
Bug#959716: marked as done (live-build: 0140-remove-log-files.hook.chroot fails with fs.protected_regular = 2 and files in sticky directories)



Your message dated Fri, 25 Aug 2023 22:49:32 +0200
with message-id <e83232dc-4d8c-49a3-b49c-77b10aac8266@rclobus.nl>
and subject line Fixed since bullseye
has caused the Debian Bug report #959716,
regarding live-build: 0140-remove-log-files.hook.chroot fails with fs.protected_regular = 2 and files in sticky directories
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
959716: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=959716
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: live-build
Version: 1:20191221
Severity: important
User: devel@kali.org
Usertags: origin-kali

live-build has been failing when run in Debian Testing and when your live
image includes a package like postgresql-12 which creates a log directory
with the sticky bit set (o+t):

[2020-05-04 12:22:55] lb chroot_hooks
P: Begin executing hooks...
/root/0140-remove-log-files.hook.chroot: 8: cannot create /var/log/postgresql/postgresql-12-main.log: Permission denied
E: config/hooks/normal/0140-remove-log-files.hook.chroot failed (exit non-zero). You should check for errors.

After investigation and with the help of #debian-kernel, it turns out that
this is due to a recent procps change. Since version 2:3.3.16-1 the
package is setting some supplementary hardening restrictions in
/usr/lib/sysctl.d/protect-links.conf

The one that's causing us trouble here is "fs.protected_regular = 2"
because /var/log/postgresql is a group writable directory with the sticky
bit set:
(live)root@x260-buxy:/# ls -al /var/log/postgresql/
total 8
drwxrwxr-t  2 root     postgres 4096 mai    4 09:34 .
drwxr-xr-x 15 root     root     4096 mai    4 09:36 ..
-rw-r-----  1 postgres adm         0 mai    4 09:34 postgresql-12-main.log
(live)root@x260-buxy:/# :>/var/log/postgresql/postgresql-12-main.log
bash: /var/log/postgresql/postgresql-12-main.log: Permission denied

To me it really seems like live-build is doing nothing wrong... but at the
same time, the default change is likely desirable as well.

So I guess we will have to work around it in live-build.

Simple solution with truncate:
# truncate --no-create --size=0 /var/log/postgresql/postgresql-12-main.log

More complicated solution, detect sticky directories and run the command
as the user owning the file.

-- Package-specific info:

-- System Information:
Debian Release: bullseye/sid
  APT prefers oldoldstable
  APT policy: (500, 'oldoldstable'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.5.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages live-build depends on:
ii  debootstrap  1.0.123

Versions of packages live-build recommends:
ii  apt-utils                       2.0.2
ii  bzip2                           1.0.8-2
ii  cpio                            2.13+dfsg-2
ii  file                            1:5.38-4
ii  live-boot-doc                   1:20190614
ii  live-config-doc                 11.0.1
ii  live-manual-html [live-manual]  2:20151217.1
ii  wget                            1.20.3-1+b2
ii  xz-utils                        5.2.4-1+b1

Versions of packages live-build suggests:
ii  e2fsprogs  1.45.6-1
pn  mtd-utils  <none>
ii  parted     3.3-4

-- no debconf information

--- End Message ---
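The truncate-based workaround the report suggests, written up as an added example rather than live-build's own hook or code from the reporter. It assumes GNU `find` and GNU coreutils `truncate` (as used in the report) and the helper names `protected_regular_level`, `sticky_writable_dirs` and `truncate_logs` are hypothetical.

```shell
#!/bin/sh
# Added example, not live-build's 0140-remove-log-files.hook.chroot.
# With fs.protected_regular >= 1, opening an existing file with O_CREAT
# (what ">file" and ":>file" do) inside a group- or world-writable sticky
# directory is refused unless the caller owns the file or the directory.
# truncate(2) does not use O_CREAT, so it is not subject to that check.
set -u

# Print the current fs.protected_regular level; 0 when the sysctl is not
# readable (older kernel, or /proc/sys hidden inside a build container).
protected_regular_level() {
    if [ -r /proc/sys/fs/protected_regular ]; then
        cat /proc/sys/fs/protected_regular
    else
        echo 0
    fi
}

# List directories under $1 that carry the sticky bit and are group- or
# world-writable, i.e. the layout (drwxrwxr-t) that makes ">file" fail.
# Useful for spotting in advance which log directories need care.
sticky_writable_dirs() {
    find "$1" -type d -perm -1000 \( -perm -0020 -o -perm -0002 \) -print
}

# Empty every regular file under $1 without creating or removing anything.
# --no-create keeps the file set intact (ownership, mode) and avoids the
# O_CREAT path; --size=0 is the truncation itself.
truncate_logs() {
    find "$1" -type f -exec truncate --no-create --size=0 {} +
}

# Usage (inside the chroot, as the hook would run):
#   truncate_logs /var/log
```

Running `sticky_writable_dirs /var/log` before the truncation step shows which directories would have tripped the old `:>` approach, regardless of the sysctl value on the build host.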
--- Begin Message ---
Control: fixed 959716 1:20210407

'truncate' is used since the bullseye version of live-build

https://sources.debian.org/src/live-build/1%3A20210407/share/hooks/normal/0140-remove-log-files.hook.chroot/



--- End Message ---
