Cannot set permissions with file resource to quoted string

Alexander_Skwar · November 3, 2015, 2:12pm

Hello

I'd need to remove the setuid bit from certain files (as that was the finding of some security audit). On the command line, I'd simply do a "chmod u-s $file", as that would be the least interfering way and would do exactly, what I would need to do: "Remove the setuid bit from a file".

How can I do that in a recipe? I tried:

%w[/usr/lib/pt_chown /usr/lib/eject/dmcrypt-get-device /usr/bin/chfn].each do |setuidfile|
    file "Setuid Berechtigung anpassen: " + setuidfile do
        path setuidfile
        mode "u-s"
    end # of file "Setuid Berechtigung anpassen: " + setuidfile do
end # of %w[/usr/lib/pt_chown /usr/lib/eject/dmcrypt-get-device /usr/bin/chfn].each do |setuidfile|

But this fails:

================================================================================
Recipe Compile Error in /opt/kitchen/cookbooks/ew-hardening/recipes/default.rb
================================================================================


ArgumentError
-------------
invalid value for Integer(): "0u-s"


Cookbook Trace:
---------------
  /opt/kitchen/cookbooks/ew-hardening/recipes/default.rb:141:in `block (2 levels) in from_file'
  /opt/kitchen/cookbooks/ew-hardening/recipes/default.rb:139:in `block in from_file'
  /opt/kitchen/cookbooks/ew-hardening/recipes/default.rb:138:in `each'
  /opt/kitchen/cookbooks/ew-hardening/recipes/default.rb:138:in `from_file'


Relevant File Content:
----------------------
/opt/kitchen/cookbooks/ew-hardening/recipes/default.rb:

134:  #############################################
135:  # Audit
136:  # Setuid Dateien anpassen
137:  # https://wiki.ubuntu.com/Security/Investigation/Setuid
138:  %w[/usr/lib/pt_chown /usr/lib/eject/dmcrypt-get-device /usr/bin/chfn].each do |setuidfile|
139:      file "Setuid Berechtigung anpassen: " + setuidfile do
140:          path setuidfile
141>>         mode "u-s"
142:      end # of file "Setuid Berechtigung anpassen: " + setuidfile do
143:  end # of %w[/usr/lib/pt_chown /usr/lib/eject/dmcrypt-get-device /usr/bin/chfn].each do |setuidfile|
144:  
145:  # EOF
146:  


Chef Client failed. 0 resources updated

But according to the docs at "mode", it should be possible to use a string, I'd think:

mode
Ruby Types: Integer, String
…
UNIX- and Linux-based systems: A quoted 3-5 character string that defines the octal mode that is passed to chmod. For example: '755', '0755', or '00755'. If the value is specified as a quoted string, it works exactly as if the chmod command was passed.

Í am passing this as a quoted string (I'd think…). But what am I doing wrong?

I'm on Chef 11.8.2.

Thanks a lot,
Alexander

Shubby · November 3, 2015, 2:28pm

You probably need to translate that "u-s" into an actual mode, e.g. '0755'. Yes, "u-s" is a string but it doesn’t contain something that Chef is able to process.
https://docs.chef.io/ruby.html#file-modes (note these are guidelines, not requirements, but you might as well adopt them)

Alexander_Skwar · November 3, 2015, 2:45pm

Hello

[quote="Shubby, post:2, topic:7259, full:true"]
You probably need to translate that "u-s" into an actual mode, e.g. '0755'. Yes, "u-s" is a string but it doesn't contain something that Chef is able to process.[/quote]

"u-s" cannot be translated into an actual mode. An actual mode also modifies the group and world permissions, whereas something like "u-s" does not. If I'm giving chef a valid string, why does it try to make an octal number out of it by prefixing a "0" to it? That's broken.

That's using chmod in a different way. It's kinda like trying to open a can with a sledge hammer, whereas I'd rather use a can opener to open a can.

Oh, well, guess that an "execute" resource is as good as it will get with Chef.

%w[/usr/lib/pt_chown /usr/lib/eject/dmcrypt-get-device /usr/bin/chfn].each do |setuidfile|
    execute "Setuid Berechtigung anpassen: " + setuidfile do
        command 'chmod u-s "' + setuidfile + '"'
        only_if {::File.stat(setuidfile).setuid?}
    end # of execute "Setuid Berechtigung anpassen: " + setuidfile do
end # of %w[/usr/lib/pt_chown /usr/lib/eject/dmcrypt-get-device /usr/bin/chfn].each do |setuidfile|

Feels a bit clumsy, though. I hate having to invoke shell tools.

Regards
Alexander

Shubby · November 3, 2015, 3:10pm

"u-s" cannot be translated into an actual mode. An actual mode also modifies the group and world permissions, whereas something like "u-s" does not.

What I meant by that is you should be able to set a mode that does not change the current group and world permissions because what you'd be setting is equal to what's already in place.

I think you have a misunderstanding around what a string is vs. what Chef expects. Just because the Chef docs tell you that the mode setting expects a string doesn't mean that it must accept the string you are passing. Like I said, yes, 'u-s' is a string, but so is '775' (as opposed to 775), but Chef is built to parse only the latter. That's not broken, that's by design. 'u-s' is not idempotent, which is against Chef's design philosophy.

Alexander_Skwar · November 3, 2015, 3:25pm

Shubby:

"u-s" cannot be translated into an actual mode. An actual mode also modifies the group and world permissions, whereas something like "u-s" does not.

What I meant by that is you should be able to set a mode that does not change the current group and world permissions because what you'd be setting is equal to what's already in place. [/quote]

Well, yeah, but that just cannot be done… "u-s" (or "g+w" or somesuch) is setting the filemodes "relatively", so to say. So, if the mode used to be "ug=rwx,o=rx,u+s" (or "04775"), then "u-s" would be equal to "00775". But if the old mode were "ug=rw,o=,u+s" (=> "04660"), "u-s" would be equal to "00660".

What you're asking (or what Chef is demanding) cannot be done. And that's why the handling is broken. It's trying to be more clever than the user and fails to be so.

[quote][quote="Alexander_Skwar, post:3, topic:7259"]
If I'm giving chef a valid string, why does it try to make an octal number out of it by prefixing a "0" to it? That's broken.

I think you have a misconception around what a string is vs. what Chef expects. Just because the Chef docs tell you that the mode setting expects a string doesn't mean that it must accept the string you are passing.
[/quote]

Then the docs are broken. It's not mentioned there, that valid mode letters (like "u-s", or "ug=rwx,o=") are not supported. If a valid string is given, it should be accepted. "u-s" is a valid string. The docs say, that strings are supported, but valid chmod strings aren't supported. As I quoted already, the docs say this: "If the value is specified as a quoted string, it works exactly as if the chmod command was passed." That is not what is happening.

Okay, so it's broken by design. That makes it not better, I'd think.

[quote] 'u-s' is not idempotent, which is against Chef's design philosophy.
[/quote]

How's 'u-s' not idempotent, but eg. 0644 is? Both would remove the setuid bit from a file, if the perm used to be "u+s".

Regards,
Alexander

Shubby · November 3, 2015, 3:51pm

Chef is expecting a valid octal mode, passed as an integer or a string, that's all. It would also be unable to parse something more mundane like +x because that's not an octal mode. Perhaps the docs could be clearer about what is considered a valid string -- it sounds like you're assuming that anything enclosed in quotes is a valid string, but really you're trying to fit a square peg into a round hole.

Imagine you have two servers and both have this file, /tmp/foo.txt.
On server A, its permissions are 775.
On server B, they are 755.
Now, you run this Chef recipe on both nodes with the following code:

file '/tmp/foo.txt' do
  mode 'g-x'
end

Ignore the fact that this wouldn't work to begin with, it's just an example. At the end, the file on server A would have mode = 765, and the same file on server B would have mode = 745. That's what's not idempotent. You're supposed to end up with the same end state, every time, and only by specifying the octal mode can you get that result reliably, which is why I'm assuming that specifying the mode the way you're trying to specify it is not supported.

Tensibai · November 3, 2015, 3:54pm

Quoting the doc, emphasis is mine:

UNIX- and Linux-based systems: A quoted 3-5 character string that defines the octal mode that is passed to chmod. For example: '755', '0755', or '00755'. If the value is specified as a quoted string, it works exactly as if the chmod command was passed. If the value is specified as an integer, prepend a zero (0) to the value to ensure that it is interpreted as an octal number. For example, to assign read, write, and execute rights for all users, use '0777' or '777'; for the same rights, plus the sticky bit, use '01777' or '1777'.

Reading only part of the doc won't help you. Both If goes together and are there to extend on the previous part saying it has to be a 3 to 5 digits string.

Relative mode changes on files are inherently unpredictable and does not describe a state, so obviously Chef do not allow it as you can't tell if the state of the permission is correct or not at the end of your action (Ok, you removed the setuid, so it should probably be executable, but by who ? only owner ? group too ? others ? Too much indetermination there.

When you use a configuration management system it is to ensure your system ends up in a predictable state, if you don't want to describe precisely your system state, Chef is probably not the right tool for you.

Alexander_Skwar · November 3, 2015, 4:04pm

[quote="Shubby, post:6, topic:7259, full:true"]
Chef is expecting a valid octal mode, passed as an integer or a string, that's all. [/quote]

Okay. But that is not what the docs say. The docs say, that it accepts a string, just like if chmod were run.

On the contrary. Chef is doing that. I am trying to interfere with the environment as little as possible. Whereas Chef is doing the opposite - it's always using a sledge hammer to open a can.

I'm not assuming that "anything" enclosed in quotes is a valid string. "foo" would not be. But if it's a string, Chef should assume that it is valid. If not, the user will notice anyway. Currently, Chef is trying to be too clever and is failing to do so. It is interpreting the string as a number and fails.

Alexander_Skwar:

How's 'u-s' not idempotent, but eg. 0644 is? Both would remove the setuid bit from a file, if the perm used to be "u+s".

Imagine you have two servers and both have this file, /tmp/foo.txt.
On server A, its permissions are 775.
On server B, they are 755.
Now, you run this Chef recipe on both nodes with the following code:
file '/tmp/foo.txt' do
  mode 'g-x'
end
Ignore the fact that this wouldn't work to begin with, it's just an example. At the end, the file on server A would have mode = 765, and the same file on server B would have mode = 745. That's what's not idempotent. [/quote]

Well, how did this happen in the first place? Just assume further, that you'd try to "chmod 0775 /tmp/a" on server a and "chmod 0775 /tmp/a" on server b, and /tmp/a doesn't exist on server b. That's what's not idempotent in chmod 0775.

Really, to compare this, one has to assume that preconditions are identical on both sides. Else, stupid things will happen, like we both have shown now.

[quote]You're supposed to end up with the same end state, every time, and only by specifying the octal mode can you get that result reliably, which is why I'm assuming that specifying the mode the way you're trying to specify it is not supported.

Nope. That's just not the case, as I've shown. Even with "chmod 0775", you will only end up with identical results, if other preconditions are met. It's simply that the number of preconditions differ with "chmod 0775" vs. "chmod u-s".

Alexander

Alexander_Skwar · November 3, 2015, 4:12pm

Tensibai:

Quoting the doc, emphasis is mine:

UNIX- and Linux-based systems: A quoted 3-5 character string that defines the octal mode that is passed to chmod. For example: '755', '0755', or '00755'. If the value is specified as a quoted string, it works exactly as if the chmod command was passed. If the value is specified as an integer, prepend a zero (0) to the value to ensure that it is interpreted as an octal number. For example, to assign read, write, and execute rights for all users, use '0777' or '777'; for the same rights, plus the sticky bit, use '01777' or '1777'.

Reading only part of the doc won't help you. Both If goes together and are there to extend on the previous part saying it has to be a 3 to 5 digits string.[/quote]

Well, yeah, but even that isn't right. The docs say, that if an int is passed, a 0 is prepended to it. That is not, what is happening. If a string is passed, a 0 is also prepended.

I think it simply boils down to this: Chef doesn't behave the way the docs are written. And it's trying to be clever, where there is no need.

Relative mode changes on files are inherently unpredictable

Uh? What do you mean? How is "u-s" unpredictable? It is very much predictable - it will only remove the setuid bit.

and does not describe a state,

It does. "Afterwards, the setuid bit is gone".

so obviously Chef do not allow it as you can't tell if the state of the permission is correct or not at the end of your action (Ok, you removed the setuid, so it should probably be executable,

probably? No. Who says so? If it should be executable, the string would have an x somewhere. Like "u-s,u+x" or whatnot.

but by who ? only owner ? group too ? others ? Too much indetermination there.

Nope. No indetermination at all there. With u+s, all is said. It only effects the user. Not group, Not others.

When you use a configuration management system it is to ensure your system ends up in a predictable state,

Exactly. But that is not, what is happening. The predictable state after "chmod u-s file" is, that "file" is no longer with a setuid bit.

[quote]if you don't want to describe precisely your system state, Chef is probably not the right tool for you.

Got to use Chef.
I want describe precisely my system state.
Chef doesn't let me do this (if we ignore execute blocks)

Regards,
Alexander

Tensibai · November 3, 2015, 4:21pm

No, the doc say that YOU have to prepend it with a 0 if you write it as an integer and not a quoted string, so it will be an octal number...

What should have be the point of a file being suid if it is not executable ?

It does not enforce a state, the permission on the file could be everything another process/user set them to, you just ensure the file is not suid, you're not sure it has the permission you assume would be after just removing the suid bit, which is not a precise description of the file state...

Alexander_Skwar · November 3, 2015, 5:36pm

[quote="Tensibai, post:10, topic:7259, full:true"]

No, the doc say that YOU have to prepend it with a 0 if you write it as an integer and not a quoted string, so it will be an octal number...[/quote]

No, the doc does not say, that the user has to prepend a 0. It gives examples, where the 0 is left out. Eg.: "For example, to assign read, write, and execute rights for all users, use '0777' or '777';"

However, the doc does NOT say, that Chef prepends a 0 to a string. But it does say this: "If the value is specified as a quoted string, it works exactly as if the chmod command was passed. ". "chmod u-s" works. But mode "u-s" does not. How is "does not work" exactly the same as "does work"?

Alexander_Skwar:

probably? No. Who says so?

What should have be the point of a file being suid if it is not executable ? [/quote]

That's not the problem of Chef and it shouldn't be. What's next? One can only do a "chmod 0644", if the owning directory would allow write permissions?

Consider this:
(1)6:17% sudo ls -laR /tmp/dir
/tmp/dir:
insgesamt 72
d--------- 2 root root  4096 Nov  3 18:17 .
drwxrwxrwt 7 root root 65536 Nov  3 18:17 ..
-r--r--r-- 1 a    root     0 Nov  3 18:17 file
Should a "chmod 0644" only be allowed, if the directory "/tmp/dir" would be owned by user "a", because what's the point of granting write permissions to a file, if he cannot write to it?

Chef doesn't check this and that's good. It should not check. But I guess, you'd now say, that it should check, right? Because a "chmod 0644" wouldn't make much sense here. But maybe it does, but only "later on". Same with "u-s".

The thing is - the admin probably knows what he's doing.

Alexander_Skwar:

Exactly. But that is not, what is happening. The predictable state after "chmod u-s file" is, that "file" is no longer with a setuid bit.

It does not enforce a state,

"chmod u-s" does NOT enforce a state? Your kidding, right? Of course it does enforce a state - the state "setuid is gone" is enforced. Nothing else.

But you're right. "chmod 0644 /tmp/file" also doesn't enforce a state. For example, if /tmp/file isn't there, it won't work.

the permission on the file could be everything another process/user set them to, you just ensure the file is not suid,

Yep, I just ensure that the file is not suid. Which is a bit in the permissions mask.

Same with "chmod 0644", btw. If ACL were used, "chmod 0444" might not do what one might expect. So with "chmod 0444", one doesn't set the state of a file to "read only for everybody". It could be something else.

you're not sure it has the permission you assume would be after just removing the suid bit,

Of course I am sure. For the part that I care about (=> setuid), I do exactly know what the state is, after running "chmod u-s".

[quote] which is not a precise description of the file state...

Yep, if you do a "chmod 0644 /tmp/foo/bar", you're also not sure what happens. For example, what happens, if /tmp/foo/bar isn't there? Or what happens, if it's set to "strange" rights (like in my /tmp/dir example above)?

If "chmod u-s" isn't idempotent, then "chmod 0644" also isn't. Because in both cases, it's easy to make up examples, which support the case. One just has to leave out bits of data, that support the own case.

"chmod u-s file" is a very precise description of the file state. It does not have the setuid bit set anymore. Cannot be much more precise.

Octals, on the other hand, are too broad. They describe things, which I don't care about (at this point).

Shubby · November 3, 2015, 6:02pm

The docs clearly do say that the user has to prepend a 0 if you're passing the value as an integer, and if using a string instead, that it must be three to five digits, e.g. '777', '0777', or '00777'. It is neither mentioned nor implied that a relative statement like +x is acceptable. It does not matter whether or not Chef prepends a zero to a string, because you're not supposed to pass something like +x or u-s, because it's not supported.

The first line of the same paragraph clearly states what the mode setting expects.
It must be a mode. That prevails over everything else. It cannot be something else. If it's a string, it can be 3, 4 or 5 digits and is passed to chmod as-is. Or apparently, it may be prepending a zero to your string behind the scenes for some reason, but it doesn't matter since u-s wouldn't be supported here whether Chef prepends the zero or not. It doesn't say that Chef passes that value to chmod as is, only that it works the same way as if you'd passed it to chmod, provided that it fits within the first and main parameter of the setting, which is that it requires an absolute mode made of 3 to 5 digits. Again, that's not broken, nor is it broken by design, it's just by design.

Actually it's quite certain what would happen if the file does not exist: an empty file would be created with mode 644.

Lamont_Granquist · November 3, 2015, 6:21pm

https://tickets.opscode.com/browse/CHEF-1857

I cut that ticket back in Nov 2010, its just not easy to implement due to changes needed deep in the bowels of Chef::ScanAccessControl and Chef::FileAccessControl, which are scary bits of code to touch.

Alexander_Skwar · November 4, 2015, 7:22am

Shubby:

It is neither mentioned nor implied that a relative statement like +x is acceptable. [/quote]

It is implied, that a string like "+x" would be acceptable. It clearly states, that it works exactly, as if the chmod command was passed. And the chmod command would accept "+x". It is not stated, that something like "+x" would not be acceptable.

It does not matter whether or not Chef prepends a zero to a string, because you're not supposed to pass something like +x or u-s, because it's not supported.

It does totally matter, because something like "0+x" makes no sense at all for the chmod command, whereas "+x" does. The docs do not say, that a user isn't supposed to pass something like +x or u-s. It does not state, that this is not supported.

[quote][quote="Alexander_Skwar, post:11, topic:7259"]
However, the doc does NOT say, that Chef prepends a 0 to a string. But it does say this: "If the value is specified as a quoted string, it works exactly as if the chmod command was passed. ". "chmod u-s" works. But mode "u-s" does not. How is "does not work" exactly the same as "does work"?

The first line of the same paragraph clearly states what the mode setting expects.
It must be a mode.[/quote]

"u+s" or "ugo=rwx" are modes. Those mode specifications aren't supported.

[quote][quote="Alexander_Skwar, post:11, topic:7259"]
Yep, if you do a "chmod 0644 /tmp/foo/bar", you're also not sure what happens. For example, what happens, if /tmp/foo/bar isn't there?
[/quote]

Actually it's quite certain what would happen if the file does not exist: an empty file would be created with mode 644.
[/quote]

But not, if the directory /tmp/foo doesn't exist.

[2015-11-04T08:19:30+01:00] ERROR: file[/tmp/foo/bar] (ew::test line 10) had an error: Chef::Exceptions::EnclosingDirectoryDoesNotExist: Parent directory /tmp/foo does not exist.
[2015-11-04T08:19:30+01:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)

So, no, it's not quite certain what would happen.

Alexander_Skwar · November 4, 2015, 7:27am

I suppose the problem boils down to the fact, that the Ruby File.chmod function does only support "mode_int". And thus, somebody would need to interprete the string passed. Up to now, maybe nobody has done so, it seems.

I haven't looked at it, but maybe it might be doable to copy the parsing from Gnu chmod?

Cheers
Alexander

Tensibai · November 4, 2015, 8:31am

What you're asking for go against a predictable state of the file at end as any external mode change out of the suid bit won't be checked nor enforced.

This is an as bad pattern as modifying files instead of managing its entire content in my opinion, maybe explaining why it has never be done too.

Alexander_Skwar · November 4, 2015, 9:10am

[quote="Tensibai, post:16, topic:7259, full:true"]

What you're asking for go against a predictable state of the file at end as any external mode change out of the suid bit won't be checked nor enforced. [/quote]

How is "chmod u-s $file" not specifying a predictable state? Afterwards, the setuid bit is gone.

If I only look at the setuid bit, I know how the state is afterwards: Gone.

Or if we'd talk about "chmod +x $file", we also know the state afterwards: The "x" bit for user, group and others is set. Sure, we do not know how the r and/or w bits are set. But we don't need to. Even with a "chmod 0700 /tmp/foo/bar", we do not know if the user as able to read-write-execute the file, because we do not know the permissions of the /tmp/foo directory.

So, in that respect, chmod 0700 $file also doesn't describe a predictable state regarding the accessability of the file.

Because of?

Regards
Alexander

Tensibai · November 4, 2015, 9:27am

This is just part of the state, not the state in my point of view.

I disagreee

I don't see how this is relevant to the start of the talk about string mode in file/template resources. (but I agree the parent directory should be managed too with mode enforced)

You won't convince me it's a correct practice to not manage the whole permission set, it get opens to too much DoS, errors, compromission or any other problem caused by out of band operation on this file.

I've said what I think about it, I'll stop there before we end up on a GodWin point.

Alexander_Skwar · November 4, 2015, 10:39am

[quote="Tensibai, post:18, topic:7259, full:true"]

This is just part of the state, not the state in my point of view.[/quote]

This is the whole part of the state that is important here. With chmod 0644 $file, you're also just looking at parts of the "file accessibility state". You're happy ignoring the permissions of directories, for example. In that respect, chmod 0644 also is not good, I assume.

[quote]

I disagreee[/quote]

For the question "is setuid set?", the state of the r/w/x bits is of no matter.

[quote]

I don't see how this is relevant to the start of the talk about string mode in file/template resources. [/quote]

It is important, because someone brought up the point, that "chmod u-s" somehow would not describe the state of some parts of file access. That was not my point.

Hopefully this will never happen.

But you already do. The file resource does not manage the permissions of directories (in the case of "file "/tmp/foo/bar" …"). So already now, not the whole permission set is managed. And that's somehow fine? Because of… … it's always been like that? Is that the only reason? Mind you, I would not want this. But I'm not after Chef forcing the user to manage the "complete set of permissions" (whatever that might be…) of a file.

Regards
Alexander

Topic		Replies	Views
Setsuid using chef Chef Infra (archive)	1	278	March 3, 2012
[RESOLVED] Differences in using sudo with test-kitchen vs chef-client Chef Infra (archive)	2	1230	August 8, 2017
File format change after cookbook upload Chef Infra (archive)	5	458	February 7, 2019
Chef Infra (archive)	1	306	March 21, 2014
Win Cookbook File Permission Denied Chef Infra (archive)	5	2536	September 24, 2016

Cannot set permissions with file resource to quoted string

Related topics