Solaris 11 does not remove the group in Solaris 11.3 #3053

Open
rauldpm opened this issue Jul 22, 2024 · 2 comments

rauldpm commented Jul 22, 2024

Description

The v4.9.0-alpha3 dev documentation states the following note when uninstalling the Solaris 11 package:

Note

If you uninstall the Wazuh agent in Solaris 11.4 or later, the Solaris 11 package manager does not remove the group wazuh from the system. Run the groupdel wazuh command to manually remove it.

But when I removed the package on a Solaris 11.3 system, the wazuh group still existed:

root@sossp104:~# pkg uninstall wazuh-agent
            Packages to remove:  1
            Services to change:  1
       Create boot environment: No
Create backup boot environment: No

PHASE                                          ITEMS
Removing old actions                         233/233
Updating package state database                 Done 
Updating package cache                           1/1 
Updating image state                            Done 
Creating fast lookup database                   Done 
Updating package cache                           2/2 

The following unexpected or editable files and directories were
salvaged while executing the requested package operation; they
have been moved to the displayed location in the image:

  ar/ossec/etc/client.keys -> /var/pkg/lost+found/var/ossec/etc/client.keys-20240722T154943Z
  ar/ossec/etc/ossec.conf -> /var/pkg/lost+found/var/ossec/etc/ossec.conf-20240722T154943Z
  ar/ossec/ruleset/sca -> /var/pkg/lost+found/var/ossec/ruleset/sca-20240722T154943Z
  ar/ossec/queue/syscollector/db -> /var/pkg/lost+found/var/ossec/queue/syscollector/db-20240722T154943Z
  ar/ossec/queue/sockets -> /var/pkg/lost+found/var/ossec/queue/sockets-20240722T154943Z
  ar/ossec/queue/rids -> /var/pkg/lost+found/var/ossec/queue/rids-20240722T154943Z
  ar/ossec/queue/logcollector -> /var/pkg/lost+found/var/ossec/queue/logcollector-20240722T154943Z
  ar/ossec/queue/fim/db -> /var/pkg/lost+found/var/ossec/queue/fim/db-20240722T154943Z
  ar/ossec/queue/alerts -> /var/pkg/lost+found/var/ossec/queue/alerts-20240722T154943Z
  ar/ossec/etc/shared -> /var/pkg/lost+found/var/ossec/etc/shared-20240722T154943Z
root@sossp104:~# grep wazuh /etc/group 
wazuh::13:
root@sossp104:~# grep wazuh /etc/passwd | wc -l
       0
root@sossp104:~# groupdel wazuh
root@sossp104:~# groupdel ossec
UX: groupdel: ERROR: ossec does not exist.

We need to determine if the package is not removing the group or if we need to change the documentation.

Related

@MarcelKemp

Replicated

I was able to replicate the problem on a Solaris 11:

root@solaris11:/export/home/vagrant# pkg uninstall wazuh-agent
            Packages to remove:  1
            Services to change:  1
       Create boot environment: No
Create backup boot environment: No

PHASE                                          ITEMS
Removing old actions                         233/233
Updating package state database                 Done 
Updating package cache                           1/1 
Updating image state                            Done 
Creating fast lookup database                   Done 
Updating package cache                           1/1 

The following unexpected or editable files and directories were
salvaged while executing the requested package operation; they
have been moved to the displayed location in the image:

  ar/ossec/etc/ossec.conf -> /var/pkg/lost+found/var/ossec/etc/ossec.conf-20240723T184935Z
  ar/ossec/ruleset/sca -> /var/pkg/lost+found/var/ossec/ruleset/sca-20240723T184935Z
  ar/ossec/queue/syscollector/db -> /var/pkg/lost+found/var/ossec/queue/syscollector/db-20240723T184935Z
  ar/ossec/queue/sockets -> /var/pkg/lost+found/var/ossec/queue/sockets-20240723T184935Z
  ar/ossec/queue/logcollector -> /var/pkg/lost+found/var/ossec/queue/logcollector-20240723T184935Z
  ar/ossec/queue/fim/db -> /var/pkg/lost+found/var/ossec/queue/fim/db-20240723T184935Z
  ar/ossec/queue/alerts -> /var/pkg/lost+found/var/ossec/queue/alerts-20240723T184935Z
root@solaris11:/export/home/vagrant# grep wazuh /etc/group 
wazuh::13:
root@solaris11:/export/home/vagrant# grep wazuh /etc/passwd | wc -l
       0
root@solaris11:/export/home/vagrant# groupdel wazuh
root@solaris11:/export/home/vagrant# groupdel wazuh
UX: groupdel: ERROR: wazuh does not exist.

Possible causes

The problem may be a privilege issue when deleting the wazuh group, as I show in the following outputs, if you are not using an admin user:

vagrant@solaris11:~$ sudo pkg uninstall wazuh-agent
            Packages to remove:  1
            Services to change:  1
       Create boot environment: No
Create backup boot environment: No

PHASE                                          ITEMS
Removing old actions                         233/233
Updating package state database                 Done 
Updating package cache                           1/1 
Updating image state                            Done 
Creating fast lookup database                   Done 
Updating package cache                           1/1 

The following unexpected or editable files and directories were
salvaged while executing the requested package operation; they
have been moved to the displayed location in the image:

  ar/ossec/ruleset/sca -> /var/pkg/lost+found/var/ossec/ruleset/sca-20240723T190002Z
vagrant@solaris11:~$ grep wazuh /etc/group
wazuh::13:
vagrant@solaris11:~$ groupdel wazuh
UX: groupdel: ERROR: Permission denied.
vagrant@solaris11:~$ sudo groupdel wazuh

In this case, the bug seems to be found from 4.3 with the following PR:

However, this has nothing to do with the Solaris version 11.4 that they indicate. It is therefore not 100% certain that this is the problem.

On the other hand, looking for the reason they indicate a version 11.4 or higher, I have not found any reason for it, as the commit where it was introduced does not contain any relevant information:

Tasks to investigate

  • Reason why Solaris version 11.4 or higher is indicated.
  • See if the problem is due to user permissions.

MarcelKemp removed their assignment Jul 24, 2024

vikman90 commented Jul 24, 2024

Thanks, @MarcelKemp.

Let's add this issue to the backlog as a medium-impact bug, since it dates back to previous versions.
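
The manual check used in the comments above (grep the group and passwd files, then groupdel), written as an added example that is not part of the issue or of the Wazuh packaging code: it matches the group name exactly and confirms that no account still uses the GID before the group is removed. The function names, status strings and sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Wazuh project code): post-uninstall check for a leftover group.
# Classifies a group as absent, orphaned (nothing references it) or in-use.
# Assumes an awk that supports -v; where the default awk does not, use nawk.

# Args: group name, group file, passwd file (defaults are the system files).
leftover_group_status() {
    name=$1
    group_file=${2:-/etc/group}
    passwd_file=${3:-/etc/passwd}

    # Exact match on field 1; a plain "grep wazuh" would also match "wazuh-dev".
    entry=$(awk -F: -v g="$name" '$1 == g { print; exit }' "$group_file")
    if [ -z "$entry" ]; then
        echo "absent"
        return 0
    fi

    gid=$(printf '%s\n' "$entry" | cut -d: -f3)
    members=$(printf '%s\n' "$entry" | cut -d: -f4)

    # Count accounts whose primary GID (passwd field 4) is this group.
    primary=$(awk -F: -v id="$gid" '$4 == id { n++ } END { print n + 0 }' "$passwd_file")

    if [ -n "$members" ] || [ "$primary" -gt 0 ]; then
        echo "in-use gid=$gid primary_users=$primary members=${members:-none}"
    else
        echo "orphaned gid=$gid"
    fi
}

# Constructed sample files mirroring the outputs above ("wazuh::13:", no wazuh user).
make_sample() {
    dir=$(mktemp -d)
    printf 'root::0:\nstaff::10:\nwazuh::13:\n' > "$dir/group"
    printf 'root:x:0:0:Super-User:/root:/usr/bin/bash\n' > "$dir/passwd"
    echo "$dir"
}

sample=$(make_sample)
leftover_group_status wazuh "$sample/group" "$sample/passwd"
rm -rf "$sample"
```

When the status is `orphaned`, the `groupdel wazuh` command from the documentation note applies; as the outputs above show, it has to be run with root privileges.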
