Package: fakeroot
Version: 1.26-1
Severity: critical
Justification: Breaks unrelated software, possibly affects built packages
Hello,

it seems recent changes in libc6 caused the stat() call in C applications to be expanded in a different way, a way fakeroot does not properly handle, resulting in the real user-id, not 0.

Reproducer

Use this small program that stats the given directory and prints its uid:

===========================================================
#include <sys/stat.h>
#include <stdio.h>
#include <stdlib.h>

int main (int argc, char **argv)
{
  struct stat statbuf;

  if (argc != 2) {
    fprintf(stderr, "usage: %s <dir>\n", argv[0]);
    exit(1);
  }
  /* stat() the given path; under fakeroot the owner should be reported as 0 */
  if (stat (argv[1], &statbuf)) {
    perror("Cannot stat");
    exit(1);
  }
  printf("uid is %u\n", statbuf.st_uid);
  return 0;
}
===========================================================

Environments

* Debian 11 ("bullseye") or unstable with libc6 still on 2.32
* Debian unstable

Then run "fakeroot ./a.out ."

Expected output:

  uid is 0

Actual output on current unstable:

  uid is 1000 (or whatever your user id is)

This problem is part of the built program, not of the environment it is executed in.

Additionally, if run without fakeroot, the program's calls look as follows:

strace, old version

  stat(".", {st_mode=S_IFDIR|0755, st_size=19, ...}) = 0
  fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(0x88, 0x504), ...}) = 0

strace, new version

  newfstatat(AT_FDCWD, ".", {st_mode=S_IFDIR|0755, st_size=4096, ...}, 0) = 0
  newfstatat(1, "", {st_mode=S_IFCHR|0620, st_rdev=makedev(0x88, 0x228), ...}, AT_EMPTY_PATH) = 0

ltrace, old version

  __xstat(1, ".", 0x7ffeb9c0a260) = 0

ltrace, new version

  stat(0x7ffc5fef250d, 0x7ffc5fef07b0, 0x7ffc5fef07b0, 0x7f0122b05738) = 0

Impact:

This broke the python-apt autopkgtest after uploading a new version of gnupg2, and even does so when using just the old version but rebuilt with a current libc6. Actual breakage is caused by the fact that gpg checks the permissions of its home directory and emits a warning to stderr for possibly insecure settings.
The python-apt test runs under fakeroot, and while getuid() returns 0 as expected, the stat() call now yields the actual user-id (1000 or whatever) for the directory. And any message to stderr causes autopkgtest to assume failure.

No further checks were done, but I am concerned this might affect packages that still use fakeroot for building. If Debian starts shipping packages where file ownership should be root but is not, we have a problem. Scanning my local package cache, I have no indication this happened so far.

Additionally: Adrian Bunk mentioned this has been fixed in Ubuntu; a quick check confirms that for 22.04.

Christoph

-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.84 (SMP w/8 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages fakeroot depends on:
ii  libc6        2.33-1
ii  libfakeroot  1.26-1

fakeroot recommends no packages.

fakeroot suggests no packages.

-- no debconf information
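A diagnostic in the spirit of the reproducer above, added here as an example; it is not part of the bug report and not code from the fakeroot project. It creates a temporary file and asks for its owner through stat(), lstat(), fstat() and fstatat(), the entry points that current glibc routes to the newfstatat syscall, and compares each answer with getuid(). The owner of a file the process itself just created must equal getuid() in every environment (real root, unprivileged user, and fakeroot alike, since fakeroot lies about both consistently), so a mismatch, getuid() reporting 0 while one of the stat variants reports the real uid, is exactly the symptom described in the report. The function names and the temp-file prefix are my own choices.

```c
/* Added diagnostic (not from the bug report or fakeroot): check whether the
 * stat() family of this binary agrees with getuid() on a file we created. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Query the owner of path via four entry points. Fills out[0..3] with the
 * results of stat, lstat, fstat and fstatat; returns 0 on success, -1 on error. */
static int query_owners(const char *path, uid_t out[4])
{
    struct stat sb;
    int fd;

    if (stat(path, &sb) != 0)
        return -1;
    out[0] = sb.st_uid;

    if (lstat(path, &sb) != 0)
        return -1;
    out[1] = sb.st_uid;

    fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    if (fstat(fd, &sb) != 0) {
        close(fd);
        return -1;
    }
    out[2] = sb.st_uid;
    close(fd);

    if (fstatat(AT_FDCWD, path, &sb, 0) != 0)
        return -1;
    out[3] = sb.st_uid;
    return 0;
}

/* Returns 1 when every stat variant reports the owner of a freshly created
 * file as getuid(), 0 when at least one disagrees (the interposition gap
 * from the report: getuid() says 0, stat() says the real uid), -1 on I/O error. */
int fakeroot_stat_consistent(void)
{
    char path[4096];
    const char *dir = getenv("TMPDIR");
    uid_t seen[4];
    int fd, result = -1;

    if (!dir || !*dir)
        dir = "/tmp";
    /* constructed temp-file name; mkstemp fills in the XXXXXX part */
    snprintf(path, sizeof path, "%s/fakeroot-statcheck-XXXXXX", dir);
    fd = mkstemp(path);
    if (fd < 0)
        return -1;
    close(fd);

    if (query_owners(path, seen) == 0) {
        uid_t expect = getuid();
        result = 1;
        for (int i = 0; i < 4; i++)
            if (seen[i] != expect)
                result = 0;
    }
    unlink(path);
    return result;
}

int main(void)
{
    int r = fakeroot_stat_consistent();

    if (r < 0) {
        perror("fakeroot-statcheck");
        return 2;
    }
    printf("getuid() = %u, stat family %s\n", (unsigned)getuid(),
           r ? "consistent" : "INCONSISTENT (stat entry points not interposed)");
    return r ? 0 : 1;
}
```

Build it with `gcc -o statcheck statcheck.c` and run it both plainly and as `fakeroot ./statcheck`: a binary built against the new libc6 under an affected fakeroot exits 1 and prints the inconsistency, while the same source built against libc6 2.32 (which still routes through `__xstat`) exits 0.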