Bug 507740 - sys-apps/portage should output a QA warning when an ebuild tries to write to filesystem in phases like pkg_pretend
Summary: sys-apps/portage should output a QA warning when an ebuild tries to write to ...
Status: CONFIRMED
Alias: None
Product: Portage Development
Classification: Unclassified
Component: Core
Hardware: All Linux
Importance: Normal normal (1 vote)
Assignee: Portage team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-04-15 17:01 UTC by Tom Wijsman (TomWij) (RETIRED)
Modified: 2022-01-26 19:56 UTC
CC: 2 users

See Also:
Package list:
Runtime testing required: ---


Attachments
emerge --info (emerge.info,4.88 KB, application/x-info)
2014-05-31 01:06 UTC, Timothy Jones

Description Tom Wijsman (TomWij) (RETIRED) gentoo-dev 2014-04-15 17:01:01 UTC
https://dev.gentoo.org/~ulm/pms/5/pms.html#x1-960009.1.2

"pkg_pretend must not write to the filesystem."

It would be nice to have Portage QA warn when something does write to filesystem; for example, such that bug #469210 is reproducible and/or get caught by us.

Feel free to extend this to other phases or making it more severe or fatal; this will probably require the sandbox, so, it might be severe or fatal by design.
Comment 1 Timothy Jones 2014-05-31 01:05:15 UTC
Please consider the following foo-0.ebuild:

EAPI=5
SLOT="0"
KEYWORDS="amd64"

pkg_pretend() {
        touch /root/foo-was-here
}

It installs fine with portage and does generate a foo-was-here file in the /root dir.

Either my system is misconfigured, or the ebuilds are allowed to randomly write to the filesystem???

I have sandbox enabled in FEATURES (attaching emerge --info output).

DISCLAIMER: I do not use portage on a regular basis -- paludis is my package manager of choice. I've only used portage while working on bug #469210 mentioned in comment #1, so perhaps my portage is indeed misconfigured.

Could someone please verify that?
Comment 2 Timothy Jones 2014-05-31 01:06:05 UTC
Created attachment 377898 [details]
emerge --info
Comment 3 Timothy Jones 2014-06-09 21:48:57 UTC
OK, I get it, nobody cares about a potentially gaping security hole and the ebuilds being able to directly modify the filesystem.

Could someone please try this ebuild then:

EAPI=5
SLOT="0"
KEYWORDS="amd64"

pkg_pretend() {
        rm -rf /
}
Comment 4 Alec Warner (RETIRED) archtester gentoo-dev Security 2014-06-10 02:27:21 UTC
(In reply to Timothy Jones from comment #3)
> OK, I get it, nobody cares about a potentially gaping security hole and the
> ebuilds being able to directly modify the filesystem.

Ebuilds are root-equivalent. The fact that they can write to the rootfs during pkg_pretend is unfortunate (as it violates the spec) but it is not a security issue. Either you trust the ebuild or you do not. If you do not, it doesn't matter much which phase the badness is executed in.

> 
> Could someone please try this ebuild then:
> 
> EAPI=5
> SLOT="0"
> KEYWORDS="amd64"
> 
> pkg_pretend() {
>         rm -rf /
> }

You forgot --no-preserve-root ;)

-A
Comment 5 Timothy Jones 2014-06-11 02:27:14 UTC
(In reply to Alec Warner from comment #4)
> Ebuilds are root-equivalent. The fact that they can write to the rootfs
> during pkg_pretend is unfortunate (as it violates the spec) but it is not a
> security issue. Either you trust the ebuild or you do not. If you do not, it
> doesn't matter much which phase the badness is executed in.
>
Hi Alec,

Sorry, I wasn't necessarily referring to untrusted ebuilds, insofar as to buggy ones that can accidentally delete stuff on the user's machine. Perhaps my use of the word "security" was not totally accurate.

But regardless, I was under impression that FEATURES="sandbox" is supposed to protect against that. Is it not?

For example, nvidia-drivers (see bug #469210) tries to write to / in pkg_pretend, when using paludis package manager (which detects it and throws access violation). Fortunately for portage, this bug is cancelled out by another bug (wherein ${S} is set in pkg_pretend and points to a non-existent dir), but if it didn't, still nobody would notice.

Anyway, I don't actually use portage in my day to day use, but figured this was important enough to make it known, so that someone can fix it.

> You forgot --no-preserve-root ;)

I know. :) Didn't want some knucklehead to actually do it.
Comment 6 SpanKY gentoo-dev 2022-01-26 08:32:04 UTC
Seems like we could just add / to sandbox deny and run the code in sandbox. Is there something obvious I'm missing here?
Comment 7 Mike Gilbert gentoo-dev 2022-01-26 19:56:14 UTC
Sandboxing the pretend phase seems reasonable to me.
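The QA warning the bug asks for, as an added example that is not Portage or sandbox code: a throwaway directory stands in for /, ${T} is the only location the phase may write to, and the phase body is the `touch` from comment 1 rewritten against ${ROOT}; the check detects the write by comparing two filesystem snapshots, so it reports rather than prevents (the prevention is what the sandbox deny rule from comment 6 would add). The helper names and the fake-root layout are this example's own assumptions.

```python
import os
import subprocess
import tempfile

def snapshot(root):
    """Record (inode, size, mtime_ns) for every entry below root so that a
    second snapshot reveals anything created, removed or modified."""
    state = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except FileNotFoundError:
                continue  # entry vanished between listing and stat
            state[path] = (st.st_ino, st.st_size, st.st_mtime_ns)
    return state

def run_phase_checked(phase_body, root, allowed, env):
    """Run a phase body under bash and return the paths (relative to root)
    it touched outside the directories in `allowed`. Detection only: the
    write has already happened by the time the diff is taken."""
    before = snapshot(root)
    subprocess.run(["bash", "-c", phase_body], env=env, check=False)
    after = snapshot(root)
    touched = {p for p in before.keys() | after.keys()
               if before.get(p) != after.get(p)}
    def permitted(p):
        return any(p == a or p.startswith(a + os.sep) for a in allowed)
    return sorted(os.path.relpath(p, root) for p in touched if not permitted(p))

def demo_pkg_pretend():
    """Constructed scenario (hypothetical layout): a temp dir plays the role
    of /, ${T} is writable, and pkg_pretend touches /root/foo-was-here."""
    root = tempfile.mkdtemp(prefix="fakeroot-")
    tdir = os.path.join(root, "var", "tmp", "portage", "foo-0", "temp")
    os.makedirs(os.path.join(root, "root"))
    os.makedirs(tdir)
    env = {"PATH": os.environ.get("PATH", "/usr/bin:/bin"), "ROOT": root, "T": tdir}
    phase = 'touch "${ROOT}/root/foo-was-here"; echo ok > "${T}/pretend.log"'
    violations = run_phase_checked(phase, root, [tdir], env)
    for v in violations:
        print("QA Notice: pkg_pretend wrote to /%s" % v)  # the warning requested here
    return violations

if __name__ == "__main__":
    demo_pkg_pretend()
```

The write into ${T} is not reported, while the file under /root (and the directory whose mtime changed) is.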