[Bug 1708665] Re: prerotate.sh fails due to no shell for www-data user
Andreas Hasenack
andreas at canonical.com
Fri Jan 5 17:50:14 UTC 2018
** Description changed:
[Impact]
+ The logrotate script that is responsible for updating awstats statistics does not run because the www-data user that it runs as does not have a valid shell.
- * An explanation of the effects of the bug on users and
-
- * justification for backporting the fix to the stable release.
-
- * In addition, it is helpful, but not required, to include an
- explanation of how the upload fixes this bug.
+ This update adjusts the su command line to specify the same shell as the
+ script shebang line.
[Test Case]
+ To test, run the script:
- * detailed instructions how to reproduce the bug
+ Version with the bug:
+ $ sudo /etc/logrotate.d/httpd-prerotate/awstats/prerotate.sh
+ No directory, logging in with HOME=/
+ This account is currently not available.
- * these should allow someone who is not familiar with the affected
- package to reproduce the bug and verify that the updated package fixes
- the problem.
+ Fixed version:
+ $ sudo /etc/logrotate.d/httpd-prerotate/awstats/prerotate.sh
+ No directory, logging in with HOME=/
+ Error while processing /etc/awstats/awstats.conf
+ Error: SiteDomain parameter not defined in your config/domain file. You must edit it for using this version of AWStats.
+ Setup ('/etc/awstats/awstats.conf' file, web server or permissions) may be wrong.
+ Check config file, permissions and AWStats documentation (in 'docs' directory).
+
+ Note the "fixed" version actually runs the script and complains about
+ something else, unrelated to this bug. The admin must complete the
+ installation of awstats before using it, but this test is enough to
+ verify the fix.
+
+ If you want to get a full run, you have to follow the instructions in the README.Debian file. Basically, at a minimum:
+ - edit /etc/awstats/awstats.conf and give SiteDomain a value
+ - change group ownership of /var/log/apache2 and /var/log/apache2/* to www-data (that's one solution). README.Debian has other ideas, and I would add using ACLs if your filesystem of choice supports them: "setfacl -m g:www-data:rx /var/log/apache2" and "setfacl -m g:www-data:r /var/log/apache2/*"
[Regression Potential]
+ Code that wasn't running before because of this bug will now run. If the user didn't complete the awstats configuration he/she will get more verbose cron emails.
- * discussion of how regressions are most likely to manifest as a result
- of this change.
-
- * It is assumed that any SRU candidate patch is well-tested before
- upload and has a low overall risk of regression, but it's important
- to make the effort to think about what ''could'' happen in the
- event of a regression.
-
- * This both shows the SRU team that the risks have been considered,
- and provides guidance to testers in regression-testing the SRU.
[Other Info]
-
- * Anything else you think is useful to include
- * Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
- * and address these questions in advance
+ Users who have already worked around the issue by manually editing the logrotate file and adding "-s /bin/sh" or something similar will get a dpkg prompt when upgrading to this version:
+
+ Configuration file '/etc/logrotate.d/httpd-prerotate/awstats/prerotate.sh'
+ ==> Modified (by you or by a script) since installation.
+ ==> Package distributor has shipped an updated version.
+ What would you like to do about it ? Your options are:
+ Y or I : install the package maintainer's version
+ N or O : keep your currently-installed version
+ D : show the differences between the versions
+ Z : start a shell to examine the situation
+ The default action is to keep your current version.
+
=== Original description ===
This was found in Ubuntu 16.04. I have not tested other versions.
The /etc/logrotate.d/httpd-prerotate/awstats/prerotate.sh script does
not run by default, because the 'www-data' user does not have a valid
shell by default.
root@www:~# bash -x /etc/logrotate.d/httpd-prerotate/awstats/prerotate.sh
+ UPDATE_SCRIPT=/usr/share/awstats/tools/update.sh
+ '[' -x /usr/share/awstats/tools/update.sh ']'
+ su -l -c /usr/share/awstats/tools/update.sh www-data
This account is currently not available.
We could give www-data a valid shell but my preferred fix is to edit
/etc/logrotate.d/httpd-prerotate/awstats/prerotate.sh and explicitly
specify the shell with '-s /bin/bash':
diff -u ~/prerotate.sh /etc/logrotate.d/httpd-prerotate/awstats/prerotate.sh
--- /root/prerotate.sh 2017-07-31 17:07:43.749559681 -0500
+++ /etc/logrotate.d/httpd-prerotate/awstats/prerotate.sh 2017-07-31 17:07:54.122034426 -0500
@@ -2,5 +2,5 @@
UPDATE_SCRIPT=/usr/share/awstats/tools/update.sh
if [ -x $UPDATE_SCRIPT ]
then
- su -l -c $UPDATE_SCRIPT www-data
+ su -l -c $UPDATE_SCRIPT -s /bin/bash www-data
fi
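Review bot: the added su line hard-codes `-s /bin/bash`, but the shebang of prerotate.sh is on line 1, outside this hunk, so nothing visible here shows that bash is the shell the script expects. Pass the shell named by the script's own shebang instead (the updated description above says the upload does exactly that), so the su call and the script agree. Separately, `$UPDATE_SCRIPT` is unquoted in both `[ -x $UPDATE_SCRIPT ]` and the su call; quoting it is safer style. A short comment above the su line noting that www-data has no login shell would explain why `-s` is needed.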
** Merge proposal linked:
https://code.launchpad.net/~ahasenack/ubuntu/+source/awstats/+git/awstats/+merge/335761
** Merge proposal linked:
https://code.launchpad.net/~ahasenack/ubuntu/+source/awstats/+git/awstats/+merge/335759
** Merge proposal linked:
https://code.launchpad.net/~ahasenack/ubuntu/+source/awstats/+git/awstats/+merge/335760
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1708665
Title:
prerotate.sh fails due to no shell for www-data user
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/awstats/+bug/1708665/+subscriptions
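A check for other maintenance scripts with the same failure mode, as an added example that is not part of the bug report or the awstats package: it reports `su ... -c` calls that target an account whose login shell is nologin or false and that pass no `-s`. The function names `audit_su` and `make_samples`, the passwd entries and the two script copies are constructed for illustration; the parser only handles the one-word-per-argument form used by prerotate.sh.

```shell
#!/bin/sh
# Added example: report su calls that target a no-login account without -s.
# Handles the simple one-word-per-argument form used by prerotate.sh.

# audit_su PASSWD_FILE SCRIPT... -> prints "file:line:user" per failing call
audit_su() {
    passwd=$1; shift
    awk -v passwd="$passwd" '
        BEGIN {   # map each account to its login shell (7th passwd field)
            while ((getline l < passwd) > 0) { split(l, f, ":"); shell[f[1]] = f[7] }
        }
        /^[ \t]*#/ { next }   # ignore comment lines
        {
            user = ""; has_s = 0; in_su = 0
            for (i = 1; i <= NF; i++) {
                if (!in_su) { if ($i == "su") in_su = 1; continue }
                if ($i == "-s" || $i == "--shell") { has_s = 1; i++ }   # skip shell path
                else if ($i ~ /^--shell=/) has_s = 1
                else if ($i == "-c" || $i == "--command") i++           # skip command word
                else if ($i ~ /^-/) continue                            # other options
                else { user = $i; break }                               # first operand
            }
            # nologin and false exit without running the -c command
            if (in_su && !has_s && shell[user] ~ /\/(nologin|false)$/)
                print FILENAME ":" FNR ":" user
        }
    ' "$@"
}

# make_samples DIR -> writes a constructed passwd file and two script variants
make_samples() {
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin' > "$1/passwd"
    printf '%s\n' '# line 1 (shebang) is not shown on the page' \
        'UPDATE_SCRIPT=/usr/share/awstats/tools/update.sh' \
        'if [ -x $UPDATE_SCRIPT ]' 'then' \
        '  su -l -c $UPDATE_SCRIPT www-data' 'fi' > "$1/before.sh"
    sed 's|www-data$|-s /bin/bash www-data|' "$1/before.sh" > "$1/after.sh"
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
audit_su "$demo_dir/passwd" "$demo_dir/before.sh" "$demo_dir/after.sh"
rm -rf "$demo_dir"
```

Run against real files as `audit_su /etc/passwd /etc/logrotate.d/httpd-prerotate/*/*`; a hit means the call only works once `-s` is added, which keeps the service account's nologin shell in place.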