Message-ID: <CAGXD9OeU9YOf20RoakEfwhJNGNJpb8D11cbT3+xRNB9tph_rfw@mail.gmail.com>
Date: Wed, 7 Oct 2015 20:29:25 -0700
From: Prasad Koya <prasad.koya@...il.com>
To: linux-fsdevel@...r.kernel.org, Phillip Lougher <phillip@...gher.demon.co.uk>
Cc: Alexander Viro <viro@...iv.linux.org.uk>, Christoph Hellwig <hch@...radead.org>, LKML <linux-kernel@...r.kernel.org>, Phillip Lougher <phillip@...ashfs.org.uk>, Andreas Gruenbacher <agruenba@...hat.com>
Subject: Re: unsquashfs not preserving file capabilities

Hi

Debugged this with traces enabled. Turns out that unsquashfs *is*
setting xattrs with lsetxattr() but soon after returning from
write_xattr(), it calls chown() and that is removing the xattrs on
file. Please take a look at this patch below, which calls chown() only
if uid/gid of file is different to what is passed in set_attributes().
I'm not that familiar with this code.

thank you

bash% diff -u /bld/squashfs-tools/unsquashfs.c unsquashfs.c
--- /bld/squashfs-tools/unsquashfs.c 2015-10-07 20:22:22.657129963 -0700 +++ unsquashfs.c 2015-10-07 20:21:06.070143018 -0700
@@ -700,12 +700,21 @@ } if(root_process) { - if(chown(pathname, uid, guid) == -1) { - ERROR("set_attributes: failed to change uid and gids " - "on %s, because %s\n", pathname, - strerror(errno)); + struct stat sbuf; + int x = stat(pathname, &sbuf); + if (x != 0) { + ERROR("set_attributes: stat(%s) failed. errno %d\n", + pathname, errno); return FALSE; } + if(uid != sbuf.st_uid || guid != sbuf.st_gid) { + if(chown(pathname, uid, guid) == -1) { + ERROR("set_attributes: failed to change " + "uid and gids on %s, because %s\n", pathname, + strerror(errno)); + return FALSE; + } + } } else mode &= ~07000;
bash%

On Wed, Oct 7, 2015 at 7:28 AM, Prasad Koya <prasad.koya@...il.com> wrote:
> Hi
>
> Not sure if there is a mailing list for squashfs-tools.
>
> I'm not seeing xattrs after unsquashing. This is how we are using:
>
> 1. Install all of our RPMs with some root dir (rpm --root xyz)
>
> 2. mksquashfs of xyz. (-comp xz -Xbcj x86).
>
> 3. To update an rpm in image, we first unsquash the fs made in step 2
> with unsquashfs. Say this is dir xyz2, then do 'rpm --root xyz2 -U
> changed.rpm'
>
> Right after unsquashing in step 3, I don't see capabilities on, say, ping.
>
>
> after first mksquashfs ie., installing all RPMs fresh:
>
> bash% getfattr -n security.capability rootfs/usr/bin/ping
> # file: usr/bin/ping
> security.capability=0sAQAAAgAwAAAAAAAAAAAAAAAAAAA=
>
> bash% getcap rootfs/usr/bin/ping
> usr/bin/ping = cap_net_admin,cap_net_raw+ep
>
>
> after unsquashfs:
>
> bash% getfattr -n security.capability
> /tmp/extracted/unsquashed/usr/bin/ping
> /tmp/extracted/unsquashed/usr/bin/ping: security.capability: No such attribute
>
> bash% getcap /tmp/extracted/unsquashed/usr/bin/ping
> bash%
>
> I explicitly specify '-xattrs' for both mksquashfs and unsquashfs. Is
> this known issue?
>
> thank you.
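
Review bot: The new `if(uid != sbuf.st_uid || guid != sbuf.st_gid)` guard only sidesteps the problem when the extracted file already has the target ids; whenever they differ, chown() still runs after write_xattr() and, going by the description in this message, the xattrs are removed again. Setting the xattrs after chown() rather than before it would cover both cases. In the new stat() error path, the message prints errno as a number while the chown() message next to it uses strerror(errno); use strerror(errno) there too, and fold the temporary `int x` into the `if`.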
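
The `security.capability` value quoted in the report can be decoded to confirm what was lost. The following is an added example, not part of the original message or of squashfs-tools: it parses the getfattr `0s` base64 form according to the kernel's `vfs_cap_data` layout and lists the permitted capabilities missing after extraction. The function names are hypothetical.

```python
import base64
import struct

# Capability names by bit number (include/uapi/linux/capability.h).
CAP_NAMES = (
    "chown dac_override dac_read_search fowner fsetid kill setgid setuid "
    "setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw "
    "ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct "
    "sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod "
    "lease audit_write audit_control setfcap mac_override mac_admin syslog "
    "wake_alarm block_suspend audit_read perfmon bpf checkpoint_restore"
).split()

# vfs_cap_data revision -> (32-bit word pairs, total size in bytes)
LAYOUT = {0x01000000: (1, 12), 0x02000000: (2, 20), 0x03000000: (2, 24)}
EFFECTIVE_FLAG = 0x000001

# The value getfattr printed for usr/bin/ping in the message above.
PING_BEFORE = "0sAQAAAgAw" + "A" * 19 + "="


def _names(mask):
    return ["cap_" + n for bit, n in enumerate(CAP_NAMES) if mask >> bit & 1]


def decode_security_capability(value):
    """Decode a getfattr '0s<base64>' security.capability value."""
    if not value.startswith("0s"):
        raise ValueError("expected getfattr base64 form (0s prefix)")
    raw = base64.b64decode(value[2:], validate=True)
    if len(raw) < 4:
        raise ValueError("truncated vfs_cap_data")
    (magic_etc,) = struct.unpack_from("<I", raw)
    pairs, size = LAYOUT.get(magic_etc & 0xFF000000, (0, 0))
    if not pairs or len(raw) != size:
        raise ValueError("unknown revision or wrong length")
    words = struct.unpack_from("<%dI" % (2 * pairs), raw, 4)
    # Words alternate permitted/inheritable, low 32 bits first.
    permitted = sum(w << (32 * i) for i, w in enumerate(words[0::2]))
    inheritable = sum(w << (32 * i) for i, w in enumerate(words[1::2]))
    return {"effective": bool(magic_etc & EFFECTIVE_FLAG),
            "permitted": _names(permitted), "inheritable": _names(inheritable)}


def lost_capabilities(before, after):
    """Permitted caps set before extraction but absent after (after=None: no xattr)."""
    had = set(decode_security_capability(before)["permitted"])
    have = set(decode_security_capability(after)["permitted"]) if after else set()
    return sorted(had - have)
```

For the values in the report, `lost_capabilities(PING_BEFORE, None)` returns `cap_net_admin` and `cap_net_raw`, matching the getcap output before extraction.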