cpio 2.9 drops directory permissions and ownership

Bug #214942 reported by Albert Y. C. Lai
This bug affects 2 people
Affects: cpio (Ubuntu)
Status: Fix Released
Importance: Low
Assigned to: Daniel T Chen

Bug Description

Binary package hint: cpio

Using cpio 2.9 (in hardy) and the traditional "find . -depth" (e.g., as in the cpio tutorial), directory permissions and ownerships are not set properly when the directory in question is non-empty.

Example: Given the current directory has:

    .:
    total 0
    drwxrws--T 2 daemon backup 72 2008-04-10 00:38 d

    ./d:
    total 0
    -rw-r--r-- 1 daemon backup 0 2008-04-10 00:38 hello

Now execute these as root:

    mkdir ../tgt
    find . -depth | cpio -pmd ../tgt
    ls -lR ../tgt

    ../tgt:
    total 0
    drwxr-xr-x 2 root root 72 2008-04-10 00:38 d

    ../tgt/d:
    total 0
    -rw-r--r-- 1 daemon backup 0 2008-04-10 00:38 hello

The permissions and ownership of directory d are lost. This has not been the case for a decade (e.g., try it with the cpio versions distributed in gutsy, feisty, edgy, dapper, ...).

Similar behaviour if you go through "cpio -o | (cd ../tgt; cpio -idm)". In fact you can verify that the directory flags are stored into the archive file alright; the problem is during extraction.

If you change "find . -depth" to "find .", omitting "-depth", the problem goes away, which is my current workaround. But the original behaviour has been relied upon for decades. It certainly caught me off-guard when I used hardy's cpio (and the traditional find formula) to clone a whole system and then found out the clone broke.

I have also reported it to the gnu cpio mailing list.
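
A post-copy check for the symptom described in this report, as an added example that is not part of the original bug report: it lists every directory whose mode (including the setgid and sticky bits), uid or gid differs between the source tree and the copy. The function names are hypothetical and GNU stat (`-c`) is assumed.

```shell
#!/bin/sh
# Added example (not from the bug report): detect directories whose
# permissions or ownership were dropped by a tree copy such as
#   find . -depth | cpio -pmd ../tgt
# Assumes GNU stat; function names are hypothetical.

meta() {
    # Octal mode (including setuid/setgid/sticky bits), uid and gid.
    stat -c '%a %u %g' "$1"
}

dir_meta_diff() {
    src=$1
    tgt=$2
    # Walk the source tree and compare each directory with its copy.
    # The brace group's exit status becomes the function's status.
    ( cd "$src" && find . -type d ) | {
        bad=0
        while IFS= read -r d; do
            if [ ! -d "$tgt/$d" ]; then
                printf 'MISSING  %s\n' "$d"
                bad=1
                continue
            fi
            want=$(meta "$src/$d")
            got=$(meta "$tgt/$d")
            if [ "$want" != "$got" ]; then
                printf 'MISMATCH %s: source=%s copy=%s\n' "$d" "$want" "$got"
                bad=1
            fi
        done
        [ "$bad" -eq 0 ]
    }
}

# Usage: sh check.sh /path/to/source /path/to/copy
if [ "$#" -eq 2 ]; then
    dir_meta_diff "$1" "$2"
fi
```

A non-zero exit status means at least one directory in the copy does not match its source, which is the condition shown for directory d in the report above.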

Albert Y. C. Lai (trebla) wrote :

The message I sent to the gnu cpio mailing list, and replies:

http://lists.gnu.org/archive/html/bug-cpio/2008-04/msg00000.html

Daniel T Chen (crimsun) wrote :

Is this symptom still reproducible in 8.10 or 9.04?

Changed in cpio:
assignee: nobody → crimsun
importance: Undecided → Low
status: New → Incomplete
FP (fabrice-pardo) wrote :

Same symptom in 9.04.

Nasty in 8.04, which is LTS and typically used as a home server:
The command
    find $1 -depth -xdev -print | cpio -pdm $2
has not been usable for 16 months!

We have to use rsync instead.

Scott Merrilees (scott.merrilees) wrote :

Since cd / && find . -depth -print|cpio -pdmu0 is my standard partition replication command, this bug has just caused me enough grief to have to rebuild a system, rather than just the disk-to-disk copy that I intended to move the root file system around.

Scott Merrilees (scott.merrilees) wrote :

So this bug is still present in karmic.

FP (fabrice-pardo) wrote :

Good news: this bug, which is also Debian bug #458079, is fixed in cpio-2.11.
Cf. http://www.gnu.org/software/cpio/cpio.html

FP (fabrice-pardo) wrote :

Bad news, still present in lucid (cpio-2.10), fixed in cpio-2.11

rennradler (bernhard67) wrote :

I am a little bit surprised that this bug has low importance. It can cause a lot of trouble!

I can confirm that the bug is fixed in cpio 2.11. But Ubuntu 10.04 is still shipped with 2.10 - strange!

With cpio 2.10 there is a workaround. Just extract or copy/pass everything twice. The second run fixes the dropped ownerships and access times.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cpio - 2.11-4ubuntu1

---------------
cpio (2.11-4ubuntu1) maverick; urgency=low

  * Merge from Debian unstable, remaining changes:
    - debian/control: Don't build a cpio-win32 package
    - debian/rules: don't depend on the binary-indep target in binary.
  * New upstream version fixes bug where directory permissions are dropped
    in passthrough mode. LP: #214942.

cpio (2.11-4) unstable; urgency=low

  * Apply patch from Didier Raboud to fix win32 output again.
    closes: #579533.

cpio (2.11-3) unstable; urgency=low

  * Return MT_EXIT_FAILURE instead of MT_EXIT_INVOP for fatal exits from
    mt.
  * Do not link mt with fatal.o even when automake is installed.
    closes: #576637.

cpio (2.11-2) unstable; urgency=medium

  * Patch from Sven Joachim to prevent /usr/share/info/dir.gz being
    shipped when install-info is present in the build environment.
    closes: #576620.

cpio (2.11-1) unstable; urgency=high

  * New upstream version.
    - Fixes CVE-2010-0624: Heap-based buffer overflow in GNU
      Tar and GNU Cpio.
  * Tweak mingw build to not fail.
  * Update watch file to pick bzip2-compressed tarballs.
  * Bump to Standards-Version 3.8.4.
  * Switch to 3.0 (quilt) source format.

cpio (2.10-2) unstable; urgency=low

  * Patch from Carl Miller to better handle device nodes from cramfs.
    closes: #565474.
  * Remove install-info invocations from prerm and postinst.
  * Depend on dpkg (>= 1.15.4) | install-info.
  * Bump to Standards-Version 3.8.3.
 -- Steve Langasek <email address hidden> Tue, 15 Jun 2010 22:25:50 -0700

Changed in cpio (Ubuntu):
status: Incomplete → Fix Released