While unpacking apache with suexec-caps I noticed that suexec file capabilities get lost. After digging a bit deeper it seems GPKG does not store file capabilities. Reproducible: Always Steps to Reproduce: 1. PKGDIR="/tmp/xpak" BINPKG_FORMAT="xpak" USE="suexec suexec-caps suexec-syslog" emerge -Bq www-servers/apache 2. PKGDIR="/tmp/xpak" BINPKG_FORMAT="xpak" USE="suexec suexec-caps suexec-syslog" emerge -Kq1 www-servers/apache 3. getcap /usr/bin/suexec 4. PKGDIR="/tmp/gpkg" BINPKG_FORMAT="gpkg" USE="suexec suexec-caps suexec-syslog" emerge -Bq www-servers/apache 5. PKGDIR="/tmp/gpkg" BINPKG_FORMAT="gpkg" USE="suexec suexec-caps suexec-syslog" emerge -Kq1 www-servers/apache 6. getcap /usr/bin/suexec Actual Results: $ getcap /usr/bin/suexec /usr/bin/suexec cap_setgid,cap_setuid=ep $ getcap /usr/bin/suexec $ Expected Results: $ getcap /usr/bin/suexec /usr/bin/suexec cap_setgid,cap_setuid=ep $ getcap /usr/bin/suexec /usr/bin/suexec cap_setgid,cap_setuid=ep Portage 3.0.61 (python 3.12.3-final-0, default/linux/amd64/23.0/no-multilib/systemd, gcc-13, glibc-2.38-r11, 6.6.28-gentoo x86_64) $ tar -tvv --xattrs --xattrs-include='*' -f /tmp/xpak/www-servers/apache/apache-2.4.59-r1-1.xpak ./usr/sbin/suexec -rwxr-xr-x* root/root 18616 2024-04-22 23:22 ./usr/sbin/suexec x: 20 security.capability zstd: /*stdin*\: unsupported format tar: Child returned status 1 tar: Error is not recoverable: exiting now $ tar -C /tmp/gpkg/ -xf /tmp/gpkg/www-servers/apache/apache-2.4.59-r1-1.gpkg.tar apache-2.4.59-r1-1/image.tar.zst $ tar -tvv --xattrs --xattrs-include='*' -f /tmp/gpkg/apache-2.4.59-r1-1/image.tar.zst image/usr/sbin/suexec -rwxr-xr-x root/root 18616 2024-04-22 23:20 image/usr/sbin/suexec $
That sounds like a bad assumption in apache-2.eclass. Preserving capabilities was never guaranteed (also, it could break if filesystem used for build does not support capabilities but the final filesystem does). That's why we have fcaps.eclass that sets capabilities in postinst.
The GPKG spec says it is not support extended attributes for portability reason. https://www.gentoo.org/glep/glep-0078.html#tar-portability-issues
Thank you. Actually I've skimmed over the bullet points of the spec before submitting this report, but I failed to read the conclusion below. I've changed the bug report title. Here's a short patch I'm using right now: --- a/www-servers/apache/apache-2.4.59-r1.ebuild 2024-04-13 08:41:19.000000000 +0200 +++ b/www-servers/apache/apache-2.4.59-r1.ebuild 2024-04-23 13:03:58.712449462 +0200 @@ -139,6 +139,7 @@ unixd " inherit apache-2 systemd tmpfiles toolchain-funcs +inherit fcaps DESCRIPTION="The Apache Web Server" HOMEPAGE="https://httpd.apache.org/" @@ -208,10 +229,13 @@ # Fix path to apache libdir sed "s|@LIBDIR@|$(get_libdir)|" -i "${ED}"/usr/sbin/apache2ctl || die + + use suexec-caps && FILECAPS=( cap_setgid,cap_setuid=ep usr/bin/suexec ) } pkg_postinst() { apache-2_pkg_postinst || die "apache-2_pkg_postinst failed" + fcaps_pkg_postinst || die "fcaps_pkg_postinst" tmpfiles_process apache.conf #662544
(In reply to Manuel Mausz from comment #3) > Here's a short patch I'm using right now: Given that there is already code in apache-2.eclass to handle suexec permissions I've made the changes there. Thanks for the bug report, reproducer and initial patch.
The bug has been closed via the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8b19280613e0efdbd5dd39860e835565e6a48c0e commit 8b19280613e0efdbd5dd39860e835565e6a48c0e Author: Hans de Graaff <graaff@gentoo.org> AuthorDate: 2024-04-28 09:44:36 +0000 Commit: Hans de Graaff <graaff@gentoo.org> CommitDate: 2024-04-28 09:47:33 +0000 eclass/apache2.eclass: use fcaps eclass to set capabilities Thanks to Manuel Mausz for the bug report and initial patch. Closes: https://bugs.gentoo.org/930455 Signed-off-by: Hans de Graaff <graaff@gentoo.org> eclass/apache-2.eclass | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-)
I just did my daily update and after apache was rebuilt, pkg_postinst complained with "fcaps: wrong number of arguments". Looks like something went wrong here?
Yup. * FAILED postinst: 1 * ERROR: www-servers/apache-2.4.58-r2::gentoo failed (postinst phase): * fcaps: wrong arg count * * Call stack: * ebuild.sh, line 136: Called pkg_postinst * environment, line 3087: Called apache-2_pkg_postinst * environment, line 1124: Called fcaps_pkg_postinst * environment, line 1997: Called fcaps * environment, line 1945: Called die * The specific snippet of code: * [[ $# -lt 2 ]] && die "${FUNCNAME}: wrong arg count";
I'm guessing it's because postinst could be called with unset FILECAPS.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=89163226f17ce8a679409592038137f97bf6c68c commit 89163226f17ce8a679409592038137f97bf6c68c Author: Michał Górny <mgorny@gentoo.org> AuthorDate: 2024-04-28 15:52:59 +0000 Commit: Michał Górny <mgorny@gentoo.org> CommitDate: 2024-04-28 15:53:39 +0000 eclass/apache2.eclass: Revert "use fcaps eclass to set capabilities" This is causing fatal postinst errors with some USE flag combinations. Reverts: 8b19280613e0efdbd5dd39860e835565e6a48c0e Bug: https://bugs.gentoo.org/930455 Signed-off-by: Michał Górny <mgorny@gentoo.org> eclass/apache-2.eclass | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-)