GNU bug report logs -
#11436
Please disable test cp/parent-perm-race on hurd-i386
Previous Next
To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 11436 in the body.
You can then email your comments to 11436 AT debbugs.gnu.org in the normal way.
Toggle the display of automated, internal messages from the tracker.
Report forwarded
to
bug-coreutils <at> gnu.org
:
bug#11436
; Package
coreutils
.
(Tue, 08 May 2012 18:41:02 GMT)
Full text and
rfc822 format available.
Acknowledgement sent
to
Samuel Thibault <samuel.thibault <at> gnu.org>
:
New bug report received and forwarded. Copy sent to
bug-coreutils <at> gnu.org
.
(Tue, 08 May 2012 18:41:02 GMT)
Full text and
rfc822 format available.
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
Hello,
(From http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=670478 )
cp/parent-perm-race tries to copy a fifo with the --copy-contents
option. The problem is that cp still uses O_NOFOLLOW in that case,
strace shows:
open("mode/fifo", O_RDONLY|O_NOFOLLOW)
O_NOFOLLOW is actually normally meant for security, to avoid attacks
through symlink redirection. In that case, the Hurd thus disables
translators too, to avoid any rogue translator that would achieve the
same kind attack as symlink redirection. But then --copy-contents can
not work, since the fifo thus can not work (it's a translator that
implements it). I don't think either the Hurd or coreutils will want to
change their behavior, so could the test be disabled on GNU/Hurd?
Samuel
Information forwarded
to
bug-coreutils <at> gnu.org
:
bug#11436
; Package
coreutils
.
(Tue, 08 May 2012 18:50:01 GMT)
Full text and
rfc822 format available.
Message #8 received at 11436 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
On 05/08/2012 12:38 PM, Samuel Thibault wrote:
> Hello,
>
> (From http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=670478 )
>
> cp/parent-perm-race tries to copy a fifo with the --copy-contents
> option. The problem is that cp still uses O_NOFOLLOW in that case,
> strace shows:
>
> open("mode/fifo", O_RDONLY|O_NOFOLLOW)
>
> O_NOFOLLOW is actually normally meant for security, to avoid attacks
> through symlink redirection. In that case, the Hurd thus disables
> translators too, to avoid any rogue translator that would achieve the
> same kind attack as symlink redirection. But then --copy-contents can
> not work, since the fifo thus can not work (it's a translator that
> implements it). I don't think either the Hurd or coreutils will want to
> change their behavior, so could the test be disabled on GNU/Hurd?
I can't help but think that Hurd is broken for disabling fifos, since
POSIX is quite clear that O_NOFOLLOW has no effect on any file type
except symlinks.
http://pubs.opengroup.org/onlinepubs/9699919799/functions/open.html
O_NOFOLLOW
If path names a symbolic link, fail and set errno to [ELOOP].
I wouldn't object to yet another O_* flag that can be used to disable
translators, but don't see how breaking POSIX semantics of a FIFO just
because O_NOFOLLOW was used is warranted.
--
Eric Blake eblake <at> redhat.com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
[signature.asc (application/pgp-signature, attachment)]
Information forwarded
to
bug-coreutils <at> gnu.org
:
bug#11436
; Package
coreutils
.
(Tue, 08 May 2012 18:53:01 GMT)
Full text and
rfc822 format available.
Message #11 received at 11436 <at> debbugs.gnu.org (full text, mbox):
Eric Blake, le Tue 08 May 2012 12:46:57 -0600, a écrit :
> http://pubs.opengroup.org/onlinepubs/9699919799/functions/open.html
> O_NOFOLLOW
> If path names a symbolic link, fail and set errno to [ELOOP].
>
> I wouldn't object to yet another O_* flag that can be used to disable
> translators,
The problem is that we can't expect people to know about that flag, and
use it where security is needed.
> but don't see how breaking POSIX semantics of a FIFO just because
> O_NOFOLLOW was used is warranted.
I don't mean it's warranted. I mean that it's expected that using
O_NOFOLLOW will disable translators. We can however perhaps refine the
behavior to at least make standard fifos work.
Samuel
Information forwarded
to
bug-coreutils <at> gnu.org
:
bug#11436
; Package
coreutils
.
(Tue, 08 May 2012 23:09:02 GMT)
Full text and
rfc822 format available.
Message #14 received at 11436 <at> debbugs.gnu.org (full text, mbox):
Hi,
Samuel Thibault <samuel.thibault <at> gnu.org> skribis:
> Eric Blake, le Tue 08 May 2012 12:46:57 -0600, a écrit :
>> http://pubs.opengroup.org/onlinepubs/9699919799/functions/open.html
>> O_NOFOLLOW
>> If path names a symbolic link, fail and set errno to [ELOOP].
>>
>> I wouldn't object to yet another O_* flag that can be used to disable
>> translators,
>
> The problem is that we can't expect people to know about that flag, and
> use it where security is needed.
>
>> but don't see how breaking POSIX semantics of a FIFO just because
>> O_NOFOLLOW was used is warranted.
>
> I don't mean it's warranted. I mean that it's expected that using
> O_NOFOLLOW will disable translators. We can however perhaps refine the
> behavior to at least make standard fifos work.
Yes. In glibc, ‘__hurd_file_name_lookup_retry’ does this:
--8<---------------cut here---------------start------------->8---
if (flags & O_NOFOLLOW)
{
/* In Linux, O_NOFOLLOW means to reject symlinks. If we
did an O_NOLINK lookup above and io_stat here to check
for S_IFLNK, a translator like firmlink could easily
spoof this check by not showing S_IFLNK, but in fact
redirecting the lookup to some other name
(i.e. opening the very same holes a symlink would).
Instead we do an O_NOTRANS lookup above, and stat the
underlying node: if it has a translator set, and its
owner is not root (st_uid 0) then we reject it.
Since the motivation for this feature is security, and
that security presumes we trust the containing
directory, this check approximates the security of
refusing symlinks while accepting mount points.
Note that we actually permit something Linux doesn't:
we follow root-owned symlinks; if that is deemed
undesireable, we can add a final check for that
one exception to our general translator-based rule. */
struct stat64 st;
err = __io_stat (*result, &st);
if (!err
&& (st.st_mode & (S_IPTRANS|S_IATRANS)))
{
if (st.st_uid != 0)
err = ENOENT;
else if (st.st_mode & S_IPTRANS)
{
char buf[1024];
char *trans = buf;
size_t translen = sizeof buf;
err = __file_get_translator (*result,
&trans, &translen);
if (!err
&& translen > sizeof _HURD_SYMLINK
&& !memcmp (trans,
_HURD_SYMLINK, sizeof _HURD_SYMLINK))
err = ENOENT;
}
}
}
--8<---------------cut here---------------end--------------->8---
What about looking up without O_NOTRANS when _HURD_FIFO is found here,
regardless of whether the node is root-owned?
The problem with these hacks is that in a chroot /hurd/{symlink,fifo}
could be anything…
Thanks,
Ludo’.
Added tag(s) notabug.
Request was from
Jim Meyering <meyering <at> hx.meyering.net>
to
control <at> debbugs.gnu.org
.
(Sun, 07 Oct 2012 09:47:01 GMT)
Full text and
rfc822 format available.
Reply sent
to
Jim Meyering <meyering <at> hx.meyering.net>
:
You have taken responsibility.
(Sun, 07 Oct 2012 09:47:02 GMT)
Full text and
rfc822 format available.
Notification sent
to
Samuel Thibault <samuel.thibault <at> gnu.org>
:
bug acknowledged by developer.
(Sun, 07 Oct 2012 09:47:02 GMT)
Full text and
rfc822 format available.
Message #21 received at 11436-done <at> debbugs.gnu.org (full text, mbox):
Ludovic Courtès wrote:
> Samuel Thibault <samuel.thibault <at> gnu.org> skribis:
>
>> Eric Blake, le Tue 08 May 2012 12:46:57 -0600, a écrit :
>>> http://pubs.opengroup.org/onlinepubs/9699919799/functions/open.html
>>> O_NOFOLLOW
>>> If path names a symbolic link, fail and set errno to [ELOOP].
>>>
>>> I wouldn't object to yet another O_* flag that can be used to disable
>>> translators,
>>
>> The problem is that we can't expect people to know about that flag, and
>> use it where security is needed.
>>
>>> but don't see how breaking POSIX semantics of a FIFO just because
>>> O_NOFOLLOW was used is warranted.
>>
>> I don't mean it's warranted. I mean that it's expected that using
>> O_NOFOLLOW will disable translators. We can however perhaps refine the
>> behavior to at least make standard fifos work.
>
> Yes. In glibc, ‘__hurd_file_name_lookup_retry’ does this:
>
> if (flags & O_NOFOLLOW)
> {
> /* In Linux, O_NOFOLLOW means to reject symlinks. If we
Thanks.
I'm closing this issue as notabug.
If you still think the test should be disabled for the Hurd,
feel free to reopen it.
bug archived.
Request was from
Debbugs Internal Request <help-debbugs <at> gnu.org>
to
internal_control <at> debbugs.gnu.org
.
(Sun, 04 Nov 2012 12:24:03 GMT)
Full text and
rfc822 format available.
This bug report was last modified 11 years and 198 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.