ACL entries store references to numeric uids/gids. on platforms that have libacl, use `acl_to_any_text` to generate ACL strings that preserve those numeric identifiers if `numeric-owner` is set (instead of doing a conversion to user/group name, like the acl_to_text function does).
this fixes the following broken scenario (and similar ones, where a user/group of the stored name exists, but has a different numeric identifier). system A with user foo with uid 1001 system B with no user foo file with ACL referencing uid 1001 on system A on A: $ echo 'bar' > file $ setfacl -m u:foo:r file $ tar --acls --xattrs --numeric-owner -cf test.tar file $ tar -vv --acls --xattrs -tf test.tar expected output: -rw-r--r--+ 0/0 4 2022-01-26 14:32 file a: user::rw-,user:1001:r--,group::r--,mask::r--,other::r-- actual output: -rw-r--r--+ 0/0 4 2022-01-26 14:32 file a: user::rw-,user:fakeuser:r--,group::r--,mask::r--,other::r-- on B: $ tar --acls --xattrs -xf test.tar $ getfacl -n file expected output (extraction) - none expected output (getfacl): # file: file # owner: 0 # group: 0 user::rw- user:1001:r-- group::r-- other::r-- actual output (extraction): tar: file: Warning: Cannot acl_from_text: Invalid argument actual output (getfacl) - note the missing user entry: # file: file # owner: 0 # group: 0 user::rw- group::r-- other::r-- Fixes: [YOCTO #15099] Signed-off-by: Fabian Grünbichler <[email protected]> Signed-off-by: Piotr Łobacz <[email protected]>
---
 ...-extend-numeric-owner-to-ACL-entries.patch | 113 ++++++++++++++++++
 meta/recipes-extended/tar/tar_1.34.bb | 1 +
 2 files changed, 114 insertions(+)
 create mode 100644 meta/recipes-extended/tar/tar/0001-extend-numeric-owner-to-ACL-entries.patch
diff --git a/meta/recipes-extended/tar/tar/0001-extend-numeric-owner-to-ACL-entries.patch b/meta/recipes-extended/tar/tar/0001-extend-numeric-owner-to-ACL-entries.patch
new file mode 100644
index 0000000000..9acce2e90a
--- /dev/null
+++ b/meta/recipes-extended/tar/tar/0001-extend-numeric-owner-to-ACL-entries.patch
@@ -0,0 +1,113 @@
+From e95db1b5315957181c0255f6ca9607959abac4c3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= <[email protected]>
+Date: Wed, 26 Jan 2022 14:54:58 +0100
+Subject: [PATCH] extend numeric-owner to ACL entries
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+ACL entries store references to numeric uids/gids. on platforms that
+have libacl, use `acl_to_any_text` to generate ACL strings that preserve
+those numeric identifiers if `numeric-owner` is set (instead of doing a
+conversion to user/group name, like the acl_to_text function does).
+
+this fixes the following broken scenario (and similar ones, where a
+user/group of the stored name exists, but has a different numeric
+identifier).
+
+system A with user foo with uid 1001
+system B with no user foo
+file with ACL referencing uid 1001 on system A
+
+on A:
+$ echo 'bar' > file
+$ setfacl -m u:foo:r file
+$ tar --acls --xattrs --numeric-owner -cf test.tar file
+$ tar -vv --acls --xattrs -tf test.tar
+
+expected output:
+-rw-r--r--+ 0/0 4 2022-01-26 14:32 file
+ a: user::rw-,user:1001:r--,group::r--,mask::r--,other::r--
+
+actual output:
+-rw-r--r--+ 0/0 4 2022-01-26 14:32 file
+ a: user::rw-,user:fakeuser:r--,group::r--,mask::r--,other::r--
+
+on B:
+$ tar --acls --xattrs -xf test.tar
+$ getfacl -n file
+
+expected output (extraction) - none
+expected output (getfacl):
+ # file: file
+ # owner: 0
+ # group: 0
+ user::rw-
+ user:1001:r--
+ group::r--
+ other::r--
+
+actual output (extraction):
+tar: file: Warning: Cannot acl_from_text: Invalid argument
+
+actual output (getfacl) - note the missing user entry:
+ # file: file
+ # owner: 0
+ # group: 0
+ user::rw-
+ group::r--
+ other::r--
+
+Signed-off-by: Fabian Grünbichler <[email protected]>
+---
+ src/xattrs.c | 20 ++++++++++++++++++--
+ 1 file changed, 18 insertions(+), 2 deletions(-)
+
+diff --git a/src/xattrs.c b/src/xattrs.c
+index 7c00527c..b319dc68 100644
+--- a/src/xattrs.c
++++ b/src/xattrs.c
+@@ -130,6 +130,10 @@ static struct
+ #ifdef HAVE_POSIX_ACLS
+ # include "acl.h"
+ # include <sys/acl.h>
++#ifdef HAVE_ACL_LIBACL_H
++/* needed for numeric-owner support */
++# include <acl/libacl.h>
++#endif
+ #endif
+
+ #ifdef HAVE_POSIX_ACLS
+@@ -362,7 +366,13 @@ xattrs__acls_get_a (int parentfd, const char *file_name,
+ return;
+ }
+
+- val = acl_to_text (acl, NULL);
++#ifdef HAVE_ACL_LIBACL_H
++ if (numeric_owner_option)
++ val = acl_to_any_text(acl, NULL, '\n', TEXT_SOME_EFFECTIVE | TEXT_NUMERIC_IDS);
++ else
++#endif
++ val = acl_to_text (acl, NULL);
++
+ acl_free (acl);
+
+ if (!val)
+@@ -392,7 +402,13 @@ xattrs__acls_get_d (int parentfd, char const *file_name,
+ return;
+ }
+
+- val = acl_to_text (acl, NULL);
++#ifdef HAVE_ACL_LIBACL_H
++ if (numeric_owner_option)
++ val = acl_to_any_text(acl, NULL, '\n', TEXT_SOME_EFFECTIVE | TEXT_NUMERIC_IDS);
++ else
++ val = acl_to_text (acl, NULL);
++#endif
++
+ acl_free (acl);
+
+ if (!val)
+--
+2.30.2
+
diff --git a/meta/recipes-extended/tar/tar_1.34.bb b/meta/recipes-extended/tar/tar_1.34.bb
index 1ef5fe221e..bf117f600a 100644
--- a/meta/recipes-extended/tar/tar_1.34.bb
+++ b/meta/recipes-extended/tar/tar_1.34.bb
@@ -8,6 +8,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
 
 SRC_URI = "${GNU_MIRROR}/tar/tar-${PV}.tar.bz2 \
 file://CVE-2022-48303.patch \
+ file://0001-extend-numeric-owner-to-ACL-entries.patch \
 "
 
 SRC_URI[sha256sum] = "b44cc67f8a1f6b0250b7c860e952b37e8ed932a90bd9b1862a511079255646ff"
--
2.34.1
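Review bot: In the `xattrs__acls_get_d` hunk of the added patch, the `#endif` comes after the `else` branch, so a build without `HAVE_ACL_LIBACL_H` compiles out the `acl_to_text` call as well and `val` is never assigned from the ACL. Depending on how `val` is declared (outside the hunk), default ACLs are then either skipped with a warning or an indeterminate pointer is used, and directories restored from such an archive would lose their inherited access restrictions. The `xattrs__acls_get_a` hunk has the intended layout; mirror it here so the fallback stays unconditional: `else`, then `#endif`, then `val = acl_to_text (acl, NULL);`. Both function bodies start and end outside the hunks, so the declaration and the later `!val` handling should be checked against the full file.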
