prerotate.sh fails due to no shell for www-data user

Bug #1708665 reported by Carl W. Soderstrom on 2017-08-04
16
This bug affects 2 people
Affects Status Importance Assigned to Milestone
awstats (Debian)
New
Unknown
awstats (Ubuntu)
Low
Andreas Hasenack
Xenial
Low
Andreas Hasenack
Zesty
Low
Unassigned
Artful
Low
Andreas Hasenack

Bug Description

[Impact]
The logrotate script that is responsible for updating awstats statistics does not run because the www-data user that it runs as does not have a valid shell.

This update adjusts the su command line to specify the same shell as the script shebang line.

[Test Case]
To test, run the script:

Version with the bug:
$ sudo /etc/logrotate.d/httpd-prerotate/awstats/prerotate.sh
No directory, logging in with HOME=/
This account is currently not available.

Fixed version:
$ sudo /etc/logrotate.d/httpd-prerotate/awstats/prerotate.sh
No directory, logging in with HOME=/
Error while processing /etc/awstats/awstats.conf
Error: SiteDomain parameter not defined in your config/domain file. You must edit it for using this version of AWStats.
Setup ('/etc/awstats/awstats.conf' file, web server or permissions) may be wrong.
Check config file, permissions and AWStats documentation (in 'docs' directory).

Note the "fixed" version actually runs the script and complains about something else, unrelated to this bug. The admin must complete the installation of awstats before using it, but this test is enough to verify the fix.

If you want to get a full run, you have to follow the instructions in the README.Debian file. Basically, at a minimum:
- edit /etc/awstats/awstats.conf and give SiteDomain a value
- change group ownership of /var/log/apache2 and /var/log/apache2/* to www-data (that's one solution). README.Debian has other ideas, and I would add using ACLs if your filesystem of choice supports them: "setfacl -m g:www-data:rx /var/log/apache2" and "setfacl -m g:www-data:r /var/log/apache2/*"

[Regression Potential]
Code that wasn't running before because of this bug will now run. If the user didn't complete the awstats configuration he/she will get more verbose cron emails.

[Other Info]
Users who have already worked around the issue by manually editing the logrotate file and adding "-s /bin/sh" or something similar will get a dpkg prompt when upgrading to this version:

Configuration file '/etc/logrotate.d/httpd-prerotate/awstats/prerotate.sh'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ? Your options are:
    Y or I : install the package maintainer's version
    N or O : keep your currently-installed version
      D : show the differences between the versions
      Z : start a shell to examine the situation
 The default action is to keep your current version.

=== Original description ===

This was found in Ubuntu 16.04. I have not tested other versions.

The /etc/logrotate.d/httpd-prerotate/awstats/prerotate.sh script does not run by default, because the 'www-data' user does not have a valid shell by default.

root@www:~# bash -x /etc/logrotate.d/httpd-prerotate/awstats/prerotate.sh
+ UPDATE_SCRIPT=/usr/share/awstats/tools/update.sh
+ '[' -x /usr/share/awstats/tools/update.sh ']'
+ su -l -c /usr/share/awstats/tools/update.sh www-data
This account is currently not available.

We could give www-data a valid shell but my preferred fix is to edit /etc/logrotate.d/httpd-prerotate/awstats/prerotate.sh and explicitly specify the shell with '-s /bin/bash':

diff -u ~/prerotate.sh /etc/logrotate.d/httpd-prerotate/awstats/prerotate.sh
--- /root/prerotate.sh 2017-07-31 17:07:43.749559681 -0500
+++ /etc/logrotate.d/httpd-prerotate/awstats/prerotate.sh 2017-07-31 17:07:54.122034426 -0500
@@ -2,5 +2,5 @@
 UPDATE_SCRIPT=/usr/share/awstats/tools/update.sh
 if [ -x $UPDATE_SCRIPT ]
 then
- su -l -c $UPDATE_SCRIPT www-data
+ su -l -c $UPDATE_SCRIPT -s /bin/bash www-data
 fi

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in awstats (Ubuntu):
status: New → Confirmed
Andreas Hasenack (ahasenack) wrote :

I'd suggest /bin/sh, as that is the shell in the shebang line of the script.

Changed in awstats (Ubuntu):
importance: Undecided → Low
tags: added: bitesize server-next
tags: added: bite-size
removed: bitesize
tags: added: bitesize
removed: bite-size
Changed in awstats (Ubuntu):
status: Confirmed → Triaged
Andreas Hasenack (ahasenack) wrote :

This affects xenial and higher.

Changed in awstats (Ubuntu Xenial):
importance: Undecided → Low
Changed in awstats (Ubuntu Zesty):
importance: Undecided → Low
Changed in awstats (Ubuntu Artful):
importance: Undecided → Low
Changed in awstats (Ubuntu Xenial):
status: New → Triaged
Changed in awstats (Ubuntu Zesty):
status: New → Triaged
Changed in awstats (Ubuntu Artful):
status: New → Triaged
Andreas Hasenack (ahasenack) wrote :

There won't be time to SRU this for zesty before its EOL.

Changed in awstats (Ubuntu Zesty):
status: Triaged → Won't Fix
Changed in awstats (Ubuntu Xenial):
assignee: nobody → Andreas Hasenack (ahasenack)
Changed in awstats (Ubuntu Artful):
assignee: nobody → Andreas Hasenack (ahasenack)
Changed in awstats (Ubuntu Xenial):
status: Triaged → In Progress
Changed in awstats (Ubuntu Artful):
status: Triaged → In Progress
Changed in awstats (Ubuntu):
assignee: nobody → Andreas Hasenack (ahasenack)
status: Triaged → In Progress
description: updated
description: updated
Changed in awstats (Debian):
status: Unknown → New
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package awstats - 7.6+dfsg-1ubuntu2

---------------
awstats (7.6+dfsg-1ubuntu2) bionic; urgency=medium

  [ Christian Ehrhardt ]
  * debian/README.Debian, debian/prerotate.sh: fix logrotate integration due to
    change of www-data to /usr/sbin/nologin (Closes: #858461, LP: #1708665)

 -- Andreas Hasenack <email address hidden> Fri, 15 Dec 2017 18:55:12 -0200

Changed in awstats (Ubuntu):
status: In Progress → Fix Released

Hello Carl, or anyone else affected,

Accepted awstats into artful-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/awstats/7.6+dfsg-1ubuntu0.17.10.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-artful to verification-done-artful. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-artful. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in awstats (Ubuntu Artful):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-artful
Changed in awstats (Ubuntu Xenial):
status: In Progress → Fix Committed
tags: added: verification-needed-xenial
Brian Murray (brian-murray) wrote :

Hello Carl, or anyone else affected,

Accepted awstats into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/awstats/7.4+dfsg-1ubuntu0.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Andreas Hasenack (ahasenack) wrote :

Verification for xenial:

Confirming the bug in the old version:
 *** 7.4+dfsg-1ubuntu0.2 500
        500 http://br.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages

$ sudo /etc/logrotate.d/httpd-prerotate/awstats/prerotate.sh
No directory, logging in with HOME=/
This account is currently not available.

Updating:
$ sudo apt install awstats
(...)
Get:1 http://br.archive.ubuntu.com/ubuntu xenial-proposed/main amd64 awstats all 7.4+dfsg-1ubuntu0.3 [1,835 kB]
Fetched 1,835 kB in 0s (19.0 MB/s)
(...)
Setting up awstats (7.4+dfsg-1ubuntu0.3) ...
Installing new version of config file /etc/logrotate.d/httpd-prerotate/awstats/prerotate.sh ...

Script now runs and complains about the expected things:
$ sudo /etc/logrotate.d/httpd-prerotate/awstats/prerotate.sh
No directory, logging in with HOME=/
Error while processing /etc/awstats/awstats.conf
Error: SiteDomain parameter not defined in your config/domain file. You must edit it for using this version of AWStats.
Setup ('/etc/awstats/awstats.conf' file, web server or permissions) may be wrong.
Check config file, permissions and AWStats documentation (in 'docs' directory).

Xenial verification completed.

tags: added: verification-done-xenial
removed: verification-needed-xenial
Andreas Hasenack (ahasenack) wrote :

Verification for artful:

Confirming the bug in the old version:
 *** 7.6+dfsg-1ubuntu0.17.10.1 500
        500 http://br.archive.ubuntu.com/ubuntu artful-updates/main amd64 Packages

ubuntu@artful-awstats:~$ sudo /etc/logrotate.d/httpd-prerotate/awstats/prerotate.sh
No directory, logging in with HOME=/
This account is currently not available.

Updating:
(...)
Get:1 http://br.archive.ubuntu.com/ubuntu artful-proposed/main amd64 awstats all 7.6+dfsg-1ubuntu0.17.10.2 [1843 kB]
(...)
Setting up awstats (7.6+dfsg-1ubuntu0.17.10.2) ...
Installing new version of config file /etc/logrotate.d/httpd-prerotate/awstats/prerotate.sh ...

Script now runs and complains about the expected things:
ubuntu@artful-awstats:~$ sudo /etc/logrotate.d/httpd-prerotate/awstats/prerotate.sh
No directory, logging in with HOME=/
Error while processing /etc/awstats/awstats.conf
Error: SiteDomain parameter not defined in your config/domain file. You must edit it for using this version of AWStats.
Setup ('/etc/awstats/awstats.conf' file, web server or permissions) may be wrong.
Check config file, permissions and AWStats documentation (in 'docs' directory).

Artful verification completed.

tags: added: verification-done-artful
removed: verification-needed-artful
Carl W. Soderstrom (redchrome) wrote :

Thanks much for the fix and the verification!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package awstats - 7.6+dfsg-1ubuntu0.17.10.2

---------------
awstats (7.6+dfsg-1ubuntu0.17.10.2) artful; urgency=medium

  [ Christian Ehrhardt ]
  * debian/README.Debian, debian/prerotate.sh: fix logrotate integration due to
    change of www-data to /usr/sbin/nologin (Closes: #858461, LP: #1708665)

 -- Andreas Hasenack <email address hidden> Fri, 15 Dec 2017 18:10:54 -0200

Changed in awstats (Ubuntu Artful):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for awstats has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package awstats - 7.4+dfsg-1ubuntu0.3

---------------
awstats (7.4+dfsg-1ubuntu0.3) xenial; urgency=medium

  [ Christian Ehrhardt ]
  * debian/README.Debian, debian/prerotate.sh: fix logrotate integration due to
    change of www-data to /usr/sbin/nologin (Closes: #858461, LP: #1708665)

 -- Andreas Hasenack <email address hidden> Fri, 15 Dec 2017 17:45:01 -0200

Changed in awstats (Ubuntu Xenial):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.