Ports cannot set setuid bit

[danchr (Dan Villiom Podlaski Christiansen)]

Found in bug #54958:

Ports cannot set the setuid bit on High Sierra; it works outside the ports infrastructure, but not within it. The attached tarball contains a simple port that tries to set the setuid bit on a file, checks that it succeeds. The ‘build’ phase fails on High Sierra.

[raimue (Rainer Müller)]

The test script uses chmod u+t, which is invalid. This is the sticky bit (+t), not setuid (+s). The sticky bit cannot be set in combination with any of ugo as it is a global flag. This should read chmod u+s.

Also the result in the test command in the last line for stat -f %p should probably be 104755.

After fixing the issues above with chmod u+s and 104755, I can confirm that this port works on macOS 10.12 Sierra, but not on macOS 10.13 High Sierra.

[raimue (Rainer Müller)]

The problem appears to occur due to sandbox-exec:

highsierra $ files/test.sh
-rwsr-xr-x+ 1 raimue  wheel  0 Oct  1 20:29 xxx
-rwsr-xr-x -> 104755
highsierra $ rm -f xxx
highsierra $ sandbox-exec -p '(version 1) (allow default)' files/test.sh
-rwxr-xr-x+ 1 raimue  wheel  0 Oct  1 20:29 xxx
-rwxr-xr-x -> 100755

That behavior changed from macOS 10.12 Sierra:

sierra $ sandbox-exec -p '(version 1) (allow default)' files/test.sh
-rwsr-xr-x+ 1 raimue  wheel  0 Oct  1 20:29 xxx
-rwsr-xr-x -> 104755

[danchr (Dan Villiom Podlaski Christiansen)]

Fixed test port

[danchr (Dan Villiom Podlaski Christiansen)]

Replying to raimue:

The problem appears to occur due to sandbox-exec: […]

Interestingly, it works if you cd into files and invoke ./test.sh instead…

[raimue (Rainer Müller)]

I can get it to work if I grant the file-write-setugid permission explicitly. I guess the default changed, but I have no idea how to retrieve that to confirm it.

highsierra $ sandbox-exec -p '(version 1) (allow default) (allow file-write-setugid)' files/test.sh
-rwsr-xr-x+ 1 raimue  wheel  0 Oct  1 20:44 xxx
-rwsr-xr-x -> 104755

As a side note, it looks like Apple also killed the very useful tracing ability with sandbox-exec -p '(version 1) (deny default) (trace "xxx.sb")' ... that reports all actions that would were attempted while still allowing all actions. This is the way I could debug this using Sierra. No idea how something like that could be done on High Sierra alone...

[danchr (Dan Villiom Podlaski Christiansen)]

AFAICT this fixes it:

src/port1.0/portsandbox.tcl

@@ -89 +89 @@
 (regex #\"^(/private)?(/var)?/tmp/\" #\"^(/private)?/var/folders/\"))"
 
     foreach dir $allow_dirs {
-        append portsandbox_profile " (allow file-write* ("
+        append portsandbox_profile " (allow file-write* file-write-setugid ("
         if {${os.major} > 9} {
             append portsandbox_profile "subpath \"${dir}\"))"
         } else {

[ryandesign (Ryan Carsten Schmidt)]

Sounds like we should get a MacPorts 2.4.2 out quickly with this fix.

[raimue (Rainer Müller)]

• ​https://lists.macports.org/pipermail/macports-dev/2017-October/036546.html
• ​https://github.com/macports/macports-base/pull/34

[raimue (Rainer Müller)]

In d72ad486b428570538ae0403675271242985c42f/macports-base:

sandbox: Add file-write-setugid for macOS 10.13

On macOS 10.13 High Sierra, file-write* does not seem to include
file-write-setugid, therefore adding it explicitly to allow build
scripts to produce suid/sgid binaries.

Closes: #54963

[raimue (Rainer Müller)]

This fix was released with MacPorts 2.4.2.