Date: Mon, 4 Dec 2017 18:37:03 +0000
From: Glen Barber <gjb@FreeBSD.org>
To: Kris Moore <kris@ixsystems.com>
Cc: freebsd-pkgbase@freebsd.org
Subject: Re: Recent issue with pkg base missing setuid
Message-ID: <20171204183703.GG22326@FreeBSD.org>
In-Reply-To: <2d0794a2-4a51-6a9f-a430-4f9657fd14eb@ixsystems.com>
References: <ab75a106-3d46-4ca0-10ba-fb4ace4266da@ixsystems.com> <1512405462.2943219.1193522088.5FC897E6@webmail.messagingengine.com> <2d0794a2-4a51-6a9f-a430-4f9657fd14eb@ixsystems.com>

On Mon, Dec 04, 2017 at 12:46:37PM -0500, Kris Moore wrote:
> On 12/04/2017 11:37, Brad Davis wrote:
> > On Mon, Dec 4, 2017, at 09:25 AM, Kris Moore wrote:
> >> Anybody else noticed a recent regression (say past month or so) where
> >> pkg base of latest HEAD is now failing to throw setuid on some files? We
> >> saw it at first because /sbin/shutdown lost its setuid bit, so users
> >> can't shutdown the box. I rolled back pkg to 1.10.1 which was working,
> >> and that didn't seem to make a difference. Now I suspect something in
> >> HEAD itself changed, but for the life of me can't find where.
> > Hey Kris,
> >
> > Can you look at the plist file and see if it is correctly flagging the
> > file there?
> >
> >
> > Regards,
> > Brad Davis
> > _______________________________________________
> > freebsd-pkgbase@freebsd.org mailing list
> > https://lists.freebsd.org/mailman/listinfo/freebsd-pkgbase
> > To unsubscribe, send any mail to "freebsd-pkgbase-unsubscribe@freebsd.org"
>
> Here's what I have in the plist:
>
> @(root,operator,04554,) /sbin/shutdown
>
> I'll note that ping/ping6 also have similar, and they install setuid
> properly:
>
> @(root,wheel,04555,) /sbin/ping
> @(root,wheel,04555,) /sbin/ping6
>
> Here's what I have in the pkg tarball:
>
> # tar tvf FreeBSD-runtime-12.0.s20171204170123.txz | grep shutdown
> hr-sr-xr-- 0 root operator 0 Dec 4 17:05 /sbin/shutdown link to
> /sbin/poweroff
>
> # tar tvf FreeBSD-runtime-12.0.s20171204170123.txz | grep poweroff
> -r-xr-xr-- 0 root wheel 15440 Dec 4 17:05 /sbin/poweroff
> hr-sr-xr-- 0 root operator 0 Dec 4 17:05 /sbin/shutdown link to
> /sbin/poweroff
>
>
> And installing it again sure enough gives version without setuid:
>
> # pkg-static add -f FreeBSD-runtime-12.0.s20171204170123.txz
> Installing FreeBSD-runtime-12.0.s20171204170123...
> package FreeBSD-runtime is already installed, forced install
> Extracting FreeBSD-runtime-12.0.s20171204170123: 100%
>
> [root@chimera]
> /usr/obj/usr/src/repo/FreeBSD:12:amd64/12.0.s20171204170123# ls -al
> /sbin/shutdown
> -r-xr-xr-- 2 root wheel 15440 Dec 4 17:05 /sbin/shutdown
>

I think this is the problem. I believe /sbin/poweroff should be a hard
link to /sbin/shutdown. Meaning, the links are reversed, so the setuid
bit is lost because poweroff is not installed with the setuid bit.

The only thing I can think of so far is r325859, which sorts the METALOG
to ensure metadata reproducibility.

Glen
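
The condition diagnosed in the message above can be checked mechanically before a package is published: a hard-link entry whose mode, owner or group differs from the entry it links to. The following is an added example, not code from this thread or from FreeBSD; the function names are hypothetical and the in-memory archive is constructed to mirror the `tar tvf` listing quoted above.

```python
import io
import posixpath
import stat
import tarfile

def _norm(name):
    # Compare "/sbin/x", "sbin/x" and "./sbin/x" as the same path.
    return posixpath.normpath("/" + name.lstrip("/"))

def _meta(member):
    return (member.mode & 0o7777, member.uname, member.gname)

def find_link_metadata_conflicts(tar):
    """List hard-link entries whose mode/owner/group differ from their target's.

    Both names end up on one inode, so only one set of metadata can survive
    extraction; a set-id bit present only on the link entry is at risk.
    """
    by_name = {_norm(m.name): m for m in tar.getmembers()}
    findings = []
    for m in tar.getmembers():
        target = by_name.get(_norm(m.linkname)) if m.islnk() else None
        if target is None or _meta(m) == _meta(target):
            continue
        setid = stat.S_ISUID | stat.S_ISGID
        findings.append({
            "link": _norm(m.name), "target": _norm(target.name),
            "link_meta": _meta(m), "target_meta": _meta(target),
            "setid_only_on_link": bool(m.mode & ~target.mode & setid),
        })
    return findings

def build_sample_archive(link_mode=0o4554, link_group="operator"):
    """Constructed in-memory tar mirroring the listing quoted in the message."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        body = b"constructed placeholder, not a real binary"
        reg = tarfile.TarInfo("sbin/poweroff")
        reg.mode, reg.uname, reg.gname, reg.size = 0o554, "root", "wheel", len(body)
        tar.addfile(reg, io.BytesIO(body))
        lnk = tarfile.TarInfo("sbin/shutdown")
        lnk.type, lnk.linkname = tarfile.LNKTYPE, "sbin/poweroff"
        lnk.mode, lnk.uname, lnk.gname = link_mode, "root", link_group
        tar.addfile(lnk)
    buf.seek(0)
    return tarfile.open(fileobj=buf, mode="r")

if __name__ == "__main__":
    for f in find_link_metadata_conflicts(build_sample_archive()):
        print(f)
```

To run it against a real package file, pass `tarfile.open(path)` instead of the constructed archive; Python's `tarfile` detects xz compression when opening for reading.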