Bug 1550745 - Running `rpm --setugids iputils` removes the capabilities flags from ping, arping and clockdiff
Summary: Running `rpm --setugids iputils` removes the capabilities flags from ping, ar...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: rpm
Version: 7.4
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: rc
: ---
Assignee: Pavlina Moravcova Varekova
QA Contact: Eva Mrakova
Marie Dolezelova
URL:
Whiteboard:
Depends On:
Blocks: 1630909 1630918
TreeView+ depends on / blocked
 
Reported: 2018-03-02 00:01 UTC by Trevor Hemsley
Modified: 2019-08-06 13:11 UTC (History)
7 users (show)

Fixed In Version: rpm-4.11.3-36.el7
Doc Type: Bug Fix
Doc Text:
.The `rpm` command now supports the `--setcaps` and `--restore` options This update introduces the `--setcaps` and `--restore` options for the `rpm` command. The `--setcaps` option sets capabilities of files in a required package. The syntax is as follows: rpm --setcaps _PACKAGE_NAME_ The `--restore` option restores owner, group, permissions, and capabilities of files in a required package. The syntax is as follows: rpm --restore _PACKAGE_NAME_
Clone Of:
Environment:
Last Closed: 2019-08-06 13:11:23 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2019:2259 None None None 2019-08-06 13:11:37 UTC

Description Trevor Hemsley 2018-03-02 00:01:37 UTC
Description of problem:
rpm --setugids removes capabilities from files defined in the rpm spec file

Version-Release number of selected component (if applicable):
rpm-4.11.3-25.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. rpm -V iputils
2. rpm --setugids iputils
3. rpm -V iputils

Actual results:
[root@centos7 ~]# rpm -V iputils
[root@centos7 ~]# rpm --setugids iputils
[root@centos7 ~]# rpm -V iputils
........P    /usr/bin/ping
........P    /usr/sbin/arping
........P    /usr/sbin/clockdiff
[root@centos7 ~]# 
 

Expected results:
Capabilities flags as defined in the rpm spec file should be preserved by rpm when resetting user/group ownership of files in the given package. Using rpm --setperms is fine but --setugids appears broken. Removing these capabilities from those executables means they no longer function correctly.

Additional info:

Comment 2 Panu Matilainen 2018-03-02 07:54:58 UTC
Yes, --setugids strips suid/sgid bits and capabilities, just like chown/chgrp do because that's all --setugids does. Because of that, you need to run --setperms afterwards, but that's not capability-aware and there's no --setcaps at all. 
So this is actually expected behavior from the implementation POV, user expectations may differ...

--setugids and --setperms seemed like nifty tricks with popt back in the turn of millenium, these days people expect more and there's a growing list of bugs and RFE's all of which require reimplementing the simplistic popt-hack with an actual C implementation. Very unlikely to happen in RHEL 7 though, --setcaps or such might be doable.

Comment 3 Pavlina Moravcova Varekova 2018-04-30 08:05:38 UTC
Upstream commit here:
https://github.com/rpm-software-management/rpm/commit/af1fcf0b0a7c093e3d926680fe73fcf2077fd57c

Comment 4 Pavlina Moravcova Varekova 2018-11-05 11:28:02 UTC
Fix of the upstream commit:
https://github.com/rpm-software-management/rpm/commit/b4178c979fff344a1c5142a305f274dd9aff8f45

Comment 18 errata-xmlrpc 2019-08-06 13:11:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2019:2259


Note You need to log in before you can comment on or make changes to this bug.