From owner-freebsd-current Thu Aug 1 9:57:50 2002
Date: Thu, 01 Aug 2002 19:57:40 +0300
From: Maxim Sobolev
Organization: Vega International Capital
To: Bruce Evans, current@FreeBSD.org, obrien@FreeBSD.org
Subject: Re: pkg_add broken by POLA breakage in tar
Message-ID: <3D496884.EEB93078@FreeBSD.org>
References: <20020801203312.V1911-100000@gamplex.bde.org>
            <3D495A26.4627C170@FreeBSD.org>
            <3D495C93.C7198139@FreeBSD.org>

Maxim Sobolev wrote:
>
> Maxim Sobolev wrote:
> >
> > Bruce Evans wrote:
> > >
> > > Revs. 1.2-1.3 of tar/src/extract.c break pkg_add (not to mention probably
> > > thousands of user scripts that are no more careful than pkg_add) in
> > > -current and RELENG_4:
> >
> > Are you sure? My own investigation at the time of the commit showed
> > that the old tar shipped with FreeBSD was adjusting permissions of
> > extracted files when running as uid 0 according to the current umask
> > settings, so that IMO 1.2-1.3 actually restored POLA, not broke it.

OK, further investigation shows that the problem is likely that, unlike
the old one, the new tar doesn't preserve suid/sgid bits on extraction,
and that is what probably needs to be fixed instead.

>
> Need evidence? Here it is:
>
> # cvs co -D "10 months ago" src/gnu/usr.bin/tar
> [...]
> # cd src/gnu/usr.bin/tar
> # make
> [...]
> # mkdir foo
> # touch foo/bar
> # chmod 777 foo
> # chmod 777 foo/bar
> # ./tar cvf foo.tar foo
> foo/
> foo/bar
> # rm -rf foo
> # ./tar xvf foo.tar
> foo/
> foo/bar
> root@notebook# ls -l | grep foo
> drwxr-xr-x  2 root  wheel    512  1 Aug 19:01 foo/
> -rw-r--r--  1 root  wheel  10240  1 Aug 19:01 foo.tar
> root@notebook# ls -l foo
> total 0
> -rwxr-xr-x  1 root  wheel  0  1 Aug 19:01 bar*
> # umask
> 0022
> #
>
> -Maxim
>
> >
> > -Maxim
> >
> > >
> > > % RCS file: /home/ncvs/src/contrib/tar/src/extract.c,v
> > > % Working file: extract.c
> > > % head: 1.4
> > > % branch:
> > > % locks: strict
> > > % access list:
> > > % symbolic names:
> > > %         RELENG_4: 1.4.0.2
> > >           ^^^^^^^^
> > > %         TAR_v1_13_25: 1.1.1.1
> > > %         FSF: 1.1.1
> > > % keyword substitution: kv
> > > % total revisions: 6;    selected revisions: 6
> > > % description:
> > > % ...
> > > % ----------------------------
> > > % revision 1.3
> > > % date: 2002/06/07 06:02:35;  author: sobomax;  state: Exp;  lines: +1 -1
> > > % Disabling automatic --same-owner option when running as uid 0 along with
> > > % the --same-permissions was an overkill, so put it back. This is consistent
> > > % with what our old tar did.
> > > %
> > > % Suggested by:   dillon
> > > % ----------------------------
> > > % revision 1.2
> > > % date: 2002/06/07 00:03:23;  author: sobomax;  state: Exp;  lines: +4 -0
> > > % IMO it was a quite ugly idea that if we are running as uid 0 then we can
> > > % safely ignore current umask(2) and assume that permissions should be set
> > > % right like in the archive. Not only it violates POLA, but introduces
> > >                                                    ^^^^^^^^^^^^^
> > > % huge potential security vulnerability, particularly for ports, where
> > > % many popular archives come with 777 files and dirs.
> > > % ----------------------------
> > >
> > > Actually, it is the change that violates POLA, and it breaks everything that
> > > depends on the historical and still documented behaviour.
> > > (The man page even says that (almost) all permissions are restored even
> > > in the !root case (it says this indirectly by saying that all attributes
> > > are restored if possible and not mentioning the umask or root). The info
> > > page is better.)
> > >
> > > This bug showed up as breakage in mutt. mutt uses a setgid utility
> > > named mutt_dotlock to lock /var/mail/*, so it fails to download mail
> > > if mutt_dotlock's setgid bit is lost on extraction. It is probably
> > > another bug that mutt_dotlock attempts to create a temporary file in
> > > /var/mail instead of using flock().
> > >
> > > "Fixes":
> > >
> > > (1) Change pkg_add and thousands of user scripts to use tar -p. This
> > > may reopen security holes closed by respecting the umask.
> > >
> > > %%%
> > > Index: extract.c
> > > ===================================================================
> > > RCS file: /home/ncvs/src/usr.sbin/pkg_install/add/extract.c,v
> > > retrieving revision 1.33
> > > diff -u -2 -r1.33 extract.c
> > > --- extract.c	11 May 2002 04:17:54 -0000	1.33
> > > +++ extract.c	1 Aug 2002 10:26:10 -0000
> > > @@ -33,5 +33,5 @@
> > >  #define PUSHOUT(todir) /* push out string */ \
> > >      if (where_count > (int)sizeof(STARTSTRING)-1) { \
> > > -	strcat(where_args, "|tar --unlink -xf - -C "); \
> > > +	strcat(where_args, "|tar --unlink -pxf - -C "); \
> > >  	strcat(where_args, todir); \
> > >  	if (system(where_args)) { \
> > > %%%
> > >
> > > (2) Restore standard gnu tar behaviour by backing out extract.c revs 1.2-1.3.
> > >
> > > %%%
> > > Index: extract.c
> > > ===================================================================
> > > RCS file: /home/ncvs/src/contrib/tar/src/extract.c,v
> > > retrieving revision 1.4
> > > diff -u -2 -r1.4 extract.c
> > > --- extract.c	3 Jul 2002 12:44:31 -0000	1.4
> > > +++ extract.c	1 Aug 2002 10:44:34 -0000
> > > @@ -113,7 +113,5 @@
> > >  {
> > >    we_are_root = geteuid () == 0;
> > > -#ifndef __FreeBSD__
> > >    same_permissions_option += we_are_root;
> > > -#endif
> > >    same_owner_option += we_are_root;
> > >    xalloc_fail_func = extract_finish;
> > > %%%
> > >
> > > Bruce

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message
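Review bot: on the usr.sbin/pkg_install/add/extract.c hunk, adding `-p` to the `|tar --unlink -xf - -C` pipeline in the PUSHOUT macro makes every package pkg_add extracts (as root) take its modes verbatim from the archive, setuid/setgid and world-writable bits included, while the breakage described in this message is only the lost setgid bit on mutt_dotlock. The message itself concedes this "may reopen security holes closed by respecting the umask"; if this route is taken, the change should be paired with a check that reports setuid/setgid and world-writable entries in a package before extraction, or at least with a pkg_add man page note that package-supplied modes are now trusted as-is.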
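Review bot: on the contrib/tar/src/extract.c hunk, deleting the `#ifndef __FreeBSD__` / `#endif` guard around `same_permissions_option += we_are_root;` reverts both effects of revision 1.2 at once: root stops applying the umask to extracted files and root regains setuid/setgid bits, whereas the thread identifies only the lost setuid/setgid bits as the regression. A narrower fix would keep the umask applied to the rwx bits for root while preserving S_ISUID/S_ISGID, which would still address the revision 1.2 log's concern about ports archives shipping 777 files and dirs. Whichever way it goes, the commit message should state explicitly that FreeBSD's local deviation from upstream GNU tar is being dropped, since revision 1.3 justified the current state as "consistent with what our old tar did".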
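The permission policies argued over in this thread (Maxim's demo of a 777 tree coming out 755 under umask 022 and the lost suid/sgid bits, and Bruce's two proposed fixes of `tar -p` versus backing out the FreeBSD change) side by side, as an added example that is not code from the thread, from GNU tar or from pkg_install. The masking rules are modeled on the behaviour the thread describes, not copied from tar's own set_mode(); the POLICY_UMASK_KEEP_SETID variant is a hypothetical narrower fix, and the header mode fields and file names are constructed for the demo.

```c
/* Added example, not from the FreeBSD thread, GNU tar or pkg_install.
 * Models three ways of applying an archive entry's mode at extraction
 * time (modeled on the behaviour described in the thread, not copied from
 * tar's set_mode()), then applies one to a real file so the kernel result
 * can be read back. POLICY_UMASK_KEEP_SETID is a hypothetical variant. */
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define MODE_RWX   (S_IRWXU | S_IRWXG | S_IRWXO)
#define MODE_SETID (S_ISUID | S_ISGID)

enum extract_policy {
    POLICY_ARCHIVE_VERBATIM, /* tar -p, or stock GNU tar as euid 0: header mode, umask ignored */
    POLICY_RESPECT_UMASK,    /* no -p (FreeBSD revs 1.2-1.3 as root): rwx & ~umask, setid dropped */
    POLICY_UMASK_KEEP_SETID  /* hypothetical narrower fix: umask applied, setuid/setgid kept */
};

/* Decode the 8-byte octal ASCII mode field of a ustar header, e.g. "0002755". */
mode_t ustar_mode(const char *field)
{
    char buf[9];
    memcpy(buf, field, 8);
    buf[8] = '\0';
    return (mode_t)(strtoul(buf, NULL, 8) & 07777);
}

/* Mode that would be handed to chmod(2) for an entry under a given policy. */
mode_t extract_mode(mode_t archive_mode, mode_t cur_umask, enum extract_policy p)
{
    switch (p) {
    case POLICY_ARCHIVE_VERBATIM:
        return archive_mode & 07777;
    case POLICY_RESPECT_UMASK:
        return archive_mode & MODE_RWX & ~cur_umask;
    case POLICY_UMASK_KEEP_SETID:
        return (archive_mode & MODE_RWX & ~cur_umask) | (archive_mode & MODE_SETID);
    }
    return 0;
}

/* What an installer that trusts archive modes should flag first:
 * world-writable entries and setuid/setgid entries. */
int mode_is_risky(mode_t m)
{
    return (m & S_IWOTH) != 0 || (m & MODE_SETID) != 0;
}

/* Apply a policy the way tar does (an explicit chmod, which the process
 * umask does not filter) and read back what the kernel stored. 0 on success. */
int apply_and_readback(const char *path, mode_t archive_mode, mode_t cur_umask,
                       enum extract_policy p, mode_t *out)
{
    struct stat st;
    if (chmod(path, extract_mode(archive_mode, cur_umask, p)) != 0)
        return -1;
    if (stat(path, &st) != 0)
        return -1;
    *out = st.st_mode & 07777;
    return 0;
}

int main(void)
{
    /* Constructed header fields: the 777 directory from the demo in the
     * thread, a setgid locker like mutt_dotlock, and a setuid binary. */
    const char *fields[] = { "0000777", "0002755", "0004755" };
    const char *labels[] = { "foo/ (dir)", "mutt_dotlock", "setuid tool" };
    const mode_t um = 022; /* the umask shown in the thread's demo */
    char dir[] = "/tmp/tarmodeXXXXXX";
    char path[64];
    mode_t got;
    int fd;

    printf("%-14s %-8s %-8s %-8s %s\n", "entry", "header", "-p/root", "no -p", "keep-setid ('!' = risky)");
    for (int i = 0; i < 3; i++) {
        mode_t hm = ustar_mode(fields[i]);
        printf("%-14s %04o   ", labels[i], (unsigned)hm);
        for (int p = POLICY_ARCHIVE_VERBATIM; p <= POLICY_UMASK_KEEP_SETID; p++) {
            mode_t m = extract_mode(hm, um, (enum extract_policy)p);
            printf(" %04o%-3s", (unsigned)m, mode_is_risky(m) ? "!" : "");
        }
        putchar('\n');
    }

    /* On disk: the "no -p" policy loses the setgid bit exactly as mutt_dotlock
     * did. Runs as any user; the kernel may clear S_ISGID if the file's group
     * is not one of ours, in which case "lost" is printed for that reason. */
    if (mkdtemp(dir) == NULL)
        return 1;
    snprintf(path, sizeof path, "%s/mutt_dotlock", dir);
    fd = open(path, O_CREAT | O_WRONLY, 0600);
    if (fd < 0)
        return 1;
    close(fd);
    if (apply_and_readback(path, 02755, um, POLICY_RESPECT_UMASK, &got) == 0)
        printf("no -p on disk:      %04o, setgid %s\n", (unsigned)got, (got & S_ISGID) ? "kept" : "lost");
    if (apply_and_readback(path, 02755, um, POLICY_UMASK_KEEP_SETID, &got) == 0)
        printf("keep-setid on disk: %04o, setgid %s\n", (unsigned)got, (got & S_ISGID) ? "kept" : "lost");
    unlink(path);
    rmdir(dir);
    return 0;
}
```

The table row for the 777 directory reproduces the demo (0777 in the header, 0755 on disk without `-p`, 0777 with it), and the mutt_dotlock row shows why Bruce's mutt breakage and Maxim's "suid/sgid bits are not preserved" observation are the same fault: with the umask policy the setgid bit is stripped along with the world-write bit, whereas the verbatim policy keeps both, which is the trade-off revision 1.2's log message was worried about.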