fix(bundler): In .deb packages, set uid=0 for all files #7980

Merged
merged 1 commit into from
Oct 16, 2023

Contributor

@olivierlemasle olivierlemasle commented Oct 7, 2023

What kind of change does this PR introduce?

  • Bugfix
  • Feature
  • Docs
  • New Binding issue #___
  • Code style update
  • Refactor
  • Build-related changes
  • Other, please describe:

Does this PR introduce a breaking change?

  • Yes, and the changes were approved in issue #___
  • No

Checklist

  • When resolving issues, they are referenced in the PR's title (e.g fix: remove a typo, closes #___, #___)
  • A change file is added if any packages will require a version bump due to this PR per the instructions in the readme.
  • I have added a convincing reason for adding this feature, if necessary

Other information

This solves one of the issues reported in #7074:

lintian (the Debian package linter) reported these errors:

E: tauri-app: control-file-has-bad-owner 1000/1000 != root/root (or 0/0) [md5sums]
...
E: tauri-app: wrong-file-owner-uid-or-gid 1000/1000 [usr/]
E: tauri-app: wrong-file-owner-uid-or-gid 1000/1000 [usr/bin/]
E: tauri-app: wrong-file-owner-uid-or-gid 1000/1000 [usr/bin/tauri-app]
...

The Debian package file contains two archive files (control.tar.gz and data.tar.gz) which are created with file metadata copied from the build filesystem: mode, time, uid, gid, etc.

That caused the package to use the uid of the build user (typically an unprivileged user with uid 1000) instead of the root user as required.

With this commit, the metadata are still copied, except for uid and gid, which are overridden and set to 0 (=root).
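A check for the condition lintian reported above, as an added example that is not part of the original PR or the Tauri code base: it walks the ar container of a .deb, opens `control.tar.*` and `data.tar.*`, and lists every entry whose owner is not 0/0. It is written in Python rather than the bundler's Rust so that it runs on the standard library alone; `build_deb` is a hypothetical helper that constructs a sample package in memory.

```python
import io
import tarfile

AR_MAGIC = b"!<arch>\n"

def ar_members(blob):
    """Yield (name, data) for each member of an ar archive (the .deb container)."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos = len(AR_MAGIC)
    while pos + 60 <= len(blob):
        header = blob[pos:pos + 60]  # name16 mtime12 uid6 gid6 mode8 size10 magic2
        if header[58:60] != b"`\n":
            raise ValueError("bad ar member header")
        name = header[:16].decode().strip().rstrip("/")
        size = int(header[48:58].decode())
        yield name, blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)  # member data is padded to an even offset

def non_root_entries(deb_blob):
    """Return (archive, path, uid, gid) for every tar entry not owned by 0/0."""
    findings = []
    for name, data in ar_members(deb_blob):
        if not name.startswith(("control.tar", "data.tar")):
            continue  # debian-binary is a plain version marker, not a tarball
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
            for entry in tar:
                if entry.uid != 0 or entry.gid != 0:
                    findings.append((name, entry.name, entry.uid, entry.gid))
    return findings

def build_deb(uid, gid):
    """Constructed sample: a minimal .deb whose tar entries carry the given owner."""
    def tar_gz(paths):
        buf = io.BytesIO()
        with tarfile.open(fileobj=buf, mode="w:gz") as tar:
            for path in paths:
                info = tarfile.TarInfo(path)
                info.uid, info.gid = uid, gid  # the field the fix forces to 0
                tar.addfile(info)  # zero-length regular file
        return buf.getvalue()
    def ar_member(name, data):
        header = f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n"
        return header.encode() + data + b"\n" * (len(data) % 2)
    return (AR_MAGIC + ar_member("debian-binary", b"2.0\n")
            + ar_member("control.tar.gz", tar_gz(["md5sums"]))
            + ar_member("data.tar.gz", tar_gz(["usr/bin/tauri-app"])))

if __name__ == "__main__":
    print(non_root_entries(build_deb(1000, 1000)))
```

To check a real package, pass the bytes of the `.deb` file to `non_root_entries`; an empty list means every entry is owned by root.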

@FabianLars
Member

Thanks for the PR! Since we didn't merge 1.x back into dev yet (should happen once the 1.5 release calmed down a bit) I think this should target the 1.x branch instead so 1.x users get the fix faster.

In Debian packages, set `root` as the owner of control files and package
files (uid=0, gid=0).
@olivierlemasle
Contributor Author

Thanks @FabianLars, I've rebased the PR to target branch 1.x.

Member

@FabianLars FabianLars left a comment

Thank you!

@lucasfernog lucasfernog added the security: needs audit This issue/PR needs a security audit label Oct 11, 2023
@tweidinger tweidinger added security: reviewed This issue/PR has been review by wg-security and removed security: needs audit This issue/PR needs a security audit labels Oct 16, 2023
@tweidinger
Contributor

Thanks for this security relevant improvement 👍

@lucasfernog lucasfernog merged commit 113bcd7 into tauri-apps:1.x Oct 16, 2023
1 check passed
@olivierlemasle olivierlemasle deleted the fix-dev branch October 16, 2023 11:47
amr-crabnebula added a commit to crabnebula-dev/cargo-packager that referenced this pull request Oct 18, 2023
Port of tauri-apps/tauri#7980

Co-authored-by: Olivier Lemasle <o.lemasle@gmail.com>