| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAGXD9OeU9YOf20RoakEfwhJNGNJpb8D11cbT3+xRNB9tph_rfw@mail.gmail.com>
Date: Wed, 7 Oct 2015 20:29:25 -0700
From: Prasad Koya <prasad.koya@...il.com>
To: linux-fsdevel@...r.kernel.org,
Phillip Lougher <phillip@...gher.demon.co.uk>
Cc: Alexander Viro <viro@...iv.linux.org.uk>,
Christoph Hellwig <hch@...radead.org>,
LKML <linux-kernel@...r.kernel.org>,
Phillip Lougher <phillip@...ashfs.org.uk>,
Andreas Gruenbacher <agruenba@...hat.com>
Subject: Re: unsquashfs not preserving file capabilities
Hi
Debugged this with traces enabled. Turns out that unsquashfs *is*
setting xattrs with lsetxattr() but soon after returning from
write_xattr(), it calls chown() and that is removing the xattrs on
file.
Please take a look at this patch below, which calls chown() only if
uid/gid of file is different to what is passed in set_attributes().
I'm not that familiar with this code.
thank you
bash% diff -u /bld/squashfs-tools/unsquashfs.c unsquashfs.c
--- /bld/squashfs-tools/unsquashfs.c 2015-10-07 20:22:22.657129963 -0700
+++ unsquashfs.c 2015-10-07 20:21:06.070143018 -0700
@@ -700,12 +700,21 @@
}
if(root_process) {
- if(chown(pathname, uid, guid) == -1) {
- ERROR("set_attributes: failed to change uid and gids "
- "on %s, because %s\n", pathname,
- strerror(errno));
+ struct stat sbuf;
+ int x = stat(pathname, &sbuf);
+ if (x != 0) {
+ ERROR("set_attributes: stat(%s) failed. errno %d\n",
+ pathname, errno);
return FALSE;
}
+ if(uid != sbuf.st_uid || guid != sbuf.st_gid) {
+ if(chown(pathname, uid, guid) == -1) {
+ ERROR("set_attributes: failed to change "
+ "uid and gids on %s, because %s\n", pathname,
+ strerror(errno));
+ return FALSE;
+ }
+ }
} else
mode &= ~07000;
bash%
On Wed, Oct 7, 2015 at 7:28 AM, Prasad Koya <prasad.koya@...il.com> wrote:
> Hi
>
> Not sure if there is a mailing list for squashfs-tools.
>
> I'm not seeing xattrs after unsquashing. This is how we are using:
>
> 1. Install all of our RPMs with some root dir (rpm --root xyz)
>
> 2. mksquashfs of xyz. (-comp xz -Xbcj x86).
>
> 3. To update an rpm in image, we first unsquash the fs made in step 2
> with unsquashfs. Say this is dir xyz2, then do 'rpm --root xyz2 -U
> changed.rpm'
>
> Right after unsquashing in step 3, I don't see capabilities on, say, ping.
>
>
> after first mksquashfs ie., installing all RPMs fresh:
>
> bash% getfattr -n security.capability rootfs/usr/bin/ping
> # file: usr/bin/ping
> security.capability=0sAQAAAgAwAAAAAAAAAAAAAAAAAAA=
>
> bash% getcap rootfs/usr/bin/ping
> usr/bin/ping = cap_net_admin,cap_net_raw+ep
>
>
> after unsquashfs:
>
> bash% getfattr -n security.capability
> /tmp/extracted/unsquashed/usr/bin/ping
> /tmp/extracted/unsquashed/usr/bin/ping: security.capability: No such attribute
>
> bash% getcap /tmp/extracted/unsquashed/usr/bin/ping
> bash%
>
> I explicitly specify '-xattrs' for both mksquashfs and unsquashfs. Is
> this known issue?
>
> thank you.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists