GNU bug report logs -
#29212
Setuid programs don't honor the system's timezone
Previous Next
To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 29212 in the body.
You can then email your comments to 29212 AT debbugs.gnu.org in the normal way.
Toggle the display of automated, internal messages from the tracker.
Report forwarded
to
bug-guix <at> gnu.org:
bug#29212; Package
guix.
(Wed, 08 Nov 2017 14:37:02 GMT)
Full text and
rfc822 format available.
Acknowledgement sent
to
Diego Nicola Barbato <dnbarbato <at> posteo.de>:
New bug report received and forwarded. Copy sent to
bug-guix <at> gnu.org.
(Wed, 08 Nov 2017 14:37:02 GMT)
Full text and
rfc822 format available.
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
Hello Guix,
XLockMore (as invoked by the command `xlock') displays the wrong time on
the lock screen. Instead of honouring the timezone set in `config.scm'
(as do other programs e.g. the `date' command) it displays UTC.
Greetings
Diego
Information forwarded
to
bug-guix <at> gnu.org:
bug#29212; Package
guix.
(Wed, 08 Nov 2017 20:58:02 GMT)
Full text and
rfc822 format available.
Message #8 received at 29212 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
Hi,
Diego Nicola Barbato <dnbarbato <at> posteo.de> skribis:
> XLockMore (as invoked by the command `xlock') displays the wrong time on
> the lock screen. Instead of honouring the timezone set in `config.scm'
> (as do other programs e.g. the `date' command) it displays UTC.
The problem is that setuid programs ignore $TZDIR; quoth ‘tzfile.c’ in
libc:
/* We must not allow to read an arbitrary file in a setuid
program. So we fail for any file which is not in the
directory hierachy starting at TZDIR
and which is not the system wide default TZDEFAULT. */
if (__libc_enable_secure
&& ((*file == '/'
&& memcmp (file, TZDEFAULT, sizeof TZDEFAULT)
&& memcmp (file, default_tzdir, sizeof (default_tzdir) - 1))
|| strstr (file, "../") != NULL))
/* This test is certainly a bit too restrictive but it should
catch all critical cases. */
goto ret_free_transitions;
Thus, if I set TZ=Europe/Paris, I see that setuid binaries look for
timezone data only under
/gnu/store/3h31zsqxjjg52da5gp3qmhkh4x8klhah-glibc-2.25/share/zoneinfo/Europe/Paris,
which doesn’t exist.
Since GuixSD provides /etc/localtime already, we can actually unset TZ.
And when we do so, setuid binaries simply honor /etc/localtime and don’t
go searching for timezone data elsewhere, and they see the right time.
Can you confirm that:
(unset TZ; xlock)
works for you?
I’ll commit the patch below if it does.
Thanks,
Ludo’.
[Message part 2 (text/x-patch, inline)]
diff --git a/gnu/system.scm b/gnu/system.scm
index 5f562b48b..ce2c05f4e 100644
--- a/gnu/system.scm
+++ b/gnu/system.scm
@@ -727,7 +727,8 @@ use 'plain-file' instead~%")
"Return the environment variables of OS for
@var{session-environment-service-type}, to be used in @file{/etc/environment}."
`(("LANG" . ,(operating-system-locale os))
- ("TZ" . ,(operating-system-timezone os))
+ ;; Note: No need to set 'TZ' since (1) we provide /etc/localtime, and (2)
+ ;; it doesn't work for setuid binaries. See <https://bugs.gnu.org/29212>.
("TZDIR" . ,(file-append tzdata "/share/zoneinfo"))
;; Tell 'modprobe' & co. where to look for modules.
("LINUX_MODULE_DIRECTORY" . "/run/booted-system/kernel/lib/modules")
Changed bug title to 'Setuid programs don't honor the system's timezone' from 'XLockMore displays wrong time'
Request was from
ludo <at> gnu.org (Ludovic Courtès)
to
control <at> debbugs.gnu.org.
(Wed, 08 Nov 2017 20:59:01 GMT)
Full text and
rfc822 format available.
Information forwarded
to
bug-guix <at> gnu.org:
bug#29212; Package
guix.
(Thu, 09 Nov 2017 06:31:01 GMT)
Full text and
rfc822 format available.
Message #13 received at 29212 <at> debbugs.gnu.org (full text, mbox):
Hello Ludo,
ludo <at> gnu.org (Ludovic Courtès) writes:
> Since GuixSD provides /etc/localtime already, we can actually unset TZ.
> And when we do so, setuid binaries simply honor /etc/localtime and don’t
> go searching for timezone data elsewhere, and they see the right time.
>
> Can you confirm that:
>
> (unset TZ; xlock)
>
> works for you?
Yes, it displays the correct time.
Thanks,
Diego
Reply sent
to
ludo <at> gnu.org (Ludovic Courtès):
You have taken responsibility.
(Thu, 09 Nov 2017 09:07:01 GMT)
Full text and
rfc822 format available.
Notification sent
to
Diego Nicola Barbato <dnbarbato <at> posteo.de>:
bug acknowledged by developer.
(Thu, 09 Nov 2017 09:07:01 GMT)
Full text and
rfc822 format available.
Message #18 received at 29212-done <at> debbugs.gnu.org (full text, mbox):
Diego Nicola Barbato <dnbarbato <at> posteo.de> skribis:
> Hello Ludo,
>
> ludo <at> gnu.org (Ludovic Courtès) writes:
>
>> Since GuixSD provides /etc/localtime already, we can actually unset TZ.
>> And when we do so, setuid binaries simply honor /etc/localtime and don’t
>> go searching for timezone data elsewhere, and they see the right time.
>>
>> Can you confirm that:
>>
>> (unset TZ; xlock)
>>
>> works for you?
>
> Yes, it displays the correct time.
Awesome, pushed as 5475749960d44163a4c6c4d1d1cb1be9872b861e.
Thanks,
Ludo’.
bug archived.
Request was from
Debbugs Internal Request <help-debbugs <at> gnu.org>
to
internal_control <at> debbugs.gnu.org.
(Thu, 07 Dec 2017 12:24:03 GMT)
Full text and
rfc822 format available.
This bug report was last modified 6 years and 139 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.