Re: Use current directory for POSIX mkdir test in install-sh

[Alex Unleashed]

On 10/10/06, Paul Eggert [EMAIL PROTECTED] wrote:



 The difference with other mkdir versions is that GNU mkdir does not try
to
 chmod() the directory if it didn't just create it. The mkdir I'm
currently
 testing is FreeBSD's. It always chmod()'s the directory when a mode is
 specified, no matter it didn't create it.

Ouch!

That behavior is incorrect; it doesn't conform to POSIX.  You might
file a bug report, citing
 http://www.opengroup.org/onlinepubs/009695399/utilities/mkdir.html .



Will do. Thanks for the link.


This chmod(), even when failing,
 is considered an attempt to write to an external path,

That's weird.  mkdir(/, ...) is not considered to be an attempt to
write to an external file name, but chmod (/, ...) is?  This doesn't
sound consistent to me; both system calls _attempt_ to write to an
external file name.  And neither _succeeds_ (which is what should
matter here).  So it sounds like your sandbox tests should be
adjusted, one way or another, since they're not consistent.



Yup, that's a known issue in the sandboxing code, and it would certainly
trigger the mkdir call once fixed. But the fact of the attempt is what
really matters, as we cannot predict if the call will fail, and if it
succeeds it would actually change the file system, which is an unacceptable
risk.

Thanks,

Alex

Re: install-sh misbehaves badly on buggy FreeBSD systems

[Paul Eggert]

Stepan Kasal [EMAIL PROTECTED] writes:

 is there an implementation of mkdir which understands `-p' and `--' but
 does not understand `-m'?

Not in the sense described here, no.  Ancient mkdir treats all
arguments as directories to be made, and `$mkdirprog $mkdir_mode -p --
$tmpdir/d' must fail because tmpdir does not exist.  I don't think
we need to worry about any mkdir understanding -p and -- but not -m;
even if there were an animal, it should treat -m as an unknown option
and should fail.

Your other ideas look good.  It's a bit more consistent to test
dir_arg rather than mkdir_mode (that's what the rest of the script
does).  So here's a revised patch.

2006-10-10  Paul Eggert  [EMAIL PROTECTED]

* lib/install-sh (posix_mkdir): Reject FreeBSD 6.1 mkdir -p -m,
which incorrectly sets the mode of an existing destination
directory.  In some cases the unpatched install-sh could do the
equivalent of chmod 777 / or chmod 0 / on a buggy FreeBSD
system.  We hope this is rare in practice, but it's clearly worth
fixing.  Problem reported by Alex in
http://lists.gnu.org/archive/html/bug-autoconf/2006-10/msg00012.html.
Also, don't bother to check for -m bugs unless we're using -m;
suggested by Stepan Kasal.

--- lib/install-sh.~1.35.~  2006-07-09 09:09:31.0 -0700
+++ lib/install-sh  2006-10-10 12:05:29.0 -0700
@@ -336,12 +336,26 @@ do
trap 'ret=$?; rmdir $tmpdir/d $tmpdir 2/dev/null; exit $ret' 0
 
if (umask $mkdir_umask 
-   exec $mkdirprog $mkdir_mode -p -- / $tmpdir/d) /dev/null 21
+   exec $mkdirprog $mkdir_mode -p -- $tmpdir/d) /dev/null 21
then
- # Check for bugs in HP-UX 11.23 and IRIX 6.5 mkdir.
- case `ls -ld $tmpdir` in
-   d-??-* ) posix_mkdir=:;;
- esac
+ if test -z $dir_arg || {
+  # Check for POSIX incompatibilities with -m.
+  # HP-UX 11.23 and IRIX 6.5 mkdir -m -p sets group- or
+  # other-writeable bit of parent directory when it shouldn't.
+  # FreeBSD 6.1 mkdir -m -p sets mode of existing directory.
+  ls_ld_tmpdir=`ls -ld $tmpdir`
+  case $ls_ld_tmpdir in
+d-?r-*) different_mode=700;;
+d-?--*) different_mode=755;;
+*) false;;
+  esac 
+  $mkdirprog -m$different_mode -p -- $tmpdir  {
+ls_ld_tmpdir_1=`ls -ld $tmpdir`
+test $ls_ld_tmpdir = $ls_ld_tmpdir_1
+  }
+}
+ then posix_mkdir=:
+ fi
  rmdir $tmpdir/d $tmpdir
else
  # Remove any dirs left behind by ancient mkdir implementations.

Re: Use current directory for POSIX mkdir test in install-sh

[Paul Eggert]

Alex Unleashed [EMAIL PROTECTED] writes:

 the fact of the attempt is what
 really matters,

I'm afraid I'll have to disagree on this one, as a matter of
philosophy.  Autoconf regularly tries stuff to see whether it works.
It's not at all unreasonable for Autoconf to try programs that have
memory violations, or attempt to do other prohibited operations, in
order for the Autoconf-generated code to discover what capabilities
the system actually lets the installer do.  If your sandboxing
environment prohibits reasonable requests for information about what
the environment allows, then it's being too strict.

In this particular case, stricter auditing did find a bug in FreeBSD
mkdir -p -m, and that's certainly a point in its favor.  But I'm not
sure it's a good idea in general.

I guess I'd feel more comfortable with a sandbox where the installer
ran as root, and actually could do a chmod 0 / or whatever, and
where the auditing process discovered the sandbox was corrupted; I
think this would detect problems like these more reliably.  (Obviously
though you're doing the work so it's up to you.  :-)

Re: Use current directory for POSIX mkdir test in install-sh

[Alejandro Martínez Ruiz]

On 10/10/06, Paul Eggert [EMAIL PROTECTED] wrote:


Alex Unleashed [EMAIL PROTECTED] writes:

 the fact of the attempt is what
 really matters,

I'm afraid I'll have to disagree on this one, as a matter of
philosophy.  Autoconf regularly tries stuff to see whether it works.
It's not at all unreasonable for Autoconf to try programs that have
memory violations, or attempt to do other prohibited operations, in
order for the Autoconf-generated code to discover what capabilities
the system actually lets the installer do.  If your sandboxing
environment prohibits reasonable requests for information about what
the environment allows, then it's being too strict.



Hi Paul,

I guess that by 'reasonable request' you mean some potentially harmful
operation resulting in non-modified file system. The problems arising here
from a QA viewpoint are:

1) How to determine that a request is 'reasonable'. Since all write requests
will invariantly be denied, the sandbox could be relaxed by checking that
the call will be actually innocuous, thus not ringing the alarms. I think
this can be done.
2) How to determine that the request, even when 'reasonable', is due to a
legal and well-known test and not due to something misbehaving badly. Being
a QA tool, the sandbox has to identify the latter. Without getting my hands
dirty on a really ugly hack I can't imagine how to deal with this.

I understand that those innocuous tests might be needed outside the working
directory (though the install-sh one is about the only one I know of). In
fact mkdir() not showing up is because the code was relaxed to silence
requests on existing directories (still don't know if intentionally) even
when the path is clearly out of the sandbox. Maybe changing this will reveal
some other inconsistencies elsewhere.

I guess I'd feel more comfortable with a sandbox where the installer

ran as root, and actually could do a chmod 0 / or whatever, and
where the auditing process discovered the sandbox was corrupted; I
think this would detect problems like these more reliably.  (Obviously
though you're doing the work so it's up to you.  :-)



Well, the installer actually runs as root, it's just that the sandboxing
wrapper prevents some dangerous calls from actually getting executed. In
fact the current sandbox code is working fairly well for most of Gentoo's
packages built from sources, and that's quite a lot. This case is an
exception, and it proved something was indeed wrong. Anyway, thanks for your
suggestion, the problem is currently fixed with the patched mkdir.

PS: FreeBSD's mkdir has already been fixed in CVS, I hope next version ships
it.

Regards,

Alex