GNU bug report logs - #29212
Setuid programs don't honor the system's timezone


Package: guix

Reported by: Diego Nicola Barbato <dnbarbato <at> posteo.de>

Date: Wed, 8 Nov 2017 14:37:02 UTC

Severity: normal

Done: ludo <at> gnu.org (Ludovic Courtès)

Bug is archived. No further changes may be made.


From: ludo <at> gnu.org (Ludovic Courtès)
To: Diego Nicola Barbato <dnbarbato <at> posteo.de>
Cc: 29212 <at> debbugs.gnu.org
Subject: bug#29212: XLockMore displays wrong time
Date: Wed, 08 Nov 2017 21:57:44 +0100
[Message part 1 (text/plain, inline)]
Hi,

Diego Nicola Barbato <dnbarbato <at> posteo.de> wrote:

> XLockMore (as invoked by the command `xlock') displays the wrong time on
> the lock screen.  Instead of honouring the timezone set in `config.scm'
> (as do other programs e.g. the `date' command) it displays UTC.

The problem is that setuid programs ignore $TZDIR; quoth ‘tzfile.c’ in
libc:

      /* We must not allow to read an arbitrary file in a setuid
	 program.  So we fail for any file which is not in the
	 directory hierachy starting at TZDIR
	 and which is not the system wide default TZDEFAULT.  */
      if (__libc_enable_secure
	  && ((*file == '/'
	       && memcmp (file, TZDEFAULT, sizeof TZDEFAULT)
	       && memcmp (file, default_tzdir, sizeof (default_tzdir) - 1))
	      || strstr (file, "../") != NULL))
	/* This test is certainly a bit too restrictive but it should
	   catch all critical cases.  */
	goto ret_free_transitions;

Thus, if I set TZ=Europe/Paris, I see that setuid binaries look for
timezone data only under
/gnu/store/3h31zsqxjjg52da5gp3qmhkh4x8klhah-glibc-2.25/share/zoneinfo/Europe/Paris,
which doesn’t exist.

Since GuixSD provides /etc/localtime already, we can actually unset TZ.
And when we do so, setuid binaries simply honor /etc/localtime and don’t
go searching for timezone data elsewhere, and they see the right time.

Can you confirm that:

  (unset TZ; xlock)

works for you?

I’ll commit the patch below if it does.

Thanks,
Ludo’.

[Message part 2 (text/x-patch, inline)]
diff --git a/gnu/system.scm b/gnu/system.scm
index 5f562b48b..ce2c05f4e 100644
--- a/gnu/system.scm
+++ b/gnu/system.scm
@@ -727,7 +727,8 @@ use 'plain-file' instead~%")
   "Return the environment variables of OS for
 @var{session-environment-service-type}, to be used in @file{/etc/environment}."
   `(("LANG" . ,(operating-system-locale os))
-    ("TZ" . ,(operating-system-timezone os))
+    ;; Note: No need to set 'TZ' since (1) we provide /etc/localtime, and (2)
+    ;; it doesn't work for setuid binaries.  See <https://bugs.gnu.org/29212>.
     ("TZDIR" . ,(file-append tzdata "/share/zoneinfo"))
     ;; Tell 'modprobe' & co. where to look for modules.
     ("LINUX_MODULE_DIRECTORY" . "/run/booted-system/kernel/lib/modules")
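
Review bot: the comment that replaces the ("TZ" . ...) entry says only that TZ "doesn't work for setuid binaries"; spell out the reason so nobody re-adds the variable later, for example that setuid programs ignore TZDIR and therefore resolve TZ names against libc's built-in zoneinfo directory. TZDIR is still exported on the following line, so a user who sets TZ in their own profile will see the same wrong time in setuid programs; that deserves a sentence in the manual. Nothing in this hunk shows where /etc/localtime is generated from operating-system-timezone, so please confirm it is always created now that it is the only carrier of the configured timezone.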

This bug report was last modified 7 years and 255 days ago.
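
An added illustration, not code from the report or from glibc: a small C model of the quoted tzfile.c test and of the lookup the message describes, showing why TZ=Europe/Paris fails in a setuid program while an unset TZ works. The store paths are placeholders, `tz_file_rejected` and `tz_resolve` are hypothetical names, and `strcmp`/`strncmp` stand in for the `memcmp` calls.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the paths glibc has compiled in. */
#define TZDEFAULT_SAMPLE "/etc/localtime"
#define DEFAULT_TZDIR_SAMPLE "/gnu/store/PLACEHOLDER-glibc/share/zoneinfo"

/* Model of the quoted test: true when a secure-mode (setuid) process
   refuses FILE.  strcmp/strncmp replace the memcmp calls. */
bool tz_file_rejected(bool secure, const char *file)
{
    bool outside = file[0] == '/'
        && strcmp(file, TZDEFAULT_SAMPLE) != 0
        && strncmp(file, DEFAULT_TZDIR_SAMPLE,
                   strlen(DEFAULT_TZDIR_SAMPLE)) != 0;
    return secure && (outside || strstr(file, "../") != NULL);
}

/* Compute the file a process would try to open for TZ.  Returns 0 and
   fills OUT, or -1 if the name is rejected or does not fit.  tzdir_env
   is the value of $TZDIR (or NULL); secure mode ignores it. */
int tz_resolve(bool secure, const char *tz, const char *tzdir_env,
               char *out, size_t outlen)
{
    const char *file = tz ? tz : TZDEFAULT_SAMPLE;  /* TZ unset */
    if (tz_file_rejected(secure, file))
        return -1;
    if (file[0] == '/')
        return snprintf(out, outlen, "%s", file) < (int) outlen ? 0 : -1;
    const char *dir = (!secure && tzdir_env && *tzdir_env)
        ? tzdir_env : DEFAULT_TZDIR_SAMPLE;
    return snprintf(out, outlen, "%s/%s", dir, file) < (int) outlen ? 0 : -1;
}

int main(void)
{
    const char *tzdir = "/gnu/store/PLACEHOLDER-tzdata/share/zoneinfo";
    const char *cases[] = { "Europe/Paris", NULL, "Europe/../UTC",
        "/gnu/store/PLACEHOLDER-tzdata/share/zoneinfo/Europe/Paris" };
    char path[256];
    for (size_t i = 0; i < sizeof cases / sizeof *cases; i++)
        for (int secure = 0; secure <= 1; secure++)
            printf("secure=%d TZ=%s -> %s\n", secure,
                   cases[i] ? cases[i] : "(unset)",
                   tz_resolve(secure, cases[i], tzdir, path, sizeof path)
                       ? "rejected" : path);
    return 0;
}
```

In secure mode the relative name lands under the libc directory, where the zone file is missing on the system described above, while the unset case falls through to /etc/localtime.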
