You are not logged in.

#1 2012-08-01 20:39:31

starfry
Member
From: Surrey, UK
Registered: 2010-08-18
Posts: 230

File capabilities and tar

Hopefully this is a good place to discuss an issue I discovered today smile

Earlier today I had a problem with 'ping' on a newly deployed system. I use an automated build and install process that creates images in a compressed tar format. After deploying such a system (something I've done many times before) I noticed that 'ping' could only be executed by root. I discussed that issue separately here: https://bbs.archlinux.org/viewtopic.php?pid=1140047.

Long story short, the way 'ping' allows unprivileged users to run it was recently changed from suid file capabilities. Taking a filesystem and tarring it does not preserve those capabilities within the archive. Therefore, any extract from such a tar file will result in a system that is missing the capabilities that allow regular users to use ping.

That is the one example that I know of. Until today I knew nothing about file capabilities and I don't know if their use is limited to ping or if it is a wider issue (any other readers not knowing about capabilities might want to 'man getcap' or 'man capabilities').

I'm just looking for thoughts on the subject really as this would appear to me to be a serious break in something that people use for backups, etc. I believe the same problem happens with other tools people might use for backups such as cpio...

What do people think about this ?

Offline

#2 2012-08-01 21:00:36

Leonid.I
Member
From: Aethyr
Registered: 2009-03-22
Posts: 999

Re: File capabilities and tar

Are you using GNU tar or bsdtar? AFAIK the former does not support extended attributes (https://bugzilla.redhat.com/show_bug.cgi?id=771927), while the latter does (http://lists.debian.org/debian-user/201 … 00524.html). This might change at some point though...


Arch Linux is more than just GNU/Linux -- it's an adventure
pkill -9 systemd

Offline

#3 2012-08-02 10:02:31

starfry
Member
From: Surrey, UK
Registered: 2010-08-18
Posts: 230

Re: File capabilities and tar

I have just tested with bsdtar and that does indeed preserve the file capabilities as long as the extract is done by root. Using bsdtar is the obvious solution to my issue.

Out of interest, I also tested a straight copy of a file (as root) and found that the copy does not retain its capabilites:

$ sudo -i
# getcap /usr/bin/ping
/usr/bin/ping = cap_net_raw+ep
# cp /usr/bin/ping ~
# getcap ~/ping
# 

Perhaps I'm missing the point but it looks to me like this capabilities mechanism seems to be somewhat fragile...

Offline

#4 2012-08-02 10:13:50

skanky
Member
From: WAIS
Registered: 2009-10-23
Posts: 1,847

Re: File capabilities and tar

starfry wrote:

I have just tested with bsdtar and that does indeed preserve the file capabilities as long as the extract is done by root. Using bsdtar is the obvious solution to my issue.

Out of interest, I also tested a straight copy of a file (as root) and found that the copy does not retain its capabilites:

$ sudo -i
# getcap /usr/bin/ping
/usr/bin/ping = cap_net_raw+ep
# cp /usr/bin/ping ~
# getcap ~/ping
# 

Perhaps I'm missing the point but it looks to me like this capabilities mechanism seems to be somewhat fragile...

With cp you need to use --preserve to preserve any attributes. See the man page for details, but --preserve=all should do it.


"...one cannot be angry when one looks at a penguin."  - John Ruskin
"Life in general is a bit shit, and so too is the internet. And that's all there is." - scepticisle

Offline

#5 2012-08-05 20:34:48

Lennie
Member
From: Sweden
Registered: 2011-10-12
Posts: 146

Re: File capabilities and tar

It's the same with rsync. I used rsync with the flags -av  as root to make backup of my system to another partition for some experimenting, and I was not allowed to ping as user on the copy.

Offline

#6 2012-08-05 20:47:42

ebal
Member
From: Athens, Greece
Registered: 2009-05-26
Posts: 224
Website

Re: File capabilities and tar

Are both your source and destination paths based on ext2/3/4 filesystem ?

try using rsync (or copy)  /usr/bin/ping to your dest and check capabilities before continue


https://balaskas.gr
Linux System Engineer - Registered Linux User #420129

Offline

#7 2012-08-05 21:18:45

djgera
Developer
From: Buenos Aires - Argentina
Registered: 2008-12-24
Posts: 723
Website

Re: File capabilities and tar

@Lennie: Use rsync -X for extended attributes, and -A for file ACL;)

Offline

#8 2012-08-05 21:20:51

Lennie
Member
From: Sweden
Registered: 2011-10-12
Posts: 146

Re: File capabilities and tar

Both are Ext4. The original file had '/usr/bin/ping = cap_net_raw+ep' but not the copy.

Offline

Board footer

Powered by FluxBB