<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Wed, May 3, 2017 at 8:06 PM, Rob Landley <span dir="ltr"><<a href="mailto:rob@landley.net" target="_blank">rob@landley.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On 05/03/2017 04:48 AM, Pierre-Hugues HUSSON wrote:<br>
> cp -R --preserve copies the content of a folder, before copying<br>
> owner/permissions.<br>
<br>
You can't create things with arbitrary ownership, and writing to<br>
something with an suid bit removes the suid bit.<br>
<br>
> This can be problematic if the copy is canceled.<br>
><br>
> For instance, if we have<br>
> /a 1000 1000 0755<br>
> /a/b 2000 2000 0755<br>
><br>
> We'll have a point in time where during cp -R --preserve as root, we have:<br>
> /a 0 0 0775<br>
> /a/b 2000 2000 0755<br>
><br>
> The "cp" might command might be behind a daemon-wall, which leads to an<br>
> unrecoverable state.<br>
<br>
You can run cp as root but can't run cleanup as root?<br></blockquote><div><br></div><div>yeah, i'm not sure how you'd actually hit this with vold. here's a fragment of the relevant calling code:</div><div><br></div><div><div> // Step 2: clean up any stale data</div><div> if (execRm(toPath, 10, 10) != OK) {</div><div> goto fail;</div><div> }</div><div><br></div><div> // Step 3: perform actual copy</div><div> if (execCp(fromPath, toPath, 20, 60) != OK) {</div><div> goto copy_fail;</div><div> }</div></div><div> </div><div>if you have repro steps, [file a bug](<a href="https://source.android.com/source/report-bugs">https://source.android.com/source/report-bugs</a>).</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
> For instance, in Android, vold uses cp -R --preserve to move data from<br>
> internal to external storage and back.<br>
> vold runs as root, this means that if the copy is stopped during the<br>
> migration, /data/media will contain a root-owned directory. This means<br>
> this folder won't ever be removable or writable ever, unless the user<br>
> does a factory reset.<br>
<br>
This sounds like a bug in vold. (What's a vold?)<br>
<br>
<a href="https://www.slideshare.net/wiliwe/android-storage-vold" rel="noreferrer" target="_blank">https://www.slideshare.net/<wbr>wiliwe/android-storage-vold</a><br>
<br>
Android volume daemon. Ok.<br>
<br>
Part of the reason I did that was to minimize the likelihood of symlink<br>
attacks where you cp -a and somebody drops a symlink to a new file it<br>
wants you to overwrite. If they can't write to the directory until<br>
you're done with it, they can't do that. So it creates directories<br>
belonging to the user and non-world-writeable, copies the contents into<br>
them, and then does the chown/chmod to the final ownership and<br>
permissions on the way out. (This also avoids the problem of writing<br>
files into a read-only directory.)<br>
<br>
I could instead open the files O_EXCL but cp historically doesn't do<br>
that, and has defined behavior for "cp file /dev/ttyS0" and so on where<br>
it does O_TRUNC and then writes, so if you have a removable disk it<br>
images it and if you have hardlinks it updates all copies.<br>
<br>
I'm fine with changing how it works, just explaining why I did it in the<br>
first place.<br>
<br>
Elliott: any opinions on the right place to fix this?<br>
<br>
Rob<br>
______________________________<wbr>_________________<br>
Toybox mailing list<br>
<a href="mailto:Toybox@lists.landley.net">Toybox@lists.landley.net</a><br>
<a href="http://lists.landley.net/listinfo.cgi/toybox-landley.net" rel="noreferrer" target="_blank">http://lists.landley.net/<wbr>listinfo.cgi/toybox-landley.<wbr>net</a><br>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature">Elliott Hughes - <a href="http://who/enh" target="_blank">http://who/enh</a> - <a href="http://jessies.org/~enh/" target="_blank">http://jessies.org/~enh/</a><br>Android native code/tools questions? Mail me/drop by/add me as a reviewer.</div>
</div></div>