Devuan bug report logs - #851
openrc: Incorrect handling of 'no_new_privs' in openrc-run

Package: openrc; Maintainer for openrc is (unknown); Source for openrc is src:openrc.

Reported by: murzik <lorietta2023@gmail.com>

Date: Tue, 2 Jul 2024 14:14:01 UTC

Severity: grave

Tags: patch, upstream

Found in version 0.45.2-2+deb12u1

Fixed in version 0.52.1-1

Done: Mark Hindley <mark@hindley.org.uk>


MIME-Version: 1.0
X-Mailer: MIME-tools 5.509 (Entity 5.509)
X-Loop: owner@bugs.devuan.org
From: "Devuan bug Tracking System" <owner@bugs.devuan.org>
To: Mark Hindley <mark@hindley.org.uk>
Subject: bug#851: marked as done (openrc: Incorrect handling of
 'no_new_privs' in openrc-run)
Message-ID: <handler.851.D851.17211454999714.ackdone@bugs.devuan.org>
References: <ZpaYelJ4O88WmhE1@hindley.org.uk> <L520GS.458ZUPZ6DXCP3@gmail.com>
X-Devuan-PR-Message: closed 851
X-Devuan-PR-Package: openrc
X-Devuan-PR-Keywords: upstream patch
Reply-To: 851@bugs.devuan.org
Date: Tue, 16 Jul 2024 16:00:01 +0000
Content-Type: multipart/mixed; boundary="----------=_1721145601-9747-0"
[Message part 1 (text/plain, inline)]
Your message dated Tue, 16 Jul 2024 16:57:46 +0100
with message-id <ZpaYelJ4O88WmhE1@hindley.org.uk>
and subject line Re: bug#851: openrc: Incorrect handling of 'no_new_privs' in openrc-run
has caused the Devuan bug report #851,
regarding openrc: Incorrect handling of 'no_new_privs' in openrc-run
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.devuan.org
immediately.)


-- 
851: https://bugs.devuan.org/cgi/bugreport.cgi?bug=851
Devuan Bug Tracking System
Contact owner@bugs.devuan.org with problems
[Message part 2 (message/rfc822, inline)]
From: murzik <lorietta2023@gmail.com>
To: submit@bugs.devuan.org
Subject: openrc: Incorrect handling of 'no_new_privs' in openrc-run
Date: Wed, 03 Jul 2024 01:12:57 +1100
[Message part 3 (text/plain, inline)]
Subject: openrc: Incorrect handling of 'no_new_privs' in openrc-run
Package: openrc
X-Debbugs-Cc: lorietta2023@gmail.com
Version: 0.45.2-2+deb12u1
Severity: grave
Justification: renders package unusable
Tags: patch

Dear Maintainer,
The supervise-daemon handler supervise_daemon.sh (/lib/rc/sh/supervise-daemon.sh)
for openrc-run has problems with handling the no_new_privs parameter!
At line 41 we have the following code:
  ${no_new_privs:+--no_new_privs} \
And there is no '--no_new_privs' option in supervise-daemon, only
'--no-new-privs'.
So, line 41 should be replaced with
  ${no_new_privs:+--no-new-privs} \
But this is not the only problem.
Instead of checking if 'no_new_privs' is set to a positive boolean value,
we are just checking if it's not empty! So, if there is 'no_new_privs=false'
or even 'no_new_privs=BlaBla' in the service file, we are setting the
'--no-new-privs' flag anyway!
I think the following code:
if ! yesno "$no_new_privs"; then
 no_new_privs=""
fi
should be added before line 23.
With that, everything works as expected and there is no more
'--no-new-privs' flag if the 'no_new_privs' option is not a positive
boolean value.


-- System Information:
Distributor ID: Devuan
Description: Devuan GNU/Linux 5 (daedalus)
Release: 5
Codename: daedalus
Architecture: x86_64

Kernel: Linux 6.1.0-22-amd64 (SMP w/6 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: OpenRC (via /run/openrc), PID 1: openrc-init

Versions of packages openrc depends on:
ii insserv 1.24.0-1
ii libaudit1 1:3.0.9-1
ii libc6 2.36-9+deb12u7
ii libeinfo1 0.45.2-2+deb12u1
ii libpam0g 1.5.2-6+deb12u1
ii librc1 0.45.2-2+deb12u1
ii libselinux1 3.4-1+b6

openrc recommends no packages.

Versions of packages openrc suggests:
pn policycoreutils <none>
pn sysvinit-core <none>

-- Configuration Files:
/etc/init.d/agetty [Errno 13] Permission denied: '/etc/init.d/agetty'
/etc/init.d/cgroups [Errno 13] Permission denied: '/etc/init.d/cgroups'
/etc/init.d/rc [Errno 13] Permission denied: '/etc/init.d/rc'
/etc/init.d/rcS [Errno 13] Permission denied: '/etc/init.d/rcS'
/etc/init.d/savecache [Errno 13] Permission denied: 
'/etc/init.d/savecache'
/etc/rc.conf changed [not included]

-- no debconf information

-- debsums errors found:
debsums: changed file /lib/rc/sh/supervise-daemon.sh (from openrc 
package)
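
Added example, not part of the original report and not OpenRC's code: a POSIX sh sketch comparing the `${no_new_privs:+...}` expansion quoted in the report with the same expansion after the boolean check the reporter proposes. `yesno_standin`, `flag_unchecked` and `flag_checked` are hypothetical names; `yesno_standin` is a simplified stand-in for OpenRC's `yesno` helper, and the sample values are constructed.

```sh
#!/bin/sh
# Simplified stand-in for OpenRC's yesno helper (assumption: only the
# direct-value forms are modelled; anything else counts as "no").
yesno_standin() {
    case "$1" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
        *) return 1 ;;
    esac
}

# Behaviour described in the report: ${var:+word} expands to word for ANY
# non-empty value, so "false" or "BlaBla" still produce the flag.
flag_unchecked() {
    no_new_privs=$1
    printf '%s' "${no_new_privs:+--no-new-privs}"
}

# Behaviour proposed in the report: empty the variable unless it holds a
# positive boolean, then apply the same expansion.
flag_checked() {
    no_new_privs=$1
    if ! yesno_standin "$no_new_privs"; then
        no_new_privs=""
    fi
    printf '%s' "${no_new_privs:+--no-new-privs}"
}

# Constructed sample values a service file might contain.
for v in yes TRUE 1 false no BlaBla ""; do
    printf '%-10s unchecked=[%s] checked=[%s]\n' \
        "'$v'" "$(flag_unchecked "$v")" "$(flag_checked "$v")"
done
```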


[Message part 4 (text/html, inline)]
[Message part 5 (message/rfc822, inline)]
From: Mark Hindley <mark@hindley.org.uk>
To: 851-done@bugs.devuan.org
Subject: Re: bug#851: openrc: Incorrect handling of 'no_new_privs' in openrc-run
Date: Tue, 16 Jul 2024 16:57:46 +0100
On Mon, Jul 15, 2024 at 05:33:45PM +0100, Mark Hindley wrote:
> Control: tags -1 upstream
> Control: fixed -1 0.52.1-1

Closing as fixed.

Mark


Devuan Bugs Owner <owner@bugs.devuan.org>.
Last modified: Thu Sep 19 00:56:39 2024;