Main Inclusion Report for sourcepackage

Requirements

1. Availability: http://archive.ubuntu.com/ubuntu/pool/universe/s/sysstat; available for all supported architectures.

2. Rationale:

   • https://wiki.ubuntu.com/ServerPackageReview

3. Security:

   • CVE entries: 4 entries. none of them seem to affect the version in hardy.

   • Secunia history: same story as CVE db.

   • Any binaries running as root or suid/sgid ? Any daemons ?
     • Yes one daemon running as root to collect data.
   • Network activity: does it open any port ? Does it handle incoming network data ?
     • no open ports. daemon run locally.

   • High level source code review performed by JamieStrandboge

     • sa1
       • /bin/sh script
       • called via /etc/cron.d/sysstat and /etc/init.d/sysstat
       • wrapper for sadc and does file manipulation in /var/log/sysstat properly
     • sa2
       • /bin/sh
       • called via /etc/cron.daily/sysstat
       • wrapper for sar.sysstat and does file manipulation properly (oddly, it does a cd to /usr/bin, then does 'rm' and 'find ... -exec' ..., but the paths to 'rm' and 'find' are absolute paths in /var/log/sysstat)
     • sadc
       • ELF binary
       • called via sa1 and sar.sysstat (and therefore sa2)
       • vulnerable to TOCTOU via access() in open_ofile(). High-level review shows this should not be an issue in practice, as checked files when run from cron and initscript are all in /var/log/sysstat, which is owned by root. Should only be a problem if run by root and output file is somewhere writable be normal users (eg /tmp)
       • spot-checked memory and string functions and it performs them properly
       • reads the following files (which can't be manipulated by users):
         1. /proc/stat
         2. /proc/loadavg
         3. /proc/meminfo
         4. /proc/vmstat
         5. /proc/tty/driver/serial (requires root)
         6. /proc/interrupts
         7. /proc/sys/fs/dentry-state
         8. /proc/sys/fs/file-nr
         9. /proc/sys/fs/inode-state
         10. /proc/net/dev
         11. /proc/net/sockstat
         12. /proc/net/rpc/nfs
         13. /proc/net/rpc/nfsd
         14. /proc/diskstats
         15. /proc/partitions
         16. /proc/uptime
       • it would be nice if sadc could be run as non-root, as it needs it for only one file (/proc/tty/driver/serial)
     • sar.sysstat
       • ELF binary
       • called via sa2
       • spot-checked memory and string functions and it performs them properly
       • found slight problem with call to execvp function, but will report upstream and upload

4. Quality assurance:

   • In what situations does the package not work out of the box without configuration ?
     • none
   • Does the package ask any debconf questions higher than priority 'medium' ?

     • Yes, only when upgrading from < 8.0.0

   • Debian bugs: nothing scary.

   • Maintenance in Debian is vigorous

   • http://pagesperso-orange.fr/sebastien.godard/ is vigorous

   • Hardware: Does this package deal with hardware and if so how exotic is it ?
     • no

5. Standards compliance:

   • FHS, Debian Policy

     • Yeps.

   • Debian library packaging guide standards compliance ?

     • no libs
   • Packaging system (debhelper/cdbs/dbs) ? Patch system ? Any packaging oddities ?
     • none.

6. Dependencies:

   • B-D are all in main.
   • Depends for isag binary are not but it could easily stay in universe. The stuff for the core is all in main.

Reviewers

MIR bug: https://bugs.launchpad.net/bugs/183469

The author of this report should put their name here; reviewers will add comments etc. too

FabioMassimoDiNitto JamieStrandboge