Bug 45823 - univention-server-$role packages strictly depend on too many services
Status: NEW
Product: UCS
Classification: Unclassified
Component: General
Version: UCS 5.0
Hardware: Other All
Importance: P5 normal
Assigned To: UCS maintainers
Reported: 2017-12-05 20:51 CET by Michael Grandjean
Modified: 2021-02-15 16:54 CET
What kind of report is it?: Feature Request
Bug group (optional): Security
Description Michael Grandjean univentionstaff 2017-12-05 20:51:53 CET
A lot of our univention-* packages do have reverse dependencies that go up to univention-server-$role. Because of this, it is not possible to cleanly uninstall some packages without also uninstalling almost all univention-* packages.

Example: A customer wanted to uninstall nfs-kernel-server and nfs-common because of security regulations (no NFS allowed). But:

univention-server-master depends on
 -> univention-role-server-common depends on
   -> univention-nfs-server depends on
     -> nfs-kernel-server

This way, uninstalling nfs-kernel-server will also uninstall univention-server-master, which will break the server.

This is not about NFS, the same is true for e.g. "heimdal-servers", "nagios-nrpe-server" and "openbsd-inetd".
We should consider changing the dependencies so uninstalling those (optional) components would become possible.
Comment 1 Dirk Ahrnke univentionstaff 2020-07-08 20:27:45 CEST
As this problem should not just be treated as a simple feature request, I am changing the bug report to a security problem.
There is a recommendation from BSI BUND to close openly accessible Portmapper services (https://www.bsi.bund.de/EN/Topics/IT-Crisis-Management/CERT-Bund/CERT-Reports/HOWTOs/Open-Portmapper-Services/open-Portmapper-services_node.html)

It is currently not possible to follow the advice above without eliminating essential UCS services.
It is also not advisable to rely on a packet filter to filter those ports because it may not work or can be disabled by accident.

Installing NFS by default may have been necessary in the past. It is hard to believe that every UCS-role will need it nowadays.
Comment 2 Arvid Requate univentionstaff 2020-07-14 19:20:49 CEST
Bugs tagged as "Security Issue" should have CVSS scores.
I've marked it as Bug group "Security" instead.

For CIFS, Bug #39259 shows how we can do this. I guess
we can use the same (Recommends instead of Depends) here.
Comment 3 Stephan Hendl 2020-07-15 07:17:31 CEST
Same thing here Bug 47939 I guess.
Comment 4 Philipp Hahn univentionstaff 2020-07-15 07:41:32 CEST
(In reply to Arvid Requate from comment #2)
> For cifs Bug #39259 shows how we can do this. I guess
> we can use the same (Recommends instead of Depends) here.

Our mechanism to calculate "maintained" currently only follows "Depends", so make sure to add "Recommends" to the "trigger list" to keep them maintained - or even the "DVD task list" to also keep them on the DVD to still get them installed by default.
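The following script is an added illustration of the dependency chain from the description, the Recommends-instead-of-Depends change proposed in comment 2, and the Depends-only "maintained" walk mentioned in comment 4. It is not code from this bug or from UCS: the package names are taken from the report, but the control stanzas are constructed here (the real univention packages have many more relations), and the version constraint on nfs-kernel-server is made up to show that constraints are stripped while parsing.

```python
"""Walk Depends/Recommends relations of Debian control stanzas to see what
apt would remove together with a package.  Constructed example: the package
names are the ones from the bug report, the stanzas are made up here and
are not the real UCS debian/control files."""
import re

# Constructed control stanzas reproducing the chain from the description.
CONTROL_STRICT = """\
Package: univention-server-master
Depends: univention-role-server-common

Package: univention-role-server-common
Depends: univention-nfs-server, univention-directory-manager-tools

Package: univention-nfs-server
Depends: nfs-kernel-server (>= 1:1.3), nfs-common

Package: univention-directory-manager-tools
Depends: python3

Package: nfs-kernel-server
Depends: nfs-common

Package: nfs-common

Package: python3
"""

# The change proposed in comment 2: the role-common package only Recommends
# the NFS server instead of strictly depending on it.
CONTROL_RELAXED = CONTROL_STRICT.replace(
    "Depends: univention-nfs-server, univention-directory-manager-tools",
    "Depends: univention-directory-manager-tools\n"
    "Recommends: univention-nfs-server",
)


def _relations(value):
    """Split a relation field into bare package names, dropping version
    constraints, architecture qualifiers and the '|' between alternatives."""
    names = []
    for item in value.split(","):
        for alt in item.split("|"):
            alt = re.sub(r"\s*[\(\[].*$", "", alt.strip())
            if alt:
                names.append(alt)
    return names


def parse_control(text):
    """Return {package: {"Depends": [...], "Recommends": [...]}}."""
    pkgs = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        pkgs[fields["Package"]] = {
            "Depends": _relations(fields.get("Depends", "")),
            "Recommends": _relations(fields.get("Recommends", "")),
        }
    return pkgs


def removal_closure(pkgs, target, follow=("Depends",)):
    """Everything apt would remove along with `target`: every package whose
    `follow` relations (transitively) require a removed package.  apt only
    enforces Depends on removal, so Recommends are not followed by default."""
    removed = {target}
    changed = True
    while changed:
        changed = False
        for name, rel in pkgs.items():
            if name in removed:
                continue
            needed = {n for field in follow for n in rel[field]}
            if needed & removed:
                removed.add(name)
                changed = True
    return removed


def install_closure(pkgs, root, follow=("Depends",)):
    """Packages reachable from `root` along `follow`; with Depends only this
    mirrors the "maintained" calculation described in comment 4."""
    seen, todo = set(), [root]
    while todo:
        name = todo.pop()
        if name in seen or name not in pkgs:
            continue
        seen.add(name)
        for field in follow:
            todo.extend(pkgs[name][field])
    return seen


def would_break_role(control_text, service, role="univention-server-master"):
    """True if removing `service` takes the role package with it."""
    return role in removal_closure(parse_control(control_text), service)


if __name__ == "__main__":
    for label, text in (("strict", CONTROL_STRICT), ("relaxed", CONTROL_RELAXED)):
        pkgs = parse_control(text)
        gone = sorted(removal_closure(pkgs, "nfs-kernel-server"))
        print(f"{label}: removing nfs-kernel-server also removes {gone}")
        kept = sorted(install_closure(pkgs, "univention-server-master"))
        print(f"{label}: 'maintained' via Depends only = {kept}")
```

With the strict stanzas, removing nfs-kernel-server drags univention-server-master along, exactly as the description shows; with the relaxed stanzas only univention-nfs-server goes with it. The second walk shows the catch from comment 4: once the relation is a Recommends, a Depends-only walk from the role package no longer reaches univention-nfs-server, so it has to be listed explicitly to stay maintained or on the DVD.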