Date:      Mon, 4 Dec 2017 11:52:53 -0800 (PST)
From:      "Rodney W. Grimes" <freebsd-rwg@pdx.rh.CN85.dnsmgr.net>
To:        Kris Moore <kris@ixsystems.com>
Cc:        freebsd-pkgbase@freebsd.org
Subject:   Re: Recent issue with pkg base missing setuid
Message-ID:  <201712041952.vB4Jqrkk047671@pdx.rh.CN85.dnsmgr.net>
In-Reply-To: <b101f855-ec99-d837-35c1-a1282ed4206d@ixsystems.com>

> On 12/04/2017 13:47, Rodney W. Grimes wrote:
> >> On 12/04/2017 11:37, Brad Davis wrote:
> >>> On Mon, Dec 4, 2017, at 09:25 AM, Kris Moore wrote:
> >>>> Anybody else noticed a recent regression (say past month or so) where
> >>>> pkg base of latest HEAD is now failing to throw setuid on some files? We
> >>>> saw it at first because /sbin/shutdown lost its setuid bit, so users
> >>>> can't shutdown the box. I rolled back pkg to 1.10.1 which was working,
> >>>> and that didn't seem to make a difference. Now I suspect something in
> >>>> HEAD itself changed, but for the life of me can't find where.
> >>> Hey Kris,
> >>>
> >>> Can you look at the plist file and see if it is correctly flagging the
> >>> file there?
> >>>
> >>>
> >>> Regards,
> >>> Brad Davis
> >>> _______________________________________________
> >>> freebsd-pkgbase@freebsd.org mailing list
> >>> https://lists.freebsd.org/mailman/listinfo/freebsd-pkgbase
> >>> To unsubscribe, send any mail to "freebsd-pkgbase-unsubscribe@freebsd.org"
> >> Here's what I have in the plist:
> >>
> >> @(root,operator,04554,) /sbin/shutdown
> >>
> >> I'll note that ping/ping6 also have similar, and they install setuid
> >> properly:
> >>
> >> @(root,wheel,04555,) /sbin/ping
> >> @(root,wheel,04555,) /sbin/ping6
> >>
> >> Here's what I have in the pkg tarball:
> >>
> >> # tar tvf FreeBSD-runtime-12.0.s20171204170123.txz | grep shutdown
> >> hr-sr-xr--  0 root   operator     0 Dec  4 17:05 /sbin/shutdown link to
> >> /sbin/poweroff
> >>
> >> # tar tvf FreeBSD-runtime-12.0.s20171204170123.txz | grep poweroff
> >> -r-xr-xr--  0 root   wheel    15440 Dec  4 17:05 /sbin/poweroff
> >> hr-sr-xr--  0 root   operator     0 Dec  4 17:05 /sbin/shutdown link to
> >> /sbin/poweroff
> >>
> >>
> >> And installing it again sure enough gives version without setuid:
> >>
> >> # pkg-static add -f FreeBSD-runtime-12.0.s20171204170123.txz
> >> Installing FreeBSD-runtime-12.0.s20171204170123...
> >> package FreeBSD-runtime is already installed, forced install
> >> Extracting FreeBSD-runtime-12.0.s20171204170123: 100%
> >>
> >> [root@chimera]
> >> /usr/obj/usr/src/repo/FreeBSD:12:amd64/12.0.s20171204170123# ls -al
> >> /sbin/shutdown
> >> -r-xr-xr--  2 root  wheel  15440 Dec  4 17:05 /sbin/shutdown
> > Can you show us ls -ail for /sbin/shutdown and /sbin/poweroff?
> >
> >
> [root@chimera] /usr/src# ls -ail /sbin/shutdown
> 245898 -r-xr-xr--  2 root  wheel  15440 Dec  4 17:05 /sbin/shutdown
> [root@chimera] /usr/src# ls -ail /sbin/poweroff
> 245898 -r-xr-xr--  2 root  wheel  15440 Dec  4 17:05 /sbin/poweroff

As I expected, same inode, exact same owns/modes, but neither file
got the chown/chmod that pkg should have done after it put the files
in place.

My guess is something is amiss in pkg that perhaps always expected
the named file in @ to come first in the tar ball? Does it track
duplicate inodes/hardlinks? Is it "rolling its own" tar extractor?

Or does it now recognize that a hardlink is a valid @ file name to
operate on?

-- 
Rod Grimes                                                 rgrimes@freebsd.org
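A check for the mismatch shown in the thread, added here as an example that is not part of the thread or of pkg itself: it parses the plist `@(owner,group,mode,)` lines, compares them with the installed files, and names hardlink peers, since a chmod/chown on one name necessarily changes the inode-sharing other name. The `PLIST_SAMPLE`/`ACTUAL_SAMPLE` data is constructed from the plist lines and `ls -ail` output above; `stat_paths` is the hypothetical helper that reads a live system instead.

```python
import grp, os, pwd, re, stat
from collections import defaultdict
# pkg plist ownership lines look like "@(root,operator,04554,) /sbin/shutdown"
PLIST_RE = re.compile(r"^@\((\w*),(\w*),([0-7]*),?\)\s+(\S+)")

def parse_plist(text):
    """Return {path: (owner, group, mode_int)} for every @(...) line in a plist."""
    expected = {}
    for line in text.splitlines():
        m = PLIST_RE.match(line.strip())
        if m:
            owner, group, mode, path = m.groups()
            expected[path] = (owner, group, int(mode, 8) if mode else None)
    return expected

def stat_paths(paths):
    """Read owner, group, permission bits and inode from the live filesystem."""
    actual = {}
    for p in paths:
        st = os.lstat(p)
        actual[p] = (pwd.getpwuid(st.st_uid).pw_name, grp.getgrgid(st.st_gid).gr_name,
                     stat.S_IMODE(st.st_mode), st.st_ino)
    return actual

def check_modes(expected, actual):
    """Compare plist expectations against actual {path: (owner, group, mode, inode)};
    returns [(path, description)]. Hardlink peers are named, since chmod/chown
    on one name necessarily changes the other."""
    by_inode = defaultdict(list)
    for path, (_, _, _, ino) in actual.items():
        by_inode[ino].append(path)
    findings = []
    for path, (owner, group, mode) in expected.items():
        if path not in actual: continue  # a missing file is a separate problem
        a_owner, a_group, a_mode, ino = actual[path]
        problems = [f"{what} {got} != {want}" for what, want, got in
                    (("owner", owner, a_owner), ("group", group, a_group)) if want and got != want]
        if mode is not None and a_mode != mode:
            problems.append(f"mode {a_mode:05o} != {mode:05o}")
            if mode & stat.S_ISUID and not a_mode & stat.S_ISUID:
                problems.append("setuid bit lost")
        peers = [p for p in by_inode[ino] if p != path]
        if problems and peers:
            problems.append("hardlinked to " + ", ".join(peers))
        if problems:
            findings.append((path, "; ".join(problems)))
    return findings
# Constructed sample mirroring the thread's plist lines and ls -ail output.
PLIST_SAMPLE = "@(root,operator,04554,) /sbin/shutdown\n@(root,wheel,04555,) /sbin/ping\n"
ACTUAL_SAMPLE = {"/sbin/shutdown": ("root", "wheel", 0o554, 245898),
                 "/sbin/poweroff": ("root", "wheel", 0o554, 245898),
                 "/sbin/ping": ("root", "wheel", 0o4555, 245900)}
```

On a real box, replace `ACTUAL_SAMPLE` with `stat_paths(parse_plist(open(plist).read()))` to audit every `@(...)` entry of an installed package.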


