Devuan bug report logs - #851
openrc: Incorrect handling of 'no_new_privs' in openrc-run

Package: openrc; Severity: grave; Reported by: murzik <[email protected]>; Keywords: upstream patch; Done: Mark Hindley <[email protected]>; Maintainer for openrc is (unknown).

Message received at [email protected]:


Date: Tue, 16 Jul 2024 16:57:46 +0100
From: Mark Hindley <[email protected]>
To: [email protected]
Subject: Re: bug#851: openrc: Incorrect handling of 'no_new_privs' in
 openrc-run

On Mon, Jul 15, 2024 at 05:33:45PM +0100, Mark Hindley wrote:
> Control: tags -1 upstream
> Control: fixed -1 0.52.1-1

Closing as fixed.

Mark

Notification sent to murzik <[email protected]>:
bug acknowledged by developer. Full text available.
Reply sent to Mark Hindley <[email protected]>:
You have taken responsibility. Full text available.
Marked as fixed in versions 0.52.1-1. Request was from Mark Hindley <[email protected]> to [email protected]. Full text available.
Added tag(s) upstream. Request was from Mark Hindley <[email protected]> to [email protected]. Full text available.

Message received at [email protected]:


Date: Mon, 15 Jul 2024 17:33:45 +0100
From: Mark Hindley <[email protected]>
To: murzik <[email protected]>, [email protected]
Subject: Re: bug#851: openrc: Incorrect handling of 'no_new_privs' in
 openrc-run

Control: tags -1 upstream
Control: fixed -1 0.52.1-1

On Wed, Jul 03, 2024 at 01:12:57AM +1100, murzik wrote:
>    Subject: openrc: Incorrect handling of 'no_new_privs' in openrc-run
>    Package: openrc
>    X-Debbugs-Cc: [email protected]
>    Version: 0.45.2-2+deb12u1
>    Severity: grave
>    Justification: renders package unusable
>    Tags: patch
>    Dear Maintainer,
>    Supervise-daemon handler
>    supervise_daemon.sh(/lib/rc/sh/supervise-daemon.sh) for openrc-run
>    has problems with handling the no_new_privs parameter!
>    at line 41 we have the following code:
>       ${no_new_privs:+--no_new_privs} \
>    And there is no '--no_new_privs' option in supervise-daemon, only
>    '--no-new-privs'.
>    So, line 41 should be replaced with
>       ${no_new_privs:+--no-new-privs} \

Thanks. This was fixed upstream in version 0.52.1.

Mark

Information forwarded to [email protected], [email protected]:
bug#851; Package openrc. Full text available.

Message received at [email protected]:


Date: Wed, 03 Jul 2024 01:12:57 +1100
From: murzik <[email protected]>
Subject: openrc: Incorrect handling of 'no_new_privs' in openrc-run
To: [email protected]

Subject: openrc: Incorrect handling of 'no_new_privs' in openrc-run
Package: openrc
X-Debbugs-Cc: [email protected]
Version: 0.45.2-2+deb12u1
Severity: grave
Justification: renders package unusable
Tags: patch

Dear Maintainer,
Supervise-daemon handler 
supervise_daemon.sh(/lib/rc/sh/supervise-daemon.sh) for openrc-run
has problems with handling the no_new_privs parameter!
at line 41 we have the following code:
   ${no_new_privs:+--no_new_privs} \
And there is no '--no_new_privs' option in supervise-daemon, only 
'--no-new-privs'.
So, line 41 should be replaced with
   ${no_new_privs:+--no-new-privs} \
But, this is not the only problem.
Instead of checking if 'no_new_privs' is set to positive boolean value, 
we are just checking if
it's not empty! So, if there is 'no_new_privs=false' or even 
'no_new_privs=BlaBla' in service file, we are setting '--no-new-privs'
flag anyway!
I think, the following code:
 if ! yesno "$no_new_privs"; then
  no_new_privs=""
 fi
should be added before line 23.
With that, everything works as expected and there is no more 
'--no-new-privs' flag if
'no_new_privs' option is not positive boolean value.


-- System Information:
Distributor ID: Devuan
Description: Devuan GNU/Linux 5 (daedalus)
Release: 5
Codename: daedalus
Architecture: x86_64

Kernel: Linux 6.1.0-22-amd64 (SMP w/6 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: OpenRC (via /run/openrc), PID 1: openrc-init

Versions of packages openrc depends on:
ii insserv 1.24.0-1
ii libaudit1 1:3.0.9-1
ii libc6 2.36-9+deb12u7
ii libeinfo1 0.45.2-2+deb12u1
ii libpam0g 1.5.2-6+deb12u1
ii librc1 0.45.2-2+deb12u1
ii libselinux1 3.4-1+b6

openrc recommends no packages.

Versions of packages openrc suggests:
pn policycoreutils <none>
pn sysvinit-core <none>

-- Configuration Files:
/etc/init.d/agetty [Errno 13] Permission denied: '/etc/init.d/agetty'
/etc/init.d/cgroups [Errno 13] Permission denied: '/etc/init.d/cgroups'
/etc/init.d/rc [Errno 13] Permission denied: '/etc/init.d/rc'
/etc/init.d/rcS [Errno 13] Permission denied: '/etc/init.d/rcS'
/etc/init.d/savecache [Errno 13] Permission denied: 
'/etc/init.d/savecache'
/etc/rc.conf changed [not included]

-- no debconf information

-- debsums errors found:
debsums: changed file /lib/rc/sh/supervise-daemon.sh (from openrc 
package)



Acknowledgement sent to murzik <[email protected]>:
New bug report received and forwarded. Copy sent to [email protected], [email protected]. Full text available.
Report forwarded to [email protected], [email protected], [email protected]:
bug#851; Package openrc. Full text available.

Devuan Bugs Owner <[email protected]>.
Last modified: Sat, 30 Nov 2024 22:39:01 UTC