Bug#942114: cache fails to store capabilities correctly
On 2019-10-10 11:17:24, Antoine Beaupré wrote:
> Control: tags -1 +patch
>
> Here's a patch to fix this, also available in:
>
> https://salsa.debian.org/ganeti-team/ganeti-instance-debootstrap/merge_requests/1

I'm thinking of doing a NMU of this patch to unstable within the next month if no one else comments here. From there, if/when the package trickles down to testing, I'll ask the release team to get the update down into stable as well.

A.

-- 
Nature has created neither masters nor slaves
I want neither to give nor to receive laws.
                        - Denis Diderot
Bug#942114: cache fails to store capabilities correctly
Control: tags -1 +patch Here's a patch to fix this, also available in: https://salsa.debian.org/ganeti-team/ganeti-instance-debootstrap/merge_requests/1 -- You are absolutely deluded, if not stupid, if you think that a worldwide collection of software engineers who can't write operating systems or applications without security holes, can then turn around and suddenly write virtualization layers without security holes. - Theo de Raadt >From cd34bcc48a2af92f484535b81fba2d46dad1dbb6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= Date: Thu, 10 Oct 2019 11:07:51 -0400 Subject: [PATCH] respect Linux capabilities(7) in cache The default GNU tar configuration does not carry fancy extended attributes and that is where, among other things, stuff like Linux capabilities(7) are stored. This is kind of important because that's how ping(8) works for regular users. We shove --selinux and --acls in there while we're at it, because why not. We never know what the future might bring, and it seems silly *not* to create a complete archive. Note that --xattrs-include='*' is important because, by default, GNU tar will not include capabilities /even/ if --xattrs is specified on the commandline, see this bug report for details: https://bugzilla.redhat.com/show_bug.cgi?id=771927 --- create | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/create b/create index 607bab2..7526e71 100755 --- a/create +++ b/create @@ -83,7 +83,7 @@ if [ "$CLEAN_CACHE" -a -d "$CACHE_DIR" ]; then fi if [ -f "$CACHE_FILE" ]; then - tar xf "$CACHE_FILE" -C $TMPDIR + tar --acls --selinux --xattrs --xattrs-include='*' -x -f "$CACHE_FILE" -C $TMPDIR else if [ "$PROXY" ]; then export http_proxy="$PROXY" @@ -109,7 +109,7 @@ else if [ "$GENERATE_CACHE" = "yes" ]; then TMP_CACHE=`mktemp "${CACHE_FILE}.XX"` -tar cf "$TMP_CACHE" -C $TMPDIR . +tar --acls --selinux --xattrs --xattrs-include='*' -c -f "$TMP_CACHE" -C $TMPDIR . mv -f "$TMP_CACHE" "$CACHE_FILE" fi fi -- 2.20.1
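Review bot: In the first hunk, the `if [ -f "$CACHE_FILE" ]` branch will still unpack a cache that was written by the old `tar cf`, and such an archive holds no xattr records, so the new extraction flags have nothing to restore and instances built from an existing cache keep a ping without cap_net_raw. Suggest stating in the commit message or the package NEWS that caches generated before this change must be removed (the CLEAN_CACHE path is right above this branch), or changing the cache file name so old archives are not picked up. The `-C $TMPDIR` on the new line is also left unquoted while `"$CACHE_FILE"` is quoted; quoting it here would be consistent.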
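Review bot: The option list `--acls --selinux --xattrs --xattrs-include='*'` in the second hunk is a verbatim copy of the one on the extraction line, so a later edit to one call can leave the other behind and the cache would again be written with attributes that extraction does not restore, or the reverse. Suggest defining the options once in a variable near the top of `create` and using it in both tar calls, with a short comment beside it repeating the commit message's point that `--xattrs` alone does not include capabilities, since that reasoning currently exists only in the commit log.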
Bug#942114: cache fails to store capabilities correctly
Package: ganeti-instance-debootstrap
Version: 0.16-6
Severity: grave

It seems that ganeti-instance-debootstrap fails to properly cache the filesystem after the first creation. This leads to stuff like `/usr/bin/ping` having the wrong permissions.

On a healthy system, installed without caching, it looks like this:

    root@test01:~# getcap /usr/bin/ping
    /usr/bin/ping = cap_net_raw+ep
    root@test01:~#

But if that instance is removed and recreated, it then looks like this:

    root@test01:~# getcap /usr/bin/ping
    root@test01:~#

This is "grave" because capabilities are a serious issue. There could be suid files that are restricted by capabilities (or the opposite). We just don't quite know and this looks really wrong. At best it makes ping unusable by regular users, and that's still a serious issue.

Inspection of the cache file confirms the capabilities are not stored correctly:

    root@fsn-node-02:~# tar fx /var/cache/ganeti-instance-debootstrap/cache-buster-amd64.tar ./usr/bin/ping
    root@fsn-node-02:~# getcap ./usr/bin/ping
    root@fsn-node-02:~#

A.

-- System Information:
Debian Release: 10.1
  APT prefers stable-debug
  APT policy: (500, 'stable-debug'), (500, 'stable'), (1, 'experimental'), (1, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-6-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8), LANGUAGE=fr_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages ganeti-instance-debootstrap depends on:
ii  debootstrap  1.0.114
ii  dump         0.4b46-5
ii  e2fsprogs    1.44.5-1+deb10u2
ii  fdisk        2.33.1-0.1
ii  kpartx       0.7.9-3
ii  util-linux   2.33.1-0.1

ganeti-instance-debootstrap recommends no packages.

ganeti-instance-debootstrap suggests no packages.

-- debconf-show failed
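An added example, not part of the report or of ganeti-instance-debootstrap: a check that inspects a cache tarball for capability records without extracting it as root and running getcap. GNU tar stores extended attributes as PAX `SCHILY.xattr.<name>` records; the function names are hypothetical and both archives are constructed in memory, one as plain `tar cf` would write it and one carrying cap_net_raw+ep.

```python
import io
import struct
import tarfile

CAP_KEY = "SCHILY.xattr.security.capability"  # PAX record GNU tar writes for this xattr
CAP_NET_RAW = 13  # bit number from linux/capability.h


def decode_vfs_cap(raw):
    """Decode a revision 2/3 vfs_cap_data blob into (effective, permitted bit numbers)."""
    if len(raw) < 20:
        raise ValueError("unsupported capability blob (revision 1 or truncated)")
    magic, perm_lo, _inh_lo, perm_hi, _inh_hi = struct.unpack("<5I", raw[:20])
    permitted = perm_lo | (perm_hi << 32)
    return bool(magic & 1), [b for b in range(64) if (permitted >> b) & 1]


def capabilities_in_archive(fileobj):
    """Return {member name: decoded capability} for members that carry the record."""
    found = {}
    with tarfile.open(fileobj=fileobj, mode="r:") as tar:
        for member in tar:
            value = member.pax_headers.get(CAP_KEY)
            if value is not None:
                # tarfile hands the value back as str; recover the raw bytes
                raw = value.encode("utf-8", "surrogateescape")
                found[member.name] = decode_vfs_cap(raw)
    return found


def build_cache(with_xattrs):
    """Constructed stand-in for the cache tarball: a single ./usr/bin/ping entry."""
    # cap_net_raw+ep: revision 2 magic with the effective flag, then permitted bits
    blob = struct.pack("<5I", 0x02000001, 1 << CAP_NET_RAW, 0, 0, 0)
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT) as tar:
        info = tarfile.TarInfo("./usr/bin/ping")
        info.mode = 0o755
        if with_xattrs:
            info.pax_headers = {CAP_KEY: blob.decode("latin-1")}
        tar.addfile(info)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    print("plain archive:", capabilities_in_archive(build_cache(False)))
    print("xattr archive:", capabilities_in_archive(build_cache(True)))
```

To run it against a real cache, pass `open(path, "rb")` to `capabilities_in_archive`; an empty result for an image that ships ping means the archive was written without xattrs.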