[Bug 234886] shutdown not installed with setuid bit in pkgbase

bugzilla-noreply at freebsd.org
Fri Jan 11 20:45:43 UTC 2019


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=234886

            Bug ID: 234886
           Summary: shutdown not installed with setuid bit in pkgbase
           Product: Base System
           Version: 12.0-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: bin
          Assignee: bugs at FreeBSD.org
          Reporter: emaste at freebsd.org
                CC: kmoore at FreeBSD.org

As reported by kmoore in
https://lists.freebsd.org/pipermail/freebsd-pkgbase/2017-December/000350.html:

> Anybody else noticed a recent regression (say past month or so) where
> pkg base of latest HEAD is now failing to throw setuid on some files? We
> saw it at first because /sbin/shutdown lost its setuid bit, so users
> can't shutdown the box.

I investigated and found that it appears to be due to the way install(1)
handles links with -M
(https://lists.freebsd.org/pipermail/freebsd-pkgbase/2017-December/000361.html):

For regular installs we invoke:
    install -l h <prog> <link>
and the link then has the same permissions via the existing inode.

With -M install produces a metalog containing
    ./<link> type=file mode=0755 size=0
(i.e., permissions not explicitly set) and we end up with two entries
in the metalog referencing two names for the same inode, but with
different permissions.

If we passed in the mode when invoking install for a hardlink we
should have the expected permissions, regardless of sorting:
    # install -M METALOG -m4554 -l h <prog> <link>
    ./<link> type=file mode=04554 size=0

On a positive note there are only a few Makefiles with LINKS as well
as BINOWN, BINMODE, or BINGRP. As far as I can tell:

release/picobsd/tinyware/passwd/Makefile
sbin/shutdown/Makefile
usr.bin/at/Makefile
usr.sbin/authpf/Makefile

And after that email was sent, also stand/efi/loader/Makefile and
stand/i386/loader/Makefile

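The mismatch described in the report can be checked mechanically. The following is an added example, not part of the original report or of FreeBSD's build tooling: it parses a metalog and flags hard-link names whose recorded mode differs from their target's, noting when a setuid or setgid bit is dropped. The sample metalog lines, the path names, and the list of (target, link) pairs are constructed for illustration.

```python
import stat

SPECIAL = stat.S_ISUID | stat.S_ISGID

# Constructed sample metalog: the first pair reproduces the reported
# mismatch, the second pair is consistent.
SAMPLE_METALOG = """\
./sbin/prog type=file uname=root gname=operator mode=04554 size=15000
./sbin/prog-link type=file mode=0755 size=0
./usr/bin/tool type=file uname=root gname=wheel mode=0555 size=9000
./usr/bin/tool-link type=file mode=0555 size=0
"""
# Hypothetical (target, link) pairs, such as a Makefile's LINKS would yield.
SAMPLE_LINKS = [("./sbin/prog", "./sbin/prog-link"),
                ("./usr/bin/tool", "./usr/bin/tool-link")]

def parse_metalog(text):
    """Return {path: {keyword: value}}; a later entry for a path wins."""
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        entries[fields[0]] = dict(f.split("=", 1) for f in fields[1:] if "=" in f)
    return entries

def mode_of(entry):
    """Octal mode of a metalog entry, or None if the entry or keyword is absent."""
    return int(entry["mode"], 8) if entry and "mode" in entry else None

def check_links(metalog_text, links):
    """Return (target, link, target_mode, link_mode, dropped_special_bits)
    for every pair whose modes are missing or disagree."""
    entries = parse_metalog(metalog_text)
    findings = []
    for target, link in links:
        tmode, lmode = mode_of(entries.get(target)), mode_of(entries.get(link))
        if tmode is None or lmode is None:
            findings.append((target, link, tmode, lmode, False))
        elif tmode != lmode:
            dropped = bool(tmode & ~lmode & SPECIAL)
            findings.append((target, link, tmode, lmode, dropped))
    return findings

if __name__ == "__main__":
    show = lambda m: "absent" if m is None else format(m, "05o")
    for target, link, tmode, lmode, dropped in check_links(SAMPLE_METALOG, SAMPLE_LINKS):
        note = " (setuid/setgid dropped)" if dropped else ""
        print(f"{link}: mode {show(lmode)} != {target} mode {show(tmode)}{note}")
```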