[pacman-dev] [PATCH 1/2] makepkg: don't let the strip program mess up file attributes
Eli Schwartz
eschwartz at archlinux.org
Mon Feb 8 01:20:07 UTC 2021
On 2/7/21 7:55 PM, Eli Schwartz wrote:
> It updates the stripped file by creating a temp file, chown/chmodding
> it, and replacing the original file. But upstream binutils has
> CVE-worthy issues with this if running strip as root, and some recent
> versions of strip don't play nicely with fakeroot.
>
> Also, this has always destroyed xattrs. :/
>
> Sidestep the issue by telling strip to write to a temporary file, and
> manually dump the contents of that back into the original binary. Since
> the original binary is intact, albeit with different contents, it
> retains its correct attributes in fakeroot.
Note: this is an alternative to Allan's patch "maintain file ownership
while stripping". It does not rely on reintroducing @STATCMD@ and
running chown, because that does not solve the xattr problem -- which is
a problem that bothered me for a long time, but the binutils issue
finally incentivized me sit down and implement this.
Initially I wanted to use getfattr/setfattr, but this is not portable
and does not solve the ownership issues either, at which point I
realized retaining the original file is the simplest solution for both
problems!
> Signed-off-by: Eli Schwartz <eschwartz at archlinux.org>
> ---
> scripts/libmakepkg/tidy/strip.sh.in | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/scripts/libmakepkg/tidy/strip.sh.in b/scripts/libmakepkg/tidy/strip.sh.in
> index 4d50f4475..f7238f813 100644
> --- a/scripts/libmakepkg/tidy/strip.sh.in
> +++ b/scripts/libmakepkg/tidy/strip.sh.in
> @@ -93,7 +93,10 @@ strip_file() {
> fi
> fi
>
> - strip $@ "$binary"
> + if strip "$@" "$binary" -o "$binary.stripped"; then
> + cat "$binary.stripped" > "$binary"
> + fi
> + rm -f "$binary.stripped"
> }
>
>
>
--
Eli Schwartz
Bug Wrangler and Trusted User
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/pacman-dev/attachments/20210207/8198e5fe/attachment.sig>
More information about the pacman-dev
mailing list