FS#67265 - [cdrtools] no suid bit in /usr/bin/cdrecord

Attached to Project: Community Packages
Opened by Krzysztof Szpunar (szpunarek) - Monday, 13 July 2020, 14:27 GMT
Last edited by Jerome Leclanche (Adys) - Thursday, 12 November 2020, 11:59 GMT
Task Type Bug Report
Category Packages
Status Closed
Assigned To Jerome Leclanche (Adys)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 9
Private No

Details

Description:
After last upgrading the cdrtools package (07.07.2020) brasero can't record CD images.
brasero

Additional info:
* package version(s)
* config and/or log files etc.
* link to upstream bug report, if any

Steps to reproduce:
This task depends upon

Closed by  Jerome Leclanche (Adys)
Thursday, 12 November 2020, 11:59 GMT
Reason for closing:  Fixed
Additional comments about closing:  Fixed in -4.
Comment by loqs (loqs) - Tuesday, 14 July 2020, 03:42 GMT
conf/install-sh detection of root user capabilities fails. Setting rootflag=TRUE and removing detection of root capabilities seems to resolve the issue.
Edit:
As the sed call deletes lines it should be in prepare() instead of build() so it is only executed once.
   PKGBUILD.diff (0.4 KiB)
Comment by Vincent Gibault (VGib) - Tuesday, 25 August 2020, 10:13 GMT
There seems to be the same problem for K3B.
Comment by Martin Schnitkemper (Martin-MS) - Tuesday, 25 August 2020, 13:41 GMT
Of course, because k3b calls cdrecord as a process, so you run in the same error. If you change the permissions of cdrecord, k3b also keep working.
Comment by Vincent Gibault (VGib) - Tuesday, 25 August 2020, 15:27 GMT
OK Thx, i forgot to set the rw right on cdrecord, can someone fix the package ?
Comment by Martin Schnitkemper (Martin-MS) - Tuesday, 25 August 2020, 15:40 GMT
It's not the rw-right, it's the suid bit.

Just issue as root a "chmod 4711 cdrecord" to set it (in fact change from 0711 to 4711).

However, I am waiting also for a package fix, since the diff has already been supplied a month ago.
Comment by Gabor Zoka (gabor_zoka) - Tuesday, 10 November 2020, 01:14 GMT
Hello Maintainers,

When would you consider fixing this?

It seems the fix is attached. Nothing consuming to do. I cannot use sudo as the files created are owned by root. If you do not fix it, then provide some help how to use cdda2wav now seamlessly. I just hate setting suid manually on /usr/bin/cdda2wav.

Thx for your time.

Gábor
Comment by Martin Schnitkemper (Martin-MS) - Tuesday, 10 November 2020, 09:27 GMT
I don't understand, whats your point. Why are you hate to set the suid bit? It's the same behavior that the binaries in packagerelease 3.02a09-2 had. Or build your own package (as I did) using the attached patch, or downgrade to the previous version and pin it in pacman to prevent an upgrade. But in result it's all the same, it sets the suid bit.

Btw. it didn't work for me if I place the sed command as suggested in a prepare-section, and also not if I patch the install-sh directly, only sed in the build-section did it for me.

However, you can send a mail to Jerome to ask him, why he neither fix it with the attached patch, nor close the bug with a good reason. Actually we have the expression that nobody takes care of it.

But again, it does not really bother me since we have several working solutions for the problem.
Comment by Gabor Zoka (gabor_zoka) - Wednesday, 11 November 2020, 23:51 GMT
I wanted to make the executables suid in the package, and not me making them suid manually after installing. Basically, it is a broken package.

I looked into this. Apparently some of the executables can run user content (not sure what). So libcap, which this depends on i.e. Linux Capabilities is a better way than suid. Indeed, when looking the source, it does use libcap, and it drops capabilities wheneven possible. So, I assume, when user content read and executed it is done with the least capabilities. Not sure what that "user content" might be, but this is superior to suid as the latter runs as root throughout. The source even tells us what "setcap" commands to run to make them usable. I clued myself up on Linux Capabilities, and, indeed, they make sense. Just "grep -r setcap" to find the commands.

Based on those I have made the attached patch and tested. I tested only cdda2wav as I have no CD to write, but this works like a charm.

I will ping Jerome to apply that.
   0001-Fixing-the-permission-is... (1.5 KiB)
Comment by loqs (loqs) - Thursday, 12 November 2020, 00:12 GMT
@gabor_zoka not all file-systems support file caps, have you considered the approach used by shadow [1]? To setuid in the PKGBUILD then remove it in the .install if setcap succeeds.

[1] https://github.com/archlinux/svntogit-packages/blob/packages/shadow/trunk/shadow.install
Comment by Gabor Zoka (gabor_zoka) - Thursday, 12 November 2020, 00:34 GMT
I wanted to make the executables suid in the package, and not me making them suid manually after installing. Basically, it is a broken package.

I looked into this. Apparently some of the executables can run user content (not sure what). So libcap, which this depends on i.e. Linux Capabilities is a better way than suid. Indeed, when looking the source, it does use libcap, and it drops capabilities wheneven possible. So, I assume, when user content read and executed it is done with the least capabilities. Not sure what that "user content" might be, but this is superior to suid as the latter runs as root throughout. The source even tells us what "setcap" commands to run to make them usable. I clued myself up on Linux Capabilities, and, indeed, they make sense. Just "grep -r setcap" to find the commands.

Based on those I have made the attached patch and tested. I tested only cdda2wav as I have no CD to write, but this works like a charm.

I will ping Jerome to apply that.
   0001-Fixing-the-permission-is... (1.5 KiB)
Comment by Gabor Zoka (gabor_zoka) - Thursday, 12 November 2020, 00:39 GMT
@loqs

Good idea. Too late now, but at worst at the weekend I will prep another patch along those lines.

Thx!

Loading...