Opened 6 years ago

Closed 6 years ago

Last modified 6 years ago

#54963 closed defect (fixed)

Ports cannot set setuid bit

Reported by: danchr (Dan Villiom Podlaski Christiansen) Owned by: raimue (Rainer Müller)
Priority: Normal Milestone: MacPorts 2.4.2
Component: base Version: 2.4.99
Keywords: highsierra Cc: ryandesign (Ryan Carsten Schmidt), Schamschula (Marius Schamschula), raimue (Rainer Müller), jmroot (Joshua Root)
Port:

Description

Found in bug #54958:

Ports cannot set the setuid bit on High Sierra; it works outside the ports infrastructure, but not within it. The attached tarball contains a simple port that tries to set the setuid bit on a file, checks that it succeeds. The ‘build’ phase fails on High Sierra.

Attachments (1)

setuid-test.tar (4.5 KB) - added by danchr (Dan Villiom Podlaski Christiansen) 6 years ago.
Fixed test port

Download all attachments as: .zip

Change History (11)

comment:1 Changed 6 years ago by raimue (Rainer Müller)

Cc: raimue added

The test script uses chmod u+t, which is invalid. This is the sticky bit (+t), not setuid (+s). The sticky bit cannot be set in combination with any of ugo as it is a global flag. This should read chmod u+s.

Also the result in the test command in the last line for stat -f %p should probably be 104755.

After fixing the issues above with chmod u+s and 104755, I can confirm that this port works on macOS 10.12 Sierra, but not on macOS 10.13 High Sierra.

comment:2 Changed 6 years ago by raimue (Rainer Müller)

The problem appears to occur due to sandbox-exec:

highsierra $ files/test.sh
-rwsr-xr-x+ 1 raimue  wheel  0 Oct  1 20:29 xxx
-rwsr-xr-x -> 104755
highsierra $ rm -f xxx
highsierra $ sandbox-exec -p '(version 1) (allow default)' files/test.sh
-rwxr-xr-x+ 1 raimue  wheel  0 Oct  1 20:29 xxx
-rwxr-xr-x -> 100755

That behavior changed from macOS 10.12 Sierra:

sierra $ sandbox-exec -p '(version 1) (allow default)' files/test.sh
-rwsr-xr-x+ 1 raimue  wheel  0 Oct  1 20:29 xxx
-rwsr-xr-x -> 104755

Changed 6 years ago by danchr (Dan Villiom Podlaski Christiansen)

Attachment: setuid-test.tar added

Fixed test port

comment:3 in reply to:  2 Changed 6 years ago by danchr (Dan Villiom Podlaski Christiansen)

Replying to raimue:

The problem appears to occur due to sandbox-exec: […]

Interestingly, it works if you cd into files and invoke ./test.sh instead…

comment:4 Changed 6 years ago by danchr (Dan Villiom Podlaski Christiansen)

Summary: Ports cannot set sticky bitPorts cannot set setuid bit
Last edited 6 years ago by danchr (Dan Villiom Podlaski Christiansen) (previous) (diff)

comment:5 Changed 6 years ago by raimue (Rainer Müller)

I can get it to work if I grant the file-write-setugid permission explicitly. I guess the default changed, but I have no idea how to retrieve that to confirm it.

highsierra $ sandbox-exec -p '(version 1) (allow default) (allow file-write-setugid)' files/test.sh
-rwsr-xr-x+ 1 raimue  wheel  0 Oct  1 20:44 xxx
-rwsr-xr-x -> 104755

As a side note, it looks like Apple also killed the very useful tracing ability with sandbox-exec -p '(version 1) (deny default) (trace "xxx.sb")' ... that reports all actions that would were attempted while still allowing all actions. This is the way I could debug this using Sierra. No idea how something like that could be done on High Sierra alone...

comment:6 Changed 6 years ago by danchr (Dan Villiom Podlaski Christiansen)

AFAICT this fixes it:

  • src/port1.0/portsandbox.tcl

    diff --git a/src/port1.0/portsandbox.tcl b/src/port1.0/portsandbox.tcl
    a b proc portsandbox::set_profile {target} { 
    8989(regex #\"^(/private)?(/var)?/tmp/\" #\"^(/private)?/var/folders/\"))"
    9090
    9191    foreach dir $allow_dirs {
    92         append portsandbox_profile " (allow file-write* ("
     92        append portsandbox_profile " (allow file-write* file-write-setugid ("
    9393        if {${os.major} > 9} {
    9494            append portsandbox_profile "subpath \"${dir}\"))"
    9595        } else {

comment:7 Changed 6 years ago by ryandesign (Ryan Carsten Schmidt)

Cc: jmroot added

Sounds like we should get a MacPorts 2.4.2 out quickly with this fix.

comment:9 Changed 6 years ago by raimue (Rainer Müller)

Owner: set to raimue
Resolution: fixed
Status: newclosed

In d72ad486b428570538ae0403675271242985c42f/macports-base:

sandbox: Add file-write-setugid for macOS 10.13

On macOS 10.13 High Sierra, file-write* does not seem to include
file-write-setugid, therefore adding it explicitly to allow build
scripts to produce suid/sgid binaries.

Closes: #54963

comment:10 Changed 6 years ago by raimue (Rainer Müller)

Milestone: MacPorts 2.4.2

This fix was released with MacPorts 2.4.2.

Note: See TracTickets for help on using tickets.