FS#43584 - [libarchive] bsdtar: does not properly restore Default ACL

Attached to Project: Arch Linux
Opened by Alain Kalker (ackalker) - Tuesday, 27 January 2015, 13:53 GMT
Last edited by Dave Reisner (falconindy) - Saturday, 18 June 2016, 12:25 GMT
Task Type: Bug Report
Category: Packages: Core
Status: Closed
Assigned To: Dan McGee (toofishes)
Architecture: x86_64
Severity: Medium
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 0
Private: No

Details

Description:

Using bsdtar to back up and restore an Arch Linux system, the restored system does not have the proper Default ACL set on /var/log/journal.

Wiping the system journal on the restored system causes systemd to create a new journal, but due to the missing Default ACL, users who should have access to the system journal by being a member of the adm or wheel group are no longer able to view it.

Included is a small test script which demonstrates the problem by creating a dummy systemd journal, then using bsdtar to back up and then restore this.

I'm marking this as Severity: Medium because this poses a potential security risk for systems which rely on ACLs and use bsdtar for backups.

Additional info:
* package version(s)
libarchive 3.1.2-8
* config and/or log files etc.


Steps to reproduce:
- Run the attached script as a regular user with sudo rights and access to the system journal.

Closed by Dave Reisner (falconindy)
Saturday, 18 June 2016, 12:25 GMT
Reason for closing: Fixed
Additional comments about closing: libarchive-3.2.0
Comment by Alain Kalker (ackalker) - Tuesday, 27 January 2015, 14:05 GMT
Sample test run on my system:

$ groups
disk wheel users vboxusers docker wireshark realtime
$ ./test-bsdtar-acls.sh
[sudo] password for miki:
Testing bsdtar ACL preservation.

Test#1: Verify that user has read access to system journal: ok
Test#2: Verify that source and destination dirs have identical ACLs: FAIL
Test#3: Verify that user has read access to source journal: ok
Test#4: Verify that user has read access to destination journal: FAIL
Test#5: Verify that newly created journals have identical ACLs: FAIL

Tests done, generated output is in /tmp/test-bsdtar-acls .
Comment by Alain Kalker (ackalker) - Tuesday, 27 January 2015, 14:07 GMT
$ cat /tmp/test-bsdtar-acls/test2.out
--- test2-src.out 2015-01-27 15:03:37.818244892 +0100
+++ test2-dest.out 2015-01-27 15:03:37.821577962 +0100
@@ -1,34 +1,22 @@
# file: var/log/journal
# owner: root
# group: systemd-journal
# flags: -s-
user::rwx
group::r-x
group:adm:r-x
group:wheel:r-x
mask::r-x
other::r-x
-default:user::rwx
-default:group::r-x
-default:group:adm:r-x
-default:group:wheel:r-x
-default:mask::r-x
-default:other::r-x

# file: var/log/journal/3a2138a366894850b89ab89d467e156b
# owner: root
# group: systemd-journal
# flags: -s-
user::rwx
group::r-x
group:adm:r-x
group:wheel:r-x
mask::r-x
other::---
-default:user::rwx
-default:group::r-x
-default:group:adm:r-x
-default:group:wheel:r-x
-default:mask::r-x
-default:other::r-x

Comment by Alain Kalker (ackalker) - Tuesday, 27 January 2015, 14:08 GMT
$ cat /tmp/test-bsdtar-acls/test5.out
--- test5-src.out 2015-01-27 15:03:37.884906284 +0100
+++ test5-dest.out 2015-01-27 15:03:37.884906284 +0100
@@ -1,10 +1,7 @@
# file: var/log/journal/3a2138a366894850b89ab89d467e156b/system.journal
# owner: root
# group: systemd-journal
user::rw-
-group::r-x #effective:r--
-group:adm:r-x #effective:r--
-group:wheel:r-x #effective:r--
-mask::r--
+group::r--
other::---

Comment by Dan McGee (toofishes) - Tuesday, 27 January 2015, 14:23 GMT
Is this specific to Arch, or is this an upstream issue? You're going to have to bring it to the attention of the libarchive team more than likely.
Comment by Alain Kalker (ackalker) - Tuesday, 27 January 2015, 14:49 GMT
Small fix to test script: backup/restore are part of Test#2; this also corrects the name of the test tarball.
Comment by Alain Kalker (ackalker) - Tuesday, 27 January 2015, 14:55 GMT
Thanks for your quick reply.
I don't know yet if it is Arch-specific or upstream. The libarchive package in Arch does have an ACL-related patch, the impact of which on this problem I don't know yet.

If I have some time, I'll try to do a similar test on an Ubuntu VM.
Comment by Alain Kalker (ackalker) - Tuesday, 27 January 2015, 15:15 GMT
I've built and tested the libarchive package without libarchive-3.1.2-acl.patch.
All of libarchive's own tests pass; my test script fails the same tests but in a different way.
This also turned up yet another small bug in my script: need to use sudo for all uses of getfacl.
Comment by Alain Kalker (ackalker) - Tuesday, 27 January 2015, 15:17 GMT
Test results using libarchive _without_ libarchive-3.1.2-acl.patch applied.

$ ./test-bsdtar-acls-fixed.sh
[sudo] password for miki:
Testing bsdtar ACL preservation.

Test#1: Verify that user has read access to system journal: ok
Test#2: Verify that source and destination dirs have identical ACLs: FAIL
Test#3: Verify that user has read access to source journal: ok
Test#4: Verify that user has read access to destination journal: FAIL
Test#5: Verify that newly created journals have identical ACLs: FAIL

Tests done, generated output is in /tmp/test-bsdtar-acls .
Comment by Alain Kalker (ackalker) - Tuesday, 27 January 2015, 15:18 GMT
Test results using libarchive _without_ libarchive-3.1.2-acl.patch applied.

$ cat /tmp/test-bsdtar-acls/test2.out
--- test2-src.out 2015-01-27 16:16:04.838259195 +0100
+++ test2-dest.out 2015-01-27 16:16:04.858257606 +0100
@@ -1,34 +1,16 @@
# file: var/log/journal
# owner: root
# group: systemd-journal
# flags: -s-
user::rwx
group::r-x
-group:adm:r-x
-group:wheel:r-x
-mask::r-x
other::r-x
-default:user::rwx
-default:group::r-x
-default:group:adm:r-x
-default:group:wheel:r-x
-default:mask::r-x
-default:other::r-x

# file: var/log/journal/3a2138a366894850b89ab89d467e156b
# owner: root
# group: systemd-journal
# flags: -s-
user::rwx
group::r-x
-group:adm:r-x
-group:wheel:r-x
-mask::r-x
other::---
-default:user::rwx
-default:group::r-x
-default:group:adm:r-x
-default:group:wheel:r-x
-default:mask::r-x
-default:other::r-x

Comment by Alain Kalker (ackalker) - Tuesday, 27 January 2015, 15:19 GMT
Test results using libarchive _without_ libarchive-3.1.2-acl.patch applied.

$ cat /tmp/test-bsdtar-acls/test5.out
--- test5-src.out 2015-01-27 16:16:04.928252045 +0100
+++ test5-dest.out 2015-01-27 16:16:04.938251250 +0100
@@ -1,10 +1,7 @@
# file: var/log/journal/3a2138a366894850b89ab89d467e156b/system.journal
# owner: root
# group: systemd-journal
user::rw-
-group::r-x #effective:r--
-group:adm:r-x #effective:r--
-group:wheel:r-x #effective:r--
-mask::r--
+group::r--
other::---

Comment by Alain Kalker (ackalker) - Tuesday, 27 January 2015, 15:24 GMT
From this, it appears that Arch's libarchive-3.1.2-acl.patch addresses at least some of bsdtar's problems with ACLs, but apparently not all of them.
Comment by Alain Kalker (ackalker) - Tuesday, 27 January 2015, 16:26 GMT
Tested using libarchive-git from the AUR (which fails some of its own tests, beware!)
Result: my ACL preservation tests fail in precisely the same way as my very first test, Default ACL not preserved.
Comment by Alain Kalker (ackalker) - Wednesday, 28 January 2015, 08:32 GMT
From some more testing, I found that the issue is with bsdtar not preserving Default ACLs on nested subdirectories.

I have created the following new issue upstream: https://code.google.com/p/libarchive/issues/detail?id=393
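
Added example (not the reporter's attached script, which is not reproduced on this page): a check that compares two `getfacl -R` dumps, one from the source tree and one from the restored tree, and lists the directories that lost `default:` entries. The function names and the sample dumps are constructed for illustration; the dumps are modelled on the test2 output above.

```sh
#!/bin/sh
# Print "PATH<TAB>ENTRY" for every ACL entry found in SRC_DUMP but not in
# DEST_DUMP. Both arguments are text dumps in getfacl output format.
missing_acl_entries() {
    awk '
        /^# file: /        { path = substr($0, 9); next }  # start of a new record
        /^#/ || /^[ \t]*$/ { next }                        # owner/group/flags, blanks
        {
            sub(/[ \t]*#effective:.*$/, "")                # drop getfacl annotation
            if (side == "src") want[path "\t" $0] = 1
            else               have[path "\t" $0] = 1
        }
        END { for (k in want) if (!(k in have)) print k }
    ' side=src "$1" side=dest "$2" | sort
}

# Paths that lost at least one default: entry. Files created under these
# directories after the restore no longer inherit the named-group access.
dirs_missing_default_acl() {
    missing_acl_entries "$1" "$2" |
        awk -F '\t' '$2 ~ /^default:/ { print $1 }' | sort -u
}

# Constructed sample dumps (not captured output).
sample=$(mktemp -d)
trap 'rm -rf "$sample"' EXIT
cat > "$sample/src.acl" <<'EOF'
# file: var/log/journal
# owner: root
# group: systemd-journal
user::rwx
group::r-x
group:adm:r-x
mask::r-x
other::r-x
default:user::rwx
default:group:adm:r-x
default:mask::r-x

# file: var/log/journal/system.journal
user::rw-
group::r-x  #effective:r--
mask::r--
other::---
EOF
# Restored tree: access ACLs survive, every default: entry is gone.
grep -v '^default:' "$sample/src.acl" > "$sample/dest.acl"

dirs_missing_default_acl "$sample/src.acl" "$sample/dest.acl"
```

On a real system, produce each dump by running `sudo getfacl -R .` from the root of the source tree and of the restored tree, so that the recorded paths line up.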
