[pacman-dev] [PATCH 1/2] makepkg: don't let the strip program mess up file attributes

Eli Schwartz eschwartz at archlinux.org
Mon Feb 8 01:20:07 UTC 2021


On 2/7/21 7:55 PM, Eli Schwartz wrote:
> It updates the stripped file by creating a temp file, chown/chmodding
> it, and replacing the original file. But upstream binutils has
> CVE-worthy issues with this if running strip as root, and some recent
> versions of strip don't play nicely with fakeroot.
> 
> Also, this has always destroyed xattrs. :/
> 
> Sidestep the issue by telling strip to write to a temporary file, and
> manually dump the contents of that back into the original binary. Since
> the original binary is intact, albeit with different contents, it
> retains its correct attributes in fakeroot.

Note: this is an alternative to Allan's patch "maintain file ownership
while stripping". It does not rely on reintroducing @STATCMD@ and
running chown, because that does not solve the xattr problem -- which is
a problem that bothered me for a long time, but the binutils issue
finally incentivized me to sit down and implement this.

Initially I wanted to use getfattr/setfattr, but this is not portable
and does not solve the ownership issues either, at which point I
realized retaining the original file is the simplest solution for both
problems!

> Signed-off-by: Eli Schwartz <eschwartz at archlinux.org>
> ---
>  scripts/libmakepkg/tidy/strip.sh.in | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/scripts/libmakepkg/tidy/strip.sh.in b/scripts/libmakepkg/tidy/strip.sh.in
> index 4d50f4475..f7238f813 100644
> --- a/scripts/libmakepkg/tidy/strip.sh.in
> +++ b/scripts/libmakepkg/tidy/strip.sh.in
> @@ -93,7 +93,10 @@ strip_file() {
>  		fi
>  	fi
>  
> -	strip $@ "$binary"
> +	if strip "$@" "$binary" -o "$binary.stripped"; then
> +		cat "$binary.stripped" > "$binary"
> +	fi
> +	rm -f "$binary.stripped"
>  }
>  
>  
> 
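Review bot: the result of `cat "$binary.stripped" > "$binary"` inside the new `if` body is never checked, so a write that fails partway leaves `$binary` truncated or partial while strip_file still returns the status of `rm -f`. Test the `cat` as well and report an error when it fails, so a damaged binary does not end up in the package unnoticed. The fixed name `"$binary.stripped"` is also worth a second look: if the package already ships a file with that name, strip overwrites it and the `rm -f` then deletes it; a name generated next to the binary with mktemp would avoid that.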


-- 
Eli Schwartz
Bug Wrangler and Trusted User
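
The property the message above relies on, as an added shell example that is not part of the patch or of makepkg: replacing a file by rename yields a new inode with a fresh mode, while writing back into the existing file keeps the inode, which is what mode, ownership and xattrs are attached to. The function names and file contents are constructed, and `printf` stands in for strip.

```shell
#!/bin/sh
# Constructed demo: no strip binary is needed, printf produces the "stripped" data.

inode_of() { ls -di "$1" | awk '{print $1}'; }
mode_of()  { ls -ld "$1" | cut -c1-10; }

# Temp file moved over the original: the path now points at a new inode.
replace_by_rename() {
    printf 'stripped\n' > "$1.tmp" && mv -f "$1.tmp" "$1"
}

# Approach described in the message: write elsewhere, then copy the
# contents back into the original file, which keeps its inode.
replace_in_place() {
    printf 'stripped\n' > "$1.tmp" && cat "$1.tmp" > "$1"
    rc=$?
    rm -f "$1.tmp"
    return $rc
}

# Returns 0 when the method named in $1 updates the contents and leaves
# inode number and permission bits unchanged.
keeps_identity() {
    dir=$(mktemp -d) || return 2
    f=$dir/binary
    printf 'original contents\n' > "$f"
    chmod 750 "$f"
    before="$(inode_of "$f") $(mode_of "$f")"
    "$1" "$f"
    after="$(inode_of "$f") $(mode_of "$f")"
    content=$(cat "$f")
    rm -rf "$dir"
    [ "$content" = stripped ] && [ "$before" = "$after" ]
}

for method in replace_by_rename replace_in_place; do
    if keeps_identity "$method"; then
        echo "$method: inode and mode preserved"
    else
        echo "$method: inode or mode changed"
    fi
done
```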
