buildd file owner/group for shared libraries

Bug #1915250 reported by Matthias Klose on 2021-02-10
This bug affects 14 people
Affects (Status, Importance, Assigned to, Milestone):
debhelper (Debian): Status New; Importance Unknown
debhelper (Ubuntu): Importance Wishlist; Unassigned
fakeroot (Ubuntu): Importance Critical; Unassigned

Bug Description

fakeroot with glibc broke dpkg-deb for packages that do not use "Rules-Requires-Root: no".

binutils stopped preserving permissions from objcopy & strip, leading to incorrect permissions of files after stripping.

fakeroot is now patched with better glibc 2.33 support. TODO upstream changes.

binutils is not fixed, as upstream changes are still being discussed. Instead we have worked around objcopy/strip in debhelper to call those tools from dh_strip in a safe manner.

We also rebuilt binutils against glibc 2.32, to avoid this new behaviour. However, we need to resolve binutils in a better way, one way or another.

--

the current state of -proposed creates deb packages with buildd file owner/group for shared libraries.

reported at least for kwayland-integration.

$ dpkg -c kwayland-integration_5.20.90-0ubuntu1_amd64.deb|grep \.so
-rw-r--r-- doko/doko 18984 2021-01-21 23:44 ./usr/lib/x86_64-linux-gnu/qt5/plugins/kf5/kguiaddons/kmodifierkey/kmodifierkey_wayland.so
-rw-r--r-- doko/doko 85392 2021-01-21 23:44 ./usr/lib/x86_64-linux-gnu/qt5/plugins/kf5/kwindowsystem/KF5WindowSystemKWaylandPlugin.so
-rw-r--r-- doko/doko 35536 2021-01-21 23:44 ./usr/lib/x86_64-linux-gnu/qt5/plugins/kf5/org.kde.kidletime.platforms/KF5IdleTimeKWaylandPlugin.so

 - in a release pocket, rebuild binutils from proposed. correctly
   restores the file ownership

 - in a release pocket, update glibc from proposed. then rebuild
   binutils from proposed. shows the wrong ownership

Matthias Klose (doko) on 2021-02-10
Changed in glibc (Ubuntu):
status: New → Confirmed
importance: Undecided → High
Matthias Klose (doko) wrote :

that's not seen for every package. ownership for most packages is correct. xz-utils in proposed is an example where things go wrong (on all architectures).

Matthias Klose (doko) on 2021-02-10
affects: glibc (Ubuntu) → fakeroot (Ubuntu)
Matthias Klose (doko) wrote :

fakeroot needs an update for glibc-2.33, see
https://bugzilla.redhat.com/show_bug.cgi?id=1889862

not just the build fix from
https://<email address hidden>/message/SMQ3RYXEYTVZH6PLQMKNB3NM4XLPMNZO/

discussions of tools not preserving file ownership/permissions:
https://groups.google.com/g/linux.gentoo.dev/c/WG-OLQe3yng/m/ZlqM-QC6BQAJ

binutils discussion:
https://sourceware.org/pipermail/binutils/2021-February/115241.html

make the packaging helper more robust:
https://git.archlinux.org/pacman.git/commit/?id=88d054093c1c99a697d95b26bd9aad5bc4d8e170

Matthias Klose (doko) wrote :

also why is the dh sequencer calling dh_fixperms before doing modifications on files (e.g. dh_strip)?

Matthias Klose (doko) wrote :

currently building binutils against the release pocket to mitigate the immediate issue

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in binutils (Ubuntu):
status: New → Confirmed
Changed in debhelper (Ubuntu):
status: New → Confirmed
Changed in glibc (Ubuntu):
status: New → Confirmed
Matthias Klose (doko) on 2021-02-10
Changed in binutils (Ubuntu):
importance: Undecided → High
tags: added: rls-hh-incoming
Alex Murray (alexmurray) wrote :

This is currently affecting snapd 2.49+21.04 which is in hirsute-proposed - https://forum.snapcraft.io/t/snapd-from-hirsute-proposed-wont-allow-snaps-to-run/22733/8

Alex Murray (alexmurray) wrote :

Oh I see - this was for shared libraries but I suspect it is also affecting setuid binaries as well?

Alex Murray (alexmurray) wrote :

$ dpkg -c snapd_2.49+21.04_amd64.deb | grep buildd
-rwxr-xr-x buildd/buildd 30952 2021-02-10 20:17 ./lib/systemd/system-generators/snapd-generator
-rwxr-xr-x buildd/buildd 19558008 2021-02-10 20:17 ./usr/bin/snap
-rwxr-xr-x buildd/buildd 43304 2021-02-10 20:17 ./usr/bin/snapfuse
-rwxr-xr-x buildd/buildd 11012584 2021-02-10 20:17 ./usr/lib/snapd/snap-bootstrap
-rwsr-xr-x buildd/buildd 134216 2021-02-10 20:17 ./usr/lib/snapd/snap-confine
-rwxr-xr-x buildd/buildd 35048 2021-02-10 20:17 ./usr/lib/snapd/snap-discard-ns
-rwxr-xr-x buildd/buildd 3086648 2021-02-10 20:17 ./usr/lib/snapd/snap-exec
-rwxr-xr-x buildd/buildd 3352968 2021-02-10 20:17 ./usr/lib/snapd/snap-failure
-rwxr-xr-x buildd/buildd 18664 2021-02-10 20:17 ./usr/lib/snapd/snap-gdb-shim
-rwxr-xr-x buildd/buildd 18664 2021-02-10 20:17 ./usr/lib/snapd/snap-gdbserver-shim
-rwxr-xr-x buildd/buildd 7602312 2021-02-10 20:17 ./usr/lib/snapd/snap-preseed
-rwxr-xr-x buildd/buildd 7566920 2021-02-10 20:17 ./usr/lib/snapd/snap-recovery-chooser
-rwxr-xr-x buildd/buildd 8760296 2021-02-10 20:17 ./usr/lib/snapd/snap-repair
-rwxr-xr-x buildd/buildd 2530704 2021-02-10 20:17 ./usr/lib/snapd/snap-seccomp
-rwxr-xr-x buildd/buildd 4535424 2021-02-10 20:17 ./usr/lib/snapd/snap-update-ns
-rwxr-xr-x buildd/buildd 6447800 2021-02-10 20:17 ./usr/lib/snapd/snapctl
-rwxr-xr-x buildd/buildd 23371432 2021-02-10 20:17 ./usr/lib/snapd/snapd
-rwxr-xr-x buildd/buildd 921504 2021-02-10 20:17 ./usr/lib/snapd/system-shutdown
-rwxr-xr-x buildd/buildd 22760 2021-02-10 20:17 ./usr/lib/systemd/system-environment-generators/snapd-env-generator
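
The manual `dpkg -c ... | grep buildd` check used in this thread, generalised as an added example (not part of the original report): it flags every entry whose owner/group differs from the expected one and raises the severity for setuid/setgid entries such as `snap-confine`. The `root/root` default is an assumption, the function names are hypothetical, and the third sample line is constructed.

```sh
#!/bin/sh
# Audit a `dpkg -c` listing read from stdin.
# Output, one line per finding: <SEVERITY> <mode> <owner/group> <path>
audit_listing() {
    expected="${1:-root/root}"   # assumption: the package should ship only this owner/group
    awk -v expected="$expected" '
        NF >= 6 && $2 != expected {
            # "s" or "S" in the user/group execute slot means setuid/setgid.
            sev = (substr($1, 4, 1) ~ /[sS]/ || substr($1, 7, 1) ~ /[sS]/) ? "HIGH" : "WARN"
            # Re-join the path in case it contains spaces or a "-> target".
            path = $6
            for (i = 7; i <= NF; i++) path = path " " $i
            print sev, $1, $2, path
        }'
}

# Two lines taken from the snapd listing above plus one constructed
# root/root line that must not be reported.
sample_listing() {
    cat <<'EOF'
-rwxr-xr-x buildd/buildd 43304 2021-02-10 20:17 ./usr/bin/snapfuse
-rwsr-xr-x buildd/buildd 134216 2021-02-10 20:17 ./usr/lib/snapd/snap-confine
-rw-r--r-- root/root 1024 2021-02-10 20:17 ./usr/share/doc/example/copyright
EOF
}

sample_listing | audit_listing
```

Against a real package, feed it the listing directly: `dpkg -c pkg.deb | audit_listing`. Packages that legitimately ship files under another owner or group need those entries filtered out first.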

Michael Vogt (mvo) wrote :

Fwiw, mysql-8.0 is also affected:

$ dpkg -c libmysqlclient21_8.0.23-3_amd64.deb|grep buildd
drwxr-xr-x buildd/buildd 0 2021-02-11 10:32 ./
[many more]

And some more:

$ dpkg -c libqt5xdg3_3.6.0-1ubuntu2_amd64.deb |grep buildd
-rw-r--r-- buildd/buildd 268440 2021-02-11 21:58 ./usr/lib/x86_64-linux-gnu/libQt5Xdg.so.3.6.0

But it seems to have stopped around Saturday, not sure if something was done on the buildds maybe?

Dimitri John Ledkov (xnox) wrote :

@mvo we know, we are tracing them all.

Changed in fakeroot (Ubuntu):
importance: High → Critical
Matthias Klose (doko) wrote :

that's the proposed patch to dh_strip to keep permissions and owners independent of strip/objcopy keeping these.

tags: added: patch
Changed in glibc (Ubuntu):
status: Confirmed → Invalid
Changed in debhelper (Ubuntu):
importance: Undecided → Wishlist
Dimitri John Ledkov (xnox) wrote :

fakeroot with glibc broke dpkg-deb for packages that do not use "Rules-Requires-Root: no".

binutils stopped preserving permissions from objcopy & strip, leading to incorrect permissions of files after stripping.

fakeroot is now patched with better glibc 2.33 support. TODO upstream changes.

binutils is not fixed, as upstream changes are still being discussed. Instead we have worked around objcopy/strip in debhelper to call those tools from dh_strip in a safe manner.

We also rebuilt binutils against glibc 2.32, to avoid this new behaviour. However, we need to resolve binutils in a better way, one way or another.

description: updated
Matthias Klose (doko) on 2021-02-18
Changed in debhelper (Ubuntu):
status: Confirmed → Fix Committed
Changed in fakeroot (Ubuntu):
status: Confirmed → Fix Committed
Changed in binutils (Ubuntu):
status: Confirmed → Invalid
Mathew Hodson (mhodson) on 2021-02-19
no longer affects: binutils (Ubuntu)
no longer affects: glibc (Ubuntu)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package debhelper - 13.3.3ubuntu2

---------------
debhelper (13.3.3ubuntu2) hirsute; urgency=medium

  * objcopy/strip changed in 2.36.1, not keeping file attributes of the
    original file. Work around that in dh_strip to write to a temporary
    file and cat'ing this to the original file to keep the original attributes.
    LP: #1915250.
    The sequencer could also be changed to call dh_fixperms after calling
    dh_strip, but that might introduce other issues. See #982457.

 -- Matthias Klose <email address hidden> Tue, 16 Feb 2021 15:30:21 +0100
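
The workaround described in this changelog entry (write to a temporary file, then `cat` it back into the original), sketched as an added example next to the rename-based pattern it avoids. This is not debhelper's code: the function names are hypothetical, and `drop_comments` is a stand-in for strip/objcopy so the demo runs without binutils.

```sh
#!/bin/sh
# Added illustration. CMD is always called as: CMD <input path> <output path>

# Print inode, mode, uid and gid of a file.
attrs() { ls -lin "$1" | awk '{print $1, $2, $4, $5}'; }

# Safe pattern: the tool writes a temp file, then the bytes are copied back
# into the original inode, so its owner, group and mode are never replaced.
rewrite_in_place() {
    target=$1; shift
    tmp=$(mktemp "$target.XXXXXX") || return 1
    if "$@" "$target" "$tmp" && cat "$tmp" > "$target"; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return "$rc"
}

# Fragile pattern, for contrast: the tool's fresh output is renamed over the
# target, so the result carries the new file's owner and mode.
rewrite_by_rename() {
    target=$1; shift
    tmp=$(mktemp "$target.XXXXXX") || return 1
    "$@" "$target" "$tmp" && mv -f "$tmp" "$target" || { rm -f "$tmp"; return 1; }
}

# Hypothetical stand-in for strip/objcopy: copies input to output without
# the lines that start with '#'.
drop_comments() { grep -v '^#' "$1" > "$2"; }

demo() {
    dir=$(mktemp -d) || return 1
    for f in safe renamed; do
        printf '#debug\npayload\n' > "$dir/$f"
        chmod 0644 "$dir/$f"
    done
    echo "safe before:    $(attrs "$dir/safe")"
    rewrite_in_place "$dir/safe" drop_comments
    echo "safe after:     $(attrs "$dir/safe")"
    echo "renamed before: $(attrs "$dir/renamed")"
    rewrite_by_rename "$dir/renamed" drop_comments
    echo "renamed after:  $(attrs "$dir/renamed")"
    rm -rf "$dir"
}
demo
```

For a real binary, wrap the tool to match the calling convention, for example `strip_to() { strip -o "$2" "$1"; }`. On Linux, a write by a process without CAP_FSETID clears setuid/setgid bits, so those bits still need checking after the rewrite.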

Changed in debhelper (Ubuntu):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package fakeroot - 1.25.3-1.1ubuntu2

---------------
fakeroot (1.25.3-1.1ubuntu2) hirsute; urgency=medium

  * Fix riscv64.
  * Enable testsuite on riscv64.

 -- Dimitri John Ledkov <email address hidden> Wed, 17 Feb 2021 10:57:44 +0000

Changed in fakeroot (Ubuntu):
status: Fix Committed → Fix Released
Changed in debhelper (Debian):
status: Unknown → New