authorColin Walters <walters@verbum.org>2017-06-30 09:40:47 -0400
committerAtomic Bot <atomic-devel@projectatomic.io>2017-06-30 21:23:48 +0000
commit3348baf6eb69be0ec8ac3138e696e2828a0cc9e3 (patch)
treebcf173e43a207b31987bdb0d30d9dac6851f6fae
parentcd7d35945af7c11891919b2f2ffae65532b0af31 (diff)
lib/commit: Ensure bare-user objects are always user-readable
Some of the Jenkins jobs for Fedora Atomic Host broke after updating to 2017.7, and it turns out that we regressed handling unreadable files in `bare-user` mode. An example of this is `/etc/shadow`, which ends up in the ostree-as-host content as `/usr/etc/shadow`. Now there are better fixes here; we should probably delete it and create it during the config merge if it doesn't exist. In general, having secret files in ostree really isn't supported, so it doesn't make sense to include them. But let's fix this regression - when operating as an unprivileged user we don't have `CAP_DAC_OVERRIDE` and hence will fail to open un-user-readable objects. (We still preserve the actual `0` mode of course in the xattr and will apply it in `bare`) Closes: #989 Approved by: jlebon
-rw-r--r--src/libostree/ostree-repo-commit.c4
-rwxr-xr-xtests/test-basic-user.sh15
2 files changed, 17 insertions, 2 deletions
diff --git a/src/libostree/ostree-repo-commit.c b/src/libostree/ostree-repo-commit.c
index bc55fd6f..1ecbc178 100644
--- a/src/libostree/ostree-repo-commit.c
+++ b/src/libostree/ostree-repo-commit.c
@@ -253,13 +253,15 @@ commit_loose_regfile_object (OstreeRepo *self,
/* Note that previously this path added `| 0755` which made every
* file executable, see
* https://github.com/ostreedev/ostree/issues/907
+ * We then changed it to mask by 0775, but we always need at least read
+ * permission when running as non-root, so explicitly mask that in.
*
* Again here, symlinks in bare-user are a hairy special case; only do a
* chmod for a *real* regular file, otherwise we'll take the default 0644.
*/
if (S_ISREG (mode))
{
- const mode_t content_mode = (mode & (S_IFREG | 0775));
+ const mode_t content_mode = (mode & (S_IFREG | 0775)) | S_IRUSR;
if (fchmod (tmpf->fd, content_mode) < 0)
return glnx_throw_errno_prefix (error, "fchmod");
}
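Review bot: With the added `| S_IRUSR` the on-disk mode of a bare-user content object no longer equals the mode the commit records (a mode-0 file is stored as 0400), and the reworked comment explains the history but not that invariant, so a reader of this function alone cannot tell where the real mode is kept. Suggest extending the comment with something like `* The on-disk mode only governs access to the repo's own copy; the committed mode (including 0) is recorded separately and is what checkout applies in bare mode.` — the description says the actual mode lives in the xattr, but the hunk itself does not show that, so word it to match the code that writes it. As a point of style, the same expression now mixes the octal mask 0775 with the symbolic S_IRUSR; either `| 0400` or symbolic constants throughout would read more consistently. commit_loose_regfile_object starts before this hunk and continues past it.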
diff --git a/tests/test-basic-user.sh b/tests/test-basic-user.sh
index fa802df6..94866550 100755
--- a/tests/test-basic-user.sh
+++ b/tests/test-basic-user.sh
@@ -25,7 +25,7 @@ skip_without_user_xattrs
setup_test_repository "bare-user"
-extra_basic_tests=3
+extra_basic_tests=4
. $(dirname $0)/basic-test.sh
# Reset things so we don't inherit a lot of state from earlier tests
@@ -64,3 +64,16 @@ $OSTREE checkout -U -H test2-unwritable test2-checkout
cd test2-checkout
assert_file_has_mode unwritable 400
echo "ok bare-user unwritable"
+
+rm test2-checkout -rf
+$OSTREE checkout -U -H test2 test2-checkout
+cat > statoverride.txt <<EOF
+=0 /unreadable
+EOF
+touch test2-checkout/unreadable
+$OSTREE commit -b test2-unreadable --statoverride=statoverride.txt --tree=dir=test2-checkout
+$OSTREE fsck
+rm test2-checkout -rf
+$OSTREE checkout -U -H test2-unreadable test2-checkout
+assert_file_has_mode test2-checkout/unreadable 400
+echo "ok bare-user handled unreadable file"
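Review bot: The new test only asserts the mode of the hardlinked checkout (`assert_file_has_mode test2-checkout/unreadable 400`), which confirms the repo object is user-readable on disk, but it never checks that the committed mode 0 survived the round trip, which is the other half of the invariant the description states. If the test helpers provide a way to inspect the recorded mode (the available helpers are not visible here), asserting it as well would catch a regression that merely started storing 0400 as the content mode. A short comment above `rm test2-checkout -rf` would make the scenario clear to the next reader: `# Commit a mode-0 file as an unprivileged user: bare-user must store it user-readable (0400) while still recording mode 0`. Note that `-H` appears to matter for the assertion since a hardlink checkout exposes the repo object's own inode mode; a copying checkout would presumably test something else, so that is worth saying in the comment too.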