Running "dconf update" with different umask affects the permissions of dconf databases in /etc/dconf/db/
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
dconf |
Fix Released
|
Unknown
|
|||
dconf (Ubuntu) |
Invalid
|
Undecided
|
Unassigned | ||
Jammy |
In Progress
|
Medium
|
Wesley Hershberger | ||
Noble |
In Progress
|
Medium
|
Wesley Hershberger | ||
Oracular |
In Progress
|
Medium
|
Wesley Hershberger | ||
Plucky |
In Progress
|
Medium
|
Wesley Hershberger | ||
glib2.0 (Ubuntu) |
Fix Released
|
Undecided
|
Wesley Hershberger | ||
Jammy |
Won't Fix
|
Medium
|
Wesley Hershberger | ||
Noble |
Won't Fix
|
Medium
|
Wesley Hershberger | ||
Oracular |
Won't Fix
|
Medium
|
Wesley Hershberger | ||
Plucky |
Won't Fix
|
Medium
|
Wesley Hershberger |
Bug Description
[ Impact ]
This was originally reported by a user applying the DISA-STIG on Ubuntu
desktop [1], which requires a global umask of 077. The global dconf databases
in /etc/dconf/db are intended to be read by many users (mode 644).
dconf uses g_file_set_contents from GLib to guarantee consistent writes [2][3].
The function creates a tempfile to rename over the original but does not
guarantee that the permissions of the tempfile to be the same as the original [4].
With umask 077, this causes a dconf database write to change the permissions of
the db file from 644 to 600.
This behavior was changed upstream in 45a36e52 to guarantee that the mode of the
original file is preserved [5].
45a36e52 has been picked into debian/latest and is present in Questing (glib2.0=2.84.1-2).
g_file_set_contents is used in over 300 packages in Debian [6]. The potential
for a backport of 45a36e52 to break some use-case is rather high. Because this
is an easily worked-around issue that has only been relevant for users applying
DISA-STIG on Ubuntu, applying the upstream fix is not worth the regression risk.
That said, I'd still like to see this fixed in LTS as DISA-STIG users also often
have FIPS requirements, so won't be able to take advantage of the upstream fix
for several years.
The original upstream bug report included a patch for dconf that implements the
same semantics as 45a36e52 [7]. That patch was rejected upstream because it has
a race condition [8]. However, the race is extremely unlikely and any broken
behavior is trivial to correct with chmod (see "What problems could occur").
A modified version of that patch has been carried in OpenSUSE for 8 years with
no bugs I was able to find [9][10]. I'm submitting the original patch as its
behavior more closely resembles the glib change.
As the dconf version in Questing is the same as Plucky (0.40.0-5) and it does
not need changes (as the upstream fix is present in Questing), I suspect
that Questing needs a no-change bump (0.40.0-5ubuntu1) before Plucky
(0.40.0-5ubuntu0.1) is accepted.
[1] https:/
[2] https:/
[3] https:/
[4] https:/
[5] https:/
[6] https:/
[7] https:/
[8] https:/
[9] https:/
[10] https:/
[ Test Plan ]
Ensure that the patch resolves the original bug:
```
sudo apt-get install dconf-cli
mkdir -p /etc/dconf/
cat >/etc/dconf/
[test]
hello='world'
EOF
dconf update
ls -la /etc/dconf/
umask 0077
dconf update
ls -la /etc/dconf/
```
Expected result:
-rw-r--r-- 1 root root 152 Apr 24 14:16 /etc/dconf/
Observed result:
-rw------- 1 root root 152 Apr 24 14:16 /etc/dconf/
Regression check:
On Ubuntu Desktop, use gsettings to set a configuration key:
```
gsettings set org.gnome.mutter center-new-windows false
```
Ensure that the setting takes effect in mutter (open a new window), and check
the syslog for permissions errors.
[ Where problems could occur ]
The patch I'm proposing for SRU contains a race condition; the permissions of
a dconf database may be incorrect for a short time between the move-over and
chmod. There are two problem cases:
* An application attempts to read the dconf database between the move of the
tempfile & the chmod, resulting in a permissions error. A retry should
work around this. Because dconf writes are extremely uncommon, the chances
of this occuring are very low (it was not reported in OpenSUSE for 8 years).
* dconf crashes or is killed between the move and the chmod, causing the file
to retain incorrect permissions. This is the current behavior of dconf and
can be resolved with a chmod of the file to the desired permissions.
[ Original Description ]
Is it possible to include this [1] upstream fix in Jammy and Noble?
Steps to reproduce:
```
root@test-
root@test-
-rw-r--r-- 1 root root 61 Jul 9 12:27 local
root@test-
0022
root@test-
root@test-
0077
root@test-
root@test-
-rw------- 1 root root 61 Jul 9 12:28 local
root@test-
dconf-cli:
Installed: 0.40.0-3
Candidate: 0.40.0-3
Version table:
*** 0.40.0-3 500
500 http://
100 /var/lib/
```
Danger of unexpected misconfiguration is great: others require read access to dconf-databases or their dconf-settings will not update as expected.
Related branches
- Support Engineering Sponsors: Pending requested
-
Diff: 80 lines (+61/-0)3 files modifieddebian/changelog (+8/-0)
debian/patches/0001-gvdb-Restore-permissions-on-changed-files.patch (+52/-0)
debian/patches/series (+1/-0)
- Support Engineering Sponsors: Pending requested
-
Diff: 80 lines (+61/-0)3 files modifieddebian/changelog (+8/-0)
debian/patches/0001-gvdb-Restore-permissions-on-changed-files.patch (+52/-0)
debian/patches/series (+1/-0)
- Support Engineering Sponsors: Pending requested
-
Diff: 80 lines (+61/-0)3 files modifieddebian/changelog (+8/-0)
debian/patches/0001-gvdb-Restore-permissions-on-changed-files.patch (+52/-0)
debian/patches/series (+1/-0)
- Support Engineering Sponsors: Pending requested
-
Diff: 80 lines (+61/-0)3 files modifieddebian/changelog (+8/-0)
debian/patches/0001-gvdb-Restore-permissions-on-changed-files.patch (+52/-0)
debian/patches/series (+1/-0)
- Ubuntu Sponsors: Pending requested
- git-ubuntu import: Pending requested
-
Diff: 156 lines (+134/-0)3 files modifieddebian/changelog (+8/-0)
debian/patches/lp2072586-gfileutils-Preserve-mode-during-atomic-updates.patch (+125/-0)
debian/patches/series (+1/-0)
- Ubuntu Sponsors: Pending requested
- git-ubuntu import: Pending requested
-
Diff: 156 lines (+134/-0)3 files modifieddebian/changelog (+8/-0)
debian/patches/lp2072586-gfileutils-Preserve-mode-during-atomic-updates.patch (+125/-0)
debian/patches/series (+1/-0)
- Ubuntu Sponsors: Pending requested
- git-ubuntu import: Pending requested
-
Diff: 156 lines (+134/-0)3 files modifieddebian/changelog (+8/-0)
debian/patches/lp2072586-gfileutils-Preserve-mode-during-atomic-updates.patch (+125/-0)
debian/patches/series (+1/-0)
- Ubuntu Sponsors: Pending requested
- git-ubuntu import: Pending requested
-
Diff: 156 lines (+134/-0)3 files modifieddebian/changelog (+8/-0)
debian/patches/lp2072586-gfileutils-Preserve-mode-during-atomic-updates.patch (+125/-0)
debian/patches/series (+1/-0)
tags: | added: sts |
Changed in dconf (Ubuntu): | |
assignee: | nobody → Wesley Hershberger (whershberger) |
description: | updated |
affects: | dconf (Ubuntu) → glib2.0 (Ubuntu) |
Changed in glib2.0 (Ubuntu): | |
status: | Confirmed → Triaged |
Changed in glib2.0 (Ubuntu Jammy): | |
status: | New → Triaged |
Changed in glib2.0 (Ubuntu Noble): | |
status: | New → Triaged |
Changed in glib2.0 (Ubuntu Plucky): | |
status: | New → Triaged |
Changed in glib2.0 (Ubuntu Jammy): | |
assignee: | nobody → Wesley Hershberger (whershberger) |
Changed in glib2.0 (Ubuntu Plucky): | |
assignee: | nobody → Wesley Hershberger (whershberger) |
Changed in glib2.0 (Ubuntu Noble): | |
assignee: | nobody → Wesley Hershberger (whershberger) |
Changed in glib2.0 (Ubuntu): | |
status: | Triaged → Fix Committed |
description: | updated |
Changed in glib2.0 (Ubuntu Jammy): | |
status: | Triaged → In Progress |
Changed in glib2.0 (Ubuntu Noble): | |
status: | Triaged → In Progress |
Changed in glib2.0 (Ubuntu Oracular): | |
status: | Triaged → In Progress |
Changed in glib2.0 (Ubuntu Plucky): | |
status: | Triaged → In Progress |
description: | updated |
description: | updated |
description: | updated |
information type: | Public → Public Security |
affects: | glib → dconf |
Changed in dconf: | |
status: | Unknown → Fix Released |
Changed in glib2.0 (Ubuntu Plucky): | |
importance: | Undecided → Medium |
Changed in glib2.0 (Ubuntu Oracular): | |
importance: | Undecided → Medium |
Changed in glib2.0 (Ubuntu Noble): | |
importance: | Undecided → Medium |
Changed in glib2.0 (Ubuntu Jammy): | |
importance: | Undecided → Medium |
description: | updated |
Changed in dconf (Ubuntu): | |
status: | New → Invalid |
Changed in dconf (Ubuntu Jammy): | |
status: | New → In Progress |
Changed in dconf (Ubuntu Noble): | |
importance: | Undecided → Medium |
status: | New → In Progress |
Changed in dconf (Ubuntu Jammy): | |
assignee: | nobody → Wesley Hershberger (whershberger) |
importance: | Undecided → Medium |
Changed in dconf (Ubuntu Noble): | |
assignee: | nobody → Wesley Hershberger (whershberger) |
Changed in dconf (Ubuntu Oracular): | |
assignee: | nobody → Wesley Hershberger (whershberger) |
importance: | Undecided → Medium |
status: | New → In Progress |
Changed in dconf (Ubuntu Plucky): | |
assignee: | nobody → Wesley Hershberger (whershberger) |
importance: | Undecided → Medium |
status: | New → In Progress |
Changed in glib2.0 (Ubuntu Jammy): | |
status: | In Progress → Won't Fix |
Changed in glib2.0 (Ubuntu Noble): | |
status: | In Progress → Won't Fix |
Changed in glib2.0 (Ubuntu Oracular): | |
status: | In Progress → Won't Fix |
Changed in glib2.0 (Ubuntu Plucky): | |
status: | In Progress → Won't Fix |
description: | updated |
Status changed to 'Confirmed' because the bug affects multiple users.