Project

General

Profile

Bug #16383

3.12~rc fails to configure printers

Added by u 8 months ago. Updated 8 months ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
Hardware support
Target version:
Start date:
01/22/2019
Due date:
% Done:

100%

Feature Branch:
bugfix/16383-printer-config+force-all-tests
Type of work:
Code
Blueprint:
Starter:
Affected tool:

Description

There were two reports on tails-testers that said that thy cannot install their network printers anymore:


3.12RC detects my network connected Brother HL2070N, but "printer installation" fails. 

3.12RC does *not* detect my UBS connected HL2070N printer. The detection process/step appears not to happen/is not initiated.

ALL Tails versions prior to 3.12RC have both detected and successfully "installed" this printer.


Related issues

Blocks Tails - Feature #15507: Core work 2019Q1: Foundations Team Resolved 04/08/2018

Associated revisions

Revision 7dd2850e (diff)
Added by intrigeri 8 months ago

Preserve setuid & setgid bits when giving files back to their renumbered owner (refs: #16383)

chown(1) and chgrp(1) rely on the chown(2) system call, which clears setuid,
setgid, and friends (capabilities, ACLs, etc.).

So when 02da477970fcfe007529e7bb7977ea373ce0f33c started
running chgrp on files owned by the messagebus group,
/usr/lib/dbus-1.0/dbus-daemon-launch-helper lost its setuid bit,
which broke setting up a printer in Tails 3.12~rc1.

This commit fixes this, by ensuring we don't lose the setuid & setgid bits along
the way anymore.

Note that the storage stack that backs our root filesystem supports neither
extended attributes (getfattr/setfattr), nor Linux filesystem
attributes (lsattr/chattr), nor file capabilities (getcap/setcap), nor ACLs.
On the one hand it's too bad, e.g. the lack of support for capabilities is the
reason why /bin/ping is setuid root on Tails but not on the average Debian
system. OTOH it makes it vastly easier to fix this bug: the only thing we need
to restore here is basic Unix DAC permissions.

Revision 8b8755d7
Added by intrigeri 8 months ago

Merge branch 'bugfix/16383-printer-config+force-all-tests' into testing (Fix-committed: #16383)

History

#1 Updated by u 8 months ago

  • Subject changed from 3.12 fails to install network printers to 3.12~rc fails to install network printers

#2 Updated by intrigeri 8 months ago

  • Subject changed from 3.12~rc fails to install network printers to 3.12~rc fails to configure Brother HL2070N printers
  • Category set to Hardware support

(This affects that printer when connected via USB too. We don't know yet if this affects any other printer.)

Thanks. I'll test with a printer I have access to.

Help desk, please let me know if this sort of regression is reported.

#3 Updated by intrigeri 8 months ago

  • Subject changed from 3.12~rc fails to configure Brother HL2070N printers to 3.12~rc fails to configure printers
  • Assignee set to intrigeri

Reproduced with a HP network printer. I'll investigate the errors I see in the logs.

#4 Updated by intrigeri 8 months ago

Relevant logs:

Jan 23 16:49:40 amnesia dbus[1141]: [system] Activating service name='org.opensuse.CupsPkHelper.Mechanism' (using servicehelper)
Jan 23 16:49:40 amnesia dbus[9520]: [system] Failed to reset fd limit before activating service: org.freedesktop.DBus.Error.AccessDenied: Failed to restore old fd limit: Operation not permitted
Jan 23 16:49:40 amnesia dbus[1141]: [system] Activated service 'org.opensuse.CupsPkHelper.Mechanism' failed: The permission of the setuid helper is not correct
Jan 23 16:49:40 amnesia gnome-control-c[9471]: GDBus.Error:org.freedesktop.DBus.Error.Spawn.PermissionsInvalid: The permission of the setuid helper is not correct
Jan 23 16:49:40 amnesia gnome-control-c[9471]: Installation of the new printer failed.

#5 Updated by intrigeri 8 months ago

On Tails 3.11, /usr/lib/dbus-1.0/dbus-daemon-launch-helper is setuid root. On 3.12~rc1 it's not but making it setuid root fixes this regression.

#6 Updated by intrigeri 8 months ago

These permissions are normally set via dpkg-statoverride in dbus.postinst. I suspect one of our build hooks breaks this, debugging.

#7 Updated by intrigeri 8 months ago

Before Changing GID for messagebus (109 -> 1050) the permissions are correct: -rwsr-xr--. But after that they're broken: -rwxr-xr--.

#8 Updated by intrigeri 8 months ago

  • Status changed from Confirmed to In Progress

chown() clears setuid, setgid, and possibly also capabilities and ACLs. So we need to do something a bit more elaborate to ensure we don't lose them along the way. More info and implementation ideas:

#9 Updated by intrigeri 8 months ago

#10 Updated by intrigeri 8 months ago

The storage stack that backs our / supports neither extended attributes (getfattr/setfattr), nor Linux filesystem attributes (lsattr/chattr), nor file capabilities (getcap/setcap), nor ACLs. On the one hand it's too bad, e.g. the lack of support for capabilities is the reason why /bin/ping is setuid root on Tails but not on the average Debian system. OTOH it'll make it vastly easier to fix this bug: the only thing we need to restore is basic DAC permissions (chmod).

#11 Updated by intrigeri 8 months ago

  • % Done changed from 0 to 10
  • Feature Branch set to bugfix/16383-printer-config+force-all-tests

#12 Updated by intrigeri 8 months ago

  • Assignee changed from intrigeri to lamby
  • QA Check set to Ready for QA

Built an ISO, confirmed the permissions of /usr/lib/dbus-1.0/dbus-daemon-launch-helper are fixed, verified that I can configure a printer. Verified that the list of setuid and/or setgid executables did not suddenly become huge. Please do a code review, optionally some of these tests and/or other checks you can think of. I'm happy to check the CI results myself.

Thanks!

#13 Updated by lamby 8 months ago

[Not marking as QA complete, see below]

Methodology:

  • Checked out bugfix/16383-printer-config+force-all-tests at 7dd2850e7a084911c0d71a6211b6eba561148b12 ("_Preserve setuid & setgid bits when giving files back to their renumbered owner (refs: #16383)_")
  • Built. See attached tails-amd64-bugfix_16383-printer-config+force-all-tests-3.12-20190124T2023Z-7dd2850e7a.buildlog.xz
  • Booted image in qemu, adding administration password

  • Confirming setuid root bit now set:

… but I don't see aetgid, so you get:

Is this actually a problem?

#14 Updated by intrigeri 8 months ago

Across 2 full test suite runs on Jenkins, every scenario passed at least once except:

  • "MAC address spoofing fails and the module is not removed": notification not seen, known issue; thanks to 26671c6e2c6361a12d284f0e95cdc78ecce9c146 at least we know that the safety-critical properties are satisfied
  • "Watching a WebM video over HTTPS": always fails on Jenkins these days, not sure why (#10442)

#15 Updated by intrigeri 8 months ago

  • Assignee changed from intrigeri to lamby
  • Confirming setuid root bit now set:
    … but I don't see aetgid, so you get:

Is this actually a problem?

/var/lib/dpkg/info/dbus.postinst sets permissions on this file to 4754, i.e. what you've observed. I see the same permissions on Tails 3.11 and on my sid system so everything seems to be in order.

The fact the amnesia user cannot execute this program has nothing to do with the setgid bit: instead, it's because amnesia not in the messagebus group and the executable bit is not set for "others". That's on purpose: only members of the messagebus group, i.e. the messagebus user, are meant to benefit from the setuid root property (so the system-wide D-Bus daemon can start this helper as root).

#16 Updated by lamby 8 months ago

  • Assignee changed from lamby to intrigeri
  • QA Check changed from Ready for QA to Pass

the system-wide D-Bus daemon can start this helper as root

Getcha. I assumed it was per-user and/or amnesia needed to part of that group. :) Marking as QA pass and returning to you.

#17 Updated by intrigeri 8 months ago

  • Status changed from In Progress to Fix committed
  • % Done changed from 10 to 100

#18 Updated by intrigeri 8 months ago

  • Assignee deleted (intrigeri)

Thanks!

#19 Updated by anonym 8 months ago

  • Status changed from Fix committed to Resolved

#20 Updated by anonym 8 months ago

  • Target version changed from Tails_3.12 to Tails_3.13

Also available in: Atom PDF