handling suid/world-writable content #845

Closed
@cgwalters

Description

While working on ostreedev/ostree#908, I realized that flatpak's system helper could write root-owned suid binaries.

Breaking #837 out into an issue, since I think we need to do more design.

A basic problem here is we have 2 separate cases to handle:

  • Flatpak default of /var/lib/flatpak/repo (currently bare-user)
  • Endless OS case of /ostree/repo (i.e. bare)

/var case

In the original PR I was thinking of the /var/flatpak case. For that, we have two sub-options:

  • Land fixups for bare-user to suppress all this
  • Convert to bare-user-only

Either way, I think we're going to need some sort of "repository format change" mechanism. Doing a local pull between bare-user and bare-user-only unfortunately will require duplicating all of the content right now... but possibly we could teach ostree that it's fine to hardlink file content between them, and just delete all the user.ostreemeta xattrs after?

System case

Something like OSTREE_REPO_PULL_FLAGS_BAREUSERONLY_PERMS to ostree_repo_pull()? We'd error out on finding world-writable/setuid files. Also, we add a bareuser_perms flag to ostree_repo_checkout() which does the same thing as ostreedev/ostree#914 but for the bare case?
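As an added illustration of the check the issue proposes (an ostree pull or checkout that errors out when it meets world-writable or setuid content), the following Python models that permission policy over a commit's file list. This is example code written for this page, not ostree or flatpak code; the function names, the `SAMPLE_TREE` manifest and the exact policy details (no sticky-bit exemption for directories, symlinks ignored) are assumptions, not the behaviour of any real `OSTREE_REPO_PULL_FLAGS_*` flag.

```python
"""Permission-policy check modelled on the "error out on world-writable/setuid
files" behaviour proposed in the issue.  Added example, not ostree or flatpak
code: the names, the sample tree and the policy details are assumptions."""
import os
import stat
from typing import Dict, Iterable, List, Tuple


def mode_violations(mode: int) -> List[str]:
    """Return the policy violations for one st_mode value (empty list if clean).

    Only regular files are checked for setuid/setgid; symlinks always report
    0777 and are ignored.  Directories are checked for world-writability only,
    with no sticky-bit exemption, since the proposed flag is described as a
    hard error on any world-writable entry.
    """
    problems: List[str] = []
    if stat.S_ISLNK(mode):
        return problems
    if stat.S_ISREG(mode):
        if mode & stat.S_ISUID:
            problems.append("setuid")
        if mode & stat.S_ISGID:
            problems.append("setgid")
    if (stat.S_ISREG(mode) or stat.S_ISDIR(mode)) and mode & stat.S_IWOTH:
        problems.append("world-writable")
    return problems


def check_tree(entries: Iterable[Tuple[str, int]]) -> Dict[str, List[str]]:
    """Apply mode_violations to (path, st_mode) pairs; return only offenders."""
    report: Dict[str, List[str]] = {}
    for path, mode in entries:
        bad = mode_violations(mode)
        if bad:
            report[path] = bad
    return report


def scan_directory(root: str) -> Dict[str, List[str]]:
    """Walk a real checkout with lstat (never following symlinks) and report
    the entries a bareuser-only style pull would reject."""
    found: List[Tuple[str, int]] = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            found.append((os.path.relpath(full, root), os.lstat(full).st_mode))
    return check_tree(found)


def reject_commit(entries: Iterable[Tuple[str, int]]) -> bool:
    """Mimic the hard-error semantics: True if any entry violates the policy."""
    return bool(check_tree(entries))


# Constructed sample manifest (path, st_mode) standing in for a commit's
# file list; the paths are illustrative, not taken from any real image.
SAMPLE_TREE: List[Tuple[str, int]] = [
    ("usr/bin/bash", 0o100755),           # ordinary executable: fine
    ("usr/bin/sudo", 0o104755),           # setuid binary: rejected
    ("usr/bin/wall", 0o102755),           # setgid binary: rejected
    ("usr/share/scratch.txt", 0o100666),  # world-writable file: rejected
    ("usr/lib/libc.so", 0o120777),        # symlink, mode is meaningless: fine
    ("var/tmp", 0o041777),                # world-writable sticky dir: rejected
    ("etc", 0o040755),                    # normal directory: fine
]


if __name__ == "__main__":
    for path, problems in check_tree(SAMPLE_TREE).items():
        print(f"{path}: {', '.join(problems)}")
    print("commit rejected" if reject_commit(SAMPLE_TREE) else "commit accepted")
```

`scan_directory` is the same policy applied to an on-disk checkout via `os.lstat`, which is the shape a pre-deploy check for the `/ostree/repo` (bare) case would take; the in-memory manifest path is what a pull-time check sees before anything is written as root.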
