qubes-rpc expected file modes? #2428

Closed
jpouellet opened this Issue Nov 11, 2016 · 2 comments

Contributor

jpouellet commented Nov 11, 2016

Qubes OS version (e.g., R3.1):

R3.2, possibly others

Affected TemplateVMs (e.g., fedora-23, if applicable):

Everything with qrexec-rpc services (including dom0)


Expected behavior:

From the [current qrexec3 docs](https://github.com/QubesOS/qubes-doc/blob/cce10079b322f8e898cb2b4e23b48c4886aac4d9/services/qrexec3.md):

In the target VM, the /etc/qubes-rpc/RPC_ACTION_NAME must exist, containing the file name of the program that will be invoked, or being that program itself - in which case it must have executable permission set (chmod +x).

Actual behavior:

The claim that the file must be executable is false:

[root@misc]/etc/qubes-rpc# ls -l qubes.OpenURL  
-rwxr-xr-x 1 root root 192 Oct  3 07:16 qubes.OpenURL
[root@misc]/etc/qubes-rpc# head qubes.OpenURL
#!/bin/sh
...
[root@misc]/etc/qubes-rpc# chmod -x qubes.OpenURL
[root@misc]/etc/qubes-rpc# ls -l qubes.OpenURL  
-rw-r--r-- 1 root root 192 Oct  3 07:16 qubes.OpenURL
[user@other]$ echo 'https://qubes-os.org/' | /usr/lib/qubes/qrexec-client-vm misc qubes.OpenURL

still works.

Member

marmarek commented Nov 11, 2016

This instruction is how to create new services. There is a legacy feature of files without the executable bit set, which are executed through /bin/sh, even when no #!/bin/sh is present.
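
The behaviour described in the comment above, turned into an audit sketch (an added example, not part of the original thread and not Qubes code): it classifies each file in a qubes-rpc directory by whether it would be run directly or through /bin/sh, and flags legacy files whose `#!` line names another interpreter, since sh treats that line as a comment. The function names, the class labels and the "any execute bit set" test are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not Qubes code. Classes printed for each service file:
#   direct                     some execute bit is set; run as a program
#   sh-legacy                  no execute bit; run through /bin/sh (per the thread)
#   sh-legacy-shebang-ignored  as above, but the "#!" line names an interpreter
#                              other than sh, which sh reads as a plain comment
#   skip                       not a regular file
# Assumption: "executable" means any of the user/group/other execute bits.

classify_service() {
    f=$1
    [ -f "$f" ] || { echo "skip"; return 0; }
    # POSIX find: prints the path only if at least one execute bit is set.
    # -H follows a symlink given on the command line.
    if [ -n "$(find -H "$f" \( -perm -100 -o -perm -010 -o -perm -001 \))" ]; then
        echo "direct"
        return 0
    fi
    first=
    IFS= read -r first < "$f" || true   # first line only; empty file is fine
    case $first in
        '#!'*/sh | '#!'*/sh' '* | '#!'*'env sh') echo "sh-legacy" ;;
        '#!'*) echo "sh-legacy-shebang-ignored" ;;
        *)     echo "sh-legacy" ;;      # e.g. a file holding just a program path
    esac
}

# audit_dir [DIR]: one "CLASS<TAB>PATH" line per entry (default /etc/qubes-rpc).
audit_dir() {
    dir=${1:-/etc/qubes-rpc}
    for entry in "$dir"/*; do
        [ -e "$entry" ] || continue
        printf '%s\t%s\n' "$(classify_service "$entry")" "$entry"
    done
}

# Usage (in a VM or dom0):  audit_dir /etc/qubes-rpc | grep -v '^direct'
```

Anything not reported as `direct` is still a callable service, so removing the execute bit does not disable it.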

Contributor

jpouellet commented Nov 11, 2016

Ah, makes sense. I was expecting that the "containing the file name of the program that will be invoked" case would fail in this case, but piping the whole thing through sh makes sense as a reasonable way to implement that behavior.

Thanks for clarifying :)

@jpouellet jpouellet closed this Nov 11, 2016
