Debian Bug report logs - #840667
ltsp-build-client: incorrect /tmp permissions when TMP/TMPDIR are set

version graph

Package: src:ltsp; Maintainer for src:ltsp is Debian LTSP Maintainers <team+ltsp@tracker.debian.org>;

Reported by: Wolfgang Schweer <wschweer@arcor.de>

Date: Thu, 13 Oct 2016 16:45:02 UTC

Severity: important

Found in version ltsp/5.5.8-1

Fixed in version ltsp/5.5.9-1

Done: Vagrant Cascadian <vagrant@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, LTSP Debian Maintainers <pkg-ltsp-devel@lists.alioth.debian.org>:
Bug#840667; Package src:ltsp. (Thu, 13 Oct 2016 16:45:04 GMT) (full text, mbox, link).

Acknowledgement sent to Wolfgang Schweer <wschweer@arcor.de>:
New Bug report received and forwarded. Copy sent to LTSP Debian Maintainers <pkg-ltsp-devel@lists.alioth.debian.org>. (Thu, 13 Oct 2016 16:45:04 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Wolfgang Schweer <wschweer@arcor.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ltsp-build-client fails at apt update call
Date: Thu, 13 Oct 2016 18:41:53 +0200
[Message part 1 (text/plain, inline)]
Source: ltsp
Version: 5.5.8-1
Severity: important
User: debian-edu@lists.debian.org
Usertag: debian-edu

Hi,

while testing Debian Edu Stretch the LTSP chroot installation aborted. 
This happened when apt-get update was run in the chroot and the stretch 
InRelease file was about to be checked. The error message was somehow 
misleading (asking if gnupg was installed).
(Same result if Debian-custom is moved out of the way.)

After further investigation I noticed, that the InRelease file check 
needs a temporary file in /tmp. This failed due to wrong permissions of 
the chroot's /tmp dir. Permisions were 0775, should be 1777 like it is 
when a plain 'debootstrap sid /somewhere' is executed.

I have no idea where the wrong permissions come from.

This workaround made the chroot installation succeed:

diff --git a/server/share/ltsp/plugins/ltsp-build-client/Debian/020-apt-get-update b/server/share/ltsp/plugins/ltsp-build-client/Debian/020-apt-get-update
index 9139125..cb1a186 100644
--- a/server/share/ltsp/plugins/ltsp-build-client/Debian/020-apt-get-update
+++ b/server/share/ltsp/plugins/ltsp-build-client/Debian/020-apt-get-update
@@ -1,6 +1,7 @@
 case "$MODE" in
     after-install)
         export APT_GET_OPTS="$APT_GET_OPTS -o Acquire::gpgv::Options::=--ignore-time-conflict"
+        chroot $ROOT chmod 1777 /tmp
         chroot $ROOT apt-get $APT_GET_OPTS update
         ;;
 esac


Please check.

Wolfgang

[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, LTSP Debian Maintainers <pkg-ltsp-devel@lists.alioth.debian.org>:
Bug#840667; Package src:ltsp. (Fri, 14 Oct 2016 09:45:03 GMT) (full text, mbox, link).

Acknowledgement sent to Wolfgang Schweer <wschweer@arcor.de>:
Extra info received and forwarded to list. Copy sent to LTSP Debian Maintainers <pkg-ltsp-devel@lists.alioth.debian.org>. (Fri, 14 Oct 2016 09:45:03 GMT) (full text, mbox, link).

Message #10 received at 840667@bugs.debian.org (full text, mbox, reply):

From: Wolfgang Schweer <wschweer@arcor.de>
To: 840667@bugs.debian.org
Subject: Re: [Pkg-ltsp-devel] Bug#840667: ltsp-build-client fails at apt update call
Date: Fri, 14 Oct 2016 11:40:44 +0200
[Message part 1 (text/plain, inline)]
On Thu, Oct 13, 2016 at 06:41:53PM +0200, Wolfgang Schweer wrote:
> I have no idea where the wrong permissions come from.
 
This seems to be caused by ltsp-build-client/Debian/005-tmpdir; /tmp 
inherits the wrong permissions.

With 005-tmpdir removed, installation succeeds; the chroot's /tmp dir 
has the correct permissions 1777.

Also, this seems to work:

diff --git a/server/share/ltsp/plugins/ltsp-build-client/Debian/005-tmpdir b/server/share/ltsp/plugins/ltsp-build-client/Debian/005-tmpdir
index a18a225..d52c535 100644
--- a/server/share/ltsp/plugins/ltsp-build-client/Debian/005-tmpdir
+++ b/server/share/ltsp/plugins/ltsp-build-client/Debian/005-tmpdir
@@ -7,7 +7,7 @@ case $MODE in
                 mkdir -p "$ROOT/$dir"
                 # set permissions of dir
                 # FIXME: handle permissions of intermediate dirs, too
-                chmod --reference $dir "$ROOT/$dir"
+                chmod 1777 "$ROOT/$dir"
             fi
         done
         ;;


But either change might have sideeffects...

Wolfgang

[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, LTSP Debian Maintainers <pkg-ltsp-devel@lists.alioth.debian.org>:
Bug#840667; Package src:ltsp. (Sun, 27 Nov 2016 00:15:05 GMT) (full text, mbox, link).

Acknowledgement sent to Vagrant Cascadian <vagrant@debian.org>:
Extra info received and forwarded to list. Copy sent to LTSP Debian Maintainers <pkg-ltsp-devel@lists.alioth.debian.org>. (Sun, 27 Nov 2016 00:15:05 GMT) (full text, mbox, link).

Message #15 received at 840667@bugs.debian.org (full text, mbox, reply):

From: Vagrant Cascadian <vagrant@debian.org>
To: Wolfgang Schweer <wschweer@arcor.de>, 840667@bugs.debian.org
Subject: Re: Bug#840667: ltsp-build-client fails at apt update call
Date: Sat, 26 Nov 2016 16:13:16 -0800
[Message part 1 (text/plain, inline)]
Control: retitle 840667 ltsp-build-client: incorrect /tmp permissions when TMP/TMPDIR are set
Control: tags 840667 +pending

On 2016-10-14, Wolfgang Schweer wrote:
> On Thu, Oct 13, 2016 at 06:41:53PM +0200, Wolfgang Schweer wrote:
>> I have no idea where the wrong permissions come from.

Apparently, this is because 005-tmpdir runs before debootstrap, and
creates the directories referenced by TMP and TMPDIR (usually created by
something like libpam-tmpdir).


> This seems to be caused by ltsp-build-client/Debian/005-tmpdir; /tmp 
> inherits the wrong permissions.

I've worked around the issue upstream, and will include in an upload soon:

  https://bazaar.launchpad.net/~ltsp-upstream/ltsp/ltsp-trunk/revision/2763

I was able to recreate the problem with libpam-tmpdir installed, and the
above commit fixes the issue for me.


> With 005-tmpdir removed, installation succeeds; the chroot's /tmp dir 
> has the correct permissions 1777.
>
> Also, this seems to work:
>
> diff --git a/server/share/ltsp/plugins/ltsp-build-client/Debian/005-tmpdir b/server/share/ltsp/plugins/ltsp-build-client/Debian/005-tmpdir
> index a18a225..d52c535 100644
> --- a/server/share/ltsp/plugins/ltsp-build-client/Debian/005-tmpdir
> +++ b/server/share/ltsp/plugins/ltsp-build-client/Debian/005-tmpdir
> @@ -7,7 +7,7 @@ case $MODE in
>                  mkdir -p "$ROOT/$dir"
>                  # set permissions of dir
>                  # FIXME: handle permissions of intermediate dirs, too
> -                chmod --reference $dir "$ROOT/$dir"
> +                chmod 1777 "$ROOT/$dir"
>              fi
>          done
>          ;;
>
>
> But either change might have sideeffects...

This would compromise the purpose of things like libpam-tmpdir, which
creates a directory only writeable by the user, and sets TMP and TMPDIR
to that directory.

There are arguably security implications using TMP and TMPDIR from
environment variables, and thus many applications unset or ignore those
variables... which leads to some programs requiring the directories be
present (with correct permissions by the user), and some not using them
at all... so not sure it's a good idea to use at all.

But at any rate, the next version should at least work around the issue.


live well,
  vagrant

[signature.asc (application/pgp-signature, inline)]

Changed Bug title to 'ltsp-build-client: incorrect /tmp permissions when TMP/TMPDIR are set' from 'ltsp-build-client fails at apt update call'. Request was from Vagrant Cascadian <vagrant@debian.org> to 840667-submit@bugs.debian.org. (Sun, 27 Nov 2016 00:15:05 GMT) (full text, mbox, link).

Added tag(s) pending. Request was from Vagrant Cascadian <vagrant@debian.org> to 840667-submit@bugs.debian.org. (Sun, 27 Nov 2016 00:15:06 GMT) (full text, mbox, link).

Reply sent to Vagrant Cascadian <vagrant@debian.org>:
You have taken responsibility. (Tue, 06 Dec 2016 23:06:11 GMT) (full text, mbox, link).

Notification sent to Wolfgang Schweer <wschweer@arcor.de>:
Bug acknowledged by developer. (Tue, 06 Dec 2016 23:06:11 GMT) (full text, mbox, link).

Message #24 received at 840667-close@bugs.debian.org (full text, mbox, reply):

From: Vagrant Cascadian <vagrant@debian.org>
To: 840667-close@bugs.debian.org
Subject: Bug#840667: fixed in ltsp 5.5.9-1
Date: Tue, 06 Dec 2016 23:03:28 +0000
Source: ltsp
Source-Version: 5.5.9-1

We believe that the bug you reported is fixed in the latest version of
ltsp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 840667@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Vagrant Cascadian <vagrant@debian.org> (supplier of updated ltsp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 07 Dec 2016 00:02:18 +0200
Source: ltsp
Binary: ltsp-server ltsp-server-standalone ltsp-client-core ltsp-client ltsp-client-builder
Architecture: source
Version: 5.5.9-1
Distribution: unstable
Urgency: medium
Maintainer: LTSP Debian Maintainers <pkg-ltsp-devel@lists.alioth.debian.org>
Changed-By: Vagrant Cascadian <vagrant@debian.org>
Description:
 ltsp-client - complete LTSP client environment
 ltsp-client-builder - build an LTSP environment in the installer target (udeb)
 ltsp-client-core - basic LTSP client environment
 ltsp-server - basic LTSP server environment
 ltsp-server-standalone - complete LTSP server environment
Closes: 839154 840667 840668 846439
Changes:
 ltsp (5.5.9-1) unstable; urgency=medium
 .
   * New upstream version, prepared with care in Ιωάννινα:
     [ Vagrant Cascadian ]
     - ltsp-build-client:
       + Use apt pinning by codename.
       + Handle apt keys specified by directory.
       + Remove plugin that needlessly configures /var/run and /var/lock to
         be mounted as tmpfs. Thanks to Wolfgang Schweer. (Closes: #839154)
       + Switch default mirror to deb.debian.org.
         Thanks to Wolfgang Schweer. (Closes: #840668)
       + Ensure /tmp has proper permissions when respecting TMP/TMPDIR
         variables. Thanks to Wolfgang Schweer. (Closes: #840667)
       + Ensure /etc/network exists before attempting to create the
         interfaces file.
     - Add support for OVERLAY_DIR, which is copied to the rootfs on boot.
 .
     [ Alkis Georgopoulos ]
     - Initial multiseat support.
     - ltsp-update-image: Make it easier to run sshd on LTSP clients.
       (LP: #1324545)
 .
   [ Vagrant Cascadian ]
   * Remove debian/watch file.
   * ltsp-client: Add versioned dependency on ltsp-client-core.
   * ltsp-server-standalone: Add versioned dependency on ltsp-server.
   * Add build dependency on libfl-dev. Thanks to Helmut Grohne.
     (Closes: #846439)
Checksums-Sha1:
 75570ba7b8127ebf1497960a1982052a568d4d2a 2303 ltsp_5.5.9-1.dsc
 cbff51dbf96df674ccc7bce6cbacaad4effdde90 322124 ltsp_5.5.9.orig.tar.xz
 c2dd5702e471fab41a35071d610bae2c68d88a00 76296 ltsp_5.5.9-1.debian.tar.xz
Checksums-Sha256:
 4775a2c1094a796879b66a5dcfc637a9ba153a842039c75e7f99342c3dcecb13 2303 ltsp_5.5.9-1.dsc
 169430f73301d70a86b593dbc5331f9992e98d4d5f83e19e6851f9ccc73b35ad 322124 ltsp_5.5.9.orig.tar.xz
 2f74ffe478a11f4c7176876510bd0a99ebe8b17196582c3721dc814d785dd164 76296 ltsp_5.5.9-1.debian.tar.xz
Files:
 d9188ff41a18e28acbe62afd7ab921a8 2303 misc extra ltsp_5.5.9-1.dsc
 308dbdaf5bdc61370d7fdbf21d707ab5 322124 misc extra ltsp_5.5.9.orig.tar.xz
 dd9b179d5901bfda1a414438fa8b8733 76296 misc extra ltsp_5.5.9-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQJHBAEBCgAxFiEEcDardHbDotegGFCHt4uC1IFLkbYFAlhHQGwTHHZhZ3JhbnRA
ZGViaWFuLm9yZwAKCRC3i4LUgUuRtulZD/9zrNwxTUP8KL3NMG8nXRa12MPJ5yhe
9nvKwO9dEzCvFhgBo98vP/AXbTItBK1SoP4cNhAaVJLOGtbN3Ft4R68PurZBxEah
0nDt7oKARJsqbfxiQgw3jRtV7rq3sz12Qk55RX9vC0uRmX6mN2OKT1a+/k7beQN7
bzJ2HPCDar7o41wmD0aB3BX8zfnuWw0G7IAec2UMLZrJwmEcwXxP2J5w9V6Hfie/
00PHgmOuBj6xV1PoBGXWtVWzDg+0SLkMUPfOoqTukt07tI+9AJohacF1Q3kEXfB8
Rmq52QDNnzKnLQgN2G3WOGJ0YfgsjTSB0TkIlg9t4OGsVJNniEeDzP4q1KZRhI+o
ygotwcSuGFvYp7hH9rXv1XZroZwZPgYvKm4ah5NMuQZ/4ZXrrfqA6BUs0K/IXyxL
0bSLRptTZ5W39JGHHOMfv3zxUGKLZaT2ZH0uavoVeK6B8/FW3cCwMS4nznKmTfcm
YCxPSgHipRqG6XoBzcKtz42fwrSk0wds+R7lsw3zYitPxWtJpMiyiTcu0WFvVLfT
tYkbZINlEwBDs78GQevfeHbgW/LtQeidS246wIHek5DWdIK+I4xOR8pUm6UVLioR
U+jWY+sF0dHW8qGypkU+rJsvYqfl/BSl2dPAii6lm8Fb5EAtr2mEZ+UvwRm/eEAO
znlIiNDHGc/GHg==
=8DvK
-----END PGP SIGNATURE-----

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 17 Feb 2017 07:32:06 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Jul 1 13:11:59 2023; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.