| 1 |
(I replied via https://groups.google.com/g/linux.gentoo.dev/c/WG-OLQe3yng |
| 2 |
"Reply all" (which only replied to the list AFAICT) but I did not |
| 3 |
subscribe to gentoo-dev via the official |
| 4 |
https://www.gentoo.org/get-involved/mailing-lists/ so my reply is |
| 5 |
missing) |
| 6 |
|
| 7 |
On Thu, Feb 4, 2021 at 4:09 PM Manoj Gupta <manojgupta@××××××.com> wrote: |
| 8 |
> |
| 9 |
> Hi gentoo devs, |
| 10 |
> |
| 11 |
> This question is regarding interaction of fowners [1] and estrip functionality in portage. |
| 12 |
> fowners is used on various binaries and files to assign the ownership to specific users or group. |
| 13 |
> |
| 14 |
> GNU objcopy and strip do not change the file ownership when run as root. However, llvm's versions do not preserve it and instead make root the owner of the modified file. |
| 15 |
> e.g. |
| 16 |
> sudo strip <file> keeps the original ownership . |
| 17 |
> sudo llvm-strip <file> will change ownership to root. |
| 18 |
> |
| 19 |
> We were trying to have llvm objcopy with a patch [3] to have the same behavior as GNU but LLVM developers pointed out that GNU implementation is thought to have a security issue: https://sourceware.org/bugzilla/show_bug.cgi?id=26945 |
| 20 |
> We have modified the LLVM patch to avoid chown on the final file and rather doing it on the temporay file but I am not sure if that will be enough to placate the llvm devs. |
| 21 |
> |
| 22 |
> What does everyone think of modifying usages of calls to strip and objcopy inside estrip so that file ownership is manually restored. e.g |
| 23 |
> |
| 24 |
> owner=$(stat -U file) |
| 25 |
> group=$(stat -G file) |
| 26 |
> strip <file> |
| 27 |
> chown owner:group file |
| 28 |
> |
| 29 |
> [1] https://devmanual.gentoo.org/function-reference/install-functions/ |
| 30 |
> [2] https://gitweb.gentoo.org/proj/portage.git/tree/bin/estrip |
| 31 |
> [3] https://reviews.llvm.org/D93881 |
| 32 |
> |
| 33 |
> Thanks, |
| 34 |
> Manoj |
| 35 |
|
| 36 |
> This is probably safe in portage because the temporary directory is no |
| 37 |
> longer user-accessible, but it seems perverse to seek feature parity by |
| 38 |
> adding the security vulnerability into the implementations that don't |
| 39 |
> have it, rather than by removing it from the ones that do. Hopefully |
| 40 |
> LLVM just accepts the patch. |
| 41 |
|
| 42 |
In binutils, objcopy/strip call 'smart_rename', which has a |
| 43 |
vulnerability: https://sourceware.org/bugzilla/show_bug.cgi?id=26945 |
| 44 |
The first resolution used renameat2, which is not intercepted by |
| 45 |
fakeroot (Arch Linux runs strip and tar under fakeroot, then |
| 46 |
extracting the tar to the system /). |
| 47 |
After discussion with binutils upstream, Arch Linux's resolution is to |
| 48 |
use `strip a -o b` instead of `strip a`: |
| 49 |
https://git.archlinux.org/pacman.git/commit/?id=88d054093c1c99a697d95b26bd9aad5bc4d8e170 |
| 50 |
|
| 51 |
For some unclear reason the first binutils resolution was reverted in |
| 52 |
the 2.36 branch. The latest attempt is to use open(O_TRUNC)+write |
| 53 |
instead of atomic rename |
| 54 |
https://sourceware.org/pipermail/binutils/2021-February/115282.html |
| 55 |
That preserves security context/xattr (not used by any distribution |
| 56 |
package)/owner/group/mode and avoids fchmod/chown. |
| 57 |
|
| 58 |
However, like other non-atomic operations, this approach has one |
| 59 |
wasteful write (`strip a` writes two files) and can potentially |
| 60 |
corrupt the output in the case of full disk situation and other |
| 61 |
erroneous cases. |
| 62 |
|
| 63 |
The root cause is that `sudo strip a` (or `strip a` under fakeroot) |
| 64 |
restoring owner/group is a questionable interface and distributions |
| 65 |
read too much from the behavior. |
| 66 |
Personally I'd like llvm-objcopy to keep the behavior as is (no |
| 67 |
chown/fchown). Neither https://reviews.llvm.org/D96308 nor |
| 68 |
https://reviews.llvm.org/D93881 is appealing. |
| 69 |
|
| 70 |
Doing this (get_owner_group; {strip,llvm-strip} file -o temp && chown |
| 71 |
owner:group file && mv temp file) on Portage side is doing a favor to |
| 72 |
LLVM binary utilities. |
| 73 |
It benefits GNU binutils as well - with newer binutils, the current |
| 74 |
`strip a` will have a wasteful write and 2x dirty pages (write a |
| 75 |
temporary file and copy that content to the original file). |
Archives