Package: live-build
Version: 1:20191221
Severity: important
User: de...@kali.org
Usertags: origin-kali
live-build has been failing when run in Debian Testing and when your live image includes a package like postgresql-12 which creates a log directory with the sticky bit set (o+t):

    [2020-05-04 12:22:55] lb chroot_hooks
    P: Begin executing hooks...
    /root/0140-remove-log-files.hook.chroot: 8: cannot create /var/log/postgresql/postgresql-12-main.log: Permission denied
    E: config/hooks/normal/0140-remove-log-files.hook.chroot failed (exit non-zero).
    You should check for errors.

After investigation and with the help of #debian-kernel, it turns out that this is due to a recent procps change. Since version 2:3.3.16-1 the package is setting some supplementary hardening restrictions in /usr/lib/sysctl.d/protect-links.conf. The one that's causing us trouble here is "fs.protected_regular = 2", because /var/log/postgresql is a group-writable directory with the sticky bit set:

    (live)root@x260-buxy:/# ls -al /var/log/postgresql/
    total 8
    drwxrwxr-t  2 root     postgres 4096 mai  4 09:34 .
    drwxr-xr-x 15 root     root     4096 mai  4 09:36 ..
    -rw-r-----  1 postgres adm         0 mai  4 09:34 postgresql-12-main.log
    (live)root@x260-buxy:/# :>/var/log/postgresql/postgresql-12-main.log
    bash: /var/log/postgresql/postgresql-12-main.log: Permission denied

To me it really seems like live-build is doing nothing wrong... but at the same time, the default change is likely desirable as well. So I guess we will have to work around it in live-build.

Simple solution with truncate:

    # truncate --no-create --size=0 /var/log/postgresql/postgresql-12-main.log

More complicated solution: detect sticky directories and run the command as the user owning the file.
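As an added example (not code from the bug report or from live-build), here is the detect-and-choose variant written as POSIX sh functions that a hook such as 0140-remove-log-files.hook.chroot could call in place of ":> file". It assumes GNU coreutils stat and truncate, and in a protected directory it uses truncate --no-create rather than switching to the file's owner.

```shell
#!/bin/sh
# Added example, not live-build's own hook code: a protected_regular-aware
# replacement for the ":> file" truncation that failed in
# 0140-remove-log-files.hook.chroot. Assumes GNU coreutils stat and truncate.
set -e

# Succeeds (0) when the directory holding $1 is one where
# fs.protected_regular=2 refuses O_CREAT opens of files owned by someone
# else: the sticky bit is set and the directory is group- or world-writable.
is_protected_dir() {
    perms=$(stat -c '%A' -- "$(dirname -- "$1")")   # e.g. drwxrwxr-t
    case "$perms" in
        *t|*T) ;;                 # sticky bit present in the last position
        *) return 1 ;;
    esac
    case "$perms" in
        ?????w*)    return 0 ;;   # group write bit (6th character)
        ????????w?) return 0 ;;   # other write bit (9th character)
    esac
    return 1
}

# Empty the log file $1 without creating it. ":> file" opens with
# O_CREAT|O_TRUNC, and protected_regular applies only to O_CREAT opens,
# so in a protected directory we open write-only instead via
# "truncate --no-create", which never passes O_CREAT. A missing file
# is left missing: the hook wants empty logs, not new ones.
truncate_log() {
    [ -f "$1" ] || return 0
    if is_protected_dir "$1"; then
        truncate --no-create --size=0 -- "$1"
    else
        : > "$1"
    fi
}

# Usage from a hook, for example:
#   for f in /var/log/*.log /var/log/*/*.log; do truncate_log "$f"; done
```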
-- Package-specific info:

-- System Information:
Debian Release: bullseye/sid
  APT prefers oldoldstable
  APT policy: (500, 'oldoldstable'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.5.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages live-build depends on:
ii  debootstrap  1.0.123

Versions of packages live-build recommends:
ii  apt-utils                       2.0.2
ii  bzip2                           1.0.8-2
ii  cpio                            2.13+dfsg-2
ii  file                            1:5.38-4
ii  live-boot-doc                   1:20190614
ii  live-config-doc                 11.0.1
ii  live-manual-html [live-manual]  2:20151217.1
ii  wget                            1.20.3-1+b2
ii  xz-utils                        5.2.4-1+b1

Versions of packages live-build suggests:
ii  e2fsprogs  1.45.6-1
pn  mtd-utils  <none>
ii  parted     3.3-4

-- no debconf information