Ubuntu
fakeroot package

buildd file owner/group for shared libraries

Bug #1915250 reported by Matthias Klose
104
This bug affects 14 people
Affects Status Importance Assigned to Milestone
debhelper (Debian)
New
Unknown
debhelper (Ubuntu)
Fix Released
Wishlist
Unassigned
fakeroot (Ubuntu)
Fix Released
Critical
Unassigned

Bug Description

fakeroot with glibc broke dpkg-deb for packages that do not use "Rules-Requires-Root: no" was broken.

binutils stopped preserving permissions from objcopy & strip, leading to incorrect permissions of files after stripping.

fakeroot is now patched with better glibc 2.33 support. TODO upstream changes.

binutils is not fixed, as upstream changes are still being discussed. Instead we have worked around objcopy/strip in debhelper to call those tools from dh_strip in a safe manner.

We also rebuilt binutils against glibc 2.32, to avoid this new behaviour. However, we need to resolve bintuils in a better way, one way or another.

--

the current state of -proposed creates deb packages with buildd file owner/group for shared libraries.

reported at least for kwayland-integration.

$ dpkg -c kwayland-integration_5.20.90-0ubuntu1_amd64.deb|grep \.so
-rw-r--r-- doko/doko 18984 2021-01-21 23:44 ./usr/lib/x86_64-linux-gnu/qt5/plugins/kf5/kguiaddons/kmodifierkey/kmodifierkey_wayland.so
-rw-r--r-- doko/doko 85392 2021-01-21 23:44 ./usr/lib/x86_64-linux-gnu/qt5/plugins/kf5/kwindowsystem/KF5WindowSystemKWaylandPlugin.so
-rw-r--r-- doko/doko 35536 2021-01-21 23:44 ./usr/lib/x86_64-linux-gnu/qt5/plugins/kf5/org.kde.kidletime.platforms/KF5IdleTimeKWaylandPlugin.so

 - in a release pocket, rebuild binutils from proposed. correctly
   restores the file ownership

 - in a release pocket, update glibc from proposed. then rebuild
   binutils from proposed. shows the wrong ownership

See original description
Matthias Klose (doko)
Changed in glibc (Ubuntu):
status: New → Confirmed
importance: Undecided → High
Revision history for this message
Matthias Klose (doko) wrote :

that's not seen for every package. ownership for most packages is correct. xz-utils in proposed is an example where things go wrong (on all architectures).

Matthias Klose (doko)
affects: glibc (Ubuntu) → fakeroot (Ubuntu)
Revision history for this message
Matthias Klose (doko) wrote :

fakeroot needs an update for glibc-2.33, see
https://bugzilla.redhat.com/show_bug.cgi?id=1889862

not just the build fix from
https://<email address hidden>/message/SMQ3RYXEYTVZH6PLQMKNB3NM4XLPMNZO/

discussions of tools not preserving file ownership/permissions:
https://groups.google.com/g/linux.gentoo.dev/c/WG-OLQe3yng/m/ZlqM-QC6BQAJ

binutils discussion:
https://sourceware.org/pipermail/binutils/2021-February/115241.html

make the packaging helper more robust:
https://git.archlinux.org/pacman.git/commit/?id=88d054093c1c99a697d95b26bd9aad5bc4d8e170

Revision history for this message
Matthias Klose (doko) wrote :

also why is the dh sequencer calling dh_fixperms before doing modifications on files (e.g. dh_strip)?

Revision history for this message
Matthias Klose (doko) wrote :

currently building binutils against the release pocket to mitigate the immediate issue

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in binutils (Ubuntu):
status: New → Confirmed
Changed in debhelper (Ubuntu):
status: New → Confirmed
Changed in glibc (Ubuntu):
status: New → Confirmed
Matthias Klose (doko)
Changed in binutils (Ubuntu):
importance: Undecided → High
Matthieu Clemenceau (mclemenceau)
tags: added: rls-hh-incoming
Revision history for this message
Alex Murray (alexmurray) wrote :

This is currently affecting snapd 2.49+21.04 which is in hirsute-proposed - https://forum.snapcraft.io/t/snapd-from-hirsute-proposed-wont-allow-snaps-to-run/22733/8

Revision history for this message
Alex Murray (alexmurray) wrote :

Oh I see - this was for shared libraries but I suspect it is also affecting setuid binaries as well?

Revision history for this message
Alex Murray (alexmurray) wrote :

$ dpkg -c snapd_2.49+21.04_amd64.deb | grep buildd
-rwxr-xr-x buildd/buildd 30952 2021-02-10 20:17 ./lib/systemd/system-generators/snapd-generator
-rwxr-xr-x buildd/buildd 19558008 2021-02-10 20:17 ./usr/bin/snap
-rwxr-xr-x buildd/buildd 43304 2021-02-10 20:17 ./usr/bin/snapfuse
-rwxr-xr-x buildd/buildd 11012584 2021-02-10 20:17 ./usr/lib/snapd/snap-bootstrap
-rwsr-xr-x buildd/buildd 134216 2021-02-10 20:17 ./usr/lib/snapd/snap-confine
-rwxr-xr-x buildd/buildd 35048 2021-02-10 20:17 ./usr/lib/snapd/snap-discard-ns
-rwxr-xr-x buildd/buildd 3086648 2021-02-10 20:17 ./usr/lib/snapd/snap-exec
-rwxr-xr-x buildd/buildd 3352968 2021-02-10 20:17 ./usr/lib/snapd/snap-failure
-rwxr-xr-x buildd/buildd 18664 2021-02-10 20:17 ./usr/lib/snapd/snap-gdb-shim
-rwxr-xr-x buildd/buildd 18664 2021-02-10 20:17 ./usr/lib/snapd/snap-gdbserver-shim
-rwxr-xr-x buildd/buildd 7602312 2021-02-10 20:17 ./usr/lib/snapd/snap-preseed
-rwxr-xr-x buildd/buildd 7566920 2021-02-10 20:17 ./usr/lib/snapd/snap-recovery-chooser
-rwxr-xr-x buildd/buildd 8760296 2021-02-10 20:17 ./usr/lib/snapd/snap-repair
-rwxr-xr-x buildd/buildd 2530704 2021-02-10 20:17 ./usr/lib/snapd/snap-seccomp
-rwxr-xr-x buildd/buildd 4535424 2021-02-10 20:17 ./usr/lib/snapd/snap-update-ns
-rwxr-xr-x buildd/buildd 6447800 2021-02-10 20:17 ./usr/lib/snapd/snapctl
-rwxr-xr-x buildd/buildd 23371432 2021-02-10 20:17 ./usr/lib/snapd/snapd
-rwxr-xr-x buildd/buildd 921504 2021-02-10 20:17 ./usr/lib/snapd/system-shutdown
-rwxr-xr-x buildd/buildd 22760 2021-02-10 20:17 ./usr/lib/systemd/system-environment-generators/snapd-env-generator

Revision history for this message
Michael Vogt (mvo) wrote :

Fwiw, mysql-8.0 is also affected:

$ dpkg -c libmysqlclient21_8.0.23-3_amd64.deb|grep buildd
drwxr-xr-x buildd/buildd 0 2021-02-11 10:32 ./
[many more]

And some more:

$ dpkg -c libqt5xdg3_3.6.0-1ubuntu2_amd64.deb |grep buildd
-rw-r--r-- buildd/buildd 268440 2021-02-11 21:58 ./usr/lib/x86_64-linux-gnu/libQt5Xdg.so.3.6.0

But it seems to have stopped around Saturday, not sure if something was done on the buildds maybe?

Revision history for this message
Dimitri John Ledkov (xnox) wrote :

@mvo we know, we are tracing them all.

Dimitri John Ledkov (xnox)
Changed in fakeroot (Ubuntu):
importance: High → Critical
Revision history for this message
Matthias Klose (doko) wrote :

that's the proposed patch to dh_strip to keep permissions and owners independent of strip/objcopy keeping these.

Revision history for this message
Thomas Karl Pietrowski (thopiekar) wrote :

@xnox: To fill your list: https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1915784

Ubuntu Foundations Team Bug Bot (crichton)
tags: added: patch
Dimitri John Ledkov (xnox)
Changed in glibc (Ubuntu):
status: Confirmed → Invalid
Changed in debhelper (Ubuntu):
importance: Undecided → Wishlist
Revision history for this message
Dimitri John Ledkov (xnox) wrote :

fakeroot with glibc broke dpkg-deb for packages that do not use "Rules-Requires-Root: no" was broken.

binutils stopped preserving permissions from objcopy & strip, leading to incorrect permissions of files after stripping.

fakeroot is now patched with better glibc 2.33 support. TODO upstream changes.

binutils is not fixed, as upstream changes are still being discussed. Instead we have worked around objcopy/strip in debhelper to call those tools from dh_strip in a safe manner.

We also rebuilt binutils against glibc 2.32, to avoid this new behaviour. However, we need to resolve bintuils in a better way, one way or another.

description: updated
Matthias Klose (doko)
Changed in debhelper (Ubuntu):
status: Confirmed → Fix Committed
Changed in fakeroot (Ubuntu):
status: Confirmed → Fix Committed
Changed in binutils (Ubuntu):
status: Confirmed → Invalid
Mathew Hodson (mhodson)
no longer affects: binutils (Ubuntu)
no longer affects: glibc (Ubuntu)
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package debhelper - 13.3.3ubuntu2

---------------
debhelper (13.3.3ubuntu2) hirsute; urgency=medium

  * objcopy/strip changed in 2.36.1, not keeping file attributes of the
    original file. Work around that in dh_strip to write to a temporary
    file and cat'ing this to the original file to keep the original attributes.
    LP: #1915250.
    The sequencer could also be changed to call dh_fixperms after calling
    dh_strip, but that might introduces other issues. See #982457.

 -- Matthias Klose <email address hidden> Tue, 16 Feb 2021 15:30:21 +0100

Changed in debhelper (Ubuntu):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package fakeroot - 1.25.3-1.1ubuntu2

---------------
fakeroot (1.25.3-1.1ubuntu2) hirsute; urgency=medium

  * Fix riscv64.
  * Enable testsuite on riscv64.

 -- Dimitri John Ledkov <email address hidden> Wed, 17 Feb 2021 10:57:44 +0000

Changed in fakeroot (Ubuntu):
status: Fix Committed → Fix Released
Bug Watch Updater (bug-watch-updater)
Changed in debhelper (Debian):
status: Unknown → New
Revision history for this message
Dimitri John Ledkov (xnox) wrote :

The cat trick does not preserve setuid when building with Rules-Requires-Root:no.

Not sure why though.

Either we need to fix for this to work with Rules-Requires-Root:no or bail out in such a scenario.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.