Hi Stefan, You're absolutely right, I was building the package as root inside a docker container, mostly as a one-off kind of build to add some debugging information. I tried using fakeroot instead, and it masked the problem as you mentioned, as the file at the end still has the setuid bit, even though it has changed group (and the same happens if the owner is changed):
jvperrin@fireball:~$ fakeroot /bin/bash root@fireball:~# touch test.txt root@fireball:~# ls -l test.txt -rw-r--r-- 1 root root 0 Jun 2 13:08 test.txt root@fireball:~# chmod 4754 test.txt root@fireball:~# ls -l test.txt -rwsr-xr-- 1 root root 0 Jun 2 13:08 test.txt* root@fireball:~# chgrp nogroup test.txt root@fireball:~# ls -l test.txt -rwsr-xr-- 1 root nogroup 0 Jun 2 13:08 test.txt* If I do the same without fakeroot, it loses the setuid bit (as it should): jvperrin@fireball:~$ sudo -i root@fireball:~# touch test.txt root@fireball:~# ls -l test.txt -rw-r--r-- 1 root root 0 Jun 2 13:11 test.txt root@fireball:~# chmod 4754 test.txt root@fireball:~# ls -l test.txt -rwsr-xr-- 1 root root 0 Jun 2 13:11 test.txt* root@fireball:~# chgrp nogroup test.txt root@fireball:~# ls -l test.txt -rwxr-xr-- 1 root nogroup 0 Jun 2 13:11 test.txt* This suggests to me that this is indeed a problem with fakeroot, not with this package, although I do still think the patch I included on this bug report could be helpful as it wouldn't change the behavior when it fakeroot and fixes the issue if anyone else is building manually outside of fakeroot. Looking at fakeroot's bug reports, it's already been reported almost a decade ago (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=497109). It hasn't had any activity since then, so that's unfortunate, I'll try and follow up there. Thank you for your help, that was very useful! On Sat, Jun 2, 2018 at 1:35 AM Stefan Fritsch <s...@sfritsch.de> wrote: > > On Saturday, 2 June 2018 02:06:10 CEST Jason Perrin wrote: > > > This appears to be a problem in the source for this package, on the master > > branch, as well as on separate branches for different distros: > > https://salsa.debian.org/apache-team/apache2/blob/master/debian/rules#L148-1 > > 53 I'm not sure how this has worked properly to produce packages, since the > > last change to that section was 6 years ago, so I'm a bit confused on that > > point. > > > That's weird because it seems all distributed packages in the last 6 years > have the correct permissions. Do you build the package as root? Usually > packages are built as non-root user using fakeroot. Maybe fakeroot is not > being faithful to the real kernel behavior and hides the bug. > > Cheers, > Stefan > > >