GNU bug report logs - #11436
Please disable test cp/parent-perm-race on hurd-i386

Previous Next

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 11436 in the body.
You can then email your comments to 11436 AT debbugs.gnu.org in the normal way.

Toggle the display of automated, internal messages from the tracker.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Samuel Thibault <samuel.thibault <at> gnu.org>
To: bug-coreutils <at> gnu.org
Subject: Please disable test cp/parent-perm-race on hurd-i386
Date: Tue, 8 May 2012 20:38:16 +0200

Hello,

(From http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=670478 )

cp/parent-perm-race tries to copy a fifo with the --copy-contents
option.  The problem is that cp still uses O_NOFOLLOW in that case,
strace shows:

open("mode/fifo", O_RDONLY|O_NOFOLLOW)

O_NOFOLLOW is actually normally meant for security, to avoid attacks
through symlink redirection.  In that case, the Hurd thus disables
translators too, to avoid any rogue translator that would achieve the
same kind attack as symlink redirection.  But then --copy-contents can
not work, since the fifo thus can not work (it's a translator that
implements it).  I don't think either the Hurd or coreutils will want to
change their behavior, so could the test be disabled on GNU/Hurd?

Samuel

Message #8 received at 11436 <at> debbugs.gnu.org (full text, mbox):

From: Eric Blake <eblake <at> redhat.com>
To: Samuel Thibault <samuel.thibault <at> gnu.org>
Cc: 11436 <at> debbugs.gnu.org
Subject: Re: bug#11436: Please disable test cp/parent-perm-race on hurd-i386
Date: Tue, 08 May 2012 12:46:57 -0600

[Message part 1 (text/plain, inline)]

On 05/08/2012 12:38 PM, Samuel Thibault wrote:
> Hello,
> 
> (From http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=670478 )
> 
> cp/parent-perm-race tries to copy a fifo with the --copy-contents
> option.  The problem is that cp still uses O_NOFOLLOW in that case,
> strace shows:
> 
> open("mode/fifo", O_RDONLY|O_NOFOLLOW)
> 
> O_NOFOLLOW is actually normally meant for security, to avoid attacks
> through symlink redirection.  In that case, the Hurd thus disables
> translators too, to avoid any rogue translator that would achieve the
> same kind attack as symlink redirection.  But then --copy-contents can
> not work, since the fifo thus can not work (it's a translator that
> implements it).  I don't think either the Hurd or coreutils will want to
> change their behavior, so could the test be disabled on GNU/Hurd?

I can't help but think that Hurd is broken for disabling fifos, since
POSIX is quite clear that O_NOFOLLOW has no effect on any file type
except symlinks.

http://pubs.opengroup.org/onlinepubs/9699919799/functions/open.html
O_NOFOLLOW
    If path names a symbolic link, fail and set errno to [ELOOP].

I wouldn't object to yet another O_* flag that can be used to disable
translators, but don't see how breaking POSIX semantics of a FIFO just
because O_NOFOLLOW was used is warranted.

-- 
Eric Blake   eblake <at> redhat.com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

[signature.asc (application/pgp-signature, attachment)]

Message #11 received at 11436 <at> debbugs.gnu.org (full text, mbox):

From: Samuel Thibault <samuel.thibault <at> gnu.org>
To: Eric Blake <eblake <at> redhat.com>
Cc: bug-hurd <at> gnu.org, 11436 <at> debbugs.gnu.org
Subject: Re: bug#11436: Please disable test cp/parent-perm-race on hurd-i386
Date: Tue, 8 May 2012 20:50:27 +0200

Eric Blake, le Tue 08 May 2012 12:46:57 -0600, a écrit :
> http://pubs.opengroup.org/onlinepubs/9699919799/functions/open.html
> O_NOFOLLOW
>     If path names a symbolic link, fail and set errno to [ELOOP].
> 
> I wouldn't object to yet another O_* flag that can be used to disable
> translators,

The problem is that we can't expect people to know about that flag, and
use it where security is needed.

> but don't see how breaking POSIX semantics of a FIFO just because
> O_NOFOLLOW was used is warranted.

I don't mean it's warranted.  I mean that it's expected that using
O_NOFOLLOW will disable translators.  We can however perhaps refine the
behavior to at least make standard fifos work.

Samuel

Message #14 received at 11436 <at> debbugs.gnu.org (full text, mbox):

From: ludo <at> gnu.org (Ludovic Courtès)
To: Samuel Thibault <samuel.thibault <at> gnu.org>
Cc: Eric Blake <eblake <at> redhat.com>, bug-hurd <at> gnu.org, 11436 <at> debbugs.gnu.org
Subject: Re: bug#11436: Please disable test cp/parent-perm-race on hurd-i386
Date: Wed, 09 May 2012 01:06:34 +0200

Hi,

Samuel Thibault <samuel.thibault <at> gnu.org> skribis:

> Eric Blake, le Tue 08 May 2012 12:46:57 -0600, a écrit :
>> http://pubs.opengroup.org/onlinepubs/9699919799/functions/open.html
>> O_NOFOLLOW
>>     If path names a symbolic link, fail and set errno to [ELOOP].
>> 
>> I wouldn't object to yet another O_* flag that can be used to disable
>> translators,
>
> The problem is that we can't expect people to know about that flag, and
> use it where security is needed.
>
>> but don't see how breaking POSIX semantics of a FIFO just because
>> O_NOFOLLOW was used is warranted.
>
> I don't mean it's warranted.  I mean that it's expected that using
> O_NOFOLLOW will disable translators.  We can however perhaps refine the
> behavior to at least make standard fifos work.

Yes.  In glibc, ‘__hurd_file_name_lookup_retry’ does this:

--8<---------------cut here---------------start------------->8---
        if (flags & O_NOFOLLOW)
          {
            /* In Linux, O_NOFOLLOW means to reject symlinks.  If we
               did an O_NOLINK lookup above and io_stat here to check
               for S_IFLNK, a translator like firmlink could easily
               spoof this check by not showing S_IFLNK, but in fact
               redirecting the lookup to some other name
               (i.e. opening the very same holes a symlink would).

               Instead we do an O_NOTRANS lookup above, and stat the
               underlying node: if it has a translator set, and its
               owner is not root (st_uid 0) then we reject it.
               Since the motivation for this feature is security, and
               that security presumes we trust the containing
               directory, this check approximates the security of
               refusing symlinks while accepting mount points.
               Note that we actually permit something Linux doesn't:
               we follow root-owned symlinks; if that is deemed
               undesireable, we can add a final check for that
               one exception to our general translator-based rule.  */
            struct stat64 st;
            err = __io_stat (*result, &st);
            if (!err
                && (st.st_mode & (S_IPTRANS|S_IATRANS)))
              {
                if (st.st_uid != 0)
                  err = ENOENT;
                else if (st.st_mode & S_IPTRANS)
                  {
                    char buf[1024];
                    char *trans = buf;
                    size_t translen = sizeof buf;
                    err = __file_get_translator (*result,
                                                 &trans, &translen);
                    if (!err
                        && translen > sizeof _HURD_SYMLINK
                        && !memcmp (trans,
                                    _HURD_SYMLINK, sizeof _HURD_SYMLINK))
                      err = ENOENT;
                  }
              }
          }
--8<---------------cut here---------------end--------------->8---

What about looking up without O_NOTRANS when _HURD_FIFO is found here,
regardless of whether the node is root-owned?

The problem with these hacks is that in a chroot /hurd/{symlink,fifo}
could be anything…

Thanks,
Ludo’.

Message #21 received at 11436-done <at> debbugs.gnu.org (full text, mbox):

From: Jim Meyering <meyering <at> hx.meyering.net>
To: ludo <at> gnu.org (Ludovic Courtès)
Cc: bug-hurd <at> gnu.org, Eric Blake <eblake <at> redhat.com>,
	Samuel Thibault <samuel.thibault <at> gnu.org>, 11436-done <at> debbugs.gnu.org
Subject: Re: bug#11436: Please disable test cp/parent-perm-race on hurd-i386
Date: Sun, 07 Oct 2012 11:46:16 +0200

Ludovic Courtès wrote:
> Samuel Thibault <samuel.thibault <at> gnu.org> skribis:
>
>> Eric Blake, le Tue 08 May 2012 12:46:57 -0600, a écrit :
>>> http://pubs.opengroup.org/onlinepubs/9699919799/functions/open.html
>>> O_NOFOLLOW
>>>     If path names a symbolic link, fail and set errno to [ELOOP].
>>> 
>>> I wouldn't object to yet another O_* flag that can be used to disable
>>> translators,
>>
>> The problem is that we can't expect people to know about that flag, and
>> use it where security is needed.
>>
>>> but don't see how breaking POSIX semantics of a FIFO just because
>>> O_NOFOLLOW was used is warranted.
>>
>> I don't mean it's warranted.  I mean that it's expected that using
>> O_NOFOLLOW will disable translators.  We can however perhaps refine the
>> behavior to at least make standard fifos work.
>
> Yes.  In glibc, ‘__hurd_file_name_lookup_retry’ does this:
>
>         if (flags & O_NOFOLLOW)
>           {
>             /* In Linux, O_NOFOLLOW means to reject symlinks.  If we

Thanks.
I'm closing this issue as notabug.
If you still think the test should be disabled for the Hurd,
feel free to reopen it.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.