@bugs.debian.org (full text, mbox, reply):

From: Hendrik Brueckner <brueckner@linux.vnet.ibm.com>
To: Philipp Kern <pkern@debian.org>
Cc: dann frazier <dannf@debian.org>, 807442@bugs.debian.org, Hendrik Brueckner <brueckner@linux.vnet.ibm.com>, Michael Holzheu <holzheu@linux.vnet.ibm.com>, taphorn@de.ibm.com
Subject: Re: Bug#807442: patch
Date: Mon, 14 Dec 2015 11:31:26 +0100
On Mon, Dec 14, 2015 at 09:28:08AM +0100, Hendrik Brueckner wrote:
> On Sun, Dec 13, 2015 at 03:50:01PM +0100, Philipp Kern wrote:
> > On Tue, Dec 08, 2015 at 03:17:49PM -0700, dann frazier wrote:
> > > --- s390-tools-1.32.0/debian/s390-tools.install	2014-07-26 23:59:18.000000000 +0200
> > > +++ s390-tools-1.32.0/debian/s390-tools.install	2015-12-08 23:08:30.000000000 +0100
> > > @@ -10,6 +10,10 @@
> > >  /sbin/dasdview
> > >  /usr/share/man/man8/dasdview.8
> > >  
> > > +# dbginfo.sh
> > > +/sbin/dbginfo.sh
> > > +/usr/share/man/man1/dbginfo.sh.1
> > > +
> >
> >  * Unless this is expected to be in /sbin, given that it's user
> >    invoked and not usually scripted, should this be in /usr/sbin
> >    instead?

I am not sure what you exactly mean with "user" invoked.
Anyhow, /sbin/ makes sense because the intention of the dbginfo.sh
script is to collect system and debugging information.  So it is
important to have it available early (even before /usr becomes
mounted).

I would also go further and would suggest to include it in the
s390-tools udeb package to be available in the debian installer
too.  But I would have to check if it runs in the debian installer
environment.  I could also imagine to integrate it into the
installation-report module.

Thanks and kind regards,
  Hendrik

Information forwarded to debian-bugs-dist@lists.debian.org, Debian S/390 Team <debian-s390@lists.debian.org>:
Bug#807442; Package s390-tools. (Fri, 29 Jan 2016 23:18:04 GMT) (full text, mbox, link).


Acknowledgement sent to dann frazier <dannf@dannf.org>:
Extra info received and forwarded to list. Copy sent to Debian S/390 Team <debian-s390@lists.debian.org>. (Fri, 29 Jan 2016 23:18:04 GMT) (full text, mbox, link).


Message #33 received at 807442@bugs.debian.org (full text, mbox, reply):

From: dann frazier <dannf@dannf.org>
To: Hendrik Brueckner <brueckner@linux.vnet.ibm.com>
Cc: Philipp Kern <pkern@debian.org>, 807442@bugs.debian.org, Michael Holzheu <holzheu@linux.vnet.ibm.com>, taphorn@de.ibm.com
Subject: Re: Bug#807442: patch
Date: Fri, 29 Jan 2016 16:16:19 -0700
On Mon, Dec 14, 2015 at 11:31:26AM +0100, Hendrik Brueckner wrote:
> On Mon, Dec 14, 2015 at 09:28:08AM +0100, Hendrik Brueckner wrote:
> > On Sun, Dec 13, 2015 at 03:50:01PM +0100, Philipp Kern wrote:
> > > On Tue, Dec 08, 2015 at 03:17:49PM -0700, dann frazier wrote:
> > > > --- s390-tools-1.32.0/debian/s390-tools.install	2014-07-26 23:59:18.000000000 +0200
> > > > +++ s390-tools-1.32.0/debian/s390-tools.install	2015-12-08 23:08:30.000000000 +0100
> > > > @@ -10,6 +10,10 @@
> > > >  /sbin/dasdview
> > > >  /usr/share/man/man8/dasdview.8
> > > >  
> > > > +# dbginfo.sh
> > > > +/sbin/dbginfo.sh
> > > > +/usr/share/man/man1/dbginfo.sh.1
> > > > +
> > >
> > >  * Unless this is expected to be in /sbin, given that it's user
> > >    invoked and not usually scripted, should this be in /usr/sbin
> > >    instead?
> 
> I am not sure what you exactly mean with "user" invoked.

I believe that note means that this utility appears to be something
that a user would execute in an interactive terminal vs. e.g. a script
in early boot.

> Anyhow, /sbin/ makes sense because the intention of the dbginfo.sh
> script is to collect system and debugging information.  So it is
> important to have it available early (even before /usr becomes
> mounted).

While this may be a theoretical use case, I don't think the script has
been designed to run in this environment. As one example, it
calls "/usr/bin/id" to check if it is running as root. It also uses the
"find" command in a number of places which, at least on Debian
systems, is installed in /usr/bin.

> I would also go further and would suggest to include it in the
> s390-tools udeb package to be available in the debian installer
> too.  But I would have to check if it runs in the debian installer
> environment.  I could also imagine to integrate it into the
> installation-report module.

I'd suggest opening separate bugs for those.



Information forwarded to debian-bugs-dist@lists.debian.org, Debian S/390 Team <debian-s390@lists.debian.org>:
Bug#807442; Package s390-tools. (Fri, 29 Jan 2016 23:18:15 GMT) (full text, mbox, link).


Acknowledgement sent to dann frazier <dannf@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian S/390 Team <debian-s390@lists.debian.org>. (Fri, 29 Jan 2016 23:18:15 GMT) (full text, mbox, link).


Message #38 received at 807442@bugs.debian.org (full text, mbox, reply):

From: dann frazier <dannf@debian.org>
To: Philipp Kern <pkern@debian.org>
Cc: 807442@bugs.debian.org, Hendrik Brueckner <brueckner@linux.vnet.ibm.com>
Subject: Re: Bug#807442: patch
Date: Fri, 29 Jan 2016 16:17:32 -0700
On Sun, Dec 13, 2015 at 03:50:01PM +0100, Philipp Kern wrote:
> On Tue, Dec 08, 2015 at 03:17:49PM -0700, dann frazier wrote:
> > diff -Nru s390-tools-1.32.0/debian/changelog s390-tools-1.32.0/debian/changelog
> > --- s390-tools-1.32.0/debian/changelog	2015-10-25 17:12:02.000000000 +0100
> > +++ s390-tools-1.32.0/debian/changelog	2015-12-08 23:14:52.000000000 +0100
> > @@ -1,3 +1,9 @@
> > +s390-tools (1.32.0-2) UNRELEASED; urgency=medium
> > +
> > +  * Add dbginfo.sh. (Closes: #807442)
> > +
> > + -- dann frazier <dannf@debian.org>  Tue, 08 Dec 2015 22:33:52 +0100
> > +
> >  s390-tools (1.32.0-1) unstable; urgency=medium
> >  
> >    * New upstream release
> > diff -Nru s390-tools-1.32.0/debian/s390-tools.install s390-tools-1.32.0/debian/s390-tools.install
> > --- s390-tools-1.32.0/debian/s390-tools.install	2014-07-26 23:59:18.000000000 +0200
> > +++ s390-tools-1.32.0/debian/s390-tools.install	2015-12-08 23:08:30.000000000 +0100
> > @@ -10,6 +10,10 @@
> >  /sbin/dasdview
> >  /usr/share/man/man8/dasdview.8
> >  
> > +# dbginfo.sh
> > +/sbin/dbginfo.sh
> > +/usr/share/man/man1/dbginfo.sh.1
> > +
> >  # fdasd
> >  /sbin/fdasd
> >  /usr/share/man/man8/fdasd.8
> 
> Three comments:
> 
>  * dbginfo.sh should tell the user that the information in the tarball
>    is sensitive.
>  * The resulting tarball should be 0600 by default. (The script needs
>    to run as root anyway, but placing the result world-readable in
>    /tmp does not seem smart.)
>  * Unless this is expected to be in /sbin, given that it's user
>    invoked and not usually scripted, should this be in /usr/sbin
>    instead?

Good feedback, thanks Philipp! I've addressed all 3 issues in the
attached updated patch.
[add-dbginfo.sh-2.patch (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian S/390 Team <debian-s390@lists.debian.org>:
Bug#807442; Package s390-tools. (Thu, 04 Feb 2016 08:39:10 GMT) (full text, mbox, link).


Acknowledgement sent to Hendrik Brueckner <brueckner@linux.vnet.ibm.com>:
Extra info received and forwarded to list. Copy sent to Debian S/390 Team <debian-s390@lists.debian.org>. (Thu, 04 Feb 2016 08:39:10 GMT) (full text, mbox, link).


Message #43 received at 807442@bugs.debian.org (full text, mbox, reply):

From: Hendrik Brueckner <brueckner@linux.vnet.ibm.com>
To: dann frazier <dannf@debian.org>, 807442@bugs.debian.org
Cc: Philipp Kern <pkern@debian.org>, Hendrik Brueckner <brueckner@linux.vnet.ibm.com>, Wolfgang Taphorn <taphorn@de.ibm.com>
Subject: Re: Bug#807442: patch
Date: Thu, 4 Feb 2016 09:35:13 +0100
Hi Dann,

I have CC'ed Wolfgang who takes care of it from customer service perspective.
Within our team, we received some feedback for your patches that I want to
share with you.

On Fri, Jan 29, 2016 at 04:17:32PM -0700, dann frazier wrote:
> On Sun, Dec 13, 2015 at 03:50:01PM +0100, Philipp Kern wrote:
> > On Tue, Dec 08, 2015 at 03:17:49PM -0700, dann frazier wrote:
> > > diff -Nru s390-tools-1.32.0/debian/changelog s390-tools-1.32.0/debian/changelog
> > > --- s390-tools-1.32.0/debian/changelog	2015-10-25 17:12:02.000000000 +0100
> > > +++ s390-tools-1.32.0/debian/changelog	2015-12-08 23:14:52.000000000 +0100
> > > @@ -1,3 +1,9 @@
> > > +s390-tools (1.32.0-2) UNRELEASED; urgency=medium
> > > +
> > > +  * Add dbginfo.sh. (Closes: #807442)
> > > +
> > > + -- dann frazier <dannf@debian.org>  Tue, 08 Dec 2015 22:33:52 +0100
> > > +
> > >  s390-tools (1.32.0-1) unstable; urgency=medium
> > >  
> > >    * New upstream release
> > > diff -Nru s390-tools-1.32.0/debian/s390-tools.install s390-tools-1.32.0/debian/s390-tools.install
> > > --- s390-tools-1.32.0/debian/s390-tools.install	2014-07-26 23:59:18.000000000 +0200
> > > +++ s390-tools-1.32.0/debian/s390-tools.install	2015-12-08 23:08:30.000000000 +0100
> > > @@ -10,6 +10,10 @@
> > >  /sbin/dasdview
> > >  /usr/share/man/man8/dasdview.8
> > >  
> > > +# dbginfo.sh
> > > +/sbin/dbginfo.sh
> > > +/usr/share/man/man1/dbginfo.sh.1
> > > +
> > >  # fdasd
> > >  /sbin/fdasd
> > >  /usr/share/man/man8/fdasd.8
> > 
> > Three comments:
> > 
> >  * dbginfo.sh should tell the user that the information in the tarball
> >    is sensitive.
> >  * The resulting tarball should be 0600 by default. (The script needs
> >    to run as root anyway, but placing the result world-readable in
> >    /tmp does not seem smart.)
> >  * Unless this is expected to be in /sbin, given that it's user
> >    invoked and not usually scripted, should this be in /usr/sbin
> >    instead?
> 
> Good feedback, thanks Philipp! I've addressed all 3 issues in the
> attached updated patch.

> diff -Nru s390-tools-1.32.0/debian/changelog s390-tools-1.32.0/debian/changelog
> --- s390-tools-1.32.0/debian/changelog	2015-12-13 09:50:48.000000000 -0500
> +++ s390-tools-1.32.0/debian/changelog	2016-01-29 12:56:29.000000000 -0500
> @@ -1,3 +1,12 @@
> +s390-tools (1.32.0-3) UNRELEASED; urgency=medium
> +
> +  * Add dbginfo.sh. (Closes: #807442, LP: #1539719)
> +    - dbginfo.sh-umask.patch: Avoid leaking content to unprivileged users.
> +    - dbginfo.sh-warn.patch: Warn users about the sensitivity of the data
> +      this tool collects.
> +
> + -- dann frazier <dannf@debian.org>  Fri, 29 Jan 2016 12:49:16 -0500
> +
>  s390-tools (1.32.0-2) unstable; urgency=medium
> 
>    [ Hendrik Brueckner ]
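
Review bot: The 1.32.0-3 changelog entry lists the two new patches but not the change of install location, although debian/s390-tools.install in this same diff now maps /sbin/dbginfo.sh to /usr/sbin. Add a bullet for it: the packaged path differs from upstream's, and anyone calling the script by absolute path is affected.
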
> diff -Nru s390-tools-1.32.0/debian/patches/dbginfo.sh-umask.patch s390-tools-1.32.0/debian/patches/dbginfo.sh-umask.patch
> --- s390-tools-1.32.0/debian/patches/dbginfo.sh-umask.patch	1969-12-31 19:00:00.000000000 -0500
> +++ s390-tools-1.32.0/debian/patches/dbginfo.sh-umask.patch	2016-01-29 12:21:06.000000000 -0500
> @@ -0,0 +1,16 @@
> +Description: dbginfo.sh: set umask to prevent local leaks of sensitive data
> +Author: dann frazier <dannf@debian.org>
> +Last-Update: 2016-01-29
> +
> +Index: s390-tools-1.32.0/scripts/dbginfo.sh
> +===================================================================
> +--- s390-tools-1.32.0.orig/scripts/dbginfo.sh
> ++++ s390-tools-1.32.0/scripts/dbginfo.sh
> +@@ -12,6 +12,7 @@ export LC_ALL
> + # The general name of this script
> + readonly SCRIPTNAME="${0##*/}"
> + 
> ++umask 0077

This is tricky and probably leads to changed permissions that might be useful
to detect permissions problems.  Wolfgang and team worked on this topic and
a problem fix will be provided with the next s390-tools version.  The idea
here is to change the permission of the directory which will be created to
contain all service data.

> + 
> + ########################################
> + # print version info
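
Review bot: The added "umask 0077" sits at the top of the script, directly after the SCRIPTNAME definition, so it applies to every file and directory the script and its child processes create from that point on, not only to the final archive. If the goal is only to keep the collected output away from other local users, consider creating the output directory with an explicit 0700 mode and tightening the umask only around the command that writes the tarball; everything else the script writes then keeps the mode it would have had without the patch.
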
> diff -Nru s390-tools-1.32.0/debian/patches/dbginfo.sh-warn.patch s390-tools-1.32.0/debian/patches/dbginfo.sh-warn.patch
> --- s390-tools-1.32.0/debian/patches/dbginfo.sh-warn.patch	1969-12-31 19:00:00.000000000 -0500
> +++ s390-tools-1.32.0/debian/patches/dbginfo.sh-warn.patch	2016-01-29 12:32:51.000000000 -0500
> @@ -0,0 +1,38 @@
> +Description: dbginfo.sh: Sensitivity training
> + Warn users that the archive this tool generates contains sensitive data,
> + and give them an opportunity to exit.
> +Author: dann frazier <dannf@debian.org>
> +Last-Update: 2016-01-29
> +
> +Index: s390-tools-1.32.0/scripts/dbginfo.sh
> +===================================================================
> +--- s390-tools-1.32.0.orig/scripts/dbginfo.sh
> ++++ s390-tools-1.32.0/scripts/dbginfo.sh
> +@@ -71,6 +71,27 @@ if test "$(/usr/bin/id -u 2>/dev/null)"
> +     exit 1
> + fi
> + 
> ++echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
> ++echo " Warning: The archive created by this utility will contain sensitive"
> ++echo " information including, but not limited to:"
> ++echo "  - configuration files"
> ++echo "  - log files"
> ++echo "  - hardware state information"
> ++echo "  - running process state and command line arguments"
> ++echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
> ++echo ""
> ++echo -n " Do you wish to continue? [y/N]> "
> ++read resp
> ++case "$resp" in
> ++    y|Y)
> ++	:
> ++	;;
> ++    *)
> ++	echo "OK, exiting."
> ++	exit 0
> ++esac

The dbginfo.sh must be started as root and typically whoever acts as root
should know what it does... if not, well, it should be not root ;-)

Also keep in mind that the dbginfo.sh is called from within other programs
that are non-interactive.

For clarity, what exactly do you understand of "sensitive" data?  dbginfo.sh
does not collect files that contain passwords.  If you think that dbginfo.sh
includes password-sensitive data, feel free to report the problem to us.


> ++		
> ++
> + #######################################
> + # Parsing the command line
> + #
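
Review bot: The prompt added after the root check ends in "exit 0" for any answer other than y or Y, and "read resp" also leaves resp empty when stdin is closed or at end of file, so a non-interactive caller gets a success status although no archive was produced. Either skip the prompt when stdin is not a terminal (test -t 0) or exit non-zero on refusal. Two smaller points: "echo -n" is not portable across sh implementations (printf is), and one of the added lines after "esac" holds only tabs.
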
> diff -Nru s390-tools-1.32.0/debian/patches/series s390-tools-1.32.0/debian/patches/series
> --- s390-tools-1.32.0/debian/patches/series	2015-12-13 09:41:14.000000000 -0500
> +++ s390-tools-1.32.0/debian/patches/series	2016-01-29 12:21:21.000000000 -0500
> @@ -6,3 +6,5 @@
>  zipl-optional.patch
>  disable.patch
>  sg3-utils.patch
> +dbginfo.sh-umask.patch
> +dbginfo.sh-warn.patch
> diff -Nru s390-tools-1.32.0/debian/s390-tools.install s390-tools-1.32.0/debian/s390-tools.install
> --- s390-tools-1.32.0/debian/s390-tools.install	2015-12-13 09:47:24.000000000 -0500
> +++ s390-tools-1.32.0/debian/s390-tools.install	2016-01-29 12:40:00.000000000 -0500
> @@ -10,6 +10,10 @@
>  /sbin/dasdview
>  /usr/share/man/man8/dasdview.8
> 
> +# dbginfo.sh
> +/sbin/dbginfo.sh /usr/sbin
> +/usr/share/man/man1/dbginfo.sh.1
> +
>  # fdasd
>  /sbin/fdasd
>  /usr/share/man/man8/fdasd.8
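
Review bot: "/sbin/dbginfo.sh /usr/sbin" is the only entry in this part of the file with a destination column, and the "# dbginfo.sh" comment does not say why. Extend the comment with the reason for the relocation (for example that the script calls /usr/bin/id, as the hunk header in dbginfo.sh-warn.patch shows, so it depends on /usr anyway), so that a later sync with upstream's install paths does not silently revert it.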

Thanks and kind regards,
  Hendrik

-- 
Hendrik Brueckner
brueckner@linux.vnet.ibm.com      | IBM Deutschland Research & Development GmbH
Linux on z Systems Development    | Schoenaicher Str. 220, 71032 Boeblingen


IBM Deutschland Research & Development GmbH
Chairman of the Supervisory Board: Martina Koederitz
Management: Dirk Wittkopp
Registered office: Boeblingen
Court of registration: Amtsgericht Stuttgart, HRB 243294




Information forwarded to debian-bugs-dist@lists.debian.org, Debian S/390 Team <debian-s390@lists.debian.org>:
Bug#807442; Package s390-tools. (Thu, 04 Feb 2016 20:33:03 GMT) (full text, mbox, link).


Acknowledgement sent to dann frazier <dannf@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian S/390 Team <debian-s390@lists.debian.org>. (Thu, 04 Feb 2016 20:33:03 GMT) (full text, mbox, link).


Message #48 received at 807442@bugs.debian.org (full text, mbox, reply):

From: dann frazier <dannf@debian.org>
To: Hendrik Brueckner <brueckner@linux.vnet.ibm.com>
Cc: 807442@bugs.debian.org, Philipp Kern <pkern@debian.org>, Wolfgang Taphorn <taphorn@de.ibm.com>
Subject: Re: Bug#807442: patch
Date: Thu, 4 Feb 2016 13:31:25 -0700
On Thu, Feb 04, 2016 at 09:35:13AM +0100, Hendrik Brueckner wrote:
> Hi Dann,
> 
> I have CC'ed Wolfgang who takes care of it from customer service perspective.
> Within our team, we received some feedback for your patches that I want to
> share with you.
> 
> On Fri, Jan 29, 2016 at 04:17:32PM -0700, dann frazier wrote:
> > On Sun, Dec 13, 2015 at 03:50:01PM +0100, Philipp Kern wrote:
> > > On Tue, Dec 08, 2015 at 03:17:49PM -0700, dann frazier wrote:
> > > > diff -Nru s390-tools-1.32.0/debian/changelog s390-tools-1.32.0/debian/changelog
> > > > --- s390-tools-1.32.0/debian/changelog	2015-10-25 17:12:02.000000000 +0100
> > > > +++ s390-tools-1.32.0/debian/changelog	2015-12-08 23:14:52.000000000 +0100
> > > > @@ -1,3 +1,9 @@
> > > > +s390-tools (1.32.0-2) UNRELEASED; urgency=medium
> > > > +
> > > > +  * Add dbginfo.sh. (Closes: #807442)
> > > > +
> > > > + -- dann frazier <dannf@debian.org>  Tue, 08 Dec 2015 22:33:52 +0100
> > > > +
> > > >  s390-tools (1.32.0-1) unstable; urgency=medium
> > > >  
> > > >    * New upstream release
> > > > diff -Nru s390-tools-1.32.0/debian/s390-tools.install s390-tools-1.32.0/debian/s390-tools.install
> > > > --- s390-tools-1.32.0/debian/s390-tools.install	2014-07-26 23:59:18.000000000 +0200
> > > > +++ s390-tools-1.32.0/debian/s390-tools.install	2015-12-08 23:08:30.000000000 +0100
> > > > @@ -10,6 +10,10 @@
> > > >  /sbin/dasdview
> > > >  /usr/share/man/man8/dasdview.8
> > > >  
> > > > +# dbginfo.sh
> > > > +/sbin/dbginfo.sh
> > > > +/usr/share/man/man1/dbginfo.sh.1
> > > > +
> > > >  # fdasd
> > > >  /sbin/fdasd
> > > >  /usr/share/man/man8/fdasd.8
> > > 
> > > Three comments:
> > > 
> > >  * dbginfo.sh should tell the user that the information in the tarball
> > >    is sensitive.
> > >  * The resulting tarball should be 0600 by default. (The script needs
> > >    to run as root anyway, but placing the result world-readable in
> > >    /tmp does not seem smart.)
> > >  * Unless this is expected to be in /sbin, given that it's user
> > >    invoked and not usually scripted, should this be in /usr/sbin
> > >    instead?
> > 
> > Good feedback, thanks Philipp! I've addressed all 3 issues in the
> > attached updated patch.
> 
> > diff -Nru s390-tools-1.32.0/debian/changelog s390-tools-1.32.0/debian/changelog
> > --- s390-tools-1.32.0/debian/changelog	2015-12-13 09:50:48.000000000 -0500
> > +++ s390-tools-1.32.0/debian/changelog	2016-01-29 12:56:29.000000000 -0500
> > @@ -1,3 +1,12 @@
> > +s390-tools (1.32.0-3) UNRELEASED; urgency=medium
> > +
> > +  * Add dbginfo.sh. (Closes: #807442, LP: #1539719)
> > +    - dbginfo.sh-umask.patch: Avoid leaking content to unprivileged users.
> > +    - dbginfo.sh-warn.patch: Warn users about the sensitivity of the data
> > +      this tool collects.
> > +
> > + -- dann frazier <dannf@debian.org>  Fri, 29 Jan 2016 12:49:16 -0500
> > +
> >  s390-tools (1.32.0-2) unstable; urgency=medium
> > 
> >    [ Hendrik Brueckner ]
> > diff -Nru s390-tools-1.32.0/debian/patches/dbginfo.sh-umask.patch s390-tools-1.32.0/debian/patches/dbginfo.sh-umask.patch
> > --- s390-tools-1.32.0/debian/patches/dbginfo.sh-umask.patch	1969-12-31 19:00:00.000000000 -0500
> > +++ s390-tools-1.32.0/debian/patches/dbginfo.sh-umask.patch	2016-01-29 12:21:06.000000000 -0500
> > @@ -0,0 +1,16 @@
> > +Description: dbginfo.sh: set umask to prevent local leaks of sensitive data
> > +Author: dann frazier <dannf@debian.org>
> > +Last-Update: 2016-01-29
> > +
> > +Index: s390-tools-1.32.0/scripts/dbginfo.sh
> > +===================================================================
> > +--- s390-tools-1.32.0.orig/scripts/dbginfo.sh
> > ++++ s390-tools-1.32.0/scripts/dbginfo.sh
> > +@@ -12,6 +12,7 @@ export LC_ALL
> > + # The general name of this script
> > + readonly SCRIPTNAME="${0##*/}"
> > + 
> > ++umask 0077
> 
> This is tricky and probably leads to changed permissions that might be useful
> to detect permissions problems.  Wolfgang and team worked on this topic and
> a problem fix will be provided with the next s390-tools version.  The idea
> here is to change the permission of the directory which will be created to
> contain all service data.

OK.

> > + 
> > + ########################################
> > + # print version info
> > diff -Nru s390-tools-1.32.0/debian/patches/dbginfo.sh-warn.patch s390-tools-1.32.0/debian/patches/dbginfo.sh-warn.patch
> > --- s390-tools-1.32.0/debian/patches/dbginfo.sh-warn.patch	1969-12-31 19:00:00.000000000 -0500
> > +++ s390-tools-1.32.0/debian/patches/dbginfo.sh-warn.patch	2016-01-29 12:32:51.000000000 -0500
> > @@ -0,0 +1,38 @@
> > +Description: dbginfo.sh: Sensitivity training
> > + Warn users that the archive this tool generates contains sensitive data,
> > + and give them an opportunity to exit.
> > +Author: dann frazier <dannf@debian.org>
> > +Last-Update: 2016-01-29
> > +
> > +Index: s390-tools-1.32.0/scripts/dbginfo.sh
> > +===================================================================
> > +--- s390-tools-1.32.0.orig/scripts/dbginfo.sh
> > ++++ s390-tools-1.32.0/scripts/dbginfo.sh
> > +@@ -71,6 +71,27 @@ if test "$(/usr/bin/id -u 2>/dev/null)"
> > +     exit 1
> > + fi
> > + 
> > ++echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
> > ++echo " Warning: The archive created by this utility will contain sensitive"
> > ++echo " information including, but not limited to:"
> > ++echo "  - configuration files"
> > ++echo "  - log files"
> > ++echo "  - hardware state information"
> > ++echo "  - running process state and command line arguments"
> > ++echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
> > ++echo ""
> > ++echo -n " Do you wish to continue? [y/N]> "
> > ++read resp
> > ++case "$resp" in
> > ++    y|Y)
> > ++	:
> > ++	;;
> > ++    *)
> > ++	echo "OK, exiting."
> > ++	exit 0
> > ++esac
> 
> The dbginfo.sh must be started as root and typically whoever acts as root
> should know what it does... if not, well, it should be not root ;-)

Hi Hendrik,
 I don't know that we can expect every user with root privileges to
know what /this/ tool does. Certainly they could inspect the tarball
before distributing it - but it is quite a bit of data for someone who
may be urgently trying to get a fix for their system. I personally
don't see the harm in a "hey buddy, watch what you do with this"
message - it may make someone rethink e.g. putting it on a public
webserver vs. finding a secure transport mechanism to their support
org.

> Also keep in mind that the dbginfo.sh is called from within other programs
> that are non-interactive.

Yeah - my thought there was that we could add a commandline argument
to tell it to run in non-interactive mode. I omitted that in
this patch because I didn't want to introduce an argument that may
later conflict (or differ) with something upstream.

But, on further thought, I can see why adding such a facility would
be a problem for existing users. If they already have this scripted,
an update shouldn't start making those scripts go interactive.

Perhaps we could just emit a warning at the very end of the output?

> For clarity, what exactly do you understand of "sensitive" data?  dbginfo.sh
> does not collect files that contain passwords.  If you think that dbginfo.sh
> includes password-sensitive data, feel free to report the problem to us.

What a user considers sensitive will vary from user to user. I won't
argue that dbginfo.sh should stop collecting anything that may be
perceived as sensitive - that would only limit its value as a debug
tool.

But, since you asked, some examples of things that *I* would consider
sensitive (but certainly useful for debug) are:

  - firewall configuration/iptables (oh, look at that open port!)
  - SW versions (oh, they're running a kernel w/ a known vulnerability!)
  - Network config (oh, that's the DNS server to target for MITM!)
  - The list of running processes (oh - CorpFoo uses BlahDB!)

  -dann

> 
> > ++		
> > ++
> > + #######################################
> > + # Parsing the command line
> > + #
> > diff -Nru s390-tools-1.32.0/debian/patches/series s390-tools-1.32.0/debian/patches/series
> > --- s390-tools-1.32.0/debian/patches/series	2015-12-13 09:41:14.000000000 -0500
> > +++ s390-tools-1.32.0/debian/patches/series	2016-01-29 12:21:21.000000000 -0500
> > @@ -6,3 +6,5 @@
> >  zipl-optional.patch
> >  disable.patch
> >  sg3-utils.patch
> > +dbginfo.sh-umask.patch
> > +dbginfo.sh-warn.patch
> > diff -Nru s390-tools-1.32.0/debian/s390-tools.install s390-tools-1.32.0/debian/s390-tools.install
> > --- s390-tools-1.32.0/debian/s390-tools.install	2015-12-13 09:47:24.000000000 -0500
> > +++ s390-tools-1.32.0/debian/s390-tools.install	2016-01-29 12:40:00.000000000 -0500
> > @@ -10,6 +10,10 @@
> >  /sbin/dasdview
> >  /usr/share/man/man8/dasdview.8
> > 
> > +# dbginfo.sh
> > +/sbin/dbginfo.sh /usr/sbin
> > +/usr/share/man/man1/dbginfo.sh.1
> > +
> >  # fdasd
> >  /sbin/fdasd
> >  /usr/share/man/man8/fdasd.8
> 
> Thanks and kind regards,
>   Hendrik
> 
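
The trade-off discussed in this thread, a script-wide "umask 0077" versus restricting only the directory that holds the collected data, shown as an added shell example that is not part of the thread, the patches or dbginfo.sh. Function names, paths and the sample file are constructed, and plain cp stands in (as an assumption) for however the real script gathers files.

```shell
#!/bin/sh
# Added illustration; all names and paths are hypothetical.

# Print the octal permission bits of a path (GNU coreutils stat).
mode_of() {
    stat -c '%a' "$1"
}

# Approach A: script-wide "umask 0077", as in dbginfo.sh-umask.patch.
# Everything created afterwards loses its group/other bits, so a plain
# copy of a 0644 file is stored as 0600 and the original mode is lost.
# Prints "<dir mode> <copied file mode>".
collect_global_umask() {
    src=$1 work=$2
    (
        umask 0077
        mkdir "$work" && cp "$src" "$work/"
    ) || return 1
    echo "$(mode_of "$work") $(mode_of "$work/${src##*/}")"
}

# Non-blocking reminder printed after the archive exists. It goes to stderr,
# so scripted callers that read stdout keep working and nothing waits on
# input.
closing_notice() {
    echo "Note: $1 contains configuration, logs and process data;" \
         "transfer it only over a trusted channel." >&2
}

# Approach B: leave the caller's umask alone, make only the work directory
# private, and tighten the umask just for the step that writes the archive.
# Prints "<dir mode> <copied file mode> <archive mode>".
collect_private_dir() {
    src=$1 work=$2 out=$3
    mkdir -m 0700 "$work" || return 1        # -m sets the mode exactly
    cp "$src" "$work/" || return 1           # copy keeps its 0644 bits
    ( umask 0077; tar -cf "$out" -C "$work" . ) || return 1
    closing_notice "$out"
    echo "$(mode_of "$work") $(mode_of "$work/${src##*/}") $(mode_of "$out")"
}

# Run both approaches on a constructed 0644 sample file under umask 022.
demo() {
    (
        umask 022
        base=$(mktemp -d) || exit 1
        printf 'constructed sample\n' > "$base/sample.conf"
        chmod 0644 "$base/sample.conf"
        echo "global umask: $(collect_global_umask "$base/sample.conf" "$base/a")"
        echo "private dir:  $(collect_private_dir "$base/sample.conf" "$base/b" "$base/out.tar")"
        rm -rf "$base"
    )
}

demo
```

In both cases other local users cannot enter the work directory; only approach B keeps the collected file's recorded mode while still producing a 0600 archive.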




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Aug 8 01:43:09 2024; Machine Name: bembo
