Bug#900612: apache2-suexec-pristine: Packaging steps undo setting of setuid bit

To: sf@sfritsch.de
Cc: 900612@bugs.debian.org
Subject: Bug#900612: apache2-suexec-pristine: Packaging steps undo setting of setuid bit
From: Jason Perrin <jvperrin@ocf.berkeley.edu>
Date: Sat, 2 Jun 2018 13:24:31 -0700
Message-id: <[🔎] CAASgQtAw8R0hGzOcvpquXC=iRXGkKPcFN3mqseUoZw3nV1xFbg@mail.gmail.com>
Reply-to: Jason Perrin <jvperrin@ocf.berkeley.edu>, 900612@bugs.debian.org
In-reply-to: <[🔎] 2706830.E34E0bVNa9@k>
References: <[🔎] 152789797050.6001.17306038050152952857.reportbug@fireball.ocf.berkeley.edu> <[🔎] 2706830.E34E0bVNa9@k> <[🔎] 152789797050.6001.17306038050152952857.reportbug@fireball.ocf.berkeley.edu>

Hi Stefan,

You're absolutely right, I was building the package as root inside a
docker container, mostly as a one-off kind of build to add some
debugging information. I tried using fakeroot instead, and it masked
the problem as you mentioned, as the file at the end still has the
setuid bit, even though it has changed group (and the same happens if
the owner is changed):

jvperrin@fireball:~$ fakeroot /bin/bash
root@fireball:~# touch test.txt
root@fireball:~# ls -l test.txt
-rw-r--r-- 1 root root 0 Jun  2 13:08 test.txt
root@fireball:~# chmod 4754 test.txt
root@fireball:~# ls -l test.txt
-rwsr-xr-- 1 root root 0 Jun  2 13:08 test.txt*
root@fireball:~# chgrp nogroup test.txt
root@fireball:~# ls -l test.txt
-rwsr-xr-- 1 root nogroup 0 Jun  2 13:08 test.txt*

If I do the same without fakeroot, it loses the setuid bit (as it should):

jvperrin@fireball:~$ sudo -i
root@fireball:~# touch test.txt
root@fireball:~# ls -l test.txt
-rw-r--r-- 1 root root 0 Jun  2 13:11 test.txt
root@fireball:~# chmod 4754 test.txt
root@fireball:~# ls -l test.txt
-rwsr-xr-- 1 root root 0 Jun  2 13:11 test.txt*
root@fireball:~# chgrp nogroup test.txt
root@fireball:~# ls -l test.txt
-rwxr-xr-- 1 root nogroup 0 Jun  2 13:11 test.txt*

This suggests to me that this is indeed a problem with fakeroot, not
with this package, although I do still think the patch I included on
this bug report could be helpful as it wouldn't change the behavior
when it fakeroot and fixes the issue if anyone else is building
manually outside of fakeroot. Looking at fakeroot's bug reports, it's
already been reported almost a decade ago
(https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=497109). It hasn't
had any activity since then, so that's unfortunate, I'll try and
follow up there. Thank you for your help, that was very useful!
On Sat, Jun 2, 2018 at 1:35 AM Stefan Fritsch <sf@sfritsch.de> wrote:
>
> On Saturday, 2 June 2018 02:06:10 CEST Jason Perrin wrote:
>
> > This appears to be a problem in the source for this package, on the master
> > branch, as well as on separate branches for different distros:
> > https://salsa.debian.org/apache-team/apache2/blob/master/debian/rules#L148-1
> > 53 I'm not sure how this has worked properly to produce packages, since the
> > last change to that section was 6 years ago, so I'm a bit confused on that
> > point.
>
>
> That's weird because it seems all distributed packages in the last 6 years
> have the correct permissions. Do you build the package as root? Usually
> packages are built as non-root user using fakeroot. Maybe fakeroot is not
> being faithful to the real kernel behavior and hides the bug.
>
> Cheers,
> Stefan
>
>
>

Reply to:

References:
- Bug#900612: apache2-suexec-pristine: Packaging steps undo setting of setuid bit
  - From: Jason Perrin <jvperrin@ocf.berkeley.edu>
- Bug#900612: apache2-suexec-pristine: Packaging steps undo setting of setuid bit
  - From: Stefan Fritsch <sf@sfritsch.de>

Prev by Date: Bug#900612: apache2-suexec-pristine: Packaging steps undo setting of setuid bit
Next by Date: Processing of apache2_2.4.25-3+deb9u5_amd64.changes
Previous by thread: Bug#900612: apache2-suexec-pristine: Packaging steps undo setting of setuid bit
Next by thread: Re: Bug#894713: stretch-pu: apache2/2.4.25-3+deb9u5
Index(es):
- Date
- Thread