
Bug#959716: live-build: 0140-remove-log-files.hook.chroot fails with fs.protected_regular = 2 and files in sticky directories



Package: live-build
Version: 1:20191221
Severity: important
User: devel@kali.org
Usertags: origin-kali

live-build has been failing when run in Debian Testing and when your live
image includes a package like postgresql-12 which creates a log directory
with the sticky bit set (o+t):

[2020-05-04 12:22:55] lb chroot_hooks
P: Begin executing hooks...
/root/0140-remove-log-files.hook.chroot: 8: cannot create /var/log/postgresql/postgresql-12-main.log: Permission denied
E: config/hooks/normal/0140-remove-log-files.hook.chroot failed (exit non-zero). You should check for errors.

After investigation and with the help of #debian-kernel, it turns out that
this is due to a recent procps change. Since version 2:3.3.16-1 the
package is setting some supplementary hardening restrictions in
/usr/lib/sysctl.d/protect-links.conf

The one that's causing us trouble here is "fs.protected_regular = 2"
because /var/log/postgresql is a group writable directory with the sticky
bit set:
(live)root@x260-buxy:/# ls -al /var/log/postgresql/
total 8
drwxrwxr-t  2 root     postgres 4096 mai    4 09:34 .
drwxr-xr-x 15 root     root     4096 mai    4 09:36 ..
-rw-r-----  1 postgres adm         0 mai    4 09:34 postgresql-12-main.log
(live)root@x260-buxy:/# :>/var/log/postgresql/postgresql-12-main.log
bash: /var/log/postgresql/postgresql-12-main.log: Permission denied

To me it really seems like live-build is doing nothing wrong... but at the
same time, the default change is likely desirable as well.

So I guess we will have to work around it in live-build.

Simple solution with truncate:
# truncate --no-create --size=0 /var/log/postgresql/postgresql-12-main.log

More complicated solution: detect sticky directories and run the command
as the user owning the file.

-- Package-specific info:

-- System Information:
Debian Release: bullseye/sid
  APT prefers oldoldstable
  APT policy: (500, 'oldoldstable'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.5.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages live-build depends on:
ii  debootstrap  1.0.123

Versions of packages live-build recommends:
ii  apt-utils                       2.0.2
ii  bzip2                           1.0.8-2
ii  cpio                            2.13+dfsg-2
ii  file                            1:5.38-4
ii  live-boot-doc                   1:20190614
ii  live-config-doc                 11.0.1
ii  live-manual-html [live-manual]  2:20151217.1
ii  wget                            1.20.3-1+b2
ii  xz-utils                        5.2.4-1+b1

Versions of packages live-build suggests:
ii  e2fsprogs  1.45.6-1
pn  mtd-utils  <none>
ii  parted     3.3-4

-- no debconf information
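As an added illustration, not part of this bug report and not live-build's own 0140-remove-log-files.hook.chroot, here is a POSIX sh version of the truncate workaround described above, with the run-as-owner fallback for sticky directories. It assumes GNU coreutils truncate and stat and, for the fallback only, root privileges and util-linux runuser.

```shell
#!/bin/sh
# Added example, not live-build's hook. With fs.protected_regular = 2 the
# kernel refuses an O_CREAT open of an existing file that sits in a world-
# or group-writable sticky directory unless the opener owns the file or
# the directory. ": > file" opens with O_CREAT and is refused;
# "truncate --no-create" opens without O_CREAT and is allowed.

# Empty one existing regular file in place. Never creates a file.
# Returns 0 when the file is now empty, 1 when it does not exist,
# 2 when it could not be emptied.
empty_log_file() {
    f=$1
    [ -f "$f" ] || return 1
    truncate --no-create --size=0 "$f" 2>/dev/null && return 0
    # Fallback from the report: inside a sticky directory, retry as the
    # file's owner (assumes root and util-linux runuser; "test -k" is
    # supported by dash and bash).
    if [ -k "$(dirname "$f")" ]; then
        owner=$(stat -c %U "$f")
        runuser -u "$owner" -- truncate --no-create --size=0 "$f" 2>/dev/null \
            && return 0
    fi
    return 2
}

# Hook-style driver: empty every *.log below a directory and report
# failures instead of aborting the whole hook on the first one.
# In a real hook the argument would be /var/log.
empty_logs_under() {
    find "$1" -type f -name '*.log' -print | while IFS= read -r f; do
        empty_log_file "$f" || echo "W: could not empty $f" >&2
    done
}
```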

