Bug#959716: live-build: 0140-remove-log-files.hook.chroot fails with fs.protected_regular = 2 and files in sticky directories
Package: live-build
Version: 1:20191221
Severity: important
User: devel@kali.org
Usertags: origin-kali
live-build has been failing when run in Debian Testing and when your live
image includes a package like postgresql-12 which creates a log directory
with the sticky bit set (o+t):
[2020-05-04 12:22:55] lb chroot_hooks
P: Begin executing hooks...
/root/0140-remove-log-files.hook.chroot: 8: cannot create /var/log/postgresql/postgresql-12-main.log: Permission denied
E: config/hooks/normal/0140-remove-log-files.hook.chroot failed (exit non-zero). You should check for errors.
After investigation and with the help of #debian-kernel, it turns out that
this is due to a recent procps change. Since version 2:3.3.16-1 the
package is setting some supplementary hardening restrictions in
/usr/lib/sysctl.d/protect-links.conf
The one that's causing us trouble here is "fs.protected_regular = 2"
because /var/log/postgresql is a group writable directory with the sticky
bit set:
(live)root@x260-buxy:/# ls -al /var/log/postgresql/
total 8
drwxrwxr-t 2 root postgres 4096 May 4 09:34 .
drwxr-xr-x 15 root root 4096 May 4 09:36 ..
-rw-r----- 1 postgres adm 0 May 4 09:34 postgresql-12-main.log
(live)root@x260-buxy:/# :>/var/log/postgresql/postgresql-12-main.log
bash: /var/log/postgresql/postgresql-12-main.log: Permission denied
To me it really seems like live-build is doing nothing wrong... but at the
same time, the default change is likely desirable as well.
So I guess we will have to work around it in live-build.
Simple solution with truncate:
# truncate --no-create --size=0 /var/log/postgresql/postgresql-12-main.log
More complicated solution: detect sticky directories and run the command
as the user owning the file.
-- Package-specific info:
-- System Information:
Debian Release: bullseye/sid
APT prefers oldoldstable
APT policy: (500, 'oldoldstable'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.5.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages live-build depends on:
ii debootstrap 1.0.123
Versions of packages live-build recommends:
ii apt-utils 2.0.2
ii bzip2 1.0.8-2
ii cpio 2.13+dfsg-2
ii file 1:5.38-4
ii live-boot-doc 1:20190614
ii live-config-doc 11.0.1
ii live-manual-html [live-manual] 2:20151217.1
ii wget 1.20.3-1+b2
ii xz-utils 5.2.4-1+b1
Versions of packages live-build suggests:
ii e2fsprogs 1.45.6-1
pn mtd-utils <none>
ii parted 3.3-4
-- no debconf information
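The two workarounds sketched in the report, written out as an added example. This is not the reporter's code and not live-build's 0140-remove-log-files.hook.chroot; the function names, the constructed directory tree and the demo are assumptions made for illustration. It emulates the layout from the ls output above (a group-writable sticky directory with a log file inside) and empties the files with truncate --no-create, which opens the file without O_CREAT and therefore is not caught by fs.protected_regular; it also shows a check for the directory type that triggers the restriction, and the run-as-owner alternative, which needs root and is not exercised by the demo:

```shell
#!/bin/sh
# Added example, not live-build's own hook: empty log files in a way that
# keeps working with fs.protected_regular = 2.
#
# ": > file" opens with O_CREAT|O_TRUNC. With fs.protected_regular = 2 the
# kernel refuses such an open of an existing file in a group- or
# world-writable sticky directory unless the caller owns the file or the
# directory, hence "Permission denied" even for root. truncate --no-create
# opens without O_CREAT, so the restriction does not apply to it.
set -u

# Returns 0 if DIR is a sticky directory that is group- or world-writable,
# i.e. a directory where fs.protected_regular = 2 restricts O_CREAT opens
# (with = 1 only the world-writable case applies).
is_protected_sticky_dir() {
    [ -d "$1" ] && [ -k "$1" ] || return 1
    case $(stat -c %A "$1") in
        d????w*|d???????w*) return 0 ;;   # group write or other write
    esac
    return 1
}

# Empty every regular file below LOGROOT without creating anything; a file
# that disappears between find and truncate is ignored thanks to --no-create.
empty_logs() {
    find "$1" -type f -exec truncate --no-create --size=0 '{}' +
}

# Alternative from the report: truncate FILE as the user owning it, so the
# opener is the file owner and the protected_regular check passes.
# Requires root (runuser is from util-linux); not called by the demo below.
empty_log_as_owner() {
    runuser -u "$(stat -c %U "$1")" -- sh -c ': > "$1"' sh "$1"
}

# Demo on a constructed tree mimicking the /var/log/postgresql layout from
# the report (hypothetical paths, created in a temporary directory).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/var/log/postgresql"
    chmod 1775 "$tmp/var/log/postgresql"          # drwxrwxr-t like the report
    printf 'constructed log line\n' > "$tmp/var/log/postgresql/postgresql-12-main.log"
    printf 'constructed log line\n' > "$tmp/var/log/dpkg.log"

    if is_protected_sticky_dir "$tmp/var/log/postgresql"; then
        echo "sticky and group/world-writable: ': >' would fail here under protected_regular"
    fi
    empty_logs "$tmp/var/log"
    ls -l "$tmp/var/log/postgresql"               # file still present, size 0
    rm -rf "$tmp"
}

demo
```

Run it as the ordinary hook would run (sh script.sh); the sysctl itself is not needed for the demo, since the point is that the truncation path never performs an O_CREAT open. Use is_protected_sticky_dir only when you want to keep ": >" for ordinary directories and switch to truncate (or to the run-as-owner variant) for the restricted ones.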