On Mon, Dec 04, 2017 at 06:59:56PM +0000, Glen Barber wrote: > On Mon, Dec 04, 2017 at 10:46:56AM -0800, Rodney W. Grimes wrote: > > > On Mon, Dec 04, 2017 at 12:46:37PM -0500, Kris Moore wrote: > > > > On 12/04/2017 11:37, Brad Davis wrote: > > > > > On Mon, Dec 4, 2017, at 09:25 AM, Kris Moore wrote: > > > > >> Anybody else noticed a recent regression (say past month or so) where > > > > >> pkg base of latest HEAD is now failing to throw setuid on some > > > > >> files? We > > > > >> saw it at first because /sbin/shutdown lost its setuid bit, so users > > > > >> can't shutdown the box. I rolled back pkg to 1.10.1 which was > > > > >> working, > > > > >> and that didn't seem to make a difference. Now I suspect something in > > > > >> HEAD itself changed, but for the life of me can't find where. > > > > > Hey Kris, > > > > > > > > > > Can you look at the plist file and see if it is correctly flagging the > > > > > file there? > > > > > > > > > > > > > > > Regards, > > > > > Brad Davis > > > > > _______________________________________________ > > > > > freebsd-pkgbase@freebsd.org mailing list > > > > > https://lists.freebsd.org/mailman/listinfo/freebsd-pkgbase > > > > > To unsubscribe, send any mail to > > > > > "freebsd-pkgbase-unsubscr...@freebsd.org" > > > > > > > > Here's what I have in the plist: > > > > > > > > @(root,operator,04554,) /sbin/shutdown > > > > > > > > I'll note that ping/ping6 also have similar, and they install setuid > > > > properly: > > > > > > > > @(root,wheel,04555,) /sbin/ping > > > > @(root,wheel,04555,) /sbin/ping6 > > > > > > > > Here's what I have in the pkg tarball: > > > > > > > > # tar tvf FreeBSD-runtime-12.0.s20171204170123.txz | grep shutdown > > > > hr-sr-xr-- 0 root operator 0 Dec 4 17:05 /sbin/shutdown link to > > > > /sbin/poweroff > > > > > > > > # tar tvf FreeBSD-runtime-12.0.s20171204170123.txz | grep poweroff > > > > -r-xr-xr-- 0 root wheel 15440 Dec 4 17:05 /sbin/poweroff > > > > hr-sr-xr-- 0 root operator 0 Dec 4 17:05 /sbin/shutdown link to > > > > /sbin/poweroff > > > > > > > > > > > > And installing it again sure enough gives version without setuid: > > > > > > > > # pkg-static add -f FreeBSD-runtime-12.0.s20171204170123.txz > > > > Installing FreeBSD-runtime-12.0.s20171204170123... > > > > package FreeBSD-runtime is already installed, forced install > > > > Extracting FreeBSD-runtime-12.0.s20171204170123: 100% > > > > > > > > [root@chimera] > > > > /usr/obj/usr/src/repo/FreeBSD:12:amd64/12.0.s20171204170123# ls -al > > > > /sbin/shutdown > > > > -r-xr-xr-- 2 root wheel 15440 Dec 4 17:05 /sbin/shutdown > > > > > > > > > > I think this is the problem. I believe /sbin/poweroff should be a hard > > > link to /sbin/shutdown. Meaning, the links are reversed, so the setuid > > > bit is lost because poweroff is not installed with the setuid bit. > > > > > > The only thing I can think of so far is r325859, which sorts the METALOG > > > to ensure metadata reproducibility. > > > > > > Glen > > > > > > > I do not believe that order is at issue here at all, or it shouldnt be, > > once the files are hardlinked any chown/chmod effects the one inode > > used by both files. > > > > It does appear to be the problem, because the files are packaged > alphabetically now. In a repository from September, I see: > > % tar tvf FreeBSD-runtime-12.0*.txz | grep -E '/sbin/(poweroff|shutdown)' > -r-sr-xr-- 0 root operator 15864 Sep 27 15:40 /sbin/shutdown > hr-xr-xr-- 0 root wheel 0 Sep 27 15:40 /sbin/poweroff link to > /sbin/shutdown > > In a more recent repository, I see: > > % tar tvf FreeBSD-runtime-12.0*.txz | grep -E '/sbin/(poweroff|shutdown)' > -r-xr-xr-- 0 root wheel 15864 Nov 15 15:28 /sbin/poweroff > hr-sr-xr-- 0 root operator 0 Nov 15 15:28 /sbin/shutdown link to > /sbin/poweroff >
So this is the issue, somewhere in the way libarchive is handling the hardlinks. You can see here the setuid is only set on the hardlink not on the regfile (the opposite of the previous one) meaning somewhow libarchive seems to be inconsistent. pkg does not set attributes (rights + ownerhsip) to any thing libarchive tells it to be a hardlink because it is supposed to be done on the regular file... Don't know how I can fix/workaround that. Bapt
signature.asc
Description: PGP signature
