From 334f0b89be271cbe2b9973ebc7eab50f955517e8 Mon Sep 17 00:00:00 2001 From: Colin Walters Date: Tue, 10 Oct 2017 11:10:48 -0400 Subject: [PATCH] ex-container: Make /usr/etc/{,g}shadow user-readable For the `ex container` case, there's no security issues here; one shouldn't be doing user management in these roots at all. This is for work on exporting `ex container` roots to OCI as non-root. Without this fix, libostree just tries to `openat()` the object for export to tar, and fails. See also https://github.com/projectatomic/rpm-ostree/issues/1045 Closes: #1046 Approved by: jlebon --- src/app/rpmostree-container-builtins.c | 7 +++++++ src/libpriv/rpmostree-postprocess.c | 27 ++++++++++++++++++++++++++ src/libpriv/rpmostree-postprocess.h | 5 +++++ tests/ex-container-tests/test-bash.sh | 5 +++++ 4 files changed, 44 insertions(+) diff --git a/src/app/rpmostree-container-builtins.c b/src/app/rpmostree-container-builtins.c index 46e20134..00d662da 100644 --- a/src/app/rpmostree-container-builtins.c +++ b/src/app/rpmostree-container-builtins.c @@ -32,6 +32,7 @@ #include "rpmostree-util.h" #include "rpmostree-core.h" #include "rpmostree-libbuiltin.h" +#include "rpmostree-postprocess.h" #include "rpmostree-rpm-util.h" #include "rpmostree-unpacker.h" @@ -287,6 +288,9 @@ rpmostree_container_builtin_assemble (int argc, NULL, RPMOSTREE_ASSEMBLE_TYPE_SERVER_BASE, &commit, cancellable, error)) return EXIT_FAILURE; + + if (!rpmostree_rootfs_postprocess_container (tmpdir.fd, cancellable, error)) + return EXIT_FAILURE; } g_print ("Checking out %s @ %s...\n", name, commit); @@ -476,6 +480,9 @@ rpmostree_container_builtin_upgrade (int argc, char **argv, &new_commit_checksum, cancellable, error)) return EXIT_FAILURE; + + if (!rpmostree_rootfs_postprocess_container (tmpdir.fd, cancellable, error)) + return EXIT_FAILURE; } g_print ("Checking out %s @ %s...\n", name, new_commit_checksum); 
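Review bot: In `rpmostree_container_builtin_assemble` the new `rpmostree_rootfs_postprocess_container (tmpdir.fd, cancellable, error)` call is placed after the call that fills in `&commit`, and `rpmostree_container_builtin_upgrade` has the same ordering with `&new_commit_checksum`. If that earlier call has already committed the contents of `tmpdir`, the mode change lands on a tree that was committed with the old modes, so please confirm that the step which the export depends on reads the tree only after this call, or move the call ahead of it. Whichever holds, a one-line comment at both call sites would help, e.g. `/* Relax {,g}shadow modes for non-root export; see rpmostree_rootfs_postprocess_container() */`. Both functions begin and end outside their hunks, so the preceding call is only partly visible here.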
diff --git a/src/libpriv/rpmostree-postprocess.c b/src/libpriv/rpmostree-postprocess.c index 88bb135e..e93b9d00 100644 --- a/src/libpriv/rpmostree-postprocess.c +++ b/src/libpriv/rpmostree-postprocess.c @@ -1644,6 +1644,33 @@ rpmostree_prepare_rootfs_for_commit (int src_rootfs_dfd, return TRUE; } +/* Run through a standard set of postprocessing for "container" + * flows as used by `ex container`. Currently: + * + * - Make /usr/etc/{g,}shadow user readable + * See https://github.com/projectatomic/rpm-ostree/issues/1045 + */ +gboolean +rpmostree_rootfs_postprocess_container (int rootfs_fd, + GCancellable *cancellable, + GError **error) +{ + const char *shadow_paths[] = { "usr/etc/shadow", "usr/etc/gshadow" }; + for (guint i = 0; i < G_N_ELEMENTS (shadow_paths); i++) + { + struct stat stbuf; + const char *path = shadow_paths[i]; + if (!glnx_fstatat_allow_noent (rootfs_fd, path, &stbuf, AT_SYMLINK_NOFOLLOW, error)) + return FALSE; + /* Silently ignore if it's not there, or isn't a regular file for some reason */ + if (errno == ENOENT || !S_ISREG (stbuf.st_mode)) + continue; + if (fchmodat (rootfs_fd, path, stbuf.st_mode | S_IRUSR, 0) < 0) + return glnx_throw_errno_prefix (error, "fchmodat"); + } + return TRUE; +} + struct CommitThreadData { volatile gint done; off_t n_bytes; diff --git a/src/libpriv/rpmostree-postprocess.h b/src/libpriv/rpmostree-postprocess.h index e2fe8bc2..d863a146 100644 --- a/src/libpriv/rpmostree-postprocess.h +++ b/src/libpriv/rpmostree-postprocess.h @@ -52,6 +52,11 @@ rpmostree_rootfs_postprocess_common (int rootfs_fd, GCancellable *cancellable, GError **error); +gboolean +rpmostree_rootfs_postprocess_container (int rootfs_fd, + GCancellable *cancellable, + GError **error); + gboolean rpmostree_prepare_rootfs_get_sepolicy (int dfd, OstreeSePolicy **out_sepolicy, diff --git a/tests/ex-container-tests/test-bash.sh b/tests/ex-container-tests/test-bash.sh index ec313d07..01a6be57 100755 --- a/tests/ex-container-tests/test-bash.sh 
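Review bot: In the loop of `rpmostree_rootfs_postprocess_container`, the `S_ISREG` check and the `fchmodat()` resolve `path` separately, and `fchmodat()` with flags `0` follows symlinks, so the `AT_SYMLINK_NOFOLLOW` test guards the chmod only while nothing else can modify the tree under `rootfs_fd`; it also never covered the `usr/etc` components. That presumably holds for the private temporary root the `ex container` callers pass, but the function is exported through the header, so the comment above it should state the precondition, for example `* Only for container roots owned exclusively by the caller and holding no real password hashes; never for a tree deployed as a host.` Separately, `stbuf.st_mode | S_IRUSR` hands the file-type bits to `fchmodat()`; `(stbuf.st_mode & ~S_IFMT) | S_IRUSR` passes permission bits only.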
+++ b/tests/ex-container-tests/test-bash.sh @@ -3,6 +3,9 @@ set -xeuo pipefail cd ${test_tmpdir} +dn=$(cd $(dirname $0) && pwd) +. ${dn}/../common/libtest-core.sh + cat >bash.conf < shadowls.txt +assert_file_has_content shadowls.txt '^-00400 .*/usr/etc/shadow'