Your message dated Mon, 23 Jan 2017 20:34:15 -0700
with message-id <[email protected]>
and subject line newer tar in jessie-backports
has caused the Debian Bug report #819978,
regarding tar creates defaults ACLs while archive did not have them
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
819978: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=819978
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: tar
Version: 1.27.1-2+b1
Severity: important
Tags: patch
When extracting an archive with the --acls flag, tar will create a default
ACL even when the tarball had none. This results in subtle bugs when
restoring a root file system, as applications that did not expect to have
ACLs are confronted with them.
For instance, nginx gets 'permission denied' errors when accessing the
php-fpm socket in the /var/lib/php5-fpm directory, and mailman gets confused
as well, since they both use umask rather than specifically setting
permissions to set group write on files.
A fix for this was committed in tar upstream in 2014; could this bug be the
topic of a stable update for jessie?
I include a patch with DEP-3 headers.
-- System Information:
Debian Release: 8.3
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.2.8-1-pve (SMP w/8 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages tar depends on:
ii libacl1 2.2.52-2
ii libc6 2.19-18+deb8u3
ii libselinux1 2.3-2
tar recommends no packages.
Versions of packages tar suggests:
ii bzip2 1.0.6-7+b3
pn ncompress <none>
pn tar-scripts <none>
ii xz-utils 5.1.1alpha+20120614-2+b3
-- no debconf information
Description: Do not set default acls when --acls flag is used
Origin: http://git.savannah.gnu.org/cgit/tar.git/commit/?id=7fe7adcbb985e78aaf9f78051fa26167779be1f6
Forwarded: not-needed
Author: Pavel Raiskup <[email protected]>
Bug: http://www.mail-archive.com/[email protected]/msg04355.html
acls: bugfix for default ACLs extraction
When --acls option is on (regardless of tarball contents or
tarball format), we should explicitly set OR delete default ACLs
for extracted directories. Prior to this update, we always
created arbitrary default ACLs based on standard file permissions.
* configure.ac (with_posix_acls): Check also for acl_free and
acl_delete_def_file to mark IEEE 1003.1e ACLs as supported.
* src/xattrs.c (acl_delete_def_file_at): New function.
(xattrs__acls_set): Do not treat acls_option at all; Delete
default ACLs if appropriate.
References:
http://www.mail-archive.com/[email protected]/msg04355.html
Thanks: Juan J. Martínez and Mark Steinborn
diff --git a/configure.ac b/configure.ac
index 08bed2b..d393876 100644
--- a/configure.ac
+++ b/configure.ac
@@ -74,7 +74,8 @@ AC_ARG_WITH([posix-acls],
if test "x$with_posix_acls" != "xno"; then
AC_CHECK_HEADERS(sys/acl.h,, [with_posix_acls=no])
for tar_acl_func in acl_get_file acl_get_fd acl_set_file acl_set_fd \
- acl_to_text acl_from_text; do \
+ acl_to_text acl_from_text acl_delete_def_file \
+ acl_free; do \
test "x$with_posix_acls" = xno && break
AC_SEARCH_LIBS([$tar_acl_func], [acl pacl], [], [with_posix_acls=no])
done
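Review bot: adding acl_delete_def_file and acl_free to the tar_acl_func loop makes both hard requirements. If AC_SEARCH_LIBS fails for either one, with_posix_acls becomes no and the build loses all POSIX ACL support, not only the default-ACL cleanup, and nothing in these lines reports which function was missing. A line in the configure summary or in NEWS would let packagers on platforms without acl_delete_def_file notice that --acls has been compiled out.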
diff --git a/src/xattrs.c b/src/xattrs.c
index dbaa209..307ee38 100644
--- a/src/xattrs.c
+++ b/src/xattrs.c
@@ -61,6 +61,7 @@ static struct
static acl_t acl_get_file_at (int, const char *, acl_type_t);
static int acl_set_file_at (int, const char *, acl_type_t, acl_t);
static int file_has_acl_at (int, char const *, struct stat const *);
+static int acl_delete_def_file_at (int, char const *);
/* acl_get_file_at */
#define AT_FUNC_NAME acl_get_file_at
@@ -88,6 +89,17 @@ static int file_has_acl_at (int, char const *, struct stat const *);
#undef AT_FUNC_POST_FILE_PARAM_DECLS
#undef AT_FUNC_POST_FILE_ARGS
+/* acl_delete_def_file_at */
+#define AT_FUNC_NAME acl_delete_def_file_at
+#define AT_FUNC_F1 acl_delete_def_file
+#define AT_FUNC_POST_FILE_PARAM_DECLS
+#define AT_FUNC_POST_FILE_ARGS
+#include "at-func.c"
+#undef AT_FUNC_NAME
+#undef AT_FUNC_F1
+#undef AT_FUNC_POST_FILE_PARAM_DECLS
+#undef AT_FUNC_POST_FILE_ARGS
+
/* gnulib file_has_acl_at */
#define AT_FUNC_NAME file_has_acl_at
#define AT_FUNC_F1 file_has_acl
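Review bot: the comment above the new AT_FUNC block only repeats the function name. The caller added later in this patch treats any non-zero return as failure and reports errno, so a one-line comment stating that this is the directory-fd-relative wrapper for acl_delete_def_file, returning 0 on success and -1 with errno set, would document the contract that the WARNOPT call depends on.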
@@ -187,7 +199,8 @@ fixup_extra_acl_fields (char *ptr)
return ptr;
}
-/* "system.posix_acl_access" */
+/* Set the "system.posix_acl_access/system.posix_acl_default" extended
+ attribute. Called only when acls_option > 0. */
static void
xattrs__acls_set (struct tar_stat_info const *st,
char const *file_name, int type,
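Review bot: the new comment says "Called only when acls_option > 0", but that precondition now exists only in the comment, because the in-function guard on acls_option is removed later in this patch. Consider an assert (acls_option > 0) at the top of xattrs__acls_set, or name the call sites in the comment, so a future caller cannot reach acl_delete_def_file_at or perms2acl on an extraction that did not ask for ACLs.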
@@ -199,15 +212,23 @@ xattrs__acls_set (struct tar_stat_info const *st,
{
/* assert (strlen (ptr) == len); */
ptr = fixup_extra_acl_fields (ptr);
-
acl = acl_from_text (ptr);
- acls_option = 1;
}
- else if (acls_option > 0)
- acl = perms2acl (st->stat.st_mode);
+ else if (def)
+ {
+ /* No "default" IEEE 1003.1e ACL set for directory. At this moment,
+ FILE_NAME may already have inherited default acls from parent
+ directory; clean them up. */
+ if (acl_delete_def_file_at (chdir_fd, file_name))
+ WARNOPT (WARN_XATTR_WRITE,
+ (0, errno,
+ _("acl_delete_def_file_at: Cannot drop default POSIX ACLs "
+ "for file '%s'"),
+ file_name));
+ return;
+ }
else
- return; /* don't call acl functions unless we first hit an ACL, or
- --acls was passed explicitly */
+ acl = perms2acl (st->stat.st_mode);
if (!acl)
{
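Review bot: in the new "else if (def)" branch, a failed acl_delete_def_file_at is reported only through WARNOPT (WARN_XATTR_WRITE, ...) and the function then returns with the inherited default ACL still on the directory, so files created there later keep receiving permissions the archive never specified. That is the condition this fix targets, so consider whether the failure should be an error rather than an optional warning, or at least document it as something to check after a restore. The final else now calls perms2acl for every non-default entry without a stored ACL; a short comment there would make that intent explicit.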
--- End Message ---
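Added example (not part of the bug report or of tar's code): a Python audit for a tree restored with an affected tar, listing directories that carry the `system.posix_acl_default` extended attribute named in the patch comment. It assumes Linux; the function names and the sample blob are constructed for illustration.

```python
import errno
import os
import struct

XATTR_DEFAULT = "system.posix_acl_default"   # Linux xattr holding a directory's default ACL
ACL_XATTR_VERSION = 2                         # version word at the start of the blob
TAGS = {0x01: "user", 0x02: "user", 0x04: "group",
        0x08: "group", 0x10: "mask", 0x20: "other"}
NAMED = {0x02, 0x08}                          # entries that carry a uid/gid qualifier

def decode_acl_xattr(blob):
    """Decode the kernel's POSIX ACL xattr blob into getfacl-style entries."""
    if len(blob) < 4 or (len(blob) - 4) % 8:
        raise ValueError("truncated ACL xattr")
    (version,) = struct.unpack_from("<I", blob, 0)
    if version != ACL_XATTR_VERSION:
        raise ValueError(f"unexpected ACL xattr version {version}")
    entries = []
    for off in range(4, len(blob), 8):
        tag, perm, qid = struct.unpack_from("<HHI", blob, off)
        if tag not in TAGS:
            raise ValueError(f"unknown ACL tag {tag:#x}")
        qualifier = str(qid) if tag in NAMED else ""
        rwx = "".join(c if perm & bit else "-" for c, bit in (("r", 4), ("w", 2), ("x", 1)))
        entries.append(f"default:{TAGS[tag]}:{qualifier}:{rwx}")
    return entries

def find_default_acls(root):
    """Yield (directory, entries) for every directory under root with a default ACL."""
    for dirpath, _dirs, _files in os.walk(root):
        try:
            blob = os.getxattr(dirpath, XATTR_DEFAULT)
        except OSError as exc:
            if exc.errno in (errno.ENODATA, errno.ENOTSUP):
                continue              # no default ACL, or filesystem without ACL support
            raise
        yield dirpath, decode_acl_xattr(blob)

# Constructed sample (not from the bug report): a default ACL shaped like one
# derived from mode 0755, i.e. user::rwx, group::r-x, other::r-x.
SAMPLE = struct.pack("<I", 2) + b"".join(
    struct.pack("<HHI", tag, perm, 0xFFFFFFFF)
    for tag, perm in ((0x01, 7), (0x04, 5), (0x20, 5)))

if __name__ == "__main__":
    import sys
    for path, entries in find_default_acls(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(path, ",".join(entries))
```

Directories reported here can be compared against `getfacl` output from the source system before the unwanted default ACL is dropped with `setfacl -k`.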
--- Begin Message ---
A current build of tar is available in jessie-backports, and given where
we are in the stretch release cycle, I'm just not motivated to try and
push an updated tar into a jessie point release for this issue.
Closing this bug with no further action taken.
Bdale
--- End Message ---