Your message dated Fri, 7 Jun 2019 13:50:35 -0300
with message-id <[email protected]>
and subject line Re: Bug#917223: bug 917223: partial explanation
has caused the Debian Bug report #917223,
regarding wrong rights when running a sequence of multiple commands in SHELL 
and EUID/EGID
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
917223: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=917223
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: ruby
Version: 2.5.3-3

Sample test script:
====
#!/usr/bin/ruby

Process::Sys.setegid 1000
Process::Sys.seteuid 1000


out = `mkdir -p bar`
out = `cd . ; mkdir -p foo`
====

bar is owned by uid/gid 1000
foo is owned by root


Or another example:

puts IO.popen("cd .; mkdir test", err: [:child, :out]).readlines.join("")
puts IO.popen("cd .; mkdir test2", err: [:child, :out]).readlines.join("")

test is owned by uid/gid 1000
test2 is owned by root

--- End Message ---
--- Begin Message ---
On Thu, Jun 06, 2019 at 06:57:49PM +0100, John Hagemeister wrote:
> The first test case is readily reproducible (buster=1:2.5.1) with the
> executable script invoked by root.
> 
> The surprising difference in directory ownership can likely be explained by
> the absence/presence of a semicolon:
> https://ruby-doc.org/core-2.5.1/Kernel.html#method-i-exec
> 
> Merely adding a trailing semicolon, i.e. `...bar;` changes the process
> hierarchy and resulting directory ownership;  compare and contrast using
> strace -ff -o /tmp/repro -e process ./repro.rb
> 
> Whenever /bin/sh occurs in the process hierarchy between the Ruby
> interpreter and the actual shell command then the EUID/EGID settings appear
> to be dropped.  However, beyond this clarification, I offer no opinion on
> whether the observed behaviour constitutes a bug or a security feature.

Thanks for looking into it.

This is very unlikely to be solved specifically in Debian, and it is
probably a feature, not a bug. Therefore, I'm closing this bug report.



--- End Message ---
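
Added example, not part of the bug report or of Ruby's own code: the test script changes only the effective IDs (seteuid/setegid), so the real IDs are still root's. The hypothetical helpers below report that split, show the effective UID a child sees with and without /bin/sh in between, and perform a permanent drop with Process::UID.change_privilege and Process::GID.change_privilege.

```ruby
# Added example; helper names are hypothetical, not from the report.

# Real vs. effective IDs of the current process. Process::Sys.seteuid and
# setegid change only the effective half of each pair.
def identity
  { ruid: Process.uid, euid: Process.euid,
    rgid: Process.gid, egid: Process.egid }
end

# True when real and effective IDs differ, as they do in the report's script.
def split_identity?
  id = identity
  id[:ruid] != id[:euid] || id[:rgid] != id[:egid]
end

# Effective UID seen by a child process, launched two ways:
#   :direct    - argv array, Ruby execs `id` itself, no /bin/sh in between
#   :via_shell - string with a semicolon (as in the report), run through /bin/sh
def child_euid
  {
    direct:    IO.popen(%w[id -u], &:read).strip,
    via_shell: IO.popen("cd . ; id -u", &:read).strip
  }
end

# Permanent drop: sets real, effective and saved IDs, so no child process
# has root IDs left to fall back to. Groups go first, while still privileged.
def drop_permanently(uid, gid)
  Process.groups = [gid]
  Process::GID.change_privilege(gid)
  Process::UID.change_privilege(uid)
  return unless split_identity? || Process.euid != uid || Process.egid != gid
  raise "privilege drop incomplete"
end

# Read-only report; changes nothing.
if __FILE__ == $PROGRAM_NAME
  puts "ids: #{identity} split: #{split_identity?}"
  puts "child euid: #{child_euid}"
end
```

Run as root, calling drop_permanently(1000, 1000) in place of the script's two seteuid/setegid lines (1000 is the uid/gid used in the report) leaves no split, and child_euid then reports the same value for both launch forms.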
