FS#43584 - [libarchive] bsdtar: does not properly restore Default ACL
Attached to Project:
Arch Linux
Opened by Alain Kalker (ackalker) - Tuesday, 27 January 2015, 13:53 GMT
Last edited by Dave Reisner (falconindy) - Saturday, 18 June 2016, 12:25 GMT
Details
Description:
Using bsdtar to back up and restore an Arch Linux system, the restored system does not have the proper Default ACL set on /var/log/journal. Wiping the system journal on the restored system causes systemd to create a new journal, but due to the missing Default ACL, users who should have access to the system journal by being a member of the adm or wheel group are no longer able to view it.

Included is a small test script which demonstrates the problem by creating a dummy systemd journal, then using bsdtar to back up and then restore this.

I'm marking this as Severity: Medium because this poses a potential security risk for systems which rely on ACLs and use bsdtar for backups.

Additional info:
* package version(s) libarchive 3.1.2-8
* config and/or log files etc.

Steps to reproduce:
- Run the attached script as a regular user with sudo rights and access to the system journal.
Closed by Dave Reisner (falconindy)
Saturday, 18 June 2016, 12:25 GMT
Reason for closing: Fixed
Additional comments about closing: libarchive-3.2.0
$ groups
disk wheel users vboxusers docker wireshark realtime
$ ./test-bsdtar-acls.sh
[sudo] password for miki:
Testing bsdtar ACL preservation.
Test#1: Verify that user has read access to system journal: ok
Test#2: Verify that source and destination dirs have identical ACLs: FAIL
Test#3: Verify that user has read access to source journal: ok
Test#4: Verify that user has read access to destination journal: FAIL
Test#5: Verify that newly created journals have identical ACLs: FAIL
Tests done, generated output is in /tmp/test-bsdtar-acls .
--- test2-src.out 2015-01-27 15:03:37.818244892 +0100
+++ test2-dest.out 2015-01-27 15:03:37.821577962 +0100
@@ -1,34 +1,22 @@
# file: var/log/journal
# owner: root
# group: systemd-journal
# flags: -s-
user::rwx
group::r-x
group:adm:r-x
group:wheel:r-x
mask::r-x
other::r-x
-default:user::rwx
-default:group::r-x
-default:group:adm:r-x
-default:group:wheel:r-x
-default:mask::r-x
-default:other::r-x
# file: var/log/journal/3a2138a366894850b89ab89d467e156b
# owner: root
# group: systemd-journal
# flags: -s-
user::rwx
group::r-x
group:adm:r-x
group:wheel:r-x
mask::r-x
other::---
-default:user::rwx
-default:group::r-x
-default:group:adm:r-x
-default:group:wheel:r-x
-default:mask::r-x
-default:other::r-x
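Review bot: every `default:` line is removed on both `var/log/journal` and the machine-id subdirectory while the access entries (`group:adm:r-x`, `group:wheel:r-x`, `mask::r-x`) are unchanged, so the loss here is specific to the default ACL type. Comparing `getfacl -d` output separately from `getfacl -a` output would make Test#2 report that distinction directly instead of a single FAIL.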
--- test5-src.out 2015-01-27 15:03:37.884906284 +0100
+++ test5-dest.out 2015-01-27 15:03:37.884906284 +0100
@@ -1,10 +1,7 @@
# file: var/log/journal/3a2138a366894850b89ab89d467e156b/system.journal
# owner: root
# group: systemd-journal
user::rw-
-group::r-x #effective:r--
-group:adm:r-x #effective:r--
-group:wheel:r-x #effective:r--
-mask::r--
+group::r--
other::---
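Review bot: at `+group::r--` the destination journal has no `group:adm`, `group:wheel` or `mask` entry at all, which is how a file looks when it is created under a directory that has no default ACL. This comparison therefore depends entirely on the directory result in test2, and the test output should say so, for example by reporting Test#5 as a consequence of Test#2 rather than as an independent failure.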
I don't know yet if it is Arch-specific or upstream. The libarchive package in Arch does have an ACL-related patch, the impact of which on this problem I don't know yet.
If I have some time, I'll try to do a similar test on an Ubuntu VM.
All of libarchive's own tests pass; my test script fails the same tests, but in a different way.
This also turned up yet another small bug in my script: need to use sudo for all uses of getfacl.
$ ./test-bsdtar-acls-fixed.sh
[sudo] password for miki:
Testing bsdtar ACL preservation.
Test#1: Verify that user has read access to system journal: ok
Test#2: Verify that source and destination dirs have identical ACLs: FAIL
Test#3: Verify that user has read access to source journal: ok
Test#4: Verify that user has read access to destination journal: FAIL
Test#5: Verify that newly created journals have identical ACLs: FAIL
Tests done, generated output is in /tmp/test-bsdtar-acls .
$ cat /tmp/test-bsdtar-acls/test2.out
--- test2-src.out 2015-01-27 16:16:04.838259195 +0100
+++ test2-dest.out 2015-01-27 16:16:04.858257606 +0100
@@ -1,34 +1,16 @@
# file: var/log/journal
# owner: root
# group: systemd-journal
# flags: -s-
user::rwx
group::r-x
-group:adm:r-x
-group:wheel:r-x
-mask::r-x
other::r-x
-default:user::rwx
-default:group::r-x
-default:group:adm:r-x
-default:group:wheel:r-x
-default:mask::r-x
-default:other::r-x
# file: var/log/journal/3a2138a366894850b89ab89d467e156b
# owner: root
# group: systemd-journal
# flags: -s-
user::rwx
group::r-x
-group:adm:r-x
-group:wheel:r-x
-mask::r-x
other::---
-default:user::rwx
-default:group::r-x
-default:group:adm:r-x
-default:group:wheel:r-x
-default:mask::r-x
-default:other::r-x
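Review bot: in this run `-group:adm:r-x`, `-group:wheel:r-x` and `-mask::r-x` are removed from the access ACL of both directories in addition to every `default:` line, whereas the earlier test2 output kept those access entries. The output should record which libarchive build and which script version produced each run so the two results can be compared.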
$ cat /tmp/test-bsdtar-acls/test5.out
--- test5-src.out 2015-01-27 16:16:04.928252045 +0100
+++ test5-dest.out 2015-01-27 16:16:04.938251250 +0100
@@ -1,10 +1,7 @@
# file: var/log/journal/3a2138a366894850b89ab89d467e156b/system.journal
# owner: root
# group: systemd-journal
user::rw-
-group::r-x #effective:r--
-group:adm:r-x #effective:r--
-group:wheel:r-x #effective:r--
-mask::r--
+group::r--
other::---
Result: my ACL preservation tests fail in precisely the same way as my very first test: Default ACL not preserved.
I have created the following new issue upstream: https://code.google.com/p/libarchive/issues/detail?id=393
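
An added example, not part of the original report or its attached test script: a post-restore check that parses `getfacl` output from a source tree and from its restored copy and lists every ACL entry that did not survive, keeping access and default entries apart. The sample listing is reconstructed from the test2 output on this page; the function names are illustrative.

```python
from collections import defaultdict

# Sample listing reconstructed from the test2 output on this page.
SRC = """\
# file: var/log/journal
user::rwx
group::r-x
group:adm:r-x
group:wheel:r-x
mask::r-x
other::r-x
default:user::rwx
default:group::r-x
default:group:adm:r-x
default:group:wheel:r-x
default:mask::r-x
default:other::r-x
"""
# Constructed restored copy: same listing with every default: line missing.
DEST = "".join(l for l in SRC.splitlines(True) if not l.startswith("default:"))

def parse_getfacl(text):
    """Parse getfacl output into {path: {"access": set, "default": set}}."""
    acls = defaultdict(lambda: {"access": set(), "default": set()})
    path = None
    for raw in text.splitlines():
        line = raw.split("#effective:")[0].strip()  # drop effective-rights note
        if line.startswith("# file: "):
            path = line[len("# file: "):]
            acls[path]  # register the path even if no entries follow
        elif line and not line.startswith("#") and path is not None:
            kind = "default" if line.startswith("default:") else "access"
            acls[path][kind].add(line[len("default:"):] if kind == "default" else line)
    return dict(acls)

def lost_entries(src_text, dest_text):
    """List (path, kind, entry) tuples present in the source but not restored."""
    src, dest = parse_getfacl(src_text), parse_getfacl(dest_text)
    findings = []
    for path in sorted(src):
        restored = dest.get(path, {"access": set(), "default": set()})
        for kind in ("access", "default"):
            for entry in sorted(src[path][kind] - restored[kind]):
                findings.append((path, kind, entry))
    return findings

if __name__ == "__main__":
    for path, kind, entry in lost_entries(SRC, DEST):
        print(f"{path}: lost {kind} ACL entry {entry}")
```

Feeding it `getfacl -R` output captured before backup and after restore gives a per-entry list that can gate a backup verification job.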