Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

lib/repo: For bare-user, make repo modes mirror checkout user-mode #908

Closed
wants to merge 3 commits into from
Closed

lib/repo: For bare-user, make repo modes mirror checkout user-mode #908

wants to merge 3 commits into from

Conversation

cgwalters
Copy link
Member

Having every object in a bare-user repo (and checkouts) be executable
is ugly. I can't think of a good reason to do that. So make
the committed mode semantics mirror that for user-mode checkouts; we
strip suid/sgid bits.

However, we also do ensure that the written files are read/writable by the
owning user, since otherwise we couldn't do anything to them. I'm not aware of
any real use cases for non-readable/non-writable by owner files in ostree.

Closes: #907

@cgwalters cgwalters mentioned this pull request Jun 5, 2017
Closed
@cgwalters
Copy link
Member Author

cgwalters commented Jun 5, 2017
edited
Loading

Oh, interesting. So this started failing in bare-user-only because the test suite does:

$OSTREE checkout test2-override checkout-test2-override
test -g checkout-test2-override/a/nested/2

For bare-user, because we weren't passing -U we ended up with a copy. For bare-user-only, we suddenly started dropping suidness.

@alexlarsson - do you want ostree to preserve suid files in bare-user-only? It seems like a bad idea, no? Hmm, couldn't an app write a setuid root file via the system helper today?

@alexlarsson
Copy link
Member

No that sounds pretty bad. We probably want to strip setuid in bare-user-only repos (i.e. lose fidelity for such objects).

cgwalters added a commit to cgwalters/flatpak that referenced this pull request Jun 6, 2017
@cgwalters
build-export: Filter out sgid and world-writable content too
aa319b4 
These are both just bad ideas.  See also
ostreedev/ostree#908
@cgwalters
Copy link
Member Author

I wrote flatpak/flatpak#837 - let's discuss this there.

cgwalters added a commit to cgwalters/ostree that referenced this pull request Jun 6, 2017
@cgwalters
Canonicalize bare-user-only perms with 0755 mask
a8eaf0d 
For the flatpak use case where bare-user-only was introduced, we actually
don't want to support s{u,g} id files in particular.

Actually, I can't think of a reason to have anything outside of the
`0755 i.e. (u=rwx,g=rx,o=rx)` mask, so that's what we do here.

This will have the effect of treating existing `bare-user-only` repositories as
corrupted if they have files outside of that mask, but I think we should do this
now; most of the flatpak users will still be on `bare-user`, and we haven't
changed the semantics of that mode yet.

Note that in this patch we will also *reject* file content that doesn't
match this.  This is somewhat asymmetric, since we aren't similarly rejecting
e.g. directory metadata.  But, this will close off the biggest source
of the problem for flatpak (setuid binaries).

See: ostreedev#908
See: flatpak/flatpak#837
@cgwalters cgwalters mentioned this pull request Jun 6, 2017
Closed
@alexlarsson alexlarsson mentioned this pull request Jun 7, 2017
Merged
rh-atomic-bot pushed a commit that referenced this pull request Jun 7, 2017
@cgwalters @rh-atomic-bot
Canonicalize bare-user-only perms with 0755 mask
0c4b3a2 
For the flatpak use case where bare-user-only was introduced, we actually
don't want to support s{u,g} id files in particular.

Actually, I can't think of a reason to have anything outside of the
`0755 i.e. (u=rwx,g=rx,o=rx)` mask, so that's what we do here.

This will have the effect of treating existing `bare-user-only` repositories as
corrupted if they have files outside of that mask, but I think we should do this
now; most of the flatpak users will still be on `bare-user`, and we haven't
changed the semantics of that mode yet.

Note that in this patch we will also *reject* file content that doesn't
match this.  This is somewhat asymmetric, since we aren't similarly rejecting
e.g. directory metadata.  But, this will close off the biggest source
of the problem for flatpak (setuid binaries).

See: #908
See: flatpak/flatpak#837

Closes: #909
Approved by: alexlarsson
@cgwalters
lib/repo: For bare-user, mask content object modes with 0775
5f31f90 
Having every object in a bare-user repo (and checkouts) be executable
is ugly.  I can't think of a good reason to do that; they should only
be executable if their input is.  This does
for `bare-user` what we did for `bare-user-only` in
ostreedev#909
It's also a stronger version of what we do with `checkout -U` in suppressing
suid - here we also strip world-writable files and the sticky bit (even though
that's meaningless today, it might not be in the future).

Closes: ostreedev#907
@cgwalters
Copy link
Member Author

cgwalters commented Jun 7, 2017
edited
Loading

OK, updated this based on discussion in #907
Tests should pass now that we also fixed the bare-user-only suid bits in #909

@cgwalters
Copy link
Member Author

Argh, running into umask issues - at least in Fedora unprivileged users get 002, but it looks like our Docker containers get 022. Added a fixup ⬆️

@alexlarsson
Copy link
Member

@rh-atomic-bot r+ 8fadd15

@rh-atomic-bot
Copy link

⌛ Testing commit 8fadd15 with merge 5913b22...

@rh-atomic-bot
Copy link

☀️ Test successful - status-atomicjenkins
Approved by: alexlarsson
Pushing 5913b22 to master...

@cgwalters cgwalters mentioned this pull request Jun 19, 2017
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@cgwalters @alexlarsson @rh-atomic-bot