bacula: 5.2.13 -> 9.2.1 #37365

Merged
merged 1 commit into from Nov 10, 2018

proteansec
Contributor

Motivation for this change

Update bacula from the older version (2013) to the newest version (2018).

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option build-use-sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Fits CONTRIBUTING.md.

@dotlambda
Member

@GrahamcOfBorg build bacula

/cc @domenkozar @lovek323

@GrahamcOfBorg

Success on x86_64-linux (full log)

Attempted: bacula

Partial log:

/nix/store/h9d9kyl8b4bm7ciaylpm5k868isb1i6m-bacula-9.0.6/etc/update_bacula_tables: interpreter directive changed from "/bin/sh" to "/nix/store/q1g0rl8zfmz7r371fp5p42p4acmv297d-bash-4.4-p19/bin/sh"
/nix/store/h9d9kyl8b4bm7ciaylpm5k868isb1i6m-bacula-9.0.6/etc/make_bacula_tables: interpreter directive changed from "/bin/sh" to "/nix/store/q1g0rl8zfmz7r371fp5p42p4acmv297d-bash-4.4-p19/bin/sh"
/nix/store/h9d9kyl8b4bm7ciaylpm5k868isb1i6m-bacula-9.0.6/etc/grant_bacula_privileges: interpreter directive changed from "/bin/sh" to "/nix/store/q1g0rl8zfmz7r371fp5p42p4acmv297d-bash-4.4-p19/bin/sh"
/nix/store/h9d9kyl8b4bm7ciaylpm5k868isb1i6m-bacula-9.0.6/etc/drop_bacula_tables: interpreter directive changed from "/bin/sh" to "/nix/store/q1g0rl8zfmz7r371fp5p42p4acmv297d-bash-4.4-p19/bin/sh"
/nix/store/h9d9kyl8b4bm7ciaylpm5k868isb1i6m-bacula-9.0.6/etc/drop_bacula_database: interpreter directive changed from "/bin/sh" to "/nix/store/q1g0rl8zfmz7r371fp5p42p4acmv297d-bash-4.4-p19/bin/sh"
/nix/store/h9d9kyl8b4bm7ciaylpm5k868isb1i6m-bacula-9.0.6/etc/make_catalog_backup: interpreter directive changed from "/bin/sh" to "/nix/store/q1g0rl8zfmz7r371fp5p42p4acmv297d-bash-4.4-p19/bin/sh"
/nix/store/h9d9kyl8b4bm7ciaylpm5k868isb1i6m-bacula-9.0.6/etc/delete_catalog_backup: interpreter directive changed from "/bin/sh" to "/nix/store/q1g0rl8zfmz7r371fp5p42p4acmv297d-bash-4.4-p19/bin/sh"
checking for references to /build in /nix/store/h9d9kyl8b4bm7ciaylpm5k868isb1i6m-bacula-9.0.6...
moving /nix/store/h9d9kyl8b4bm7ciaylpm5k868isb1i6m-bacula-9.0.6/sbin/* to /nix/store/h9d9kyl8b4bm7ciaylpm5k868isb1i6m-bacula-9.0.6/bin
/nix/store/h9d9kyl8b4bm7ciaylpm5k868isb1i6m-bacula-9.0.6

@GrahamcOfBorg

Success on aarch64-linux (full log)

Attempted: bacula

Partial log:

/nix/store/liq62x216lhz0xzdaq9x59k1mcqv9f2r-bacula-9.0.6/etc/bacula-ctl-dir: interpreter directive changed from " /bin/sh" to "/nix/store/3gg2p6n4kv2f0lsxd41f5iz1ivkbzyzr-bash-4.4-p19/bin/sh"
/nix/store/liq62x216lhz0xzdaq9x59k1mcqv9f2r-bacula-9.0.6/etc/tapealert: interpreter directive changed from "/bin/sh" to "/nix/store/3gg2p6n4kv2f0lsxd41f5iz1ivkbzyzr-bash-4.4-p19/bin/sh"
/nix/store/liq62x216lhz0xzdaq9x59k1mcqv9f2r-bacula-9.0.6/etc/bacula_config: interpreter directive changed from "/bin/sh" to "/nix/store/3gg2p6n4kv2f0lsxd41f5iz1ivkbzyzr-bash-4.4-p19/bin/sh"
/nix/store/liq62x216lhz0xzdaq9x59k1mcqv9f2r-bacula-9.0.6/etc/bacula: interpreter directive changed from " /bin/sh" to "/nix/store/3gg2p6n4kv2f0lsxd41f5iz1ivkbzyzr-bash-4.4-p19/bin/sh"
/nix/store/liq62x216lhz0xzdaq9x59k1mcqv9f2r-bacula-9.0.6/etc/bconsole: interpreter directive changed from "/bin/sh" to "/nix/store/3gg2p6n4kv2f0lsxd41f5iz1ivkbzyzr-bash-4.4-p19/bin/sh"
/nix/store/liq62x216lhz0xzdaq9x59k1mcqv9f2r-bacula-9.0.6/sbin/btraceback: interpreter directive changed from "/bin/sh" to "/nix/store/3gg2p6n4kv2f0lsxd41f5iz1ivkbzyzr-bash-4.4-p19/bin/sh"
/nix/store/liq62x216lhz0xzdaq9x59k1mcqv9f2r-bacula-9.0.6/sbin/bacula: interpreter directive changed from " /bin/sh" to "/nix/store/3gg2p6n4kv2f0lsxd41f5iz1ivkbzyzr-bash-4.4-p19/bin/sh"
checking for references to /build in /nix/store/liq62x216lhz0xzdaq9x59k1mcqv9f2r-bacula-9.0.6...
moving /nix/store/liq62x216lhz0xzdaq9x59k1mcqv9f2r-bacula-9.0.6/sbin/* to /nix/store/liq62x216lhz0xzdaq9x59k1mcqv9f2r-bacula-9.0.6/bin
/nix/store/liq62x216lhz0xzdaq9x59k1mcqv9f2r-bacula-9.0.6

@proteansec
Contributor Author

proteansec commented Mar 19, 2018

It would be better to modify the directory paths to the following in order to store logs in /var/log/bacula and keep the working directory in /var/lib/bacula instead of the Nix store.

  configureFlags = [
    "--with-sqlite3=${sqlite.dev}"
    "--with-postgresql=${postgresql}"
    "--with-logdir=/var/log/bacula"
    "--with-working-dir=/var/lib/bacula"
  ];

However, this will fail with the following issue due to the Makefile wanting to create a directory itself, which obviously doesn't have permission to do so.

./autoconf/mkinstalldirs
./autoconf/mkinstalldirs /var/log/bacula
mkdir -p -- /var/log/bacula
mkdir: cannot create directory '/var/log/bacula': Permission denied
make: *** [Makefile:208: installdirs] Error 1

Any ideas how to be able to create a directory inside /var/log/?

@dotlambda
Member

That's against Nix's principles. You'll have to set the logdir at runtime or patch the Makefile so that the directory isn't created.

@Ekleog
Member

Ekleog commented Oct 30, 2018

(triage) @proteansec, does the service run correctly with this PR applied, if it is given the right flags at runtime?

@proteansec
Contributor Author

proteansec commented Nov 1, 2018

The package is now built using the proper parameters and I've also modified the service nix package with LogsDirectory/StateDirectory in order for /var/log/bacula and /var/lib/bacula to be properly created by systemd.

The program builds just fine, but I didn't actually test the service with the new LogsDirectory/StateDirectory settings, since I would need to rebuild my system out of my local nixpkgs, which is quite cumbersome and something that I don't currently have time for.
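
An added example, not part of this PR or of the nixpkgs bacula module: a NixOS unit that lets systemd create the log and working directories at service start, so the package build never writes under /var. The unit name `bacula-dir-example`, the `bacula` user and group, and the config path are assumptions made for illustration.

```nix
# Added illustration (not the PR's code). Unit name, user/group and config
# path are assumptions; LogsDirectory/StateDirectory are the systemd
# settings named in the comment above.
{ pkgs, ... }:
{
  users.groups.bacula = { };
  users.users.bacula = {
    isSystemUser = true;
    group = "bacula";
  };

  systemd.services.bacula-dir-example = {
    description = "Bacula Director (illustrative unit)";
    after = [ "network.target" ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      # -f keeps the daemon in the foreground, -c selects the config file.
      ExecStart = "${pkgs.bacula}/bin/bacula-dir -f -c /etc/bacula/bacula-dir.conf";
      User = "bacula";
      Group = "bacula";

      # systemd creates /var/log/bacula and /var/lib/bacula before ExecStart
      # and hands them to User/Group. These match the paths compiled in with
      # --with-logdir and --with-working-dir.
      LogsDirectory = "bacula";
      StateDirectory = "bacula";

      # Backup logs and working state can reveal file names and job details,
      # so keep both directories closed to other local users.
      LogsDirectoryMode = "0750";
      StateDirectoryMode = "0750";
    };
  };
}
```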

@proteansec proteansec changed the title bacula: 5.2.13 -> 9.0.6 bacula: 5.2.13 -> 9.1.1 Nov 1, 2018
@proteansec proteansec changed the title bacula: 5.2.13 -> 9.1.1 bacula: 5.2.13 -> 9.2.1 Nov 1, 2018
@Ekleog
Member

Ekleog commented Nov 2, 2018

OK thanks! Given the ancien-ness of the current version of bacula I think this could get merged without testing… Ideally there'd be a NixOS test that validates that bacula appears to work correctly, but… :/

Actually upon further investigation current version is vulnerable to CVSS3 9.5 (!) CVE-2017-15367, so I think this should even be backported ASAP.

@Ekleog
Member

Ekleog commented Nov 2, 2018

Actually I withdraw my assertion this fixes CVE-2017-15367: the nixpkgs bacula package doesn't include bacula-web, and therefore is not vulnerable.

Backporting is thus likely a bad idea, given it'd be a big major version bump.

@infinisil infinisil merged commit 38b2520 into NixOS:master Nov 10, 2018