Bug 83006 - Red Hat rpm installs sometimes done using root's umask
Summary: Red Hat rpm installs sometimes done using root's umask
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: rpm
Version: rawhide
Hardware: All
OS: Linux
medium
high
Target Milestone: ---
Assignee: Panu Matilainen
QA Contact:
URL:
Whiteboard:
: 195414 247307 249180 453749 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2003-01-29 14:42 UTC by Need Real Name
Modified: 2008-07-02 11:03 UTC (History)
6 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2008-01-25 17:12:54 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)
small test suite for exploring this issue (10.65 KB, application/x-gzip)
2007-08-01 03:55 UTC, Kahlil Hodgson
no flags Details
extension to the previous test suite (11.98 KB, application/x-gzip)
2007-08-15 02:08 UTC, Kahlil Hodgson
no flags Details

Description Need Real Name 2003-01-29 14:42:30 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.3a) Gecko/20021212

Description of problem:
I've run into this bug several times dating back to the 6.x days, and just ran
into it today and decided I should report it so it gets fixed.

I ran into the latest case of this installing the errata kdebase* on a system
that didn't previously have it.  After doing so using the command line 'rpm'
command and later rebooting, X wasn't able to start due to an error that it
couldn't find font 'fixed'.  Turns out that kdebase* installs a few fonts, and
when rpm ran mkfontdir it ran it with the umask I use for root, 077.  Thus the
fonts.dir file in that directory was mode 0600, and since xfs runs as a user, it
couldn't use the fonts in that directory.  Making the file 644 and restarting
xfs allowed X to start normally.

What I'd expect to happen is that rpm would insure that a proper umask is used
when any installation scripts run, just as it insures all files are installed
with the proper permissions regardless of root's umask.  My problem was by rpm
leaving a file too secure, and the system was in an unusable state.  Someone
else who happens to have root's umask as 000 when they run rpm may leave
critical system files world writeable and open to easy attack.

Since setting root's umask to 077 is very common in security conscious
environments, many people would curse their computers a bit less often if this
could be fixed.  Or in my case, unfairly cursing KDE thinking at first it had
tried to take over my GNOME setup.

Version-Release number of selected component (if applicable):


How reproducible:
Didn't try

Steps to Reproduce:
1. set root's umask to 077
2. install kdebase* on a system that doesn't have it
3. reboot, and watch X fail to start
    

Additional info:

Comment 1 Jeff Johnson 2003-02-01 14:19:31 UTC
rpm honors existing umask, does not change in any way.

The stickler is "proper umask", as that is ill defined.

I suppose a seperately configurable rpm specfic umask could be
implemented, but that's really not a whole lot different than,
say, having root run an rpm wrapper for installs that does
    #!/bin/sh
    umask 002
    exec rpm $*
It's hardly worth the effort of implementation in rpm when a wrapper
solves the problem do easily imho.

Comment 2 Need Real Name 2003-02-02 02:25:36 UTC
Seems to me that "proper umask" means the umask that you guys at Red Hat are
using when you test your packages (I hope it is 022, and not 002 like in your
example!)  It'd be a one line addition to rpm to have it set the umask root
currently defaults to now, I fail to see how that'd break anything.  A few dozen
lines if you added a config option to the rpmrc for this.  I knew I could
replace the rpm command with a script and have it exec the real binary to fix
this FOR ME, but I reported it figuring I couldn't be the only one who has ever
(or will ever) run into this.  I guess the only saving grace is that people
clueful enough to set a secure umask for root are probably clueful enough to
figure out what went wrong when adding a package caused X startup to break like
I did.

You really ought to beware if you ever set a more secure umask for root by
default, you'll probably suddenly see a lot of problems and many of the people
finding them will not be knowledgeable enough to fix them.

Comment 3 Jeff Johnson 2003-02-02 14:00:32 UTC
The umask used by Red Hat is that distributed with root
configuration files. The value is 002.

There's far more to be done in packages and rpm to install correctly
with all possible values for umask, it's not just having rpm set
a "proper umask" independently of root's.

Try the wrapper, 'tain't hard.

Comment 4 Bastien Nocera 2007-04-19 14:26:20 UTC
*** Bug 195414 has been marked as a duplicate of this bug. ***

Comment 5 Bastien Nocera 2007-04-19 14:33:16 UTC
Reopening as this could bite the mime-type and icon caches used in the GNOME
desktop.

Comment 6 Bastien Nocera 2007-07-06 20:17:24 UTC
*** Bug 247307 has been marked as a duplicate of this bug. ***

Comment 7 Rob Garth 2007-07-09 01:10:44 UTC
It does bite mime-types. I have to reset my umask to a more insecure one
everytime I run a yum update. It seems rediculous to me that a software package,
which is dependant on permissions, would honour the root umask.

Whether it is considered a bug or not it is affecting systems, and is a
useability issue.

Comment 8 Jeff Johnson 2007-07-09 02:56:12 UTC
umask as a mechanism "works" iff applications like rpm do not change the value.

Consider how much security one gains with
    umask 0777
(which would prevent any non-root access => totally secure) if all applications routinely reset
the umask.

You gain little security by using umask, there are far more effective security mechanisms, like
SE Linux, than umask these days.

Comment 9 Jeff Johnson 2007-07-10 20:15:08 UTC
umask in rpm5.org is always set to 0002 for rpm execution.

UPSTREAM

Comment 10 Panu Matilainen 2007-07-25 18:43:05 UTC
*** Bug 249180 has been marked as a duplicate of this bug. ***

Comment 11 Kahlil Hodgson 2007-07-27 03:50:03 UTC
(In reply to comment #10)
> *** Bug 249180 has been marked as a duplicate of this bug. ***

Don't know how this bug ended up here :-)
 
My problem was with an 'unowned' directory being created with 0750 
permissions when pup was being invoked via consolehelper.  Users umask
is 0007 and roots umask is 0022 (fedora default).  Something odd 
going on here.  Will fake up some minimal test cases when I get a chance.

Comment 12 Kahlil Hodgson 2007-07-27 03:58:39 UTC
(In reply to comment #1)

> It's hardly worth the effort of implementation in rpm when a wrapper
> solves the problem do easily imho.

Would such a script fix yum, pup, and puplet? Do these guys actually run the rpm
executable or do they operate via librpm (and friends) instead?

Comment 13 Kahlil Hodgson 2007-07-27 04:05:16 UTC
(In reply to comment #3)
> The umask used by Red Hat is that distributed with root
> configuration files. The value is 002.

A recent vanilla install of Fedora 7 has the root umask set as 0022.
From the /etc/bashrc:

# By default, we want this to get set.
# Even for non-interactive, non-login shells.
if [ $UID -gt 99 ] && [ "`id -gn`" = "`id -un`" ]; then
        umask 002
else
        umask 022
fi


Comment 14 Kahlil Hodgson 2007-07-27 04:24:34 UTC
(In reply to comment #7)

> It seems rediculous to me that a software package,
> which is dependant on permissions, would honour the root umask.

There might be no easy way around that, especially if the package does not
own the files it is creating.  Case in point, anything that runs
update-mime-database during post install.

   [root@grebo ~]# rpm -qf /usr/share/mime/aliases 
   file /usr/share/mime/aliases is not owned by any package

This might even occur indirectly via desktop-file-install.

> Whether it is considered a bug or not it is affecting systems, and is a
> useability issue.

Especially if updates break previously working packages. I found the mime-cache
issue quite difficult to track down when it initially presented itself as a
problem with evince.  A problem with permissions did not immediately occur to me.




Comment 15 Kahlil Hodgson 2007-08-01 03:55:09 UTC
Created attachment 160392 [details]
small test suite for exploring this issue

I created a small test suite to explore this issue in a repeatable fashion.

This test suite contains a collection of mock packages that can be used for
testing installation permissions under different environments.	Specifically,
we are looking at the effect of the root and user umasks when rpm, yum, or pup
is run as root via su, sudo, or consolehelper.	We are also looking at the
effect on 'unowned' files and directories which may be created via packaging
errors or indirectly via helper-scripts.

Comment 16 Kahlil Hodgson 2007-08-01 03:56:54 UTC
Okay, this is what I got from these tests.

No difference between being run via sudo and being run explicitly as root.
(Huge sigh of relief).  Note that pup/pirut and sudo have significantly
different PAM setup, though.

Updates always work as expected when run with explicit umask of 0022.  (But we
kinda gathered that would be the case).

If root's umask is 0077 then we get all kinds of negative effects when a
package fails to own its directories or does not take care to assert the
permissions of incidental files that may be created during post-install.  (This
accords with earlier remarks).  

Now for the nasty bit. If the normal user has a umask of 0007 (as I hope most
web developers would), root has the default umask of 0022, and we upgrade via
pup, then all hell breaks loose.  We seem to get an umask of 0007 for file
creation and a umask of 0027 for directory creation.  Minor packaging errors,
that would not normally cause any problems, can cause applications to fail or
misbehave.  On my system this has been seen to effect info, thunderbird,
icon-theme.cache, and mime.cache.

People on muti-user systems, will want a 0007 umask if they need to permit
world access to, say, ~/public_html.  I do this by default because I'm used to
doing web development in that kind of environment.  If you also happen to
manage updates via pup and consolehelper then your in trouble.

I admit strong root umask has a limited usefulness when most of root's
activities are automated (SELinux is sooo much better at managing that).
However, a restrictive umask can help when a bleary-eyed, stressed-out,
under-the-hammer, sysadmin is logging in as root at 3am trying to fix a
mission-critical system.  That's the time when you accidentally create a
sensitive file with weak permissions, and don't become aware of it until, at
best, you wake up the next afternoon.  A restrictive umask _can_ save your job
in a situation like that.

Now, I agree that it is not really rpms job to fix this.  On the other hand
something should.  We don't want to be in the situation where some newbie admin
is trying to 'do-the-right-thing' by setting a restrictive root umask
post-install, but have their system progressively break as updates flow in.
They will probably just 'blame-fedora' and move to Ubuntu or SuSE or (heaven
forbid) BSD...

So, should rpmbuild fail if an unowned directory is not explictily excluded in
some way?  Should update-mime-database and friends check the permissions of the
files it creates.  Is there some way that rpm can check files created by the
post-install hook?


Comment 17 Kahlil Hodgson 2007-08-15 02:08:20 UTC
Created attachment 161323 [details]
extension to the previous test suite

Added a test for system-install-packages (firefox default handler for RPMS).
This shows the same effect as pup. This probably rules out PAM as a source of
the problem since system-install-packages and pup have quite different PAM
configurations. Thinking its got something to do with the shared pirut modules.


Added a new test which explicitly owns the directory but does not explicitly
set the permissions -- no difference in behavior.

Comment 18 Red Hat Bugzilla 2007-08-21 05:17:13 UTC
User pnasrat's account has been closed

Comment 19 Panu Matilainen 2007-08-22 06:31:29 UTC
Reassigning to owner after bugzilla made a mess, sorry about the noise...

Comment 20 Panu Matilainen 2008-01-25 17:12:54 UTC
rpm 4.4.2.3-0.1.rc1 in rawhide sets umask to 0002 always so this should be fixed
(finally)

Comment 21 Bastien Nocera 2008-07-02 11:03:09 UTC
*** Bug 453749 has been marked as a duplicate of this bug. ***


Note You need to log in before you can comment on or make changes to this bug.