Bug 1217398

Summary: AUDIT-FIND: find + chown construct in %post
Product: [openSUSE] openSUSE Tumbleweed Reporter: Johannes Segitz <jsegitz>
Component: BasesystemAssignee: openSUSE GNOME <os.gnome.maintainers>
Status: RESOLVED FIXED QA Contact: E-mail List <qa-bugs>
Severity: Normal    
Priority: P5 - None CC: dimstar, jsegitz, kukuk
Version: Current   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Johannes Segitz 2023-11-22 12:35:47 UTC 
In the spec file
716 if getent passwd avahi > /dev/null; then
717   # Change ownership of /var/lib/avahi-autoipd after upgrade from openSUSE <= 12.3 and SLE <= 11.
718   find %{_localstatedir}/lib/avahi-autoipd -user avahi -exec chown avahi-autoipd:avahi-autoipd {} +                                                                                                                                                                                               719 fi

stumbled over this due to the recent changes. Couple of questions:
1, is this still needed? Based on the comment we might be able to drop it
2, why do we have the find + chown construct? Is there a directory structure below /var/lib/avahi-autoipd

In any case: please add -h to chown please to prevent it from following symlinks.
Comment 1 Dominique Leuenberger 2023-11-22 13:06:49 UTC 
(In reply to Johannes Segitz from comment #0)
> In the spec file
> 716 if getent passwd avahi > /dev/null; then
> 717   # Change ownership of /var/lib/avahi-autoipd after upgrade from
> openSUSE <= 12.3 and SLE <= 11.
> 718   find %{_localstatedir}/lib/avahi-autoipd -user avahi -exec chown
> avahi-autoipd:avahi-autoipd {} +                                            
> 719 fi
> 
> stumbled over this due to the recent changes. Couple of questions:
> 1, is this still needed? Based on the comment we might be able to drop it

Always a good question to know if/when all systems migrated this.


> 2, why do we have the find + chown construct? Is there a directory structure
> below /var/lib/avahi-autoipd

The structure can contain directories and files; 


> In any case: please add -h to chown please to prevent it from following
> symlinks.

https://build.opensuse.org/request/show/1128131
Comment 2 Thorsten Kukuk 2023-11-22 16:04:22 UTC 
(In reply to Dominique Leuenberger from comment #1)

> > 1, is this still needed? Based on the comment we might be able to drop it
> 
> Always a good question to know if/when all systems migrated this.

Upgrades from everything older than SLE12 to post SLE15 are no longer supported.
So support for migrations from SLE <= 11 should be removed.
Every line of code less in %pre/%post install scripts is a big win, especially with transactional-update, image based updates and hermetic /usr.
Comment 3 Johannes Segitz 2023-11-23 07:32:06 UTC 
yes, tricky to say when everyone migrated, but I agree with Thorsten. The comment implies this is for really old systems. I would also prefer to have this fully dropped
Comment 5 Dominique Leuenberger 2023-12-07 17:08:42 UTC 
(In reply to Johannes Segitz from comment #3)
> yes, tricky to say when everyone migrated, but I agree with Thorsten. The
> comment implies this is for really old systems. I would also prefer to have
> this fully dropped

This has been addressed in avahi:

 3+Thu Nov 23 07:48:14 UTC 2023 - Dominique Leuenberger <dimstar@opensuse.org>
 4+
 5+- avahi-autoipd: drop the post script part migrating the user
 6+  owning files in /var/lib/avahi-autoipd: the code was aiding
 7+  migrations from SLE<=11/openSUSE<=12.3, which are no longer in
 8+  scope for upgrades nowadays.
 9+
10+-------------------------------------------------------------------
11+Wed Nov 22 12:55:06 UTC 2023 - Dominique Leuenberger <dimstar@opensuse.org>
12+
13+- avahi-autoipd: guard %post chown with -h, to not follow symlinks
14+  (boo#1217398).
15+