Your message dated Fri, 25 Aug 2023 22:49:32 +0200
with message-id <e83232dc-4d8c-49a3-b49c-77b10aac8266@rclobus.nl>
and subject line Fixed since bullseye
has caused the Debian Bug report #959716,
regarding live-build: 0140-remove-log-files.hook.chroot fails with fs.protected_regular = 2 and files in sticky directories
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
959716: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=959716
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: live-build: 0140-remove-log-files.hook.chroot fails with fs.protected_regular = 2 and files in sticky directories
- From: Raphaël Hertzog <raphael@offensive-security.com>
- Date: Mon, 04 May 2020 14:54:24 +0200
- Message-id: <158859686483.619988.2663081154560273637.reportbug@x260-buxy.home.ouaza.com>
Package: live-build
Version: 1:20191221
Severity: important
User: devel@kali.org
Usertags: origin-kali

live-build has been failing when run in Debian Testing and when your live
image includes a package like postgresql-12 which creates a log directory
with the sticky bit set (o+t):

    [2020-05-04 12:22:55] lb chroot_hooks
    P: Begin executing hooks...
    /root/0140-remove-log-files.hook.chroot: 8: cannot create /var/log/postgresql/postgresql-12-main.log: Permission denied
    E: config/hooks/normal/0140-remove-log-files.hook.chroot failed (exit non-zero). You should check for errors.

After investigation and with the help of #debian-kernel, it turns out that
this is due to a recent procps change. Since version 2:3.3.16-1 the package
is setting some supplementary hardening restrictions in
/usr/lib/sysctl.d/protect-links.conf

The one that's causing us trouble here is "fs.protected_regular = 2"
because /var/log/postgresql is a group writable directory with the sticky
bit set:

    (live)root@x260-buxy:/# ls -al /var/log/postgresql/
    total 8
    drwxrwxr-t  2 root     postgres 4096 mai  4 09:34 .
    drwxr-xr-x 15 root     root     4096 mai  4 09:36 ..
    -rw-r-----  1 postgres adm         0 mai  4 09:34 postgresql-12-main.log
    (live)root@x260-buxy:/# :>/var/log/postgresql/postgresql-12-main.log
    bash: /var/log/postgresql/postgresql-12-main.log: Permission denied

To me it really seems like live-build is doing nothing wrong... but at the
same time, the default change is likely desirable as well. So I guess we
will have to work around it in live-build.

Simple solution with truncate:

    # truncate --no-create --size=0 /var/log/postgresql/postgresql-12-main.log

More complicated solution, detect sticky directories and run the command as
the user owning the file.
-- Package-specific info:

-- System Information:
Debian Release: bullseye/sid
  APT prefers oldoldstable
  APT policy: (500, 'oldoldstable'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.5.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages live-build depends on:
ii  debootstrap  1.0.123

Versions of packages live-build recommends:
ii  apt-utils                       2.0.2
ii  bzip2                           1.0.8-2
ii  cpio                            2.13+dfsg-2
ii  file                            1:5.38-4
ii  live-boot-doc                   1:20190614
ii  live-config-doc                 11.0.1
ii  live-manual-html [live-manual]  2:20151217.1
ii  wget                            1.20.3-1+b2
ii  xz-utils                        5.2.4-1+b1

Versions of packages live-build suggests:
ii  e2fsprogs  1.45.6-1
pn  mtd-utils  <none>
ii  parted     3.3-4

-- no debconf information
--- End Message ---
--- Begin Message ---
- To: 959716-done@bugs.debian.org
- Subject: Fixed since bullseye
- From: Roland Clobus <rclobus@rclobus.nl>
- Date: Fri, 25 Aug 2023 22:49:32 +0200
- Message-id: <e83232dc-4d8c-49a3-b49c-77b10aac8266@rclobus.nl>
Control: fixed 959716 1:20210407

'truncate' is used since the bullseye version of live-build
https://sources.debian.org/src/live-build/1%3A20210407/share/hooks/normal/0140-remove-log-files.hook.chroot/
--- End Message ---
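The workaround Raphaël proposes and the fix Roland confirms, as an added example that is not live-build's own 0140-remove-log-files hook: it empties log files the way the fixed hook does (truncate(1) instead of a shell redirection) and lists the directories below a log tree where fs.protected_regular = 2 would have rejected the old redirection. It assumes GNU find and GNU coreutils truncate, and the function names are mine.

```shell
#!/bin/sh
# Added example, not the live-build hook. Why ': > "$f"' fails: the shell
# opens with O_CREAT|O_TRUNC, and with fs.protected_regular = 2 the kernel
# refuses O_CREAT on an existing file in a group-writable sticky directory
# when the caller owns neither the file nor the directory (root included).
# 'truncate --no-create' opens without O_CREAT, so it is not affected.

# Print the current fs.protected_regular level, or "unknown" outside Linux.
protected_regular_level() {
    cat /proc/sys/fs/protected_regular 2>/dev/null || echo unknown
}

# List sticky directories below $1 that are group- or world-writable:
# exactly the places where protected_regular (level 2 resp. 1) applies.
sticky_writable_dirs() {
    find "$1" -type d -perm -1000 \( -perm -020 -o -perm -002 \) -print
}

# Empty every regular file below $1 without creating anything.
# Returns 0 when every file was emptied, non-zero if any truncate failed
# (GNU find propagates a non-zero status from the '+' form of -exec).
empty_logs() {
    find "$1" -type f -exec sh -c '
        rc=0
        for f; do
            # --no-create: open(2) without O_CREAT, then ftruncate(2)
            truncate --no-create --size=0 "$f" || rc=1
        done
        exit $rc
    ' sh {} +
}

# Stand-alone use: sh empty-logs.sh /path/to/chroot/var/log
if [ "$#" -gt 0 ]; then
    echo "fs.protected_regular = $(protected_regular_level)"
    sticky_writable_dirs "$1"
    empty_logs "$1"
fi
```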