Skip site navigation (1)Skip section navigation (2) 
Date:      Fri, 11 Jan 2019 20:45:40 +0000
From:      bugzilla-noreply@freebsd.org
To:        bugs@FreeBSD.org
Subject:   [Bug 234886] shutdown not installed with setuid bit in pkgbase
Message-ID:  <bug-234886-227@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help 

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=234886

            Bug ID: 234886
           Summary: shutdown not installed with setuid bit in pkgbase
           Product: Base System
           Version: 12.0-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: emaste@freebsd.org
                CC: kmoore@FreeBSD.org

As reported by kmoore in
https://lists.freebsd.org/pipermail/freebsd-pkgbase/2017-December/000350.html:

> Anybody else noticed a recent regression (say past month or so) where
> pkg base of latest HEAD is now failing to throw setuid on some files? We
> saw it at first because /sbin/shutdown lost its setuid bit, so users
> can't shutdown the box.

I investigated and found that it appears to be due to the way install(1)
handles links with -M
(https://lists.freebsd.org/pipermail/freebsd-pkgbase/2017-December/000361.html):

For regular installs we invoke:
    install -l h <prog> <link>
and the link then has the same permissions via the existing inode.

With -M install produces a metalog containing
./<link> type=file mode=0755 size=0
(i.e., permissions not explicitly set) and we end up with two entries
in the metalog referencing two names for the same inode, but with
different permissions.

If we passed in the mode when invoking install for a hardlink we
should have the expected permissions, regardless of sorting:
# install -M METALOG -m4554 -l h <prog> <link>
./<link> type=file mode=04554 size=0

On a positive note there are only a few Makefiles with LINKS as well
as BINOWN, BINMODE, or BINGRP. As far as I can tell:

release/picobsd/tinyware/passwd/Makefile
sbin/shutdown/Makefile
usr.bin/at/Makefile
usr.sbin/authpf/Makefile

And after that email was sent, also stand/efi/loader/Makefile and
stand/i386/loader/Makefile

-- 
You are receiving this mail because:
You are the assignee for the bug.

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-234886-227>