Bug 112336
| Summary: | [patch] install(1): install -S (safe copy) with -C or -p is not so safe | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Base System | Reporter: | John E. Hein <jhein> | ||||
| Component: | bin | Assignee: | freebsd-bugs (Nobody) <bugs> | ||||
| Status: | Open --- | ||||||
| Severity: | Affects Only Me | CC: | jcfyecrayz, jhein | ||||
| Priority: | Normal | Keywords: | patch | ||||
| Version: | 6.2-STABLE | ||||||
| Hardware: | Any | ||||||
| OS: | Any | ||||||
| Attachments: |
|
||||||
Here is a patch that implements 2 and was simpler than I thought it
would be.
It creates the temp file and does a rename, not only if the contents
of the "from" & "to" files don't match, but also if perms/ownership
don't match.
One optimization could be to try to do the chown/chmod first and if
that succceeds and the files match contents, don't bother with the
temp file. But that seems to be needlessly complex for the relatively
miniscule number of cases where we could gain from the added pedantry.
And there may be edge case failures associated with an early
chmod/chown.
Any committers willing to take this one?
Index: src/usr.bin/xinstall/xinstall.c
===================================================================
RCS file: /base/FreeBSD-CVS/src/usr.bin/xinstall/xinstall.c,v
retrieving revision 1.67
diff -u -p -r1.67 xinstall.c
--- src/usr.bin/xinstall/xinstall.c 6 Mar 2006 21:52:59 -0000 1.67
+++ src/usr.bin/xinstall/xinstall.c 7 May 2007 20:52:18 -0000
@@ -317,7 +317,19 @@ install(const char *from_name, const cha
if (docompare && !dostrip && target) {
if ((to_fd = open(to_name, O_RDONLY, 0)) < 0)
err(EX_OSERR, "%s", to_name);
- if (devnull)
+ /*
+ * Even if the contents are the same, we want to rename
+ * temp files when doing a "safe" copy if the
+ * permissions and ownership need to change. We may
+ * not have permission to chown/chmod the "to" file
+ * directly.
+ */
+ if (tempcopy &&
+ ((gid != (gid_t)-1 && gid != to_sb.st_gid) ||
+ (uid != (uid_t)-1 && uid != to_sb.st_uid) ||
+ (mode != (to_sb.st_mode & ALLPERMS))))
+ files_match = 0;
+ else if (devnull)
files_match = to_sb.st_size == 0;
else
files_match = !(compare(from_fd, from_name,
Here is an update to the patch to refresh it after a recent commit to
xinstall.c and to additionally check euid which is important in some
non-superuser cases.
Index: xinstall.c
===================================================================
RCS file: /base/FreeBSD-CVS/src/usr.bin/xinstall/xinstall.c,v
retrieving revision 1.68
diff -u -p -r1.68 xinstall.c
--- xinstall.c 14 Dec 2007 08:46:57 -0000 1.68
+++ xinstall.c 15 Dec 2007 20:21:35 -0000
@@ -278,6 +278,7 @@ install(const char *from_name, const cha
int devnull, files_match, from_fd, serrno, target;
int tempcopy, temp_fd, to_fd;
char backup[MAXPATHLEN], *p, pathbuf[MAXPATHLEN], tempfile[MAXPATHLEN];
+ uid_t euid;
files_match = 0;
from_fd = -1;
@@ -322,7 +323,20 @@ install(const char *from_name, const cha
if (docompare && !dostrip && target) {
if ((to_fd = open(to_name, O_RDONLY, 0)) < 0)
err(EX_OSERR, "%s", to_name);
- if (devnull)
+ /*
+ * Even if the contents are the same, we want to rename
+ * temp files when doing a "safe" copy if the
+ * permissions and ownership need to change. We may
+ * not have permission to chown/chmod the "to" file
+ * directly.
+ */
+ if (tempcopy && (euid = geteuid()) != 0 &&
+ euid != to_sb.st_uid &&
+ ((gid != (gid_t)-1 && gid != to_sb.st_gid) ||
+ (uid != (uid_t)-1 && uid != to_sb.st_uid) ||
+ (mode != (to_sb.st_mode & ALLPERMS))))
+ files_match = 0;
+ else if (devnull)
files_match = to_sb.st_size == 0;
else
files_match = !(compare(from_fd, from_name,
For bugs matching the following criteria: Status: In Progress Changed: (is less than) 2014-06-01 Reset to default assignee and clear in-progress tags. Mail being skipped Keyword:
patch
or patch-ready
– in lieu of summary line prefix:
[patch]
* bulk change for the keyword
* summary lines may be edited manually (not in bulk).
Keyword descriptions and search interface:
<https://bugs.freebsd.org/bugzilla/describekeywords.cgi>
Created attachment 246032 [details]
[patch] safe copy update for permission/ownership-only changes
Still a problem with -current.
Attached is a refresh on the patch against the latest code - just line numbering changes in the patch.
The patch still fixes the problem as originally described (deleted file when using -S in certain cases).
|
When using install -S, in certain cases, install will unlink the destination file defeating the point of using -S. fred & joe are both in the operator group % su - fred % mkdir /tmp/dest % chgrp operator /tmp/dest % chmod 775 /tmp/dest % touch foo % install -S -C -m 0755 foo /tmp/dest % ls -l /tmp/dest/foo -rwxr-xr-x 1 joe operator 0 Apr 27 18:02 /tmp/dest/foo* % su - joe % touch foo % install -S -C -m 0644 foo /tmp/dest install: /tmp/dest/foo: chmod: Operation not permitted % ls /tmp/dest/foo ls: /tmp/dest/foo: No such file or directory There are other ways to recreate this. For instance, if the files compare the same [1], and the user can write in the directory, but the file has the wrong ownership (as opposed to the wrong perms shown above), for instance. [1] per the content comparison done by compare() in usr.bin/xinstall/xinstall.c This happens when -C or -p is used and the file content is the same. Then the creation of the temp file used by -S is skipped and the chown/chmod is attempted directly on the destination file. Side issue: ----------- I'm not really sure what the rationale is for unlink(2)-ing the file if the chmod/chown fails. It was surprising to me to have the file deleted if the chmod fails (even without -S), but that's been in xinstall.c since 1.1. I'd be inclined to remove the unlink(2) in these cases, but that might be break POLA for some, and I may have not considered cases where it might be useful or expected (are there any?). In any case, that's a separate bug. Fix: There are at least a couple ways to fix the disappearing file issue when using safe copy mode: 1) Always operate on the temp file with -S. If you have any errors unlink the temp file rather than the target file. pros: You create the file from scratch, so you will have no problems with chmod on a file you own. cons: You lose speedup if file content is the same. You can't chmod the dest file in place, so if you don't have write perms on the dir, it will fail (but that should be expected since it is documented that -S needs to write in the directory, so this is a minor con, IMO - but install(1) should probably talk about directory perms for -S) 2) If the files compare identically, check the perms/ownership, and if chown/chmod needs to be run, fall back to creating the temp file (maybe do the perms/ownership check first since that will be faster than content comparison). pros: You don't waste time creating a temp file if not needed. cons: Code complexity. I'm trying to decide which of 1 or 2 to do in a patch. If there is a better way, let me know. How-To-Repeat: See above.