Open Source and information security mailing list archives
Date:	Wed, 7 Oct 2015 20:29:25 -0700
From:	Prasad Koya <prasad.koya@...il.com>
To:	linux-fsdevel@...r.kernel.org,
	Phillip Lougher <phillip@...gher.demon.co.uk>
Cc:	Alexander Viro <viro@...iv.linux.org.uk>,
	Christoph Hellwig <hch@...radead.org>,
	LKML <linux-kernel@...r.kernel.org>,
	Phillip Lougher <phillip@...ashfs.org.uk>,
	Andreas Gruenbacher <agruenba@...hat.com>
Subject: Re: unsquashfs not preserving file capabilities

Hi

Debugged this with traces enabled. Turns out that unsquashfs *is*
setting xattrs with lsetxattr(), but soon after returning from
write_xattr() it calls chown(), and that is removing the xattrs on
the file.

Please take a look at this patch below, which calls chown() only if
uid/gid of file is different to what is passed in set_attributes().
I'm not that familiar with this code.

thank you

bash% diff -u /bld/squashfs-tools/unsquashfs.c unsquashfs.c

--- /bld/squashfs-tools/unsquashfs.c    2015-10-07 20:22:22.657129963 -0700

+++ unsquashfs.c        2015-10-07 20:21:06.070143018 -0700

@@ -700,12 +700,21 @@

        }



        if(root_process) {

-               if(chown(pathname, uid, guid) == -1) {

-                       ERROR("set_attributes: failed to change uid and gids "

-                               "on %s, because %s\n", pathname,

-                               strerror(errno));

+               struct stat sbuf;

+               int x = stat(pathname, &sbuf);

+               if (x != 0) {

+                       ERROR("set_attributes: stat(%s) failed. errno %d\n",

+                               pathname, errno);

                        return FALSE;

                }

+               if(uid != sbuf.st_uid || guid != sbuf.st_gid) {

+                       if(chown(pathname, uid, guid) == -1) {

+                               ERROR("set_attributes: failed to change "

+                               "uid and gids on %s, because %s\n", pathname,

+                               strerror(errno));

+                               return FALSE;

+                       }

+               }

        } else

                mode &= ~07000;
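
Review bot: the new `uid != sbuf.st_uid || guid != sbuf.st_gid` test only avoids the problem when the extracted file already has the target owner; whenever the ids differ, chown() still runs after the xattrs were written and security.capability is cleared exactly as before. Ordering the calls so that chown() happens before the xattrs are written would cover both cases and make the extra stat() unnecessary. Separately, the stat() failure message prints the raw errno while the neighbouring messages use strerror(errno); using strerror there too would keep the output consistent.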



bash%

On Wed, Oct 7, 2015 at 7:28 AM, Prasad Koya <prasad.koya@...il.com> wrote:
> Hi
>
> Not sure if there is a mailing list for squashfs-tools.
>
> I'm not seeing xattrs after unsquashing. This is how we are using:
>
> 1. Install all of our RPMs with some root dir (rpm --root xyz)
>
> 2. mksquashfs of xyz. (-comp xz -Xbcj x86).
>
> 3. To update an rpm in the image, we first unsquash the fs made in step 2
> with unsquashfs. Say this is dir xyz2, then do 'rpm --root xyz2 -U
> changed.rpm'
>
> Right after unsquashing in step 3, I don't see capabilities on, say, ping.
>
>
> after first mksquashfs ie., installing all RPMs fresh:
>
> bash% getfattr -n security.capability rootfs/usr/bin/ping
> # file: usr/bin/ping
> security.capability=0sAQAAAgAwAAAAAAAAAAAAAAAAAAA=
>
> bash% getcap rootfs/usr/bin/ping
> usr/bin/ping = cap_net_admin,cap_net_raw+ep
>
>
> after unsquashfs:
>
> bash% getfattr -n security.capability
> /tmp/extracted/unsquashed/usr/bin/ping
> /tmp/extracted/unsquashed/usr/bin/ping: security.capability: No such attribute
>
> bash% getcap /tmp/extracted/unsquashed/usr/bin/ping
> bash%
>
> I explicitly specify '-xattrs' for both mksquashfs and unsquashfs. Is
> this a known issue?
>
> thank you.
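
A check for the symptom reported in this thread, as an added example that is not part of the original messages or of squashfs-tools: it compares `getfattr` dumps of the source tree and the extracted tree and decodes the `security.capability` value of each file whose attribute is missing or changed after extraction. The function names, the second sample file and the dump layout (output of `getfattr -R -d -m security.capability .` run inside each tree) are assumptions.

```python
import base64
import struct

# Bit numbers from linux/capability.h; only those needed for the sample.
CAP_NAMES = {12: "cap_net_admin", 13: "cap_net_raw"}
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_REVISION_2 = 0x02000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001

# Constructed sample dumps. The ping value is the one quoted in the thread;
# usr/bin/example-tool is a made-up second file that kept its xattr.
BEFORE = """# file: usr/bin/ping
security.capability=0sAQAAAgAwAAAAAAAAAAAAAAAAAAA=

# file: usr/bin/example-tool
security.capability=0sAQAAAgAwAAAAAAAAAAAAAAAAAAA=
"""
AFTER = """# file: usr/bin/example-tool
security.capability=0sAQAAAgAwAAAAAAAAAAAAAAAAAAA=
"""

def decode_capability(value):
    """Decode a getfattr base64 ('0s' prefix) revision 2 vfs_cap_data value."""
    if not value.startswith("0s"):
        raise ValueError("expected base64 encoded value with 0s prefix")
    raw = base64.b64decode(value[2:])
    if len(raw) != 20:
        raise ValueError("expected 20-byte revision 2 vfs_cap_data")
    # Layout: magic_etc, then {permitted, inheritable} for low and high words.
    magic, perm_lo, _inh_lo, perm_hi, _inh_hi = struct.unpack("<5I", raw)
    if (magic & VFS_CAP_REVISION_MASK) != VFS_CAP_REVISION_2:
        raise ValueError("unsupported vfs_cap_data revision")
    permitted = perm_lo | (perm_hi << 32)
    names = [CAP_NAMES.get(b, "cap_%d" % b) for b in range(64) if (permitted >> b) & 1]
    return names, bool(magic & VFS_CAP_FLAGS_EFFECTIVE)

def parse_getfattr(dump):
    """Map file path to its security.capability value from a getfattr dump."""
    caps, path = {}, None
    for line in dump.splitlines():
        if line.startswith("# file: "):
            path = line[len("# file: "):]
        elif line.startswith("security.capability=") and path is not None:
            caps[path] = line.split("=", 1)[1]
    return caps

def lost_capabilities(before_dump, after_dump):
    """Return {path: (permitted names, effective flag)} for lost or changed caps."""
    before, after = parse_getfattr(before_dump), parse_getfattr(after_dump)
    return {p: decode_capability(v) for p, v in before.items() if after.get(p) != v}
```

An empty result from `lost_capabilities()` means every file capability present before `mksquashfs` is still present, unchanged, in the extracted tree.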