
qemu build runner does not preserve setuid/setgid/extended attributes in built packages #1731

Open
stevebeattie opened this issue Jan 6, 2025 · 2 comments

Comments

@stevebeattie
Member

When building with the qemu runner, packages that set and should contain setuid binaries do not do so. For example, building the sudo package like so:

$ make package/sudo MELANGE_EXTRA_OPTS="--runner qemu"
yamlfile is sudo.yaml
Building package sudo with version sudo-1.9.16-r1 from file sudo.yaml
make yamlfile=sudo.yaml pkgname=sudo packages/x86_64/sudo-1.9.16-r1.apk
make[1]: Entering directory '$HOME/git/wolfi-dev/os'
@SOURCE_DATE_EPOCH=1732043006 $HOME/go/bin/melange build sudo.yaml --runner=qemu --repository-append $HOME/git/wolfi-dev/os/packages --keyring-append local-melange.rsa.pub --signing-key local-melange.rsa --arch x86_64 --env-file build-x86_64.env --namespace wolfi --license 'Apache-2.0' --git-repo-url 'https://github.com/wolfi-dev/os' --generate-index false  --pipeline-dir ./pipelines/ --runner qemu -k https://packages.wolfi.dev/os/wolfi-signing.rsa.pub -r https://packages.wolfi.dev/os --repository-append $HOME/git/wolfi-dev/os/packages --keyring-append local-melange.rsa.pub --signing-key local-melange.rsa --arch x86_64 --env-file build-x86_64.env --namespace wolfi --license 'Apache-2.0' --git-repo-url 'https://github.com/wolfi-dev/os' --generate-index false  --pipeline-dir ./pipelines/ --runner qemu -k https://packages.wolfi.dev/os/wolfi-signing.rsa.pub -r https://packages.wolfi.dev/os --source-dir ./sudo/
[...]
2025/01/05 22:19:27 INFO qemu: executing - qemu-system-x86_64 -machine microvm,rtc=on,pcie=on,pit=off,pic=off,isa-serial=off -bios /usr/share/seabios/bios-microvm.bin -kernel /tmp/kernel/boot/vmlinuz-virt -initrd /tmp/melange-guest-3167163312.initramfs.cpio -m 8036913k -smp 16 -accel kvm -cpu host -daemonize -display none -no-reboot -no-user-config -nodefaults -parallel none -serial none -vga none -netdev user,id=id1,hostfwd=tcp:127.0.0.1:34893-:22 -device virtio-net-pci,netdev=id1 -device virtio-rng-pci,rng=rng0 -object rng-random,filename=/dev/urandom,id=rng0 -append quiet nomodeset panic=-1 sshkey=ZWNkc2Etc2hhMi1uaXN0cDI1NiBBQUFBRTJWalpITmhMWE5vWVRJdGJtbHpkSEF5TlRZQUFBQUlibWx6ZEhBeU5UWUFBQUJCQkJxdHZVSTdBSEwrNERJdktEaTlvSk41ODZjM0ZYdi8rSm1URXRzdzNmMzJrWnFYRDBpVnZzNllXUnY2VU85VktsUVRXL0lnWGgvMFlvSlNid1QzaFhzPQo= -fsdev local,security_model=mapped,id=fsdev100,path=/tmp/melange-workspace-573700811 -device virtio-9p-pci,id=fs100,fsdev=fsdev100,mount_tag=defaultshare -object iothread,id=io1 -device virtio-blk-pci,drive=disk0,iothread=io1 -drive if=none,id=disk0,cache=none,format=raw,aio=threads,werror=report,rerror=report,file=./811089854.img
[...]
2025/01/05 22:20:00 INFO generating apk index from packages in packages/x86_64
2025/01/05 22:20:00 INFO processing package packages/x86_64/sudo-dev-1.9.16-r1.apk
2025/01/05 22:20:00 INFO processing package packages/x86_64/sudo-doc-1.9.16-r1.apk
2025/01/05 22:20:00 INFO processing package packages/x86_64/sudo-doc-extra-1.9.16-r1.apk
2025/01/05 22:20:00 INFO processing package packages/x86_64/sudo-1.9.16-r1.apk
2025/01/05 22:20:00 INFO updating index at packages/x86_64/APKINDEX.tar.gz with new packages: [sudo-1.9.16-r1 sudo-doc-1.9.16-r1 sudo-doc-extra-1.9.16-r1 sudo-dev-1.9.16-r1]
2025/01/05 22:20:00 INFO signing apk index at packages/x86_64/APKINDEX.tar.gz
2025/01/05 22:20:00 INFO signing index packages/x86_64/APKINDEX.tar.gz with key local-melange.rsa
2025/01/05 22:20:00 INFO appending signature RSA256 to index packages/x86_64/APKINDEX.tar.gz
2025/01/05 22:20:00 INFO writing signed index to packages/x86_64/APKINDEX.tar.gz
2025/01/05 22:20:00 INFO signed index packages/x86_64/APKINDEX.tar.gz with key local-melange.rsa
2025/01/05 22:20:00 INFO qemu: sending shutdown signal
2025/01/05 22:20:00 INFO deleting guest dir /tmp/melange-guest-3263348335
2025/01/05 22:20:00 INFO deleting workspace dir /tmp/melange-workspace-573700811
2025/01/05 22:20:00 INFO removing image path /tmp/melange-guest-3167163312.initramfs.cpio

results in a sudo apk that does not have the setuid bit set on /usr/bin/sudo:

$ tar tvf  packages/x86_64/sudo-1.9.16-r1.apk usr/bin/sudo 2>/dev/null
-rwxr-xr-x root/root    312856 2024-11-19 11:03 usr/bin/sudo

unlike the package in the wolfi archive:

$ tar tvf  $HOME/apks/sudo-1.9.16-r1.apk usr/bin/sudo 2>/dev/null
-rwsr-xr-x root/root    312856 2024-11-19 11:03 usr/bin/sudo

This can also be seen when installing the resulting package in a wolfi container:

372b4fbb1640:/work/packages# apk add x86_64/sudo-1.9.16-r1.apk 
(1/1) Installing sudo (1.9.16-r1)
Executing busybox-1.37.0-r0.trigger
OK: 17 MiB in 16 packages
372b4fbb1640:/work/packages# ls -l /usr/bin/sudo
-rwxr-xr-x    1 root     root        312856 Nov 19 19:03 /usr/bin/sudo
372b4fbb1640:/work/packages# apk del sudo
(1/1) Purging sudo (1.9.16-r1)
Executing busybox-1.37.0-r0.trigger
OK: 14 MiB in 15 packages
372b4fbb1640:/work/packages# apk add sudo
(1/1) Installing sudo (1.9.16-r1)
Executing busybox-1.37.0-r0.trigger
OK: 17 MiB in 16 packages
372b4fbb1640:/work/packages# ls -l /usr/bin/sudo
-rwsr-xr-x    1 root     root        312856 Nov 19 19:03 /usr/bin/sudo

The man-db package build is another one that suffers from this, and is a good separate test case, as the packaging is intended to make /usr/bin/man setuid/setgid man.

@stevebeattie
Member Author

Odd, in my sudo build log, I'm not seeing the following step being run after the uses: strip bit:

  - runs: |
      # sudo must be owned by root with setuid set
      chmod u+s ${{targets.contextdir}}/usr/bin/sudo
      chmod u+s ${{targets.contextdir}}/etc/sudo.conf
      chmod u+s ${{targets.contextdir}}/etc/sudoers

but in the man-db qemu build, I definitely see

2025/01/05 22:57:00 INFO if [ "man" ] && [ "6755" = 6755 ]; then \
2025/01/05 22:57:00 INFO     chown man:man \
2025/01/05 22:57:00 INFO         /home/build/melange-out/man-db/usr/bin/man \
2025/01/05 22:57:00 INFO         /home/build/melange-out/man-db/usr/bin/mandb; \
2025/01/05 22:57:00 INFO fi    
2025/01/05 22:57:00 INFO chmod 6755 \
2025/01/05 22:57:00 INFO     /home/build/melange-out/man-db/usr/bin/man \
2025/01/05 22:57:00 INFO     /home/build/melange-out/man-db/usr/bin/mandb

but the resulting package does not contain anything setuid/setgid man:

$ tar tvf packages/x86_64/man-db-2.13.0-r1.apk usr/bin/ 2>/dev/null
drwxr-xr-x root/root         0 2024-11-01 06:24 usr/bin
lrwxrwxrwx root/root         0 2024-11-01 06:24 usr/bin/apropos -> whatis
-rwxr-xr-x root/root     55568 2024-11-01 06:24 usr/bin/catman
-rwxr-xr-x root/root    126320 2024-11-01 06:24 usr/bin/lexgrog
-rwxr-xr-x root/root    152952 2024-11-01 06:24 usr/bin/man
-rwxr-xr-x root/root     47624 2024-11-01 06:24 usr/bin/man-recode
-rwxr-xr-x root/root    176672 2024-11-01 06:24 usr/bin/mandb
-rwxr-xr-x root/root     46144 2024-11-01 06:24 usr/bin/manpath
-rwxr-xr-x root/root     66048 2024-11-01 06:24 usr/bin/whatis

@stevebeattie
Member Author

stevebeattie commented Jan 8, 2025

The qemu runner also does not keep fscaps (and likely not ACLs and xattrs either). This can be seen by building the fping package, which sets cap_net_raw on /usr/sbin/fping as part of its build (see https://github.com/wolfi-dev/os/blob/main/fping.yaml#L46).

Building via make package/fping MELANGE_EXTRA_OPTS="--runner qemu --debug" (after bumping the epoch) shows the build doing:

2025/01/07 16:39:17 WARN + setcap 'cap_net_raw=+ep' /home/build/melange-out/fping/usr/sbin/fping

but the apk when installed doesn't have it set:

c667c376f64a:/work/packages# apk add x86_64/fping-5.3-r1.apk 
fetch https://packages.wolfi.dev/os/x86_64/APKINDEX.tar.gz
(1/1) Installing fping (5.3-r1)
Executing busybox-1.37.0-r0.trigger
OK: 14 MiB in 16 packages
c667c376f64a:/work/packages# apk add libcap-utils
(1/2) Installing libcap (2.71-r0)
(2/2) Installing libcap-utils (2.71-r0)
Executing glibc-2.40-r3.trigger
Executing busybox-1.37.0-r0.trigger
OK: 15 MiB in 18 packages
c667c376f64a:/work/packages# getcap /usr/sbin/fping 

c667c376f64a:/work/packages# apk del fping
(1/1) Purging fping (5.3-r1)
Executing busybox-1.37.0-r0.trigger
OK: 15 MiB in 17 packages

c667c376f64a:/work/packages# apk add fping=5.3-r0
(1/1) Installing fping (5.3-r0)
Executing busybox-1.37.0-r0.trigger
OK: 15 MiB in 18 packages
c667c376f64a:/work/packages# getcap /usr/sbin/fping 
/usr/sbin/fping cap_net_raw=ep
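As an added example (not from this issue, melange or wolfi-dev/os), the following Python check lists setuid/setgid bits and security.capability PAX headers in an apk's tar stream, so a regression of the kind reported above can be caught before a package is published. The archive it builds is constructed sample data, and the capability value it stores is a placeholder string, not a real vfs_cap_data blob.

```python
"""Audit an apk's tar stream for setuid/setgid bits and file capabilities.

An apk-tools v2 .apk is a concatenation of gzip streams whose payload is a
tar archive, so tarfile in 'r:gz' mode walks the whole file.  Extended
attributes such as security.capability travel as PAX records named
SCHILY.xattr.<name>, which tarfile exposes through TarInfo.pax_headers.
"""
import io
import stat
import tarfile

CAP_XATTR = "SCHILY.xattr.security.capability"

def privileged_entries(apk_bytes: bytes) -> dict:
    """Map path -> (setuid, setgid, has_fscap) for every regular file."""
    found = {}
    with tarfile.open(fileobj=io.BytesIO(apk_bytes), mode="r:gz") as tar:
        for m in tar:
            if m.isfile():
                found[m.name] = (bool(m.mode & stat.S_ISUID),
                                 bool(m.mode & stat.S_ISGID),
                                 CAP_XATTR in m.pax_headers)
    return found

def check_expectations(apk_bytes: bytes, expected: dict) -> list:
    """Return findings where the package lacks a privilege the spec expects.

    expected maps path -> (setuid, setgid, fscap); only True values are checked.
    """
    actual = privileged_entries(apk_bytes)
    findings = []
    for path, want in expected.items():
        got = actual.get(path)
        if got is None:
            findings.append(f"{path}: missing from package")
            continue
        for label, w, h in zip(("setuid", "setgid", "fscap"), want, got):
            if w and not h:
                findings.append(f"{path}: expected {label}, not present")
    return findings

def build_sample_apk(mode: int, with_cap: bool) -> bytes:
    """Constructed test data: a one-entry gzip'd PAX tar shaped like an apk data segment."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz", format=tarfile.PAX_FORMAT) as tar:
        info = tarfile.TarInfo("usr/bin/sudo")
        payload = b"\x7fELF placeholder, not a real binary"
        info.size, info.mode = len(payload), mode
        if with_cap:  # placeholder value; a real apk stores the binary xattr here
            info.pax_headers = {CAP_XATTR: "cap_net_raw=ep (placeholder)"}
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()
```

Run against a real package with `check_expectations(open("sudo-1.9.16-r1.apk", "rb").read(), {"usr/bin/sudo": (True, False, False)})`; an empty list means the bits survived the build.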
