Bug 112336 - [patch] install(1): install -S (safe copy) with -C or -p is not so safe
Summary: [patch] install(1): install -S (safe copy) with -C or -p is not so safe
Status: Open
Alias: None
Product: Base System
Classification: Unclassified
Component: bin (show other bugs)
Version: 6.2-STABLE
Hardware: Any Any
: Normal Affects Only Me
Assignee: freebsd-bugs mailing list
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2007-05-02 01:50 UTC by John E. Hein
Modified: 2018-09-12 23:18 UTC (History)
2 users (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John E. Hein 2007-05-02 01:50:03 UTC
When using install -S, in certain cases, install will unlink
the destination file defeating the point of using -S.

fred & joe are both in the operator group

% su - fred
% mkdir /tmp/dest
% chgrp operator /tmp/dest
% chmod 775 /tmp/dest

% touch foo
% install -S -C -m 0755 foo /tmp/dest
% ls -l /tmp/dest/foo
-rwxr-xr-x   1 joe  operator     0 Apr 27 18:02 /tmp/dest/foo*

% su - joe
% touch foo
% install -S -C -m 0644 foo /tmp/dest
install: /tmp/dest/foo: chmod: Operation not permitted

% ls /tmp/dest/foo
ls: /tmp/dest/foo: No such file or directory


There are other ways to recreate this.  For instance, if the files compare
the same [1], and the user can write in the directory, but the file has the
wrong ownership (as opposed to the wrong perms shown above), for
instance.

[1] per the content comparison done by compare() in
    usr.bin/xinstall/xinstall.c

This happens when -C or -p is used and the file content is the same.
Then the creation of the temp file used by -S is skipped and the
chown/chmod is attempted directly on the destination file.


Side issue:
-----------
I'm not really sure what the rationale is for unlink(2)-ing the file
if the chmod/chown fails.  It was surprising to me to have the file
deleted if the chmod fails (even without -S), but that's been in
xinstall.c since 1.1.  I'd be inclined to remove the unlink(2) in
these cases, but that might be break POLA for some, and I may have not
considered cases where it might be useful or expected (are there any?).  In
any case, that's a separate bug.

Fix: 

There are at least a couple ways to fix the disappearing file issue
when using safe copy mode:


1) Always operate on the temp file with -S.  If you have any errors unlink
  the temp file rather than the target file.

  pros: You create the file from scratch, so you will have no
        problems with chmod on a file you own.

  cons: You lose speedup if file content is the same.

        You can't chmod the dest file in place, so if you
        don't have write perms on the dir, it will fail
        (but that should be expected since it is documented
         that -S needs to write in the directory, so this
         is a minor con, IMO - but install(1) should probably
         talk about directory perms for -S)

2) If the files compare identically, check the perms/ownership, and if
  chown/chmod needs to be run, fall back to creating the temp file
  (maybe do the perms/ownership check first since that will be faster
  than content comparison).

  pros: You don't waste time creating a temp file if not needed.

  cons: Code complexity.


I'm trying to decide which of 1 or 2 to do in a patch.
If there is a better way, let me know.
How-To-Repeat: 
See above.
Comment 1 John E. Hein 2007-05-07 22:13:24 UTC
Here is a patch that implements 2 and was simpler than I thought it
would be.

It creates the temp file and does a rename, not only if the contents
of the "from" & "to" files don't match, but also if perms/ownership
don't match.

One optimization could be to try to do the chown/chmod first and if
that succceeds and the files match contents, don't bother with the
temp file.  But that seems to be needlessly complex for the relatively
miniscule number of cases where we could gain from the added pedantry.
And there may be edge case failures associated with an early
chmod/chown.

Any committers willing to take this one?


Index: src/usr.bin/xinstall/xinstall.c
===================================================================
RCS file: /base/FreeBSD-CVS/src/usr.bin/xinstall/xinstall.c,v
retrieving revision 1.67
diff -u -p -r1.67 xinstall.c
--- src/usr.bin/xinstall/xinstall.c	6 Mar 2006 21:52:59 -0000	1.67
+++ src/usr.bin/xinstall/xinstall.c	7 May 2007 20:52:18 -0000
@@ -317,7 +317,19 @@ install(const char *from_name, const cha
 	if (docompare && !dostrip && target) {
 		if ((to_fd = open(to_name, O_RDONLY, 0)) < 0)
 			err(EX_OSERR, "%s", to_name);
-		if (devnull)
+		/*
+		 * Even if the contents are the same, we want to rename
+		 * temp files when doing a "safe" copy if the
+		 * permissions and ownership need to change.  We may
+		 * not have permission to chown/chmod the "to" file
+		 * directly.
+		 */
+		if (tempcopy &&
+		    ((gid != (gid_t)-1 && gid != to_sb.st_gid) ||
+		    (uid != (uid_t)-1 && uid != to_sb.st_uid) ||
+		    (mode != (to_sb.st_mode & ALLPERMS))))
+		    files_match = 0;
+		else if (devnull)
 			files_match = to_sb.st_size == 0;
 		else
 			files_match = !(compare(from_fd, from_name,
Comment 2 John E. Hein 2007-12-15 20:34:12 UTC
Here is an update to the patch to refresh it after a recent commit to
xinstall.c and to additionally check euid which is important in some
non-superuser cases.

Index: xinstall.c
===================================================================
RCS file: /base/FreeBSD-CVS/src/usr.bin/xinstall/xinstall.c,v
retrieving revision 1.68
diff -u -p -r1.68 xinstall.c
--- xinstall.c	14 Dec 2007 08:46:57 -0000	1.68
+++ xinstall.c	15 Dec 2007 20:21:35 -0000
@@ -278,6 +278,7 @@ install(const char *from_name, const cha
 	int devnull, files_match, from_fd, serrno, target;
 	int tempcopy, temp_fd, to_fd;
 	char backup[MAXPATHLEN], *p, pathbuf[MAXPATHLEN], tempfile[MAXPATHLEN];
+	uid_t euid;
 
 	files_match = 0;
 	from_fd = -1;
@@ -322,7 +323,20 @@ install(const char *from_name, const cha
 	if (docompare && !dostrip && target) {
 		if ((to_fd = open(to_name, O_RDONLY, 0)) < 0)
 			err(EX_OSERR, "%s", to_name);
-		if (devnull)
+		/*
+		 * Even if the contents are the same, we want to rename
+		 * temp files when doing a "safe" copy if the
+		 * permissions and ownership need to change.  We may
+		 * not have permission to chown/chmod the "to" file
+		 * directly.
+		 */
+		if (tempcopy && (euid = geteuid()) != 0 &&
+		    euid != to_sb.st_uid &&
+		    ((gid != (gid_t)-1 && gid != to_sb.st_gid) ||
+		    (uid != (uid_t)-1 && uid != to_sb.st_uid) ||
+		    (mode != (to_sb.st_mode & ALLPERMS))))
+		    files_match = 0;
+		else if (devnull)
 			files_match = to_sb.st_size == 0;
 		else
 			files_match = !(compare(from_fd, from_name,
Comment 3 Eitan Adler freebsd_committer freebsd_triage 2017-12-31 07:58:23 UTC
For bugs matching the following criteria:

Status: In Progress Changed: (is less than) 2014-06-01

Reset to default assignee and clear in-progress tags.

Mail being skipped