bug-coreutils

Re: coreutils-8.2 bug-fix-only release coming soon


From: Jim Meyering
Subject: Re: coreutils-8.2 bug-fix-only release coming soon
Date: Sun, 06 Dec 2009 09:54:00 +0100

Ludovic Courtès wrote:
> Jim Meyering <address@hidden> writes:
>
>> Ludovic Courtès wrote:
>>> The latest build has all the output:
>>> http://hydra.nixos.org/build/171993/log/raw .
>>
>> Thanks for investigating.
>>
>>> Regarding ‘chgrp/basic’, the test finds groups='30000 65534'.  However,
>>> 65534 corresponds to ‘nogroup’.  (The build process runs under a special
>>> user, typically:
>>>
>>>   $ id nixbld1
>>>   uid=30001(nixbld1) gid=65534(nogroup) groups=30000(nixbld),65534(nogroup)
>>
>> It looks like there is something different
>> about NixOS, since normally when a user U is a member
>> of a group G, and U runs "chown U:G file", that command succeeds.
>
> After some time investigating (with help from Lluís Battle), here’s a
> snippet to reproduce the problem:

Thanks.
The trouble is that this code appears to be doing incomplete
"su" emulation, in that it does not set the supplementary groups.
Running chown with "USER:" (that's part of the failing tests) requires
that the login group (in this case, 65534) be one of the groups of USER,
but below, you've arranged only for 30001.

You might want to look at coreutils' src/setuidgid.c.
Note how it also calls setgroups.

> #include <stdlib.h>
> #include <stdio.h>
> #include <assert.h>
> #include <unistd.h>
> #include <sys/types.h>
> #include <sys/stat.h>
> #include <fcntl.h>
>
> int
> main (int argc, char *argv[])
> {
>   int err;
>
>   assert (setegid (30000) /* nixbld */ == 0);
>   assert (seteuid (30001) /* nixbld1 */ == 0);
>   assert (creat ("foo", 0644) >= 0);  /* creat's second argument is a file mode, not open flags */
>   err = chown ("foo", -1, 65534 /* nogroup */);
>   if (err)
>     perror ("chgrp");
>
>   return 0;
> }
>
> The problem is that egid == 30000.  id(1) sees group 65534 from
> getpwuid(3) or similar.  However, under ‘_POSIX_CHOWN_RESTRICTED’, the
> chown(2) call above fails with EPERM.  QED.
>
> I’m not sure what should be done from there...
>
> Thanks,
> Ludo’.
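
The point made in the reply above (an su-style switch also has to set the supplementary groups) as an added example; it is not code from this thread or from coreutils' src/setuidgid.c. The function names `process_has_group` and `drop_to` are hypothetical, the numeric IDs are the ones quoted in the thread, and `main` assumes it is started as root.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Return 1 if GID is the effective group or a supplementary group of this
   process, 0 if not, -1 on error.  A non-privileged chown(2) that changes
   a file's group is checked against this set.  */
int process_has_group (gid_t gid)
{
  if (gid == getegid ())
    return 1;
  int n = getgroups (0, NULL);          /* ask for the list size first */
  gid_t *list = n < 0 ? NULL : malloc ((n + 1) * sizeof *list);
  if (!list)
    return -1;
  n = getgroups (n, list);
  int found = 0;
  for (int i = 0; i < n; i++)
    found |= (list[i] == gid);
  free (list);
  return n < 0 ? -1 : found;
}

/* Switch a root process to UID/GID with the given supplementary groups.
   setgroups and setgid need privilege, so setuid has to come last.  */
int drop_to (uid_t uid, gid_t gid, const gid_t *groups, size_t ngroups)
{
  if (setgroups (ngroups, groups) != 0 || setgid (gid) != 0
      || setuid (uid) != 0)
    return -1;
  /* Confirm the switch took effect before doing any work as the new user.  */
  return (geteuid () == uid && getegid () == gid) ? 0 : -1;
}

int main (void)
{
  /* IDs from the thread: nixbld1, login group nogroup, plus nixbld.  */
  const gid_t groups[] = { 30000, 65534 };
  if (drop_to (30001, 65534, groups, 2) != 0)
    {
      perror ("drop_to (needs root)");
      return 1;
    }
  printf ("65534 usable for chgrp: %d\n", process_has_group (65534));
  printf ("30000 usable for chgrp: %d\n", process_has_group (30000));
  return 0;
}
```

Without the `setgroups` call, a process that only changes its effective IDs keeps whatever supplementary list it started with, which is why the reproducer's group set does not match what id(1) reports for the user.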



