[Bug 784670] New: RPM macro %fdupes links files with different owner, group, or permissions
https://bugzilla.novell.com/show_bug.cgi?id=784670

Summary: RPM macro %fdupes links files with different owner, group, or permissions
Classification: openSUSE
Product: openSUSE.org
Version: unspecified
Platform: All
OS/Version: SUSE Other
Status: NEW
Severity: Major
Priority: P5 - None
Component: BuildService
AssignedTo: mvyskocil@suse.com
ReportedBy: jsmeix@suse.com
QAContact: adrian@suse.com
CC: security-team@suse.de
Found By: Development
Blocker: ---

/usr/bin/fdupes finds files with identical content but does not care about owner, group, or permissions. Accordingly the RPM macro %fdupes links files with identical content but does not care about owner, group, or permissions.

When there are two files with identical content which differ in owner, group, or permissions the RPM macro %fdupes overwrites one of them with a link which effectively lets the two files have the same owner, group, and permissions.

I think this is even a security issue. I think it can happen that a file with restricted permissions (e.g. a file in another sub-directory with restricted permissions) becomes accessible via an unrestricted accessible link?

E.g. assume there are two files with identical content

-rw-r--r-- root root /etc/secure-stuff.conf
-rw-rw-rw- root root /usr/share/doc/package/secure-stuff.conf-example

and the RPM macro %fdupes overwrites /etc/secure-stuff.conf by a link (I know "-rw-rw-rw- root root" should not happen, it is only meant as a simple example to show the idea behind).

I added our security team to Cc to have a look.

The RPM macro %fdupes should be enhanced by a test that additionally compares owner, group, and permissions and only links files with identical content, owner, group, and permissions including owner, group, and permissions of all (parent) directories.

As far as I see this issue affects the build of all our products. Therefore I filed the bug report for "BuildService" (and not just as a normal bug for the fdupes package) but I assigned it to the fdupes package bugowner.

-- 
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
--- Comment #1 from Michal Vyskocil
--- Comment #2 from Michal Vyskocil
> The RPM macro %fdupes should be enhanced by a test that additionally compares owner, group, and permissions and only link files with identical content, owner, group, and permissions including owner, group, and permissions

That's a trivial change - just add a few lines into fdupes.c

> of all (parent) directories.

OK, that's not that easy - we can't compare the lists of uid:gid:mode from the path as paths can be different. We cannot use sets as there is a counter-example:

/user-dir/root-dir/same-file
/root-dir/user-dir/same-file

Thus we might create a list of the uid:gid:mode from the path, call uniq and compare the results. That one seems to be more easily writable in bash ... however I am not sure if the effort is not pointless - are there any occurrences of it in our packages?
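An added example, not fdupes' own code and not the fix that was later shipped, of the check comment #0 asks for and the ordered uid:gid:mode chain with uniq that comment #2 sketches: content duplicates are found like fdupes -r, but a pair is only marked safe to link when the two files and their directory chains agree. The temporary buildroot and its file names are constructed to mirror the reporter's example.

```python
import hashlib
import os
import tempfile

def _attrs(path):
    """(uid, gid, permission bits) of one path; symlinks are not followed."""
    st = os.lstat(path)
    return (st.st_uid, st.st_gid, st.st_mode & 0o7777)

def _dir_chain(path, root):
    """uid:gid:mode of each directory from file up to root, consecutive repeats collapsed ('uniq')."""
    chain, d = [], os.path.dirname(path)
    while True:
        if not chain or chain[-1] != _attrs(d):
            chain.append(_attrs(d))
        if os.path.samefile(d, root):
            return tuple(chain)
        d = os.path.dirname(d)

def safe_to_link(a, b, root):
    """Link only when both files and their directory chains agree on uid/gid/mode."""
    return _attrs(a) == _attrs(b) and _dir_chain(a, root) == _dir_chain(b, root)

def plan_links(root):
    """Group regular files by content (like fdupes -r); return sorted (kept, dup, safe) triples."""
    by_hash = {}
    for dirpath, _, names in os.walk(root):
        for p in (os.path.join(dirpath, n) for n in names):
            if os.path.isfile(p) and not os.path.islink(p):
                with open(p, "rb") as fh:
                    by_hash.setdefault(hashlib.sha256(fh.read()).hexdigest(), []).append(p)
    groups = (sorted(g) for g in by_hash.values() if len(g) > 1)
    return sorted((os.path.relpath(g[0], root), os.path.relpath(d, root),
                   safe_to_link(g[0], d, root)) for g in groups for d in g[1:])

def demo():
    """Constructed buildroot mirroring the report: same content, 0644 vs 0666."""
    root = tempfile.mkdtemp()
    files = {"etc/secure-stuff.conf": (b"secret", 0o644),
             "usr/share/doc/package/secure-stuff.conf-example": (b"secret", 0o666),
             "usr/share/doc/package/README": (b"readme", 0o644),
             "usr/share/doc/package/copy/README": (b"readme", 0o644)}
    for rel, (data, mode) in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
        os.chmod(full, mode)
    return plan_links(root)
```

The secure-stuff pair is reported as unsafe because the modes differ, while the two README copies are safe since their files and (collapsed) directory chains match despite different depths.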
--- Comment #3 from Johannes Meixner
--- Comment #4 from Michal Vyskocil
--- Comment #5 from Johannes Meixner
--- Comment #6 from Michal Vyskocil
> Many thanks for the fast response!
>
> Because I provide HPLIP in the Printing project also for older products like SLE_11, SLE_11_SP1, SLE_11_SP2 I cannot use "fdupes -p" (I must work with what I get in the build environments).

That's not hard - if you have the useforbuild option enabled, just link the fdupes package from openSUSE:Factory to your project (and limit the build on older distributions) once the fixed version appears here. Then the fixed package will be installed in your buildroot and -p will be used automatically.

> Regarding complete path checking:
>
> I think the security experts should decide this because this is too complicated for me - e.g. what about if there are links in the path or what about different filesystems under different paths with different capabilities regarding access permissions e.g. ACLs or such stuff...

Sure - that's still an open question to @security-team.

> Regarding %fdupes links across sub-package boundaries:
>
> One more reason to have this issue reported under "BuildService" to have them at least aware of the issue.
>
> rpmlint does not show a dangling symlink warning in any case when there are links across sub-package boundaries.

Can I ask you to split this particular issue into a separate bug? You can simply clone this one and limit it to the dangling symlink problem. I'll move this one to Factory then.
--- Comment #7 from Johannes Meixner
--- Comment #8 from Bernhard Wiedemann
--- Comment #9 from Marcus Meissner
--- Comment #10 from Bernhard Wiedemann
Marcus Meissner
--- Comment #11 from Bernhard Wiedemann
--- Comment #12 from Michal Vyskocil
> Can we identify the affected packages of case 1 mixed permissions/ownerships?

Store all build logs from Factory, trigger the complete rebuild and review the rpmlint warnings for duplicated files?
--- Comment #13 from Marcus Meissner
--- Comment #14 from Michal Vyskocil
--- Comment #15 from Marcus Meissner
--- Comment #16 from Marcus Meissner
--- Comment #17 from Michal Vyskocil
12.2:

antlr
  there are different permissions in header files in examples/, no need to update, fixed in Factory

The rest is WIP
--- Comment #18 from Michal Vyskocil
12.2:

dicts
  0644 vs 0640 in COPYING files, no need to update

docbook-xsl-stylesheets
  don't know - Karl, please check the log in comment#16 if the link was intentional, or not

erlang
  don't know - Sascha, please check the log in comment#16 if the link was intentional, or not

gimp-help
  one png file got 0755, no need to update

gnome-blog
  don't know, gnome maintainers, please check the log in comment#16 to realize if the link was intentional, or not

hawk
  not needed, 0664 vs 0644 in COPYING

hplip
  this one triggers the bug, so I would say we need to rebuild it

ipsec-tools
  not needed, some 0600 vs 0644 in examples

kernel-source
  0755 vs 0644 in header files, no need to update

leechcraft
  a lot of 0755 vs 0644 differences in images

mono-core
  Andrew, please check the log in comment#16 to realize if the link was intentional, or not - to me it seems like a packaging bug

ndoutils
  0755 vs 0644 in png files, no need to update

python-M2Crypto
  Sascha, next your package, please check

texlive-bin
  0755 vs 0644 in some data files, no need to update

virtualbox
  there are some so files with 0644, Michal, please review the log in comment#16 - it seems like a packaging bug
--- Comment #19 from Bernhard Wiedemann
--- Comment #20 from Sascha Peilicke
> erlang
> don't know - Sascha, please check the log in comment#16 if the link was intentional, or not

False positive, the script is comparing different files, no?

erlang.i586.log:[ 947s] files erlang-R14B04-3.2.1.i386//usr/lib/erlang/erts-5.8.5/bin/start_erl.src and erlang-R14B04-3.2.1.i386//usr/lib/erlang/bin/start_erl compare 100644 vs 100755, but modes are different!

> python-M2Crypto
> Sascha, next your package, please check

python-M2Crypto.i586.log:[ 72s] files ./M2Crypto/BN.py and ./build/lib.linux-i686-2.7/M2Crypto/BN.py compare 100755 vs 100644, but modes are different!

Ditto, BN.py is installed only once (i.e. not linked). So I limited the scope of fdupes, see sr#139855. Not worth an update to 12.2 IMO.
--- Comment #21 from Michal Vyskocil
--- Comment #22 from Karl Eichwalder
> docbook-xsl-stylesheets
> don't know - Karl, please check the log in comment#16 if the link was intentional, or not

Not nice, but in the worst case there are just links from /usr/share/xml/docbook/stylesheet/$SOME/$THING to /usr/bin/$SCRIPT executables such as

ls -l /usr/share/xml/docbook/stylesheet/nwalsh/1.77.1/epub/bin/dbtoepub
lrwxrwxrwx 1 root root 36 Sep 12 11:30 /usr/share/xml/docbook/stylesheet/nwalsh/1.77.1/epub/bin/dbtoepub -> ../../../../../../../../bin/dbtoepub*

Do you think that that's ok?
--- Comment #23 from Marcus Meissner
--- Comment #24 from Bernhard Wiedemann
--- Comment #25 from Michal Vyskocil
> (probably at random, depending on filetree walk order).

It is actually not random - old fdupes sorts by name, the 1.5.0RC2 in Factory sorts by mtab. However from the packager's point of view it's random.
--- Comment #26 from Michal Vyskocil
> Not nice, but in the worst case there are just links from /usr/share/xml/docbook/stylesheet/$SOME/$THING to /usr/bin/$SCRIPT executables such as
>
> ls -l /usr/share/xml/docbook/stylesheet/nwalsh/1.77.1/epub/bin/dbtoepub
> lrwxrwxrwx 1 root root 36 Sep 12 11:30 /usr/share/xml/docbook/stylesheet/nwalsh/1.77.1/epub/bin/dbtoepub -> ../../../../../../../../bin/dbtoepub*
>
> Do you think that that's ok?

I would say no need for a maintenance update - in the worst case you'll end up with /usr/bin/$SCRIPT being a symlink to a 0644 file, which breaks the package, but it's not a security issue. However you should change the mode of all $HOME/$THING to 0755, because fdupes now sorts according to mtab, so the 0644 /usr/bin symlink might happen.
--- Comment #27 from Karl Eichwalder
--- Comment #28 from Marcus Meissner
--- Comment #29 from Karl Eichwalder
--- Comment #30 from Bernhard Wiedemann
--- Comment #31 from Bernhard Wiedemann
--- Comment #32 from Michal Vyskocil
> Yes, but we will fix it for Factory? I do not understand, why Michal says:

Hi Karl, sorry for being cryptic

> "However you should change the mode of all $HOME/$THING to 0755, because fdupes now sorts according mtab, so the 0644 /usr/bin symlink might happen."

The SUSE patched fdupes sorts duplicates by name - that means the output for the docbook package was

usr/bin/dbtoepub
usr/share/xml/docbook/stylesheet/nwalsh/1.77.1/epub/bin/dbtoepub

so the %fdupes macro left the first line untouched and converted all others to a link. But that has changed in Factory, because in fdupes 1.5 upstream has added sorting by mtime. I did not want to deviate from upstream much, but it's no longer guaranteed that the shorter path will win. On the other hand, %fdupes no longer links files with different uid/gid/permissions, so that's not a big issue.

> Shall I do this for 12.2? Or for Factory (just for sure?)?

Factory is enough.
--- Comment #33 from Jiri Bohac