Bug 1128359 - %attr of %dir not applied
Summary: %attr of %dir not applied
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: rpm
Version: 19
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Packaging Maintenance Team
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-08-09 11:32 UTC by Remi Collet
Modified: 2014-10-04 03:27 UTC (History)
7 users (show)

Fixed In Version: rpm-4.11.3-1.fc20
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-09-19 09:58:45 UTC


Attachments (Terms of Use)
wp-upgrade.txt (828.70 KB, text/plain)
2014-08-20 05:37 UTC, Remi Collet
no flags Details
wp-upgrade-yum.txt (249.14 KB, text/plain)
2014-08-20 07:16 UTC, Remi Collet
no flags Details

Description Remi Collet 2014-08-09 11:32:45 UTC
Description of problem:

During fixing a security bug of wordpress (bug #1124582) I change the uid/gid/mode of the configuration (file + dir)

I notice this is not applied during update

Version-Release number of selected component (if applicable):
rpm-4.11.2-2.fc20.x86_64

On RHEL-6 / RHEL-7 %attr of %dir is always applied.

%attr of %config file is only applied if the file is not altered (which is perhaps the correct behavior).

Before update
$ rpm -V wordpress
S.5....T.  c /etc/wordpress/wp-config.php

After update:
$ rpm -V wordpress
SM5...GT.  c /etc/wordpress/wp-config.php

On Fedora 20, if the directory contains an altered file, %attr is no applied.

This could raise security issues on such update (wordpress 3.9.1 => 3.9.2 in testing)

Especially as "verify" doesn't report any problem on the directory.


Perhaps a better behavior could be

If "uid/gid/mode" is unchanged by sysadmin (value of old RPM metadata), always applied value of the new rpm.
=> So, don't change the sysadmin choice.
=> Separate management of uid/gid/mode from file content.

Comment 1 Remi Collet 2014-08-12 08:23:07 UTC
Same issue in F19

Comment 2 Panu Matilainen 2014-08-19 12:25:54 UTC
The report seems a bit confused to me: half of it is talking about %attr of a %config file, and the other half including summary talks about containing directory. 

AFAICT this affects %config files only, the directory ownership is always updated (as the rpm -V output in original description indicates). Also AFAICT this affects all RHEL and Fedora versions, RHEL-7 is certainly expected to behave the same as current Fedora versions as rpm version is practically same.

So yes there is a bug, content + permissions are too closely tied in the rpm internal machinery dealing with this stuff, but might be tough to fix in existing releases. Whether to honor sysadmin changes is a different kind of problem: on one hand you want to honor them, but OTOH you'd want rpm to fix accidentally incorrect permissions (especially on reinstall etc) and there's no way for rpm to know what is intentional and whats not.

Comment 3 Remi Collet 2014-08-19 15:19:03 UTC
(In reply to Panu Matilainen from comment #2)
> The report seems a bit confused to me: half of it is talking about %attr of
> a %config file, and the other half including summary talks about containing
> directory. 

So forget about the config file, I was just trying to understand/describe the behavior.

This bug report is only for %dir

> AFAICT this affects %config files only, the directory ownership is always
> updated (as the rpm -V output in original description indicates). 

Change in wordpress spec file (3.9.2-3, in updates-testing)
-%dir %{_sysconfdir}/wordpress
+%attr(750,root,apache) %dir %{_sysconfdir}/wordpress

Test reproducer

**** In Fedora 19 ****

# yum install wordpress
   Installation : wordpress-3.9.1-1.fc19.noarch 

# ls -al /etc/wordpress
drwxr-xr-x.   2 root root  4096 19 août  16:58 .
drwxr-xr-x. 191 root root 12288 19 août  16:46 ..
-rw-r--r--.   1 root root  3538  9 mai   06:49 wp-config.php

# echo -e "\n\n" >>/etc/wordpress/wp-config.php

# rpm -V wordpress
S.5....T.  c /etc/wordpress/wp-config.php

# yum --enablerepo=updates-testing update wordpress
   Update: wordpress-3.9.2-3.fc19.noarch

# rpm -V wordpress
SM5...GT.  c /etc/wordpress/wp-config.php

=> so /etc/wordpress is ok  ? should be 750,root,apache ?

# ls -al
total 28
drwxr-xr-x.   2 root root  4096 19 août  16:59 .
drwxr-xr-x. 191 root root 12288 19 août  16:46 ..
-rw-r--r--.   1 root root  3541 19 août  17:00 wp-config.php

=> so owner/mode not changed during update (bug)
=> so report of --verify is not correct (bug)

# rpm --setperms  wordpress
# rpm --setugids  wordpress
# ls -al
total 28
drwxr-x---.   2 root apache  4096 19 août  16:59 .
drwxr-xr-x. 191 root root   12288 19 août  16:46 ..
-rw-r-----.   1 root apache  3541 19 août  17:00 wp-config.php

=> so the owner/mode are correctly defined in the RPM and restored.


**** Same test with EPEL-7 **** 

After update from 3.9.1-1 to 3.9.1-3

# rpm -V wordpress
SM5...GT.  c /etc/wordpress/wp-config.php

# ls -al
drwxr-x---.   2 root apache   26  8 août  11:23 .
drwxr-xr-x. 142 root root   8192 19 août  17:12 ..
-rw-r--r--.   1 root root   3541 19 août  17:12 wp-config.php

Owner/mode is what is expected.

> Also AFAICT this affects all RHEL and Fedora versions,
> RHEL-7 is certainly expected to behave the same as current
> Fedora versions as rpm version is practically same.

It seems it's not the case.
RHEL-7 is not affected by this Fedora specific issue.

> Whether to honor sysadmin changes is a different kind of problem:
> on one hand you want to honor them, but OTOH you'd want rpm to fix
> accidentally incorrect permissions (especially on reinstall etc) and
> there's no way for rpm to know what is intentional and whats not.

I agree.
But having different behavior for dir and file is also not friendly ;)

Comment 4 Panu Matilainen 2014-08-20 05:17:07 UTC
I'm not able to reproduce, the new directory permissions are always applied. Please download the packages, run the following (adjust package paths as necessary) and attach the resulting /tmp/wp-upgrade.txt here.

(rpm -e wordpress; rm -rf /etc/wordpress/; rpm -Uvh /tmp/wordpress-3.9.1-1.fc19.noarch.rpm;echo -e "\n\n" >>/etc/wordpress/wp-config.php >> /etc/wordpress/wp-config.php ; rpm -Uvvh --fsmdebug /tmp/wordpress-3.9.2-3.fc19.noarch.rpm ; ls -la /etc/wordpress) &> /tmp/wp-upgrade.txt

Comment 5 Remi Collet 2014-08-20 05:37:59 UTC
Created attachment 928619 [details]
wp-upgrade.txt

Everything is ok using rpm command.
So this is a yum bug ?

Comment 6 Panu Matilainen 2014-08-20 07:03:34 UTC
Upgrade with yum is supposed to behave identically to upgrading with rpm, but there are have been (and are) cases where yum's test-transaction causes differences in some subtle cases.

Can you reproduce the issue with the yum equivalent of the above?

rpm -e wordpress; rm -rf /etc/wordpress; yum -y install wordpress; echo -e "\n\n" >>/etc/wordpress/wp-config.php >> /etc/wordpress/wp-config.php; yum --enablerepo=updates-testing -y --rpmverbosity=debug update wordpress; ls -la /etc/wordpress

Comment 7 Remi Collet 2014-08-20 07:16:24 UTC
Created attachment 928661 [details]
wp-upgrade-yum.txt

Output using yum, which reproduce the bug.

Comment 8 Panu Matilainen 2014-08-20 07:28:52 UTC
Okay, thanks for testing and with yum I can reproduce it too.
And I can make sense of this all now... this is cured by the same thing that fixes bug 1076552, which has been fixed on rhel-7 but hasn't made its way to fedora yet, hence the difference between "almost identical" rpm versions.

Comment 9 Fedora Update System 2014-09-08 07:52:26 UTC
rpm-4.11.3-1.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/rpm-4.11.3-1.fc20

Comment 10 Fedora Update System 2014-09-09 22:05:17 UTC
Package rpm-4.11.3-1.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing rpm-4.11.3-1.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-10325/rpm-4.11.3-1.fc20
then log in and leave karma (feedback).

Comment 11 Remi Collet 2014-09-10 05:11:17 UTC
Will be nice to have in F19.

Wordpress and phpMyAdmin (at least) are affected by permission changes (it seems someone have reported various bugs about bad permission on configuration dir, which is a security issue).

Comment 12 Panu Matilainen 2014-09-10 05:40:43 UTC
F19 will follow once the F20 update goes stable. Just a way of limiting potential damage in case anything goes wrong.

Comment 13 Fedora Update System 2014-09-16 07:50:01 UTC
rpm-4.11.3-1.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/rpm-4.11.3-1.fc19

Comment 14 Fedora Update System 2014-09-19 09:58:45 UTC
rpm-4.11.3-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2014-10-04 03:27:03 UTC
rpm-4.11.3-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.