unsquashfs does not preserve sticky bit when run as non-root
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
squashfs-tools (Debian) | Fix Released | Unknown | |
squashfs-tools (Ubuntu) | Fix Released | Undecided | Jamie Strandboge |
Trusty | Fix Released | Undecided | Jamie Strandboge |
Xenial | Fix Released | Undecided | Jamie Strandboge |
Bionic | Fix Released | Undecided | Jamie Strandboge |
Cosmic | Fix Released | Undecided | Jamie Strandboge |
Bug Description
[Impact]
unsquashfs does not preserve the sticky bit when run as non-root (unlike other archive tools, like tar). While this is a bug in and of itself, it causes snaps with sticky directories to fail automated review because the unsquashed tree has the bit stripped and the resquashed snap as a result has a different checksum.
The fix is to attempt the chmod with the sticky bit and, if it fails with EPERM when not root, try again without the sticky bit.
[Test Case]
1. create a squashfs with a sticky dir:
$ mkdir -p /tmp/foo/sticky-dir
$ chmod 1777 /tmp/foo/sticky-dir
$ mksquashfs /tmp/foo test.squash -all-root
2. see that the squashfs has the sticky dir in the squash:
$ unsquashfs -lls ./test.squash
...
drwxrwxrwt root/root 3 2018-07-05 16:03 squashfs-
3. unsquash the squash as non-root:
$ unsquashfs test.squash
4. verify the stickybit is set:
$ ls -ld squashfs-
drwxrwxrwt 2 jamie jamie 4096 Jul 5 16:07 squashfs-
Without the SRU, the directory is 0777:
$ ls -ld squashfs-
drwxrwxrwx 2 jamie jamie 4096 Jul 5 16:07 squashfs-
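The fallback described under [Impact] and the preserved-mode check from steps 3 and 4 of the test case, as an added C illustration that is not the squashfs-tools source (function names, the modelled pre-fix behaviour and the temporary-directory layout are this example's own assumptions; it works on a plain directory rather than a squashfs image so it runs without mksquashfs installed):

```c
/* Added example: sticky-bit handling for an unprivileged extractor.
 * Not code from squashfs-tools; names and the modelled old behaviour
 * are assumptions made for illustration. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Models the behaviour the report describes before the fix: when not
 * root, the special bits are dropped before chmod, so 1777 becomes 0777. */
static int chmod_strip_special_as_nonroot(const char *path, mode_t mode)
{
    if (geteuid() != 0)
        mode &= ~(mode_t)(S_ISUID | S_ISGID | S_ISVTX);
    return chmod(path, mode);
}

/* The fix as described: try the full mode first; only if the kernel
 * refuses it with EPERM and we are not root, retry without S_ISVTX.
 * Returns 0 on success (with or without the fallback), -1 otherwise. */
static int chmod_with_sticky_fallback(const char *path, mode_t mode)
{
    if (chmod(path, mode) == 0)
        return 0;
    if (errno == EPERM && geteuid() != 0 && (mode & S_ISVTX))
        return chmod(path, mode & ~(mode_t)S_ISVTX);
    return -1;
}

typedef int (*chmod_fn)(const char *, mode_t);

/* Create a fresh directory, apply 1777 through `apply`, and report whether
 * the sticky bit survived: 1 = kept, 0 = lost, -1 = setup or chmod failed.
 * This is the "ls -ld" check of step 4, done with stat(2). */
static int sticky_roundtrip(chmod_fn apply)
{
    char tmpl[] = "/tmp/sticky-demo-XXXXXX";
    char local[] = "./sticky-demo-XXXXXX";
    char *dir = mkdtemp(tmpl);
    struct stat st;
    int kept = -1;

    if (dir == NULL)            /* /tmp unusable: fall back to cwd */
        dir = mkdtemp(local);
    if (dir == NULL)
        return -1;
    if (apply(dir, 01777) == 0 && stat(dir, &st) == 0)
        kept = (st.st_mode & S_ISVTX) ? 1 : 0;
    rmdir(dir);                 /* owner can always remove its own dir */
    return kept;
}

int main(void)
{
    int before = sticky_roundtrip(chmod_strip_special_as_nonroot);
    int after = sticky_roundtrip(chmod_with_sticky_fallback);

    printf("euid %u, strip-special-as-nonroot: sticky kept = %d\n",
           (unsigned)geteuid(), before);
    printf("euid %u, chmod-with-fallback:      sticky kept = %d\n",
           (unsigned)geteuid(), after);
    return after == 1 ? 0 : 1;
}
```

Run as an ordinary user, the first policy reports the sticky bit lost and the second reports it kept, which is the difference between the two `ls -ld` outputs above; as root both keep it, since the modelled stripping only applied to non-root runs. The fallback only triggers on EPERM, so a failure for any other reason (missing directory, read-only filesystem) is still reported rather than silently retried.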
[Regression Potential]
Due to the fallback behavior, the regression potential is considered low. Furthermore, because the non-root user is still the owner of the resulting unpacked sticky directories, there is no problem with being able to remove the unpacked directories on error, etc.
[ Other Info ]
In addition to the above, I've added test-squashfs-
[ Original description ]
From https:/
"This set is an attempt to preserve the sticky bit when running unsquashfs as a non-root user. My main motivation for these changes is to improve reproducibility when doing a sequence of "unsquashfs -> mksquashfs" as a non-root user but I think there's even more value in preserving the sticky bit in the case of a squashfs image containing a world-writable directory filled with files owned by a single user. Dropping the sticky bit could be considered to be a real bug in that scenario."
summary: unsquashfs strips sticky bit when run as non-root → unsquashfs does not preserve sticky bit when run as non-root
Changed in squashfs-tools (Ubuntu): status: New → In Progress
Changed in squashfs-tools (Ubuntu Trusty): status: New → Triaged
Changed in squashfs-tools (Ubuntu Xenial): status: New → Triaged
Changed in squashfs-tools (Ubuntu Bionic): status: New → Triaged
Changed in squashfs-tools (Ubuntu Trusty): assignee: nobody → Jamie Strandboge (jdstrand)
Changed in squashfs-tools (Ubuntu Xenial): assignee: nobody → Jamie Strandboge (jdstrand)
Changed in squashfs-tools (Ubuntu Bionic): assignee: nobody → Jamie Strandboge (jdstrand)
Changed in squashfs-tools (Ubuntu Cosmic): assignee: nobody → Jamie Strandboge (jdstrand)
description: updated
description: updated
Changed in squashfs-tools (Ubuntu Cosmic): status: In Progress → Fix Committed
Changed in squashfs-tools (Ubuntu Trusty): status: Triaged → In Progress
Changed in squashfs-tools (Ubuntu Xenial): status: Triaged → In Progress
Changed in squashfs-tools (Ubuntu Bionic): status: Triaged → In Progress
description: updated
description: updated
Changed in squashfs-tools (Debian): status: Unknown → New
description: updated
description: updated
description: updated
Changed in squashfs-tools (Debian): status: New → Fix Released
This bug was fixed in the package squashfs-tools - 1:4.3-6ubuntu1
---------------
squashfs-tools (1:4.3-6ubuntu1) cosmic; urgency=medium
* debian/patches/0010-use-macros-not-raw-octal-with-chmod.patch, debian/patches/0011-also-set-stickybit-as-non-root.patch: apply sticky bit when run as non-root (LP: #1779914). Patches thanks to Tyler Hicks.
-- Jamie Strandboge <email address hidden> Thu, 05 Jul 2018 20:14:24 +0000