Allow tmpfiles to create files in a root under an unprivileged directory #11820
Conversation
|
looks OK, but could you add a unit test for the changes to chase_symlinks() for this? The behaviour on that looks right to me, but I'd really like to see some testing applied to tha, since it's not obvious to see. |
|
I've added some tests, which I think pass correctly. The failed CI checks appear to have had the same errors on other PRs. I've also added an |
martinpitt
added
the
ci-fails/needs-rework 🔥
|
This seems to add an extra |
|
FTR, that "somewhere" is |
|
@martinpitt I looked at the CI results for the last merged PR, which was merged with the same error: #11827 Looking at the change in the PR, it seems to be the likely cause. |
|
Indeed #11829 has the same error, sorry for the wrong blame. Removing label again. |
martinpitt
removed
the
ci-fails/needs-rework 🔥
|
looks good, but one typecast nitpick. please fix, will merge then. |
poettering
added
the
reviewed/needs-rework 🔨
When chase_symlinks is given a root path, it is assumed that all processed symlinks are restricted under that path. It should not be necessary to verify components of that prefix path since they are not relevant to the symlinks. This change skips unsafe UID transitions in this root prefix, i.e. it now ignores when an unprivileged user's directory contains a root-owned directory above the symlink root.
This informs chase_symlinks that symlinks should be treated as if the path given by --root= is the root of their file system. With the parent commit, this allows tmpfiles to create files as the root user under a prefix that may be owned by an unprivileged user. In particular, this fixes the case where tmpfiles generates initial files in a staging root directory for packaging under a directory owned by the unprivileged packager user (e.g. in Gentoo).
This verifies the fix for the issue described in: #11820
This verifies the fix for the issue described in: #11820
|
hmm, please always add a comment when you push a new version onto an existing PR. for some reasons github doesn't notify us about that in many cases, so we never notice... |
poettering
removed
the
reviewed/needs-rework 🔨
This verifies the fix for the issue described in: systemd/systemd#11820
I hit a problem with building packages that run tmpfiles to generate the initial package contents in Gentoo, where parent directories are created but not the files themselves. The issue started for copying files at 16ba55a, creating directories at 4c39d89, etc. It turns out to be due to symlink safety checks that prevent running in a root-owned directory under a directory owned by an unprivileged user, which happens to be the case here:
/var/tmp/portage/$PACKAGE= user-owned working directory for packaging/var/tmp/portage/$PACKAGE/image= root-owned staging directory with final installed file permissionsThis also happens if you try to set up a new disk image manually in a non-root-owned directory. Here is a minimal reproducer of this:
Note it prints an error and creates the parents
/a/bbut not the full/a/b/c.Here are some changes that attempt to work around it. The only change necessary for the problems I encountered is in
path_open_parent_safe, but I've adjustedchase_symlinkselsewhere in tmpfiles so it has consistent behavior. I'm not very familiar with this code, so if this solution turns out to be unusable, I can close the PR and open an issue instead.