Hi Dann,
I have CC'ed Wolfgang, who takes care of it from a customer service perspective.
Within our team, we received some feedback for your patches that I want to
share with you.
Post by dann frazierPost by Philipp KernPost by dann frazierdiff -Nru s390-tools-1.32.0/debian/changelog s390-tools-1.32.0/debian/changelog
--- s390-tools-1.32.0/debian/changelog 2015-10-25 17:12:02.000000000 +0100
+++ s390-tools-1.32.0/debian/changelog 2015-12-08 23:14:52.000000000 +0100
@@ -1,3 +1,9 @@
+s390-tools (1.32.0-2) UNRELEASED; urgency=medium
+
+ * Add dbginfo.sh. (Closes: #807442)
+
+
s390-tools (1.32.0-1) unstable; urgency=medium
* New upstream release
diff -Nru s390-tools-1.32.0/debian/s390-tools.install s390-tools-1.32.0/debian/s390-tools.install
--- s390-tools-1.32.0/debian/s390-tools.install 2014-07-26 23:59:18.000000000 +0200
+++ s390-tools-1.32.0/debian/s390-tools.install 2015-12-08 23:08:30.000000000 +0100
@@ -10,6 +10,10 @@
/sbin/dasdview
/usr/share/man/man8/dasdview.8
+# dbginfo.sh
+/sbin/dbginfo.sh
+/usr/share/man/man1/dbginfo.sh.1
+
# fdasd
/sbin/fdasd
/usr/share/man/man8/fdasd.8
* dbginfo.sh should tell the user that the information in the tarball
is sensitive.
* The resulting tarball should be 0600 by default. (The script needs
to run as root anyway, but placing the result world-readable in
/tmp does not seem smart.)
* Unless this is expected to be in /sbin, given that it's user
invoked and not usually scripted, should this be in /usr/sbin
instead?
Good feedback, thanks Philipp! I've addressed all 3 issues in the
attached updated patch.
diff -Nru s390-tools-1.32.0/debian/changelog s390-tools-1.32.0/debian/changelog
--- s390-tools-1.32.0/debian/changelog 2015-12-13 09:50:48.000000000 -0500
+++ s390-tools-1.32.0/debian/changelog 2016-01-29 12:56:29.000000000 -0500
@@ -1,3 +1,12 @@
+s390-tools (1.32.0-3) UNRELEASED; urgency=medium
+
+ * Add dbginfo.sh. (Closes: #807442, LP: #1539719)
+ - dbginfo.sh-umask.patch: Avoid leaking content to unprivileged users.
+ - dbginfo.sh-warn.patch: Warn users about the sensitivity of the data
+ this tool collects.
+
+
s390-tools (1.32.0-2) unstable; urgency=medium
[ Hendrik Brueckner ]
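Review bot: The 1.32.0-3 entry lists dbginfo.sh-umask.patch and dbginfo.sh-warn.patch but does not record that dbginfo.sh is installed under /usr/sbin rather than /sbin, which the s390-tools.install change in this same patch does. Suggest a third sub-item under "Add dbginfo.sh." naming the install location, so the changelog covers all three points raised in review.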
diff -Nru s390-tools-1.32.0/debian/patches/dbginfo.sh-umask.patch s390-tools-1.32.0/debian/patches/dbginfo.sh-umask.patch
--- s390-tools-1.32.0/debian/patches/dbginfo.sh-umask.patch 1969-12-31 19:00:00.000000000 -0500
+++ s390-tools-1.32.0/debian/patches/dbginfo.sh-umask.patch 2016-01-29 12:21:06.000000000 -0500
@@ -0,0 +1,16 @@
+Description: dbginfo.sh: set umask to prevent local leaks of sensitive data
+Last-Update: 2016-01-29
+
+Index: s390-tools-1.32.0/scripts/dbginfo.sh
+===================================================================
+--- s390-tools-1.32.0.orig/scripts/dbginfo.sh
++++ s390-tools-1.32.0/scripts/dbginfo.sh
+ # The general name of this script
+ readonly SCRIPTNAME="${0##*/}"
+
++umask 0077
This is tricky and probably leads to changed permissions that might be useful
to detect permission problems. Wolfgang and team worked on this topic and
a problem fix will be provided with the next s390-tools version. The idea
here is to change the permission of the directory which will be created to
contain all service data.
Post by dann frazier+
+ ########################################
+ # print version info
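Review bot: `umask 0077` placed directly after the SCRIPTNAME assignment applies to every file and directory the script creates from that point on, not only to the output archive, and it does not change the mode of an output path that already exists. Consider limiting the restriction to the place where the work directory and tarball are created (directory mode 0700, tarball mode 0600). The patch header also carries only Description and Last-Update; an Author and a Forwarded field would make its origin and upstream status clear.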
diff -Nru s390-tools-1.32.0/debian/patches/dbginfo.sh-warn.patch s390-tools-1.32.0/debian/patches/dbginfo.sh-warn.patch
--- s390-tools-1.32.0/debian/patches/dbginfo.sh-warn.patch 1969-12-31 19:00:00.000000000 -0500
+++ s390-tools-1.32.0/debian/patches/dbginfo.sh-warn.patch 2016-01-29 12:32:51.000000000 -0500
@@ -0,0 +1,38 @@
+Description: dbginfo.sh: Sensitivity training
+ Warn users that the archive this tool generates contains sensitive data,
+ and give them an opportunity to exit.
+Last-Update: 2016-01-29
+
+Index: s390-tools-1.32.0/scripts/dbginfo.sh
+===================================================================
+--- s390-tools-1.32.0.orig/scripts/dbginfo.sh
++++ s390-tools-1.32.0/scripts/dbginfo.sh
+ exit 1
+ fi
+
++echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
++echo " Warning: The archive created by this utility will contain sensitive"
++echo " information including, but not limited to:"
++echo " - configuration files"
++echo " - log files"
++echo " - hardware state information"
++echo " - running process state and command line arguments"
++echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
++echo ""
++echo -n " Do you wish to continue? [y/N]> "
++read resp
++case "$resp" in
++ y|Y)
++ ;;
++ *)
++ echo "OK, exiting."
++ exit 0
++esac
The dbginfo.sh must be started as root and typically whoever acts as root
should know what it does... if not, well, it should not be root ;-)
Also keep in mind that the dbginfo.sh is called from within other programs
that are non-interactive.
For clarity, what exactly do you understand by "sensitive" data? dbginfo.sh
does not collect files that contain passwords. If you think that dbginfo.sh
includes password-sensitive data, feel free to report the problem to us.
Post by dann frazier++
++
+ #######################################
+ # Parsing the command line
+ #
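Review bot: The prompt is unconditional and sits above the "Parsing the command line" block, so `read resp` waits on stdin in every invocation, before any option is looked at. An empty or missing answer falls into the `*)` branch, which ends with `exit 0`, so a calling program sees success although no archive was written. Suggest prompting only when stdin is a terminal, or adding an option that skips the question, and exiting non-zero when the user declines. `echo -n` is also not portable across sh implementations; `printf` avoids that.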
diff -Nru s390-tools-1.32.0/debian/patches/series s390-tools-1.32.0/debian/patches/series
--- s390-tools-1.32.0/debian/patches/series 2015-12-13 09:41:14.000000000 -0500
+++ s390-tools-1.32.0/debian/patches/series 2016-01-29 12:21:21.000000000 -0500
@@ -6,3 +6,5 @@
zipl-optional.patch
disable.patch
sg3-utils.patch
+dbginfo.sh-umask.patch
+dbginfo.sh-warn.patch
diff -Nru s390-tools-1.32.0/debian/s390-tools.install s390-tools-1.32.0/debian/s390-tools.install
--- s390-tools-1.32.0/debian/s390-tools.install 2015-12-13 09:47:24.000000000 -0500
+++ s390-tools-1.32.0/debian/s390-tools.install 2016-01-29 12:40:00.000000000 -0500
@@ -10,6 +10,10 @@
/sbin/dasdview
/usr/share/man/man8/dasdview.8
+# dbginfo.sh
+/sbin/dbginfo.sh /usr/sbin
+/usr/share/man/man1/dbginfo.sh.1
+
# fdasd
/sbin/fdasd
/usr/share/man/man8/fdasd.8
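Review bot: The manual page stays in /usr/share/man/man1 while the script is now installed to /usr/sbin; the neighbouring entries in this file (dasdview.8, fdasd.8) pair their sbin tools with section 8. Worth confirming that section 1 is intended for a tool that has to run as root, or noting that the upstream page name is being kept as is.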
Thanks and kind regards,
Hendrik
--
Hendrik Brueckner
***@linux.vnet.ibm.com | IBM Deutschland Research & Development GmbH
Linux on z Systems Development | Schoenaicher Str. 220, 71032 Boeblingen
IBM Deutschland Research & Development GmbH
Vorsitzender des Aufsichtsrats: Martina Koederitz
Geschaeftsfuehrung: Dirk Wittkopp
Sitz der Gesellschaft: Boeblingen
Registergericht: Amtsgericht Stuttgart, HRB 243294
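
An added example, not part of the thread or of s390-tools: restricting the work directory and the tarball instead of the whole script's umask, so that copied files keep the modes they had on the system. The function names, the `dbginfo-demo` prefix and the sample file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not s390-tools code: keep collected data private without a
# script-wide umask. All names below are hypothetical.

# mode_of PATH: print the ls-style type and permission string, e.g. -rw-------
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# collect_private OUTDIR FILE...
# Copies each FILE into a fresh 0700 work directory under OUTDIR, keeping the
# original file modes, then writes a 0600 tarball and prints its path.
collect_private() {
    outdir=$1
    shift
    # mktemp -d creates the directory with mode 0700 and never reuses an
    # existing name, which matters in a shared location such as /tmp.
    work=$(mktemp -d "$outdir/dbginfo-demo.XXXXXX") || return 1
    mkdir "$work/data" || return 1
    for f in "$@"; do
        # -p preserves mode and timestamps, so the archive still shows the
        # permissions the files had on the system being debugged.
        cp -p "$f" "$work/data/" || return 1
    done
    tarball="$work/data.tgz"
    # Restrict the umask in a subshell: only the tarball is created with 0600.
    ( umask 0077 && tar -C "$work" -czf "$tarball" data ) || return 1
    printf '%s\n' "$tarball"
}

# Demo on constructed sample input.
demo() {
    src=$(mktemp -d) || return 1
    printf 'constructed sample\n' > "$src/sample.conf"
    chmod 0644 "$src/sample.conf"
    tb=$(collect_private "$src" "$src/sample.conf") || return 1
    echo "workdir $(mode_of "${tb%/*}")  tarball $(mode_of "$tb")"
    echo "copy    $(mode_of "${tb%/*}/data/sample.conf")"
    rm -rf "$src"
}
demo
```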