On Thu, Jul 14, 2022 at 04:20:18PM -0400, Matt Barry wrote:
> On Thu, 2022-07-14 at 13:05 -0700, Josh Triplett wrote:
> > The use case below, and any other tools that create files and know to
> > set their permissions appropriately but don't expect unusual ownership
> > by default:
> > > > In particular, it is common to build various kinds of filesystem,
> > > > container, or disk images, and to do so within your home directory.
> > > > Users writing tools and scripts to build such images need to make
> > > > sure to create files with an appropriate mode, but such scripts
> > > > often assume (reasonably) that if they're running as root:root and
> > > > they create a file, that file will be owned by root:root.
> > > > Attempting to build filesystems, containers, disk images, or
> > > > similar in an unexpectedly setgid directory will produce unexpected
> > > > results (leaving aside that the directory mode itself will be
> > > > surprising).
>
> Could you be just slightly more specific about a use case that fails?
> Given how many times this has come up over the years, I'm trying to get
> a sense of what the *actual* issues are (as opposed to what they used
> to be).
>
> Enough instruction that I can reproduce a specific problem(s) would be
> great.

Sure. Here's a sample of the kind of script I regularly encounter,
producing incorrect results in a setgid directory. The script expects to
produce files owned by root:root, but the files and directories get the
wrong group, and the setgid bit gets propagated to the constructed
filesystem image.

/tmp/testdir$ ls -ld
drwxr-sr-x 2 josh josh 4096 Jul 16 13:40 .
/tmp/testdir$ ls -l
total 4
-rwxr-xr-x 1 josh josh 354 Jul 16 13:40 make-filesystem.sh
/tmp/testdir$ cat make-filesystem.sh
#!/bin/bash
if [ "$(id -u)" -ne 0 ]; then
    echo Run as root >&2
    exit 1
fi
umask 022
mkdir fsroot fsroot/bin fsroot/etc fsroot/srv
mkdir -m 0700 fsroot/srv/workdir
echo 'nameserver 169.254.169.253' > fsroot/etc/resolv.conf
printf '#!/bin/sh\necho example binary\n' > fsroot/bin/example
chmod a+x fsroot/bin/example
mke2fs -d fsroot root.img 16M
/tmp/testdir$ sudo ./make-filesystem.sh
mke2fs 1.46.5 (30-Dec-2021)
Creating regular file root.img
Creating filesystem with 16384 1k blocks and 4096 inodes
Filesystem UUID: ec2c8666-96d9-4bce-b964-4c32ed098638
Superblock backups stored on blocks:
	8193

Allocating group tables: done
Writing inode tables: done
Copying files into the device: done
Writing superblocks and filesystem accounting information: done

/tmp/testdir$ ls -l
total 1196
drwxr-sr-x 5 root josh     4096 Jul 16 13:41 fsroot
-rwxr-xr-x 1 josh josh      354 Jul 16 13:40 make-filesystem.sh
-rw-r--r-- 1 root josh 16777216 Jul 16 13:41 root.img
/tmp/testdir$ mkdir /tmp/testmount
/tmp/testdir$ sudo mount -o loop root.img /tmp/testmount
/tmp/testdir$ sudo ls -lR /tmp/testmount/
/tmp/testmount/:
total 15
drwxr-sr-x 2 root josh  1024 Jul 16 13:41 bin
drwxr-sr-x 2 root josh  1024 Jul 16 13:41 etc
drwx------ 2 root root 12288 Jul 16 13:41 lost+found
drwxr-sr-x 3 root josh  1024 Jul 16 13:41 srv

/tmp/testmount/bin:
total 1
-rwxr-xr-x 1 root josh 30 Jul 16 13:41 example

/tmp/testmount/etc:
total 1
-rw-r--r-- 1 root josh 27 Jul 16 13:41 resolv.conf

/tmp/testmount/lost+found:
total 0

/tmp/testmount/srv:
total 1
drwx--S--- 2 root josh 1024 Jul 16 13:41 workdir

/tmp/testmount/srv/workdir:
total 0
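
An added example, not part of the original message and not code from its author: one way an image-build script like make-filesystem.sh could detect and undo the inherited group and setgid bit on its staging tree before calling mke2fs -d. The function names audit_staging_tree and normalize_staging_tree are hypothetical; the expected owner defaults to 0:0.

```bash
#!/bin/bash
# Added example, not from the original message; function names are hypothetical.

# Print every entry under $1 that carries the setgid bit or is not owned by
# uid $2 / gid $3 (default 0:0). Returns 1 if anything was printed.
audit_staging_tree() {
    local dir="$1" uid="${2:-0}" gid="${3:-0}" bad
    bad=$(find "$dir" \( -perm -2000 -o ! -user "$uid" -o ! -group "$gid" \) -print)
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# Force the expected ownership, then clear setgid bits that directories
# inherited from a setgid parent. Symbolic g-s is used because GNU chmod
# leaves a directory's setgid bit alone under a plain numeric mode like 0755.
normalize_staging_tree() {
    local dir="$1" uid="${2:-0}" gid="${3:-0}"
    chown -R -h "$uid:$gid" "$dir"
    find "$dir" -type d -perm -2000 -exec chmod g-s {} +
}
```

In the script shown above, this would run as normalize_staging_tree fsroot followed by audit_staging_tree fsroot, just before the mke2fs -d line.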