Devuan bug report logs - #851
openrc: Incorrect handling of 'no_new_privs' in openrc-run


Package: openrc; Maintainer for openrc is (unknown); Source for openrc is src:openrc.

Reported by: murzik <lorietta2023@gmail.com>

Date: Tue, 2 Jul 2024 14:14:01 UTC

Severity: grave

Tags: patch, upstream

Found in version 0.45.2-2+deb12u1

Fixed in version 0.52.1-1

Done: Mark Hindley <mark@hindley.org.uk>


MIME-Version: 1.0
X-Mailer: MIME-tools 5.509 (Entity 5.509)
X-Loop: owner@bugs.devuan.org
From: "Devuan bug Tracking System" <owner@bugs.devuan.org>
To: murzik <lorietta2023@gmail.com>
Subject: bug#851 closed by Mark Hindley <mark@hindley.org.uk> (Re:
 bug#851: openrc: Incorrect handling of 'no_new_privs' in openrc-run)
Message-ID: <handler.851.D851.17211454999714.notifdone@bugs.devuan.org>
References: <ZpaYelJ4O88WmhE1@hindley.org.uk> <L520GS.458ZUPZ6DXCP3@gmail.com>
X-Devuan-PR-Message: they-closed 851
X-Devuan-PR-Package: openrc
X-Devuan-PR-Keywords: upstream patch
Reply-To: 851@bugs.devuan.org
Date: Tue, 16 Jul 2024 16:00:03 +0000
Content-Type: multipart/mixed; boundary="----------=_1721145603-9747-1"
[Message part 1 (text/plain, inline)]
This is an automatic notification regarding your bug report
which was filed against the openrc package:

#851: openrc: Incorrect handling of 'no_new_privs' in openrc-run

It has been closed by Mark Hindley <mark@hindley.org.uk>.

Their explanation is attached below along with your original report.
If this explanation is unsatisfactory and you have not received a
better one in a separate message then please contact Mark Hindley <mark@hindley.org.uk> by
replying to this email.


-- 
851: https://bugs.devuan.org/cgi/bugreport.cgi?bug=851
Devuan Bug Tracking System
Contact owner@bugs.devuan.org with problems
[Message part 2 (message/rfc822, inline)]
From: Mark Hindley <mark@hindley.org.uk>
To: 851-done@bugs.devuan.org
Subject: Re: bug#851: openrc: Incorrect handling of 'no_new_privs' in openrc-run
Date: Tue, 16 Jul 2024 16:57:46 +0100
On Mon, Jul 15, 2024 at 05:33:45PM +0100, Mark Hindley wrote:
> Control: tags -1 upstream
> Control: fixed -1 0.52.1-1

Closing as fixed.

Mark
[Message part 3 (message/rfc822, inline)]
From: murzik <lorietta2023@gmail.com>
To: submit@bugs.devuan.org
Subject: openrc: Incorrect handling of 'no_new_privs' in openrc-run
Date: Wed, 03 Jul 2024 01:12:57 +1100
[Message part 4 (text/plain, inline)]
Subject: openrc: Incorrect handling of 'no_new_privs' in openrc-run
Package: openrc
X-Debbugs-Cc: lorietta2023@gmail.com
Version: 0.45.2-2+deb12u1
Severity: grave
Justification: renders package unusable
Tags: patch

Dear Maintainer,
The supervise-daemon handler supervise_daemon.sh (/lib/rc/sh/supervise-daemon.sh)
for openrc-run has problems with handling the no_new_privs parameter!
At line 41 we have the following code:
  ${no_new_privs:+--no_new_privs} \
And there is no '--no_new_privs' option in supervise-daemon, only
'--no-new-privs'.
So, line 41 should be replaced with
  ${no_new_privs:+--no-new-privs} \
But this is not the only problem.
Instead of checking if 'no_new_privs' is set to a positive boolean value,
we are just checking if it's not empty! So, if there is 'no_new_privs=false'
or even 'no_new_privs=BlaBla' in the service file, we are setting the
'--no-new-privs' flag anyway!
I think the following code:
  if ! yesno "$no_new_privs"; then
      no_new_privs=""
  fi
should be added before line 23.
With that, everything works as expected and there is no more
'--no-new-privs' flag if the 'no_new_privs' option is not a positive
boolean value.


-- System Information:
Distributor ID: Devuan
Description: Devuan GNU/Linux 5 (daedalus)
Release: 5
Codename: daedalus
Architecture: x86_64

Kernel: Linux 6.1.0-22-amd64 (SMP w/6 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: OpenRC (via /run/openrc), PID 1: openrc-init

Versions of packages openrc depends on:
ii insserv 1.24.0-1
ii libaudit1 1:3.0.9-1
ii libc6 2.36-9+deb12u7
ii libeinfo1 0.45.2-2+deb12u1
ii libpam0g 1.5.2-6+deb12u1
ii librc1 0.45.2-2+deb12u1
ii libselinux1 3.4-1+b6

openrc recommends no packages.

Versions of packages openrc suggests:
pn policycoreutils <none>
pn sysvinit-core <none>

-- Configuration Files:
/etc/init.d/agetty [Errno 13] Permission denied: '/etc/init.d/agetty'
/etc/init.d/cgroups [Errno 13] Permission denied: '/etc/init.d/cgroups'
/etc/init.d/rc [Errno 13] Permission denied: '/etc/init.d/rc'
/etc/init.d/rcS [Errno 13] Permission denied: '/etc/init.d/rcS'
/etc/init.d/savecache [Errno 13] Permission denied: '/etc/init.d/savecache'
/etc/rc.conf changed [not included]

-- no debconf information

-- debsums errors found:
debsums: changed file /lib/rc/sh/supervise-daemon.sh (from openrc 
package)
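
The difference between the non-empty test and the boolean guard described in the report, as an added example that is not part of the original report or of OpenRC's code. `yesno_literal` is a hypothetical, simplified stand-in for OpenRC's `yesno` helper that only recognises literal truthy values; the sample values are constructed.

```shell
#!/bin/sh
# Added example, not OpenRC code. yesno_literal is a hypothetical stand-in
# for OpenRC's yesno: it accepts only literal truthy values (assumption).
yesno_literal() {
    case "$1" in
        [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
        *) return 1 ;;
    esac
}

# Behaviour described in the report: ${var:+word} expands to word for ANY
# non-empty value, so "false" or "BlaBla" still produce the flag.
flag_nonempty() {
    no_new_privs=$1
    printf '%s' "${no_new_privs:+--no-new-privs}"
}

# Behaviour with the guard proposed in the report: the variable is cleared
# first unless it holds a positive boolean, so the expansion yields nothing.
flag_guarded() {
    no_new_privs=$1
    if ! yesno_literal "$no_new_privs"; then
        no_new_privs=""
    fi
    printf '%s' "${no_new_privs:+--no-new-privs}"
}

# Constructed sample values a service file might assign to no_new_privs.
compare_all() {
    for v in yes true false BlaBla ""; do
        printf '%-8s nonempty=[%s] guarded=[%s]\n' "'$v'" \
            "$(flag_nonempty "$v")" "$(flag_guarded "$v")"
    done
}

compare_all
```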



Devuan Bugs Owner <owner@bugs.devuan.org>.
Last modified: Thu Oct 10 23:00:26 2024;