New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
tmpfiles: chown after chmod removes setuid bit #12354
Comments
Crude workaround is to list your desired changes twice in the file (or wait for a reboot). |
Using tmpfiles to change the suid bit seems pretty strange. What's the real use case here? |
Nullmailer package on Arch: https://git.archlinux.org/svntogit/community.git/tree/trunk/nullmailer.tmpfiles?h=packages/nullmailer It is a simple relay only mailer that has a local queue. The executable must be run as the user owning the spool folder for the queue. |
The use case is distribution packaging for non-root binaries. There are two ways to package a non-root binary: reserve a UID for all of eternity, or use a post-install process via sysusers.d to create the user, then tmpfiles.d to correct the ownership after the user was dynamically allocated. If that binary is also meant to be suid, then the suid bit needs to be reset too. ... Is this a general "why would you ever use suid, ever" question? |
I see. Generally people use tmpfiles.d for stuff that needs to happen on every boot. It would be very strange to change the suid bit on some file on every boot. For stuff that only needs to be done once per package install, package managers usually have their own hooks you can utilize to call arbitrary commands (like chmod/chown). I don't think I have ever seen tmpfiles.d used in quite this way. |
Well, it is already there to create a bunch of directories in /var... and there is already a hook for tmpfiles.d, this means a single unified hook can handle many actions, rather than executing a shellscript for each package. |
Sure, it just didn't occur to me. It seems like it would be fairly simple to re-order the chown before the chmod, but I'm not sure if that introduces any security risks, or would cause any other problems. That probably requires a little bit of thought. |
Since the whole problem is that chown clears the suid bit, it should still clear it when the action is reordered. So no one else should be able to surprisingly run things with suid the-new-user, if the suid it is meant to be cleared anyway. As for read/write permissions, the owner can already do what they want. But if the group permission is being cleared, I guess that would be a problem. Maybe it could always set the permissions twice, once before and once after. Or do better accounting, e.g. detect if the permission bit includes suid and save that in order to perform the operation after the chown. |
Relevant security example: The file is initially owned by Currently we first change the permissions to |
Otherwise chown() will drop SUID/SGID bits again, which users might want to set explicitly. Fixes: systemd#12354
chown() might drop the suid/sgid bit from files. hence let's chmod() after chown(). But also, let's tighten the transition a bit: before issuing chown() let's set the file mask to the minimum of the old and new access bitmask, so that at no point in time additional privs are available on the file with a non-matching ownership. Fixes: systemd#12354
Fix waiting in #12431. ptal |
chown() might drop the suid/sgid bit from files. hence let's chmod() after chown(). But also, let's tighten the transition a bit: before issuing chown() let's set the file mask to the minimum of the old and new access bitmask, so that at no point in time additional privs are available on the file with a non-matching ownership. Fixes: systemd#12354
chown() might drop the suid/sgid bit from files. hence let's chmod() after chown(). But also, let's tighten the transition a bit: before issuing chown() let's set the file mask to the minimum of the old and new access bitmask, so that at no point in time additional privs are available on the file with a non-matching ownership. Fixes: systemd#12354
work around FS#62404 and systemd/systemd#12354
chown() might drop the suid/sgid bit from files. hence let's chmod() after chown(). But also, let's tighten the transition a bit: before issuing chown() let's set the file mask to the minimum of the old and new access bitmask, so that at no point in time additional privs are available on the file with a non-matching ownership. Fixes: systemd#12354
work around FS#62404 and systemd/systemd#12354 git-svn-id: file:///srv/repos/svn-community/svn@452050 9fca08f4-af9d-4005-b8df-a31f2cc04f65
systemd version the issue has been seen with
Used distribution
Expected behaviour you didn't see
Unexpected behaviour you saw
Steps to reproduce the problem
systemd-tmpfiles --create
. The tmpfile now has the correct owner, but no setuid bit.systemd-tmpfiles --create
again. Now also the setuid bit is set.The interesting excerpt from
strace
is:As you can see,
systemd-tmpfiles
first sets the permissions and then changes the owner. But chown implicitly resets the setuid bit.The text was updated successfully, but these errors were encountered: