On Tue, Feb 9, 2021 at 6:02 PM Michael Orlitzky <mjo@g.o> wrote:

> On Tue, 2021-02-09 at 17:53 -0800, Fāng-ruì Sòng wrote:
> > (I replied via
> > https://groups.google.com/g/linux.gentoo.dev/c/WG-OLQe3yng
> > "Reply all" (which only replied to the list AFAICT) but I did not
> > subscribe to gentoo-dev via the official
> > https://www.gentoo.org/get-involved/mailing-lists/ so my reply is
> > missing)
> >
>
> Apologies for hijacking your post with a tangential question, but you
> reminded me to ask: how did you notice this problem? Ultimately all
> system executables (in $PATH) should be owned by (and writable only by)
> root anyway; otherwise you get silly security vulnerabilities like "cat
> ~/virus > /usr/bin/foo" as a regular user.
>
>

Root is the owner but often there is also a group that has access to the
files.
After stripping with llvm-strip, new ownership is root:root instead of
root:<group>.
Therefore, the members of the group lose access to the files post stripping.

We found this issue in Chrome OS when we tried to switch the defaults to
llvm's objcopy/strip.

Example of ebuilds:
$ grep -ri fowners .|grep bin|grep usr|tail -10
./net-analyzer/tcpdump/tcpdump-4.9.3-r4.ebuild: fowners root:pcap /usr/sbin/tcpdump
./net-analyzer/tcpdump/tcpdump-4.99.0.ebuild: fowners root:pcap /usr/sbin/tcpdump
./net-analyzer/netselect/netselect-9999.ebuild: fowners root:wheel /usr/bin/netselect
./net-analyzer/netselect/netselect-0.4-r1.ebuild: fowners root:wheel /usr/bin/netselect
./net-analyzer/driftnet/driftnet-1.3.0.ebuild: fowners root:wheel "/usr/bin/driftnet"
./mail-filter/procmail/procmail-3.22-r14.ebuild: fowners root:mail /usr/bin/lockfile
./sys-block/scsiadd/scsiadd-1.97-r1.ebuild: fowners root:scsi /usr/sbin/scsiadd
./x11-terms/aterm/aterm-1.0.1-r4.ebuild: fowners root:utmp /usr/bin/aterm
./x11-terms/mrxvt/mrxvt-0.5.4.ebuild: fowners root:utmp /usr/bin/mrxvt
./games-arcade/xboing/xboing-2.4-r3.ebuild: fowners root:gamestat /var/games/xboing.score /usr/bin/xboing

Thanks,
Manoj
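The failure mode Manoj describes (a stripper that writes a fresh file and renames it over the original, so the result carries the caller's default owner:group and loses the root:<group> ownership an ebuild set with fowners) can be reproduced and guarded against with a small wrapper. The script below is an added example, not code from the thread, from Gentoo's eclasses or from LLVM: it snapshots owner, group and mode before stripping, restores them afterwards, and reports whether anything changed. It assumes GNU stat on Linux, and `fake_strip` is a constructed stand-in for llvm-strip that rewrites via temp file plus rename; as a non-root user the visible loss is the setgid bit (cp without -p drops it), while as root the same pattern also resets ownership to root:root.

```shell
#!/bin/sh
# Added example (not from the gentoo-dev thread or any Gentoo/LLVM code).
# Shows why replacing a binary via temp-file + rename loses its metadata,
# and a wrapper that snapshots owner:group:mode and restores it afterwards.
# Assumes GNU stat (Linux). 'fake_strip' is a constructed stand-in for a
# stripper such as llvm-strip that writes a new file and renames it.

# Print owner uid, group gid and octal mode of a file, e.g. "0:0:2755".
file_meta() {
    stat -c '%u:%g:%a' "$1"
}

# Stand-in stripper: copy to a temp file and rename over the original.
# Without -p, cp drops setuid/setgid bits and creates the copy with the
# caller's uid:gid, which is how root:<group> becomes root:root.
fake_strip() {
    cp "$1" "$1.tmp" && mv "$1.tmp" "$1"
}

# Run stripper "$1" on file "$2", then restore the original owner:group
# and mode so group members keep access. Returns non-zero on any failure.
strip_preserving_meta() {
    cmd=$1; f=$2
    before=$(file_meta "$f") || return 1
    uid=${before%%:*}
    rest=${before#*:}
    gid=${rest%%:*}
    mode=${rest#*:}
    "$cmd" "$f" || return 1
    chown "$uid:$gid" "$f" || return 1
    chmod "$mode" "$f" || return 1
}

# Return 0 when a file's current metadata still matches snapshot "$1".
meta_unchanged() {
    [ "$(file_meta "$2")" = "$1" ]
}

# Demo on a constructed file: unwrapped stripping changes the metadata,
# the wrapper leaves it identical to the snapshot.
demo() {
    d=$(mktemp -d)
    printf '#!/bin/sh\necho hi\n' > "$d/tool"
    chmod 2750 "$d/tool"      # group-executable + setgid, like a root:<group> tool
    snap=$(file_meta "$d/tool")

    fake_strip "$d/tool"
    if meta_unchanged "$snap" "$d/tool"; then unwrapped=same; else unwrapped=changed; fi

    chmod 2750 "$d/tool"
    strip_preserving_meta fake_strip "$d/tool"
    if meta_unchanged "$snap" "$d/tool"; then wrapped=same; else wrapped=changed; fi

    rm -rf "$d"
    echo "unwrapped: $unwrapped  wrapped: $wrapped"
}
```

Running `demo` prints `unwrapped: changed  wrapped: same`. The same snapshot/compare pair can be run over every file an install phase strips to catch ownership drift before the package is merged.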