Pacman

Historical bug tracker for the Pacman package manager.

The pacman bug tracker has moved to gitlab:
https://gitlab.archlinux.org/pacman/pacman/-/issues

This tracker remains open for interaction with historical bugs during the transition period. Any new bug reports will be closed without further action.

FS#36161 - left-open directory filedescriptor causes chroot() to error EPERM on BSD

Attached to Project: Pacman
Opened by Wolfgang Bumiller (Wrybane) - Monday, 15 July 2013, 16:43 GMT
Last edited by Allan McRae (Allan) - Monday, 06 January 2014, 04:52 GMT
Task Type: Bug Report
Category: Backend/Core
Status: Closed
Assigned To: Dan McGee (toofishes), Allan McRae (Allan)
Architecture: All
Severity: Low
Priority: Normal
Reported Version: 4.1.2
Due in Version: 4.2.0
Due Date: Undecided
Percent Complete: 100%
Votes: 0
Private: No

Details

Summary and Info:
alpm_run_chroot in libalpm uses opendir() to open a file descriptor to the current directory before doing the whole fork+chrooting. On FreeBSD, chroot(2) fails with EPERM when a directory file descriptor is open with _either_ `kern.chroot_allow_open_directories` being 0, or when the process already is inside a chroot. (This is documented in the manpage, and is different from Linux, where this is explicitly allowed according to the manpage.)

Since the file descriptor is not used in the forked process anyway (as it just chroot()s and exec()s), it should be safe to close it.

The attached patch fixes the issue.

Steps to Reproduce:
install packages from inside a chroot on ArchBSD

Closed by  Allan McRae (Allan)
Monday, 06 January 2014, 04:52 GMT
Reason for closing:  Fixed
Additional comments about closing:  git commits 20127e73 and 086bbc5b
Comment by Dan McGee (toofishes) - Monday, 15 July 2013, 16:51 GMT
  • Field changed: Status (Unconfirmed → Assigned)
  • Field changed: Category (General → Backend/Core)
  • Task assigned to Allan McRae (Allan)
This looks sane to me, possibly pending on the other close() patches we have floating around.
Comment by Wolfgang Bumiller (Wrybane) - Monday, 15 July 2013, 17:00 GMT
(Note: Just saw that setting the sysctl value to other values would allow this to work, however, since the Linux manpage explicitly states that it would allow access to files outside the chroot, this is also a security issue; and besides, leaking file descriptors is uncool :D)
Comment by Dave Reisner (falconindy) - Monday, 15 July 2013, 17:11 GMT
Shouldn't we just open the descriptor with O_CLOEXEC? Seems like this works on a recent enough BSD -- not sure about OSX, though.
Comment by Dan McGee (toofishes) - Monday, 15 July 2013, 19:12 GMT
I posted a patch to the mailing list that goes a little further here by setting O_CLOEXEC whenever possible. https://mailman.archlinux.org/pipermail/pacman-dev/2013-July/017593.html
Comment by Wolfgang Bumiller (Wrybane) - Tuesday, 16 July 2013, 21:36 GMT
O_CLOEXEC only closes the fd upon exec(), but that happens after chroot(), so it still needs closing before that.
Comment by Dave Reisner (falconindy) - Tuesday, 16 July 2013, 21:38 GMT
Sure, but we call exec pretty quickly after the fork. You're suggesting that the potential race is something you can actually hit? Note that a similar race *still* exists if you explicitly call close() instead of allowing O_CLOEXEC to do its thing.
Comment by Wolfgang Bumiller (Wrybane) - Tuesday, 16 July 2013, 21:48 GMT
I mean in this particular place it's not a race, first there's the fork(), then the new child does chroot(), and only after that it does exec(), but the chroot() will have failed at that point.
Comment by Dave Reisner (falconindy) - Tuesday, 16 July 2013, 21:54 GMT
Ah, I misunderstood. Makes sense now. The O_CLOEXEC is still useful, but we need to apply your patch as well to avoid running into FreeBSD's security knobs.
Comment by Allan McRae (Allan) - Friday, 15 November 2013, 01:17 GMT
@Wolfgang: Can you provide a full name/email for the git commit?
Comment by Wolfgang Bumiller (Wrybane) - Friday, 15 November 2013, 09:56 GMT
sure
user.email=wry.git@bumiller.com
user.name=Wolfgang Bumiller
Comment by Allan McRae (Allan) - Monday, 16 December 2013, 00:40 GMT
The fork part has been fixed in commit 20127e73. Leaving this open as a reminder to Dan to fix his O_CLOEXEC patch!
Comment by Allan McRae (Allan) - Monday, 06 January 2014, 04:52 GMT
O_CLOEXEC patch appeared! Commit 086bbc5b.
