| Summary: | www-servers/apache: suexec file capabilities might get lost (due to missing fcaps.eclass usage) | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Manuel Mausz <manuel-gentoo> |
| Component: | Current packages | Assignee: | Apache Team - Bugzilla Reports <apache-bugs> |
| Status: | CONFIRMED --- | | |
| Severity: | normal | CC: | asturm, fcool, holger, jorge+git, manuel-gentoo, mgorny, nd, rincat, sam, scott, syu.os |
| Priority: | Normal | Keywords: | PATCH |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| See Also: | https://bugs.gentoo.org/show_bug.cgi?id=930821 | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
Description
Manuel Mausz
2024-04-22 21:30:27 UTC
That sounds like a bad assumption in apache-2.eclass. Preserving capabilities was never guaranteed (also, it could break if filesystem used for build does not support capabilities but the final filesystem does). That's why we have fcaps.eclass that sets capabilities in postinst. The GPKG spec says it is not support extended attributes for portability reason. https://www.gentoo.org/glep/glep-0078.html#tar-portability-issues Thank you. Actually I've skimmed over the bullet points of the spec before submitting this report, but I failed to read the conclusion below. I've changed the bug report title. Here's a short patch I'm using right now: --- a/www-servers/apache/apache-2.4.59-r1.ebuild 2024-04-13 08:41:19.000000000 +0200 +++ b/www-servers/apache/apache-2.4.59-r1.ebuild 2024-04-23 13:03:58.712449462 +0200 @@ -139,6 +139,7 @@ unixd " inherit apache-2 systemd tmpfiles toolchain-funcs +inherit fcaps DESCRIPTION="The Apache Web Server" HOMEPAGE="https://httpd.apache.org/" 
@@ -208,10 +229,13 @@ # Fix path to apache libdir sed "s|@LIBDIR@|$(get_libdir)|" -i "${ED}"/usr/sbin/apache2ctl || die + + use suexec-caps && FILECAPS=( cap_setgid,cap_setuid=ep usr/bin/suexec ) } pkg_postinst() { apache-2_pkg_postinst || die "apache-2_pkg_postinst failed" + fcaps_pkg_postinst || die "fcaps_pkg_postinst" tmpfiles_process apache.conf #662544 (In reply to Manuel Mausz from comment #3) > Here's a short patch I'm using right now: Given that there is already code in apache-2.eclass to handle suexec permissions I've made the changes there. Thanks for the bug report, reproducer and initial patch. The bug has been closed via the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8b19280613e0efdbd5dd39860e835565e6a48c0e commit 8b19280613e0efdbd5dd39860e835565e6a48c0e Author: Hans de Graaff <graaff@gentoo.org> AuthorDate: 2024-04-28 09:44:36 +0000 Commit: Hans de Graaff <graaff@gentoo.org> CommitDate: 2024-04-28 09:47:33 +0000 eclass/apache2.eclass: use fcaps eclass to set capabilities Thanks to Manuel Mausz for the bug report and initial patch. Closes: https://bugs.gentoo.org/930455 
Signed-off-by: Hans de Graaff <graaff@gentoo.org>

eclass/apache-2.eclass | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)

I just did my daily update and after apache was rebuilt, pkg_postinst complained with "fcaps: wrong number of arguments". Looks like something went wrong here?

Yup.

 * FAILED postinst: 1
 * ERROR: www-servers/apache-2.4.58-r2::gentoo failed (postinst phase):
 *   fcaps: wrong arg count
 *
 * Call stack:
 *   ebuild.sh, line 136: Called pkg_postinst
 *   environment, line 3087: Called apache-2_pkg_postinst
 *   environment, line 1124: Called fcaps_pkg_postinst
 *   environment, line 1997: Called fcaps
 *   environment, line 1945: Called die
 * The specific snippet of code:
 *   [[ $# -lt 2 ]] && die "${FUNCNAME}: wrong arg count";

I'm guessing it's because postinst could be called with unset FILECAPS.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=89163226f17ce8a679409592038137f97bf6c68c

commit 89163226f17ce8a679409592038137f97bf6c68c
Author: Michał Górny <mgorny@gentoo.org>
AuthorDate: 2024-04-28 15:52:59 +0000
Commit: Michał Górny <mgorny@gentoo.org>
CommitDate: 2024-04-28 15:53:39 +0000

eclass/apache2.eclass: Revert "use fcaps eclass to set capabilities"

This is causing fatal postinst errors with some USE flag combinations.

Reverts: 8b19280613e0efdbd5dd39860e835565e6a48c0e
Bug: https://bugs.gentoo.org/930455
Signed-off-by: Michał Górny <mgorny@gentoo.org>

eclass/apache-2.eclass | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
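
Review bot: In the second hunk of the comment #3 patch, `FILECAPS` is assigned only when `use suexec-caps` is true, while `pkg_postinst` calls `fcaps_pkg_postinst` unconditionally, so with the flag off the helper runs with `FILECAPS` unset. That is the same shape as the "fcaps: wrong arg count" postinst failure reported further down for the eclass version of this change. Guard the call the same way as the assignment, for example `use suexec-caps && fcaps_pkg_postinst`, or skip it when the array is empty. The die message `"fcaps_pkg_postinst"` also drops the "failed" that the line above it carries, and in the first hunk `fcaps` could join the existing `inherit` line instead of getting a second one.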
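
A post-install check for the condition this report describes, as an added example that is not part of the bug report or of any Gentoo eclass: it reports whether a suexec binary carries the expected file capabilities, falls back to the setuid bit, or has neither. The function names are assumptions made for the example; the parser accepts both the `path = caps+ep` and `path caps=ep` styles of `getcap` output and assumes a single capability clause per file.

```shell
#!/bin/sh
# Added example: report how a suexec binary currently gets its privileges.
# Function names and sample values are assumptions, not Gentoo code.

# has_suexec_caps LINE
# LINE is one line of getcap output. Succeeds only if it grants both
# cap_setuid and cap_setgid with the effective (e) and permitted (p) flags.
has_suexec_caps() {
    line=$1
    [ -n "$line" ] || return 1      # getcap prints nothing if no caps are set
    caps=${line##* }                # last field, e.g. cap_setgid,cap_setuid=ep
    case $caps in *[+=]*) ;; *) return 1 ;; esac
    names=${caps%[+=]*}             # text before the operator: capability list
    flags=${caps##*[+=]}            # text after the operator: flag letters
    case $flags in *e*) ;; *) return 1 ;; esac
    case $flags in *p*) ;; *) return 1 ;; esac
    case ",$names," in *,cap_setuid,*) ;; *) return 1 ;; esac
    case ",$names," in *,cap_setgid,*) ;; *) return 1 ;; esac
    return 0
}

# suexec_state FILE
# Prints "caps", "setuid" or "unprivileged" for FILE.
suexec_state() {
    file=$1
    if command -v getcap >/dev/null 2>&1 &&
       has_suexec_caps "$(getcap "$file" 2>/dev/null)"; then
        echo caps
    elif [ -u "$file" ]; then
        echo setuid
    else
        echo unprivileged
    fi
}

# Usage: sh check-suexec.sh /path/to/suexec
if [ "$#" -gt 0 ]; then
    state=$(suexec_state "$1")
    echo "$1: $state"
    [ "$state" != unprivileged ]    # non-zero exit when privileges were lost
fi
```

Run it against the installed suexec after a binary-package install or a move between filesystems; an `unprivileged` result means neither mechanism survived.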