Debian Bug report logs - #836428
hurd, initscripts: /tmp cleaning deletes files through a firmlink

Reply or subscribe to this bug.

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Kalle Olavi Niemitalo <kon@iki.fi>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: hurd, initscripts: /tmp cleaning deletes files through a firmlink

Date: Sat, 03 Sep 2016 01:12:27 +0300

Package: hurd
Version: 1:0.8.git20160826-1

Richard Braun <rbraun@sceen.net> writes:

> This was famously shown with the example of the
> firmlink translator used in /tmp, which would cause the removal of
> any file targeted by the firmlink on /tmp cleanup during system
> startup.

That was already fixed in daemons/rc.sh as Debian bug #39925
(hurd: /libexec/rc waits for /tmp/* translators), likely in
version 19990714 of the Debian hurd package.  The bug has been
reintroduced: although the fixed script is still installed
(now as /etc/hurd/rc), it is no longer run by default.  Instead,
/lib/init/bootclean.sh in the initscripts package cleans /tmp.

I don't see an open bug report about this in the hurd or
initscripts package, and #39925 has been deleted,
so I'm filing a new one now.

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: hurd-i386 (i686-AT386)

Kernel: GNU-Mach 1.7+git20160809-486-dbg/Hurd-0.8
Locale: LANG=fi_FI.UTF-8, LC_CTYPE=fi_FI.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages hurd depends on:
ii  hurd-libs0.3  1:0.8.git20160826-1
ii  libblkid1     2.28.1-1
ii  libbz2-1.0    1.0.6-8
ii  libc0.3       2.23-5
ii  libdaemon0    0.14-6
ii  libncursesw5  6.0+20160625-1+b1
ii  libtinfo5     6.0+20160625-1+b1
ii  libx11-6      2:1.6.3-1+b1
ii  netdde        0.0.20150828-3
ii  sysv-rc       2.88dsf-59.8
ii  xkb-data      2.17-1
ii  zlib1g        1:1.2.8.dfsg-2

Versions of packages hurd recommends:
pn  bf-utf-source  <none>

Versions of packages hurd suggests:
pn  hurd-doc  <none>

Versions of other related packages:
ii  initscripts    2.88dsf-59.8
ii  sysvinit-core  2.88dsf-59.8
ii  sysvinit-utils 2.88dsf-59.8
ii  coreutils      8.25-2+b1

-- Configuration Files:
/etc/default/hurd-console changed:
ENABLE='false'
DISPLAY='-d vga'
KBD='-d pc_kbd'
if [ -f /etc/default/keyboard ]
then
  . /etc/default/keyboard
fi
[ -z "$XKBLAYOUT" ] || KBD="$KBD --keymap $XKBLAYOUT"
KBD_REPEAT='--repeat=kbd'
MOUSE='-d pc_mouse --protocol=ps/2'
MOUSE_REPEAT='--repeat=mouse'

/etc/hurd/rc changed:
PATH=/bin:/sbin:/usr/bin:/usr/sbin
swapon -a
echo juu > /doh
if [ -r /fastboot ]
then
	# ... or don't.
	rm -f /fastboot
	echo Fast boot ... skipping disk checks
elif [ $1x = autobootx ]
then
	echo Automatic boot in progress...
	date
	fsysopts / --update --readonly
	/sbin/fsck -p -A
	case $? in
	# Successful completion
	0)
		fsysopts / --update --writable
		;;
	# Filesystem modified (but ok now)
	1)
		fsysopts / --update --writable
		;;
	# Filesystem modified, filesystem should be restarted
	# Ideally we would only restart the filesystem
	2 | 3)
		/sbin/reboot
		;;
	# Fsck couldn't fix it.
	4 | 5 | 8 | 9)
		echo "Automatic boot failed... help!"
		exit 1
		;;
	# Signal that really interrupted something
	20 | 130 | 131)
		echo "Boot interrupted"
		exit 1
		;;
	# Special `let fsck finish' interruption (SIGQUIT)
	12)
		echo "Boot interrupted (filesystem checks complete)"
		exit 1
		;;
	# Oh dear.
	*)
		echo "Unknown error during fsck (exit status $?)"
		exit 1
		;;
	esac
fi
echo -n cleaning up left over files...
rm -f /etc/nologin
rm -f /var/lock/LCK.*
if test -d /tmp; then
  # Forcibly remove all translators in the directory.
  # It is then safe to attempt to remove files and descend directories.
  # All parameters must begin with "./".
  function remove_translators() {
    local f
    for f; do
      settrans -pagfS "$f"
      if [ -L "$f" ] || [ ! -d "$f" ]; then
	rm "$f"
      else
	remove_translators "$f"/* "$f"/.[!.] "$f"/.??*
	rmdir "$f"
      fi
    done
  }
  (cd /tmp
   shopt -s nullglob
   for f in * .[!.] .??*; do
     case "$f" in
     'lost+found'|'quotas') ;;
     *) remove_translators "./$f"
     esac
   done)
  unset -f remove_translators  # because it relies on nullglob
fi
if test -d /var/run; then
  (cd /var/run && {
    find . ! -type d ! -name utmp ! -name innd.pid \
      -exec rm -f -- {} \;
    cp /dev/null utmp
    if grep -q ^utmp: /etc/group
    then
	chmod 664 utmp
	chgrp utmp utmp
    fi; })
fi
rm -fr /run/*
mkdir -p /run/lock /run/shm
chmod 1777 /run/lock /run/shm
: > /run/utmp
echo done
if ! test -e /proc/cmdline ; then
  settrans -c /proc /hurd/procfs --compatible
fi
ln -s /proc/mounts /var/run/mtab
ln -sf /proc/mounts /etc/mtab
chmod 664 /etc/motd
(
	trap ":" INT QUIT TSTP
	if [ -d /etc/rc.boot ]
	then
		for i in /etc/rc.boot/S*
		do
			[ ! -f $i ] && continue
			$i start
		done
	fi
	if [ -d /etc/rc2.d ]
	then
		for i in /etc/rc2.d/S*
		do
			[ ! -f $i ] && continue
			$i start
		done
	fi
)
date


-- no debconf information

Message #10 received at submit@bugs.debian.org (full text, mbox, reply):

From: Richard Braun <rbraun@sceen.net>

To: Kalle Olavi Niemitalo <kon@iki.fi>, 836428@bugs.debian.org

Cc: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: Re: Bug#836428: hurd, initscripts: /tmp cleaning deletes files through a firmlink

Date: Sat, 3 Sep 2016 00:40:20 +0200

On Sat, Sep 03, 2016 at 01:12:27AM +0300, Kalle Olavi Niemitalo wrote:
> Richard Braun <rbraun@sceen.net> writes:
> 
> > This was famously shown with the example of the
> > firmlink translator used in /tmp, which would cause the removal of
> > any file targeted by the firmlink on /tmp cleanup during system
> > startup.
> 
> That was already fixed in daemons/rc.sh as Debian bug #39925
> (hurd: /libexec/rc waits for /tmp/* translators), likely in
> version 19990714 of the Debian hurd package.  The bug has been
> reintroduced: although the fixed script is still installed
> (now as /etc/hurd/rc), it is no longer run by default.  Instead,
> /lib/init/bootclean.sh in the initscripts package cleans /tmp.
> 
> I don't see an open bug report about this in the hurd or
> initscripts package, and #39925 has been deleted,
> so I'm filing a new one now.

Thanks for that.

But you do understand that it's not a fix, right ? It's just a hack.
A true fix would mean we provide the same assumptions the init
scripts on Unix.

-- 
Richard Braun

Message #20 received at 836428@bugs.debian.org (full text, mbox, reply):

From: Kalle Olavi Niemitalo <kon@iki.fi>

To: 836428@bugs.debian.org

Subject: Re: Bug#836428: hurd, initscripts: /tmp cleaning deletes files through a firmlink

Date: Sat, 03 Sep 2016 09:25:57 +0300

Richard Braun <rbraun@sceen.net> writes:

> A true fix would mean we provide the same assumptions the init
> scripts on Unix.

Programs deleting or modifying files in /tmp already have to be
careful not to follow other users' symlinks.  Perhaps you could
reuse that somehow.  __hurd_file_name_lookup_retry in glibc has
some code that returns ENOENT if O_NOFOLLOW is used on an
untrusted translator, but I haven't examined whether that
triggers in the /tmp-cleaning case.  (rpctrace doesn't reveal it.
IIRC, it does trigger if I try to cp -a a directory in which a
file uses the hello translator.)

Send a report that this bug log contains spam.