extra_data: In system-helper case, canonicalize uid/gid

Make sure all files produced by apply_extra are owned by root. Closes: #2398 Approved by: matthiasclasen
2026-05-19 06:11:47 -04:00 · 2018-12-07 16:04:22 +01:00
parent 7fb5f2a33e
commit 185fe43fb7
3 changed files with 28 additions and 3 deletions
--- a/common/flatpak-dir.c
+++ b/common/flatpak-dir.c
@@ -6700,7 +6700,10 @@ apply_extra_data (FlatpakDir   *self,
                     error))
    return FALSE;

-  if (!flatpak_canonicalize_permissions (AT_FDCWD, flatpak_file_get_path_cached (extra_files), error))
+  if (!flatpak_canonicalize_permissions (AT_FDCWD, flatpak_file_get_path_cached (extra_files),
+                                         getuid() == 0 ? 0 : -1,
+                                         getuid() == 0 ? 0 : -1,
+                                         error))
    return FALSE;

  if (exit_status != 0)
--- a/common/flatpak-utils-private.h
+++ b/common/flatpak-utils-private.h
@@ -479,6 +479,8 @@ gboolean flatpak_rm_rf (GFile        *dir,

 gboolean flatpak_canonicalize_permissions (int           parent_dfd,
                                           const char   *rel_path,
+                                           int           uid,
+                                           int           gid,
                                           GError      **error);

 char * flatpak_readlink (const char *path,
--- a/common/flatpak-utils.c
+++ b/common/flatpak-utils.c
@@ -1993,6 +1993,8 @@ static gboolean
 _flatpak_canonicalize_permissions (int           parent_dfd,
                                   const char   *rel_path,
                                   gboolean      toplevel,
+                                   int           uid,
+                                   int           gid,
                                   GError      **error)
 {
  struct stat stbuf;
@@ -2008,6 +2010,22 @@ _flatpak_canonicalize_permissions (int           parent_dfd,
      return FALSE;
    }

+  if ((uid != -1 && uid != stbuf.st_uid) || (gid != -1 && gid != stbuf.st_gid))
+    {
+      if (TEMP_FAILURE_RETRY (fchownat (parent_dfd, rel_path, uid, gid, AT_SYMLINK_NOFOLLOW)) != 0)
+        {
+          glnx_set_error_from_errno (error);
+          return FALSE;
+        }
+
+      /* Re-read st_mode for new owner */
+      if (TEMP_FAILURE_RETRY (fstatat (parent_dfd, rel_path, &stbuf, AT_SYMLINK_NOFOLLOW)) != 0)
+        {
+          glnx_set_error_from_errno (error);
+          return FALSE;
+        }
+    }
+
  if (S_ISDIR (stbuf.st_mode))
    {
      g_auto(GLnxDirFdIterator) dfd_iter = { 0, };
@@ -2031,7 +2049,7 @@ _flatpak_canonicalize_permissions (int           parent_dfd,
              if (!glnx_dirfd_iterator_next_dent (&dfd_iter, &dent, NULL, NULL) || dent == NULL)
                break;

-              if (!_flatpak_canonicalize_permissions (dfd_iter.fd, dent->d_name, FALSE, error))
+              if (!_flatpak_canonicalize_permissions (dfd_iter.fd, dent->d_name, FALSE, uid, gid, error))
                {
                  error = NULL;
                  res = FALSE;
@@ -2086,9 +2104,11 @@ _flatpak_canonicalize_permissions (int           parent_dfd,
 gboolean
 flatpak_canonicalize_permissions (int           parent_dfd,
                                  const char   *rel_path,
+                                  int           uid,
+                                  int           gid,
                                  GError      **error)
 {
-  return _flatpak_canonicalize_permissions (parent_dfd, rel_path, TRUE, error);
+  return _flatpak_canonicalize_permissions (parent_dfd, rel_path, TRUE, uid, gid, error);
 }

 /* Make a directory, and its parent. Don't error if it already exists.