-
Notifications
You must be signed in to change notification settings - Fork 66
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Ownership of Released binaries is bad in Linux causing phantom "can't read file" errors #158
Comments
After running the code through strace, I've found the issue:
The code to open the firmware appears to be attempting to compare the effective UID of the runtime to the ownership of all the file paths" However the ownership of the published files from Releases have weird ownership:
After a |
Hi @gdevenyi, Thanks for reporting this issue. We implemented some Cert-C coding recommendations to check permissions and ownership before opening files. So that is where the checks are coming from. Here is some detail I added to the wiki about it. The permissions/ownership are possibly like this due to how the Github Actions CI handles builds. I'll see if adding a step to set |
I figured this was intentional, but the release packages start off broken, a user should build software as an unprivileged user, and the error you get isn't very helpful. All this adds up to a frustrating experience until I worked things out. |
That is totally fair and I also have on my todo list to expand on the reason for failing to open a file (permissions, ownership, file really not there, etc) as well since we introduced this change. |
As I'm looking into this, can you share some details about how you downloaded and extracted the release package so I can verify my changes are working as expected? For example, did you do the download in Windows or Linux, was it moved to a system via USB, etc just so I can attempt to repeat the process and verify my change. |
|
Thanks! That definitely repeated the issue. When I tested the tar as my user rather than root, ownership was 1000:1000 (my username in place here), but when I run the tar command as root, I see the same weird ownership from the release. I'm still testing to see if I can resolve this from the CI, but that is not what I would have expected to happen. |
That still ends up being a problem of course, because if you were to |
I have not had this be an issue when I've tested it this way. I'm still debugging to see if I can figure out why un-taring with root causes weird ownership to be set or how to resolve that. |
Unfortunately, the sudo bits don't work.
|
I have now tried setting ownership before tar and after tar and I have not been able to get the ownership to set as root:root. I do not know what else I can do to resolve this particular problem of ownership from the CI. If you have any other ideas for me to try I am happy to test them out as well.
I will debug this some more but I know we have tested this to make sure it can accept user files and root files. It's possible we missed something during testing or someone "fixed" this with a chown or chmod and we didn't log it, but I will check to make sure this is working. |
I figured out the tar issue! I'm cleaning up my CI changes, but I have managed to get it to keep root:root when extracting as root and it keeps the current user when extracting as current user (say UID 1000). What I was missing is |
Finishing how the tar files are created in github CI to fix permissions/ownership when extracting as root user. [#158]
Can you please try using wget on this test build to confirm that the CI changes I have made work for you now? |
Adding initial code to handle setting an error message to provide what went wrong when attempting to access a file and finding incorrect ownership or permissions during evaluation. This will provide a user more information to determine where the security issue is so that they can address it properly and try again once it has been corrected. [Seagate/openSeaChest#158] Signed-off-by: Tyler Erickson <[email protected]>
Running download/extract/commands as root work correctly now, no file access issues. |
Trying to update a drive's firmware:
The file definitely exists at the path and is accessible.
The text was updated successfully, but these errors were encountered: