Bug 142993 - portage always strips setuid bits, even if they are needed (shadow & /bin/su)
Summary: portage always strips setuid bits, even if they are needed (shadow & /bin/su)
Status: RESOLVED FIXED
Alias: None
Product: Portage Development
Classification: Unclassified
Component: Core - Ebuild Support
Hardware: All Linux
Importance: High normal
Assignee: Portage team
URL:
Whiteboard:
Keywords: InVCS
Depends on:
Blocks: 147007
Reported: 2006-08-06 10:05 UTC by Brian Hall
Modified: 2006-11-24 19:31 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
output of MAKEOPTS=-j1 emerge shadow >& emerge.log (emerge.log,111.17 KB, text/plain)
2006-08-06 10:56 UTC, Brian Hall
Here's the strace of what happens when I emerge shadow and it loses suid bits. (shadow.strace.log.gz,470.53 KB, application/x-gzip)
2006-09-24 11:37 UTC, Brian Hall
preserve S_ISUID and S_ISGID mode bits cleared by chown calls (preserve_suid_sgid.patch,5.22 KB, patch)
2006-11-21 22:04 UTC, Zac Medico
preserve S_ISUID and S_ISGID mode bits cleared by chown calls (preserve_suid_sgid.patch,5.31 KB, patch)
2006-11-21 22:22 UTC, Zac Medico
Description Brian Hall 2006-08-06 10:05:22 UTC
I have had this problem for a while, that every time I update shadow, the /bin/su that is installed doesn't have the suid bit set. This is a problem if I forget to do it manually, then I can't su to root until I fix it. I believe I have also seen this with xorg, so I'm not sure the problem is isolated to shadow. Here is the forum post about the problem:

http://forums.gentoo.org/viewtopic-t-479998-highlight-.html

Adding "-suidctl" to FEATURES doesn't fix this behavior, nor does adding "suidctl" to FEATURES and /bin/su to /etc/portage/suidctl.conf

Portage 2.1.1_pre4-r3 (default-linux/amd64/2006.0, gcc-4.1.1, glibc-2.4-r3, 2.6.15-ck7 x86_64)
=================================================================
System uname: 2.6.15-ck7 x86_64 Dual Core AMD Opteron(tm) Processor 165
Gentoo Base System version 1.12.4
distcc 2.18.3 x86_64-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled]
ccache version 2.4 [enabled]
app-admin/eselect-compiler: 2.0.0_rc2-r1
dev-lang/python:     2.4.3-r1
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.4-r2
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.18.1
sys-devel/autoconf:  2.13, 2.60
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.17
sys-devel/gcc-config: 2.0.0_rc1
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.16
ACCEPT_KEYWORDS="amd64 ~amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O3 -march=k8 -msse3 -fomit-frame-pointer -funit-at-a-time -frename-registers -mtune=athlon64 -fno-ident -pipe -ftree-vectorize -fweb -ftracer"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/eselect/compiler /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-O3 -march=k8 -msse3 -fomit-frame-pointer -funit-at-a-time -frename-registers -mtune=athlon64 -fno-ident -pipe -ftree-vectorize -fweb -ftracer"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--nospinner"
FEATURES="autoconfig ccache digest distlocks metadata-transfer noinfo strict"
GENTOO_MIRRORS="http://gentoo.mirrors.pair.com/http://mirror.datapipe.net/gentoo http://gentoo.osuosl.org/ http://gentoo.llarian.net/"
LDFLAGS="-Wl,-O1"
MAKEOPTS="-j4"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://daisy/gentoo-portage"
USE="amd64 7zip X a52 aac abook acpi allegro alsa apm artworkextra asf avi bash-completion berkdb bitmap-fonts bzip2 ccache cdda cddb cdinstall cdio cdparanoia chroot cli crypt cups dedicated dga dillo dio dlloader dnd dri dvd dvdr dvdread effects elibc_glibc emboss emul-linux-x86 encode ext-png ext-zlib extensions fam fame fat ffmpeg firefox flac flatfile foomaticdb fortran gb gcj gd gdbm gif gimp gimpprint ginac glut glx gmail gmailtimestamps gnome gnome-print gpgme gpm gs gstreamer gtk gtk2 gzip imlib imlib2 inkjar input_devices_evdev input_devices_keyboard input_devices_mouse isdnlog java jikes joystick jpeg jpeg2k kde kdehiddenvisibility kernel_linux keyscrub lame lcd lcms lesstif libdsk lm_sensors lynxkeymap lzo lzw lzw-tiff mad maildir matroska matrox mbox mcal md5sum mikmod mimencode mixer mmap mng mod moznocompose moznoirc moznomail mozsvg mozxmlterm mp3 mpeg mpeg2 mplayer musepack music ncurses net network nptl nptlonly offensive ofx ogg oggvorbis on-the-fly-crypt opengl pam pam_chroot pam_console pam_timestamp parse-clocks pcre pdf pdflib perl physfs pic png ppds pppd python qt qt3 qt4 quicktime rar rdesktop readline reflection reiserfs rogue rtc sblive screen sdl server session shorten skins sounds sox spell spl sse-filters ssl stream svg sysfs szip tcltk tcpd tga theora threads tiff transcode truetype truetype-fonts type1 type1-fonts usb userland_GNU uudeview v4l v4l2 vcd vfat video_cards_ati video_cards_mga video_cards_nv video_cards_radeon videos vlm vnc vorbis wxwindows x11vnc xatrix xface xml xmms xorg xosd xpm xscreensaver xv xvid xvmc yv12 zip zlib"
Unset:  CTARGET, INSTALL_MASK, LANG, LC_ALL, LINGUAS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 1 Jakub Moc (RETIRED) gentoo-dev 2006-08-06 10:10:00 UTC
Not really.

# ls -ld /bin/su
-rws--x--x 1 root root 28412 2006-08-05 22:55 /bin/su

# emerge -pv shadow portage

[ebuild   R   ] sys-apps/shadow-4.0.18.1  USE="nls -nousuid pam skey" 0 kB 
[ebuild   R   ] sys-apps/portage-2.1.1_pre4-r3  USE="-build doc" LINGUAS="-pl" 0 kB 

Run MAKEOPTS=-j1 emerge shadow >& emerge.log and attach the log as an attachment
Comment 2 Brian Hall 2006-08-06 10:56:33 UTC
Created attachment 93603
output of MAKEOPTS=-j1 emerge shadow >& emerge.log

Immediately after emerging shadow:

# ls -ld /bin/su
-rwx--x--x 1 root root 29K Aug  6 11:52 /bin/su

mounts:
/dev/sda2 on / type ext3 (rw,nodev,noatime,commit=600)
proc on /proc type proc (rw,nosuid)
sysfs on /sys type sysfs (rw)
udev on /dev type tmpfs (rw,nosuid)
devpts on /dev/pts type devpts (rw)
/dev/sda1 on /usr/portage type ext2 (rw,nodev,noatime)
/dev/sdb2 on /var/tmp type ext2 (rw,nodev,noatime)
/dev/sdb3 on /home type ext3 (rw,nodev,noatime,commit=600)
none on /dev/shm type tmpfs (rw)
none on /tmp type tmpfs (rw,nosuid,nodev,size=256M,mode=2777)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
usbfs on /proc/bus/usb type usbfs (rw,devmode=0664,devgid=85)
svcdir on /var/lib/init.d type tmpfs (rw,mode=0755,size=2048k)
nfsd on /proc/fs/nfs type nfsd (rw)
rpc_pipefs on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
Comment 3 Brian Hall 2006-08-16 11:54:07 UTC
* bump *

I've been going through bug reports, I see a lot of similar reports but no resolution. If this is a config problem, please tell me where!
Comment 4 Jakub Moc (RETIRED) gentoo-dev 2006-08-16 12:00:00 UTC
(In reply to comment #3)
> * bump *

Unless you reopen the bug, no one will ever care again.
Comment 5 Bjoern Hinrichs 2006-09-01 14:40:31 UTC
(In reply to comment #0)
> I have had this problem for a while, that every time I update shadow, the /bin/su
> that is installed doesn't have the suid bit set. 

I'm seeing the same on my system. And it's not limited to su, as far as I have checked (shadow/su, exim, ...) this affects every file with the suid bit set: upon emerging an update the new binary is without suid. I've tried experimenting with make.conf features sfperms and suidctl/suidctl.conf, but to no avail.

If someone has a suggestion on what to do to fix this: please let me know.

My emerge --info:

Portage 2.1.1_rc1-r2 (default-linux/x86/2006.1/desktop, gcc-4.1.1/vanilla, glibc-2.4-r3, 2.6.17-gentoo-r5 i686)
=================================================================
System uname: 2.6.17-gentoo-r5 i686 AMD Athlon(tm) XP 1700+
Gentoo Base System version 1.12.4
Last Sync: Thu, 31 Aug 2006 14:00:07 +0000
app-admin/eselect-compiler: 2.0.0_rc2-r1
dev-lang/python:     2.2.3-r6, 2.3.5, 2.4.3-r3
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     [Not Present]
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.18.1
sys-devel/autoconf:  2.13, 2.60
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.17
sys-devel/gcc-config: 1.3.13-r3
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17
ACCEPT_KEYWORDS="x86 ~x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=athlon-xp -O2 -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/eselect/compiler /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/splash /etc/terminfo /etc/texmf/web2c"
CXXFLAGS="-march=athlon-xp -O2 -pipe -fomit-frame-pointer"
DISTDIR="/home/distfiles"
FEATURES="autoconfig distlocks metadata-transfer moo sandbox sfperms strict"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
LANG="en_US.ISO-8859-15"
LC_ALL="en_US.ISO-8859-15"
LINGUAS=""
MAKEOPTS="-j2"
PKGDIR="/home/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/home/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/home/bjh/dl/gentoo/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="x86 3dnow 3dnowext X a52 aac aalib alsa apache2 artworkextra asf async avi berkdb bitmap-fonts bittorrent bluetooth bzip2 cairo calendar cddb cdparanoia cdr cgi cli cpudetection crypt cups dba dbus dlloader dri dts dv dvb dvd dvdr dvdread editor eds elibc_glibc emboss encode esd ethereal exscalibar faad fam ffmpeg finger firefox flac fluidsynth fortran ftp gd-external gdbm gif gnokii gnome gpm gstreamer gtk gtkhtml hal idea idn ieee1394 imagemagick input_devices_keyboard input_devices_mouse ipv6 irmc isdnlog jabber jpeg jpeg2k kde kdepim kernel_linux lame ldap libg++ mad matroska mbox mikmod mjpeg mmx mmxext mng modplug mp3 mp4 mpeg mplayer musepack musicbrainz ncurses network nls nntp nokia6600 nptl nptlonly offensive ogg openal opengl oss pam panel-plugin pcre pda pdf pdflib perl png ppds pppd python qt3 qt4 quicktime readline reflection scanner sdl session shn shnf shorten smartcard smime snmp speex spell spl sse ssl svg tcpd theora thumbnail thunar-vfs tiff truetype truetype-fonts type1-fonts udev unicode usb userland_GNU v4l v4l2 vcd video_cards_fbdev video_cards_radeon video_cards_vesa videos vidix visualization vorbis win32codecs wmf wxwindows x264 xcomposite xine xml xorg xprint xscreensaver xv xvid zlib"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 6 Zac Medico gentoo-dev 2006-09-02 15:23:18 UTC
It seems like the setuid bit isn't getting set somewhere during the compile or install phase of the ebuild(s).  If this was a portage bug then everyone would experience it (I don't have this problem).
Comment 7 Caleb Cushing 2006-09-13 13:33:57 UTC
(In reply to comment #6)
> It seems like the setuid bit isn't getting set somewhere during the
> compile or install phase of the ebuild(s).  If this was a portage bug then
> everyone would experience it (I don't have this problem).
> 

This is a valid bug. I have this problem: the suid bit hasn't been set on 2 of my Gentoo machines. If others are using sudo exclusively they wouldn't notice this. I use it almost exclusively, so I did not notice it immediately.
Comment 8 Caleb Cushing 2006-09-13 13:49:17 UTC
I would like to note that I have not had this problem ever since I started Gentoo; su has worked as expected in the past. But the 2 machines I have on a 2006.1 profile (gcc-4.1 shadow-4... have this problem. Since I use sudo almost exclusively, I have no clue as to when it may have started.

Comment 9 Zac Medico gentoo-dev 2006-09-13 14:01:28 UTC
Well, I'm unable to reproduce the problem and have no clue what might cause it.  If you're experiencing this problem, you need to trace the entire build/install process and find out where the suid bit is either being removed or failing to be set.
Comment 10 Brian Hall 2006-09-24 11:37:57 UTC
Created attachment 97966
Here's the strace of what happens when I emerge shadow and it loses suid bits.
Comment 11 Brian Hall 2006-09-24 11:38:26 UTC
Added strace log.
Comment 12 Zac Medico gentoo-dev 2006-09-24 12:02:39 UTC
Your log only shows one chmod on su:

chmod("/bin/su", 0711)                  = 0

That indicates that the suid bit was not set at merge time (we know that already).  You'll need to run strace with the -f option to see what all of the child processes have done.
Comment 13 Brian Hall 2006-09-24 12:53:30 UTC
File is too big as an attachment (8.2M bzip2). Uploaded to my web page acct:

http://home.pcisys.net/~brihall/shadow.strace.log.bz2

Generated with:

strace -f emerge shadow > shadow.strace.log 2>&1
bzip2 -9 shadow.strace.log 
Comment 14 Zac Medico gentoo-dev 2006-09-24 14:03:03 UTC
[pid  9789] chmod("/var/tmp/portage/shadow-4.0.18.1/image/bin/su", 0711) = 0
[pid  9789] chmod("/var/tmp/portage/shadow-4.0.18.1/image/bin/su", 04711) = 0
chmod("/bin/su", 0711)                  = 0

Apparently strip (pid  9789) was the last thing to touch the file prior to it being merged.  Please ensure that /sbin/su first has 04711 permissions and post the output of the following command:

python -c "import os, stat; print oct(stat.S_IMODE(os.lstat('/bin/su')[stat.ST_MODE]))"

If you use a different filesystem for /var/tmp then try it on a file in there too.
Comment 15 Brian Hall 2006-09-24 15:10:54 UTC
# chmod 04711 /bin/su

# python -c "import os, stat; print oct(stat.S_IMODE(os.lstat('/bin/su')[stat.ST_MODE]))"
04711

# cp /bin/su /var/tmp/
`/bin/su' -> `/var/tmp/su'

# python -c "import os, stat; print oct(stat.S_IMODE(os.lstat('/var/tmp/su')[stat.ST_MODE]))"
04711

# cp /bin/su /tmp/
`/bin/su' -> `/tmp/su'

# python -c "import os, stat; print oct(stat.S_IMODE(os.lstat('/tmp/su')[stat.ST_MODE]))"
04711

# mount
/dev/sda2 on / type ext3 (rw,nodev,noatime,commit=600)
proc on /proc type proc (rw,nosuid)
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec)
udev on /dev type tmpfs (rw,nosuid)
devpts on /dev/pts type devpts (rw,nosuid,noexec)
/dev/sda1 on /usr/portage type ext2 (rw,nodev,noatime)
/dev/sdb2 on /var/tmp type ext2 (rw,nodev,noatime)
/dev/sdb3 on /home type ext3 (rw,nodev,noatime,commit=600)
none on /dev/shm type tmpfs (rw)
none on /tmp type tmpfs (rw,nosuid,nodev,size=256M,mode=2777)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
usbfs on /proc/bus/usb type usbfs (rw,noexec,nosuid,devmode=0664,devgid=85)
svcdir on /var/lib/init.d type tmpfs (rw,mode=0755,size=2048k)

Running strip manually on su did not remove the suid bit:

# ls -al /tmp/su
-rws--x--x 1 root root 29K Sep 24 16:05 /tmp/su
# strip /tmp/su
# ls -al /tmp/su
-rws--x--x 1 root root 29K Sep 24 16:07 /tmp/su

Comment 16 Zac Medico gentoo-dev 2006-09-24 17:31:32 UTC
Try the following:

ebuild /usr/portage/sys-apps/shadow/shadow-4.0.18.1.ebuild install

After you do that, does /var/tmp/portage/shadow-4.0.18.1/image/bin/su have the correct permissions?
Comment 17 Brian Hall 2006-09-24 17:39:48 UTC
No, it doesn't:

# ebuild /usr/portage/sys-apps/shadow/shadow-4.0.18.1.ebuild install

# ls -al /var/tmp/portage/shadow-4.0.18.1/image/bin/su
-rwx--x--x 1 root root 29K Sep 24 18:38 /var/tmp/portage/shadow-4.0.18.1/image/bin/su

Comment 18 Zac Medico gentoo-dev 2006-09-24 18:16:12 UTC
chmod 4711 /var/tmp/portage/shadow-4.0.18.1/image/bin/su

Does that work as expected?
Comment 19 Brian Hall 2006-09-24 18:49:23 UTC
Yes.

# ls -al /var/tmp/portage/shadow-4.0.18.1/image/bin/su
-rwx--x--x 1 root root 29K Sep 24 18:38 /var/tmp/portage/shadow-4.0.18.1/image/bin/su

# chmod 4711 /var/tmp/portage/shadow-4.0.18.1/image/bin/su

# ls -al /var/tmp/portage/shadow-4.0.18.1/image/bin/su
-rws--x--x 1 root root 29K Sep 24 18:38 /var/tmp/portage/shadow-4.0.18.1/image/bin/su

Comment 20 Zac Medico gentoo-dev 2006-09-24 19:31:12 UTC
Now try this:

ebuild /usr/portage/sys-apps/shadow/shadow-4.0.18.1.ebuild qmerge

Does it install with the suid bit correctly set?
Comment 21 Brian Hall 2006-09-24 20:10:46 UTC
That worked!

# ebuild /usr/portage/sys-apps/shadow/shadow-4.0.18.1.ebuild qmerge

(emerges)

# ls -al /bin/su
-rws--x--x 1 root root 29K Sep 24 21:07 /bin/su

What does that mean?
Comment 22 Zac Medico gentoo-dev 2006-09-24 20:42:35 UTC
After this the setuid bit should have been set already:

ebuild /usr/portage/sys-apps/shadow/shadow-4.0.18.1.ebuild install

We still need to find out why that bit wasn't set...
Comment 23 Zac Medico gentoo-dev 2006-09-26 21:45:04 UTC
(In reply to comment #12)
> You'll need to run strace with the -f option to see what all of the
> child processes have done.

Since we didn't see the relevant bit change in your strace log, it may be that you need to add the -F option as well (follow vforks).
Comment 24 Brian Hall 2006-09-27 17:40:25 UTC
Uploaded new log using strace -f -F emerge shadow > shadow.strace.log 2>&1

http://home.pcisys.net/~brihall/shadow.strace.log.bz2

Oddly, I could swear it worked (/bin/su had correct perms) at least once during
testing. Maybe there is a race condition somewhere?

This log should show it not working.
Comment 25 Zac Medico gentoo-dev 2006-09-29 13:12:16 UTC
(In reply to comment #24)
> Oddly, I could swear it worked (/bin/su had correct perms) at least once during
> testing. Maybe there is a race condition somewhere?

The new log doesn't show anything different from the previous one that I can see.    If it works sometimes and not others then that would seem to indicate a race condition.  If you use MAKEOPTS="-j1" does it change anything?  There are multiple processes doing chmod calls on that file:

[pid  3753] chmod("/var/tmp/portage/shadow-4.0.18.1/image//bin/su", 0755) = 0
[pid  5395] chmod("/var/tmp/portage/shadow-4.0.18.1/image//bin/su", 04711) = 0
[pid  5855] chmod("/var/tmp/portage/shadow-4.0.18.1/image/bin/su", 0711) = 0
[pid  5855] chmod("/var/tmp/portage/shadow-4.0.18.1/image/bin/su", 04711) = 0
Comment 26 Brian Hall 2006-09-30 09:42:46 UTC
Tried:

MAKEOPTS="-j1" emerge shadow

/bin/su still has incorrect permissions afterward.
Comment 27 Mart K 2006-11-21 05:56:58 UTC
I have the same problem as described in this bug report. I also did some debug attempts to try to reduce the problem.

The problem seems to be somewhere in the install phase, given that after install the permissions are wrong. Also, somewhere during the install phase, the permissions are set correctly. I checked that by doing `ls -l image/bin/su` during install. The problem seems to be at the end of the install phase.

I also added some "echo"'s to files in /usr/lib/portage/bin to see where the problem occurred. The permission change seems to be at /usr/lib/portage/bin/misc-functions.sh around line 421. The lines look like (portage version 2.1.1-r2):

find "${D}"/ -group portage -print0 > "${find_log}"
if [[ -s ${find_log} ]] ; then
        xargs -0 chgrp -h ${PORTAGE_INST_GID:-0} < "${find_log}"
fi
rm -f "${find_log}"

Manual testing also reveals such behavior:
# chmod 4711 bar
# ls -l bar
-rws--x--x 1 root root 0 Nov 21 14:23 bar
# chgrp 0 bar
# ls -l bar
-rwx--x--x 1 root root 0 Nov 21 14:23 bar

I don't know how to solve it; maybe store the suid-bit in a variable before chgrp and reset it afterwards.
Comment 28 Zac Medico gentoo-dev 2006-11-21 06:17:41 UTC
(In reply to comment #27)
> Manual testing also reveals such behavior:
> # chmod 4711 bar
> # ls -l bar
> -rws--x--x 1 root root 0 Nov 21 14:23 bar
> # chgrp 0 bar
> # ls -l bar
> -rwx--x--x 1 root root 0 Nov 21 14:23 bar

I can reproduce that with coreutils-6.4.  Maybe it's a safety "feature" or maybe it's a bug.  Anyway, that's annoying for it to go and change mode bits when only a change in group bits was requested.
Comment 29 Mart K 2006-11-21 09:23:22 UTC
I did use Google to find if it is a security reason, and there are pages which suggest that that is the reason [1].

[1] http://www.redhat.com/archives/fedora-list/2006-July/msg03417.html
Comment 30 Zac Medico gentoo-dev 2006-11-21 22:04:27 UTC
Created attachment 102509
preserve S_ISUID and S_ISGID mode bits cleared by chown calls

This is fixed in svn r5114.
Comment 31 Zac Medico gentoo-dev 2006-11-21 22:22:54 UTC
Created attachment 102510
preserve S_ISUID and S_ISGID mode bits cleared by chown calls

This updated patch fixes a bug in the S_ISUID and S_ISGID preservation logic.
Comment 32 Zac Medico gentoo-dev 2006-11-24 19:31:20 UTC
This has been released in 2.1.2_rc2-r2.
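
Comment 27's suggestion (remember the setuid/setgid bits before the chgrp and put them back afterwards), which is also what the attachment title in comments 30 and 31 describes, written out as an added Python example. It is not the Portage patch from svn r5114, which is not shown on this page; `chgrp_keep_special`, `regroup_tree` and `demo` are hypothetical names, and the demo regroups a constructed temp file to the caller's own gid so that it runs without root.

```python
import os
import stat
import tempfile

SPECIAL = stat.S_ISUID | stat.S_ISGID


def chgrp_keep_special(path, gid):
    """Like `chgrp -h`, but put back S_ISUID/S_ISGID if the chown cleared them.

    Returns (mode_before, mode_after_chown, mode_final).
    """
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        # Symlinks, directories, devices: change the group only, never open them.
        before = stat.S_IMODE(st.st_mode)
        os.lchown(path, -1, gid)
        after = stat.S_IMODE(os.lstat(path).st_mode)
        return before, after, after
    # Use one file descriptor so stat, chown and chmod all act on the same inode
    # and a symlink swapped in at `path` is refused (O_NOFOLLOW).
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
    try:
        before = stat.S_IMODE(os.fstat(fd).st_mode)
        os.fchown(fd, -1, gid)
        after = stat.S_IMODE(os.fstat(fd).st_mode)
        lost = before & SPECIAL & ~after
        if lost:
            os.fchmod(fd, after | lost)  # restore only bits that were set before
        return before, after, stat.S_IMODE(os.fstat(fd).st_mode)
    finally:
        os.close(fd)


def regroup_tree(root, from_gid, to_gid):
    """Counterpart of `find root -group from_gid | xargs chgrp -h to_gid`."""
    results = {}
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
    for path in paths:
        if os.lstat(path).st_gid == from_gid:
            results[path] = chgrp_keep_special(path, to_gid)
    return results


def demo():
    """Constructed sample: a temp image dir whose bin/su stand-in has mode 04711."""
    with tempfile.TemporaryDirectory() as image:
        os.mkdir(os.path.join(image, "bin"))
        su = os.path.join(image, "bin", "su")
        with open(su, "wb") as f:
            f.write(b"placeholder, not a real binary\n")
        os.chmod(su, 0o4711)
        # Assumption for an unprivileged run: regroup to our own egid. Portage,
        # running as root, would pass its install gid instead.
        return regroup_tree(image, os.lstat(su).st_gid, os.getegid())[su]


if __name__ == "__main__":
    print([oct(m) for m in demo()])
```

The middle value of the returned tuple is the mode right after the chown, so on a system that clears the bit it differs from the first and last values.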