Bug 13239 - "rsync --times" does not keep dirs' setgid bits when user not member of setgid group
Summary: "rsync --times" does not keep dirs' setgid bits when user not member of setgi...
Status: NEW
Alias: None
Product: rsync
Classification: Unclassified
Component: core (show other bugs)
Version: 3.1.2
Hardware: All Linux
: P5 normal (vote)
Target Milestone: ---
Assignee: Wayne Davison
QA Contact: Rsync QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-01-20 13:43 UTC by G.raud Meyer
Modified: 2018-04-04 11:27 UTC (History)
0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description G.raud Meyer 2018-01-20 13:43:28 UTC 
When copying into a setgid dir, an extra option --times has the unwanted side
effect of making the newly created directories not have the setgid bit set
(and of creating files inside a newly created directory that do not belong to
the setgid group as expected); this happens only if the rsync user is not a
member of the setgid group.

In a shell one can set file times with touch(1) without losing the setgid bit
so rsync should be able to do so too (and if it does not document that).

Small shell script demonstrating the bug:

```log
$ mkdir ~/testdir && cd ~/testdir
$ mkdir -p src/subdir dest
$ touch src/file src/subdir/file
$ chmod 2750 dest
$ sudo chgrp games dest
$ groups |grep games || echo "$USER is not a member of games"
guest is not a member of games
$ ls -lR src
src:
total 4
-rw-r----- 1 guest guest    0 Jan 20 14:09 file
drwxr-x--- 2 guest guest 4096 Jan 20 14:09 subdir

src/subdir:
total 0
-rw-r----- 1 guest guest 0 Jan 20 14:09 file
$ groups |grep games || echo "guest is not a member of games"
guest is not a member of games
## Without --tiles, setgid bit and group set as expected
$ rsync -r src/ dest
$ ls -lR dest
dest:
total 4
-rw-r----- 1 guest games    0 Jan 20 14:16 file
drwxr-s--- 2 guest games 4096 Jan 20 14:16 subdir

dest/subdir:
total 0
-rw-r----- 1 guest games 0 Jan 20 14:16 file
$ rm -rf dest/*
## With --times, missing setgid bit and group inside subdir
$ rsync -rt src/ dest
$ ls -lR dest
dest:
total 4
-rw-r----- 1 guest games    0 Jan 20 14:09 file
drwxr-x--- 2 guest games 4096 Jan 20 14:09 subdir

dest/subdir:
total 0
-rw-r----- 1 guest guest 0 Jan 20 14:09 file
$ rm -rf dest/*
## With --times and --omit-dir-times, setgid bit and group set as expected
$ rsync -rtO src/ dest
$ ls -lR dest
dest:
total 4
-rw-r----- 1 guest games    0 Jan 20 14:09 file
drwxr-s--- 2 guest games 4096 Jan 20 14:20 subdir

dest/subdir:
total 0
-rw-r----- 1 guest games 0 Jan 20 14:09 file
$ rm -rf dest/*
```

The version is 3.1.2 from Debian stretch:

```log
$ rsync --version
rsync  version 3.1.2  protocol version 31
Copyright (C) 1996-2015 by Andrew Tridgell, Wayne Davison, and others.
Web site: http://rsync.samba.org/
Capabilities:
    64-bit files, 64-bit inums, 64-bit timestamps, 64-bit long ints,
    socketpairs, hardlinks, symlinks, IPv6, batchfiles, inplace,
    append, ACLs, xattrs, iconv, symtimes, prealloc

rsync comes with ABSOLUTELY NO WARRANTY.  This is free software, and you
are welcome to redistribute it under certain conditions.  See the GNU
General Public Licence for details.
$ dpkg -l rsync
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                          Version             Architecture        Description
+++-=============================-===================-===================-===============================================================
ii  rsync                         3.1.2-1+deb9u1      amd64               fast, versatile, remote (and local) file-copying tool
```

Regards,
-- 
Géraud Meyer
Comment 1 Dave Gordon 2018-04-04 11:27:38 UTC 
Root cause here is that in some modes rsync will create a directory first, then later go back and fix up its modes. This is necessary if (for example) the final modes prevent writing by the owner, and convenient in some other cases, in particular when preserving directory times. However, Linux will not allow a user to set OR LEAVE SET the setgid bit if the user is not a member of the group associated with the object, EVEN THOUGH it can implicitly create such a thing. Thus:

$ mkdir setgid-dir
$ chmod g+s setgid-dir
$ sudo chgrp games setgid-dir # need root permission here!
$ touch setgid-dir/file
$ mkdir setgid-dir/subdir
$ ls -la setgid-dir/
total 12
drwxrwsr-x 3 guest games 4096 Apr  4 11:35 ./
drwxrwxr-x 6 guest guest 4096 Apr  4 11:34 ../
drwxrwsr-x 2 guest games 4096 Apr  4 11:35 subdir/
-rw-rw-r-- 1 guest games    0 Apr  4 11:35 file
$ # Note that subdir has been created setgid with gid=games even
$ # though user 'guest' could not set that combination explicitly
$ chmod o+w setgid-dir/*
$ ls -la setgid-dir/
total 12
drwxrwsr-x 3 guest games 4096 Apr  4 11:35 .
drwxrwxr-x 6 guest guest 4096 Apr  4 11:34 ..
drwxrwxrwx 2 guest games 4096 Apr  4 11:35 subdir/
-rw-rw-rw- 1 guest games    0 Apr  4 11:35 file
$ # Note that subdir is no longer setgid!

Arguably, this is a misfeature of the chmod(2) system call:

    If the calling process is not privileged, and the group of the
    file does not match the effective group ID of the process or
    one of its supplementary group IDs, the S_ISGID bit will be
    turned off, but this will not cause an error to be returned.

which is obviously sensible for (executable) files, but not necessarily for directories, where setgid means something completely different.

Anyway, in the --omit-dir-times case rsync creates the directory with the default modes (and the OS implicitly adds the setgid bit) and doesn't have to call chmod(2) later, whereas in the --times case the directory is created with modes 0700 (to which the OS adds the setgid bit) and then later rsync calls
  chmod("subdir", 02750)
which results in the setgid bit being cleared!

HTH,
.Dave.