Devuan bug report logs - #851
openrc: Incorrect handling of 'no_new_privs' in openrc-run
Reported by: murzik <lorietta2023@gmail.com>
Date: Tue, 2 Jul 2024 14:14:01 UTC
Severity: grave
Tags: patch, upstream
Found in version 0.45.2-2+deb12u1
Fixed in version 0.52.1-1
Done: Mark Hindley <mark@hindley.org.uk>
Report forwarded to devuan-bugs@lists.dyne.org, lorietta2023@gmail.com, devuan-dev@lists.dyne.org: bug#851; Package openrc. (Tue, 02 Jul 2024 14:14:02 GMT)
Acknowledgement sent to murzik <lorietta2023@gmail.com>: New bug report received and forwarded. Copy sent to lorietta2023@gmail.com, devuan-dev@lists.dyne.org. (Tue, 02 Jul 2024 14:14:03 GMT)
Message #5 received at submit@bugs.devuan.org:
Subject: openrc: Incorrect handling of 'no_new_privs' in openrc-run
Package: openrc
X-Debbugs-Cc: lorietta2023@gmail.com
Version: 0.45.2-2+deb12u1
Severity: grave
Justification: renders package unusable
Tags: patch
Dear Maintainer,
Supervise-daemon handler supervise_daemon.sh (/lib/rc/sh/supervise-daemon.sh) for openrc-run has problems with handling the no_new_privs parameter!
At line 41 we have the following code:
    ${no_new_privs:+--no_new_privs} \
And there is no '--no_new_privs' option in supervise-daemon, only '--no-new-privs'.
So, line 41 should be replaced with
    ${no_new_privs:+--no-new-privs} \
But this is not the only problem.
Instead of checking if 'no_new_privs' is set to a positive boolean value, we are just checking if it's not empty! So, if there is 'no_new_privs=false' or even 'no_new_privs=BlaBla' in the service file, we are setting the '--no-new-privs' flag anyway!
I think the following code:
    if ! yesno "$no_new_privs"; then
        no_new_privs=""
    fi
should be added before line 23.
With that, everything works as expected and there is no more '--no-new-privs' flag if the 'no_new_privs' option is not a positive boolean value.
-- System Information:
Distributor ID: Devuan
Description: Devuan GNU/Linux 5 (daedalus)
Release: 5
Codename: daedalus
Architecture: x86_64
Kernel: Linux 6.1.0-22-amd64 (SMP w/6 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: OpenRC (via /run/openrc), PID 1: openrc-init
Versions of packages openrc depends on:
ii insserv 1.24.0-1
ii libaudit1 1:3.0.9-1
ii libc6 2.36-9+deb12u7
ii libeinfo1 0.45.2-2+deb12u1
ii libpam0g 1.5.2-6+deb12u1
ii librc1 0.45.2-2+deb12u1
ii libselinux1 3.4-1+b6
openrc recommends no packages.
Versions of packages openrc suggests:
pn policycoreutils <none>
pn sysvinit-core <none>
-- Configuration Files:
/etc/init.d/agetty [Errno 13] Permission denied: '/etc/init.d/agetty'
/etc/init.d/cgroups [Errno 13] Permission denied: '/etc/init.d/cgroups'
/etc/init.d/rc [Errno 13] Permission denied: '/etc/init.d/rc'
/etc/init.d/rcS [Errno 13] Permission denied: '/etc/init.d/rcS'
/etc/init.d/savecache [Errno 13] Permission denied:
'/etc/init.d/savecache'
/etc/rc.conf changed [not included]
-- no debconf information
-- debsums errors found:
debsums: changed file /lib/rc/sh/supervise-daemon.sh (from openrc
package)
Information forwarded to devuan-bugs@lists.dyne.org, devuan-dev@lists.dyne.org: bug#851; Package openrc. (Mon, 15 Jul 2024 16:36:01 GMT)
Message #8 received at 851@bugs.devuan.org:
Control: tags -1 upstream
Control: fixed -1 0.52.1-1
On Wed, Jul 03, 2024 at 01:12:57AM +1100, murzik wrote:
> Subject: openrc: Incorrect handling of 'no_new_privs' in openrc-run
> Package: openrc
> X-Debbugs-Cc: lorietta2023@gmail.com
> Version: 0.45.2-2+deb12u1
> Severity: grave
> Justification: renders package unusable
> Tags: patch
> Dear Maintainer,
> Supervise-daemon handler
> supervise_daemon.sh(/lib/rc/sh/supervise-daemon.sh) for openrc-run
> has problems with handling the no_new_privs parameter!
> at line 41 we have the following code:
> ${no_new_privs:+--no_new_privs} \
> And there is no '--no_new_privs' option in supervise-daemon, only
> '--no-new-privs'.
> So, line 41 should be replaced with
> ${no_new_privs:+--no-new-privs} \
Thanks. This was fixed upstream in version 0.52.1.
Mark
Added tag(s) upstream. Request was from Mark Hindley <mark@hindley.org.uk> to 851-submit@bugs.devuan.org. (Mon, 15 Jul 2024 16:36:02 GMT)
Marked as fixed in versions 0.52.1-1. Request was from Mark Hindley <mark@hindley.org.uk> to 851-submit@bugs.devuan.org. (Mon, 15 Jul 2024 16:36:02 GMT)
Reply sent to Mark Hindley <mark@hindley.org.uk>: You have taken responsibility. (Tue, 16 Jul 2024 16:00:01 GMT)
Notification sent to murzik <lorietta2023@gmail.com>: bug acknowledged by developer. (Tue, 16 Jul 2024 16:00:03 GMT)
Message #17 received at 851-done@bugs.devuan.org:
On Mon, Jul 15, 2024 at 05:33:45PM +0100, Mark Hindley wrote:
> Control: tags -1 upstream
> Control: fixed -1 0.52.1-1
Closing as fixed.
Mark