unsquashfs does not preserve sticky bit when run as non-root

Bug #1779914 reported by Jamie Strandboge on 2018-07-03
This bug affects 1 person
Affects: squashfs-tools (Debian)
  Status: New, Importance: Unknown
Affects: squashfs-tools (Ubuntu)
  Status tracked in Cosmic
  Trusty: Importance Undecided, assigned to Jamie Strandboge
  Xenial: Importance Undecided, assigned to Jamie Strandboge
  Bionic: Importance Undecided, assigned to Jamie Strandboge
  Cosmic: Importance Undecided, assigned to Jamie Strandboge

Bug Description

[Impact]
unsquashfs does not preserve the stickybit when run as non-root (unlike other archive tools, like tar). While this is a bug in and of itself, it causes snaps with sticky directories to fail automated review because the resquashed snap has the bit stripped and the resquashed snap as a result has a different checksum.

The fix is to attempt the chmod with the stickybit and if it fails with EPERM when not root, try again without the stickybit.

[Test Case]

1. create a squashfs with a sticky dir:

$ mkdir -p /tmp/foo/sticky-dir
$ chmod 1777 /tmp/foo/sticky-dir
$ mksquashfs /tmp/foo test.squash -all-root

2. see that the squashfs has the sticky dir in the squash:

$ unsquashfs -lls ./test.squash
...
drwxrwxrwt root/root 3 2018-07-05 16:03 squashfs-root/sticky-dir

3. unsquash the squash as non-root:

$ unsquashfs test.squash

4. verify the stickybit is set:

$ ls -ld squashfs-root/sticky-dir/
drwxrwxrwt 2 jamie jamie 4096 Jul 5 16:07 squashfs-root/sticky-dir/

Without the SRU, the directory is 0777:

$ ls -ld squashfs-root/sticky-dir/
drwxrwxrwx 2 jamie jamie 4096 Jul 5 16:07 squashfs-root/sticky-dir/

[Regression Potential]

Due to the fallback behavior, the regression potential is considered low. Furthermore, because the non-root user is still the owner of the resulting unpacked sticky directories, there is no problem with being able to remove the unpacked directories on error, etc.

[ Other Info ]
In addition to the above, I've added test-squashfs-tools.py to QRT which verifies type, owner and permissions with mksquashfs and unsquashfs for many different entries. These fail for the sticky bit (but otherwise pass) when unpatched and pass when patched.

[ Original description ]
From https://sourceforge.net/p/squashfs/mailman/message/36343213/:

"This set is an attempt to preserve the sticky bit when running unsquashfs as a non-root user. My main motivation for these changes is to improve reproducibility when doing a sequence of "unsquashfs -> mksquashfs" as a non-root user but I think there's even more value in preserving the sticky bit in the case of a squashfs image containing a world-writable directory filled with files owned by a single user. Dropping the sticky bit could be considered to be a real bug in that scenario."
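The fallback described under [Impact] (try the chmod with the sticky bit, and retry without it only on EPERM as non-root), sketched as an added example. This is not the squashfs-tools patch or code from this report; the helper names `chmod_keep_sticky` and `mode_on_disk` and the /tmp path are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Permission bits plus setuid/setgid/sticky, spelled with macros, not octal. */
#define MODE_BITS (S_ISUID | S_ISGID | S_ISVTX | S_IRWXU | S_IRWXG | S_IRWXO)

/*
 * Hypothetical helper (not the squashfs-tools function): apply `mode`,
 * and only if the kernel refuses with EPERM for a non-root caller,
 * retry once without the sticky bit.
 * Returns the mode that was applied, or (mode_t)-1 on failure.
 */
mode_t chmod_keep_sticky(const char *path, mode_t mode)
{
    mode &= MODE_BITS;
    if (chmod(path, mode) == 0)
        return mode;
    if (errno == EPERM && geteuid() != 0 && (mode & S_ISVTX)) {
        mode &= ~(mode_t)S_ISVTX;
        if (chmod(path, mode) == 0)
            return mode;
    }
    return (mode_t)-1;
}

/* Read back the mode bits that actually landed on disk. */
mode_t mode_on_disk(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (st.st_mode & MODE_BITS) : (mode_t)-1;
}

int main(void)
{
    char dir[64]; /* constructed scratch directory, removed at the end */
    snprintf(dir, sizeof dir, "/tmp/sticky-demo-%ld", (long)getpid());
    if (mkdir(dir, S_IRWXU) != 0)
        return 1;
    mode_t want = S_ISVTX | S_IRWXU | S_IRWXG | S_IRWXO; /* 1777 */
    mode_t applied = chmod_keep_sticky(dir, want);
    printf("wanted %04o applied %04o on disk %04o\n",
           (unsigned)want, (unsigned)applied, (unsigned)mode_on_disk(dir));
    rmdir(dir);
    return applied == (mode_t)-1;
}
```

Comparing the returned mode with the requested one tells the caller whether the sticky bit was dropped, which is the condition that changes the checksum of a resquashed image.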

summary: - unsquashfs strips sticky bit when run as non-root
+ unsquashfs does not preserve sticky bit when run as non-root
Changed in squashfs-tools (Ubuntu):
status: New → In Progress
Changed in squashfs-tools (Ubuntu Trusty):
status: New → Triaged
Changed in squashfs-tools (Ubuntu Xenial):
status: New → Triaged
Changed in squashfs-tools (Ubuntu Bionic):
status: New → Triaged
Changed in squashfs-tools (Ubuntu Trusty):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in squashfs-tools (Ubuntu Xenial):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in squashfs-tools (Ubuntu Bionic):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in squashfs-tools (Ubuntu Cosmic):
assignee: nobody → Jamie Strandboge (jdstrand)
description: updated
description: updated
Changed in squashfs-tools (Ubuntu Cosmic):
status: In Progress → Fix Committed
Changed in squashfs-tools (Ubuntu Trusty):
status: Triaged → In Progress
Changed in squashfs-tools (Ubuntu Xenial):
status: Triaged → In Progress
Changed in squashfs-tools (Ubuntu Bionic):
status: Triaged → In Progress
description: updated
description: updated
Changed in squashfs-tools (Debian):
status: Unknown → New
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package squashfs-tools - 1:4.3-6ubuntu1

---------------
squashfs-tools (1:4.3-6ubuntu1) cosmic; urgency=medium

  * debian/patches/0010-use-macros-not-raw-octal-with-chmod.patch,
    debian/patches/0011-also-set-stickybit-as-non-root.patch: apply stickybit
    when run as non-root (LP: #1779914). Patches thanks to Tyler Hicks.

 -- Jamie Strandboge <email address hidden> Thu, 05 Jul 2018 20:14:24 +0000

Changed in squashfs-tools (Ubuntu Cosmic):
status: Fix Committed → Fix Released
description: updated
description: updated
description: updated

Hello Jamie, or anyone else affected,

Accepted squashfs-tools into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/squashfs-tools/1:4.3-6ubuntu0.18.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in squashfs-tools (Ubuntu Bionic):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-bionic
Changed in squashfs-tools (Ubuntu Xenial):
status: In Progress → Fix Committed
tags: added: verification-needed-xenial
Brian Murray (brian-murray) wrote :

Hello Jamie, or anyone else affected,

Accepted squashfs-tools into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/squashfs-tools/1:4.3-3ubuntu2.16.04.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Brian Murray (brian-murray) wrote :

Hello Jamie, or anyone else affected,

Accepted squashfs-tools into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/squashfs-tools/1:4.2+20130409-2ubuntu0.14.04.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-trusty to verification-done-trusty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-trusty. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in squashfs-tools (Ubuntu Trusty):
status: In Progress → Fix Committed
tags: added: verification-needed-trusty
Jamie Strandboge (jdstrand) wrote :

I've verified on amd64 and i386 on 14.04, 16.04 and 18.04 that unsquashfs works correctly wrt the test case and QRT passes.

tags: added: verification-done verification-done-bionic verification-done-trusty verification-done-xenial
removed: verification-needed verification-needed-bionic verification-needed-trusty verification-needed-xenial
Łukasz Zemczak (sil2100) wrote :

I ran the snapcraft ADT tests with no triggers and experienced the same failure as seen in the squashfs-upload - noting it as a regression and not blocking on it for now.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package squashfs-tools - 1:4.3-6ubuntu0.18.04.1

---------------
squashfs-tools (1:4.3-6ubuntu0.18.04.1) bionic; urgency=medium

  * debian/patches/0010-use-macros-not-raw-octal-with-chmod.patch,
    debian/patches/0011-also-set-stickybit-as-non-root.patch: apply stickybit
    when run as non-root (LP: #1779914). Patches thanks to Tyler Hicks.

 -- Jamie Strandboge <email address hidden> Thu, 05 Jul 2018 19:49:18 +0000

Changed in squashfs-tools (Ubuntu Bionic):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for squashfs-tools has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package squashfs-tools - 1:4.3-3ubuntu2.16.04.2

---------------
squashfs-tools (1:4.3-3ubuntu2.16.04.2) xenial; urgency=medium

  * debian/patches/0008-use-macros-not-raw-octal-with-chmod.patch,
    debian/patches/0009-also-set-stickybit-as-non-root.patch: apply stickybit
    when run as non-root (LP: #1779914). Patches thanks to Tyler Hicks.

 -- Jamie Strandboge <email address hidden> Thu, 05 Jul 2018 19:53:27 +0000

Changed in squashfs-tools (Ubuntu Xenial):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package squashfs-tools - 1:4.2+20130409-2ubuntu0.14.04.3

---------------
squashfs-tools (1:4.2+20130409-2ubuntu0.14.04.3) trusty; urgency=medium

  * debian/patches/0004-use-macros-not-raw-octal-with-chmod.patch,
    debian/patches/0005-also-set-stickybit-as-non-root.patch: apply stickybit
    when run as non-root (LP: #1779914). Patches thanks to Tyler Hicks.

 -- Jamie Strandboge <email address hidden> Thu, 05 Jul 2018 20:13:00 +0000

Changed in squashfs-tools (Ubuntu Trusty):
status: Fix Committed → Fix Released