How fakeroot is not a security breach in Linux?

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
17
down vote

favorite
5












After reading some pretty nice answers from this question, I am still fuzzy on why you would want to pretend that you are root without getting any of the benefits of actually being root.



So far, what I can gather is that fakeroot is used to give ownership to a file that needs to be root when it is unzip/tar'ed. My question, is why can't you just do that with chown?



A Google Groups discussion here points out that you need fakeroot to compile a Debian kernel (if you want to do it from an unprivileged user). My comment is that, the reason you need to be root in order to compile is probably because read permissions were not set for other users. If so isn't it a security violation that fakeroot allows for compilation(which means gcc can now read a file that was for root)?



This answer here describes that the actual system calls are made with real uid/gid of the user, so again where does fakeroot help?



How does fakeroot stop unwanted privilege escalations on Linux? If fakeroot can trick tar into making a file that was owned by root, why not do something similar with SUID?



From what I have gathered, fakeroot is just useful when you want to change the owner of any package files that you built to root. But you can do that with chown, so where am I lacking in my understanding of how this component is suppose to be used?







share|improve this question

















  • 1




    You don't need fakeroot to compile a kernel. The kernel build system isn't that crazy. The linked discussion is about making a Debian kernel package, in which the actual kernel build is just one step.
    – Wumpus Q. Wumbley
    Jul 11 at 12:45











  • @WumpusQ.Wumbley I will correct that, and could you tell me why that is the case?
    – ng.newbie
    Jul 11 at 12:51










  • Because fakeroot is a Debian thing, and Linux is more than Debian?
    – Wumpus Q. Wumbley
    Jul 11 at 13:10










  • @WumpusQ.Wumbley it should run on any distribution.
    – immibis
    Jul 12 at 4:38














up vote
17
down vote

favorite
5












After reading some pretty nice answers from this question, I am still fuzzy on why you would want to pretend that you are root without getting any of the benefits of actually being root.



So far, what I can gather is that fakeroot is used to give ownership to a file that needs to be root when it is unzip/tar'ed. My question, is why can't you just do that with chown?



A Google Groups discussion here points out that you need fakeroot to compile a Debian kernel (if you want to do it from an unprivileged user). My comment is that, the reason you need to be root in order to compile is probably because read permissions were not set for other users. If so isn't it a security violation that fakeroot allows for compilation(which means gcc can now read a file that was for root)?



This answer here describes that the actual system calls are made with real uid/gid of the user, so again where does fakeroot help?



How does fakeroot stop unwanted privilege escalations on Linux? If fakeroot can trick tar into making a file that was owned by root, why not do something similar with SUID?



From what I have gathered, fakeroot is just useful when you want to change the owner of any package files that you built to root. But you can do that with chown, so where am I lacking in my understanding of how this component is suppose to be used?







share|improve this question

















  • 1




    You don't need fakeroot to compile a kernel. The kernel build system isn't that crazy. The linked discussion is about making a Debian kernel package, in which the actual kernel build is just one step.
    – Wumpus Q. Wumbley
    Jul 11 at 12:45











  • @WumpusQ.Wumbley I will correct that, and could you tell me why that is the case?
    – ng.newbie
    Jul 11 at 12:51










  • Because fakeroot is a Debian thing, and Linux is more than Debian?
    – Wumpus Q. Wumbley
    Jul 11 at 13:10










  • @WumpusQ.Wumbley it should run on any distribution.
    – immibis
    Jul 12 at 4:38












up vote
17
down vote

favorite
5









up vote
17
down vote

favorite
5






5





After reading some pretty nice answers from this question, I am still fuzzy on why you would want to pretend that you are root without getting any of the benefits of actually being root.



So far, what I can gather is that fakeroot is used to give ownership to a file that needs to be root when it is unzip/tar'ed. My question, is why can't you just do that with chown?



A Google Groups discussion here points out that you need fakeroot to compile a Debian kernel (if you want to do it from an unprivileged user). My comment is that, the reason you need to be root in order to compile is probably because read permissions were not set for other users. If so isn't it a security violation that fakeroot allows for compilation(which means gcc can now read a file that was for root)?



This answer here describes that the actual system calls are made with real uid/gid of the user, so again where does fakeroot help?



How does fakeroot stop unwanted privilege escalations on Linux? If fakeroot can trick tar into making a file that was owned by root, why not do something similar with SUID?



From what I have gathered, fakeroot is just useful when you want to change the owner of any package files that you built to root. But you can do that with chown, so where am I lacking in my understanding of how this component is suppose to be used?







share|improve this question













After reading some pretty nice answers from this question, I am still fuzzy on why you would want to pretend that you are root without getting any of the benefits of actually being root.



So far, what I can gather is that fakeroot is used to give ownership to a file that needs to be root when it is unzip/tar'ed. My question, is why can't you just do that with chown?



A Google Groups discussion here points out that you need fakeroot to compile a Debian kernel (if you want to do it from an unprivileged user). My comment is that, the reason you need to be root in order to compile is probably because read permissions were not set for other users. If so isn't it a security violation that fakeroot allows for compilation(which means gcc can now read a file that was for root)?



This answer here describes that the actual system calls are made with real uid/gid of the user, so again where does fakeroot help?



How does fakeroot stop unwanted privilege escalations on Linux? If fakeroot can trick tar into making a file that was owned by root, why not do something similar with SUID?



From what I have gathered, fakeroot is just useful when you want to change the owner of any package files that you built to root. But you can do that with chown, so where am I lacking in my understanding of how this component is suppose to be used?









share|improve this question












share|improve this question




share|improve this question








edited Jul 12 at 9:47
























asked Jul 11 at 12:24









ng.newbie

252211




252211







  • 1




    You don't need fakeroot to compile a kernel. The kernel build system isn't that crazy. The linked discussion is about making a Debian kernel package, in which the actual kernel build is just one step.
    – Wumpus Q. Wumbley
    Jul 11 at 12:45











  • @WumpusQ.Wumbley I will correct that, and could you tell me why that is the case?
    – ng.newbie
    Jul 11 at 12:51










  • Because fakeroot is a Debian thing, and Linux is more than Debian?
    – Wumpus Q. Wumbley
    Jul 11 at 13:10










  • @WumpusQ.Wumbley it should run on any distribution.
    – immibis
    Jul 12 at 4:38












  • 1




    You don't need fakeroot to compile a kernel. The kernel build system isn't that crazy. The linked discussion is about making a Debian kernel package, in which the actual kernel build is just one step.
    – Wumpus Q. Wumbley
    Jul 11 at 12:45











  • @WumpusQ.Wumbley I will correct that, and could you tell me why that is the case?
    – ng.newbie
    Jul 11 at 12:51










  • Because fakeroot is a Debian thing, and Linux is more than Debian?
    – Wumpus Q. Wumbley
    Jul 11 at 13:10










  • @WumpusQ.Wumbley it should run on any distribution.
    – immibis
    Jul 12 at 4:38







1




1




You don't need fakeroot to compile a kernel. The kernel build system isn't that crazy. The linked discussion is about making a Debian kernel package, in which the actual kernel build is just one step.
– Wumpus Q. Wumbley
Jul 11 at 12:45





You don't need fakeroot to compile a kernel. The kernel build system isn't that crazy. The linked discussion is about making a Debian kernel package, in which the actual kernel build is just one step.
– Wumpus Q. Wumbley
Jul 11 at 12:45













@WumpusQ.Wumbley I will correct that, and could you tell me why that is the case?
– ng.newbie
Jul 11 at 12:51




@WumpusQ.Wumbley I will correct that, and could you tell me why that is the case?
– ng.newbie
Jul 11 at 12:51












Because fakeroot is a Debian thing, and Linux is more than Debian?
– Wumpus Q. Wumbley
Jul 11 at 13:10




Because fakeroot is a Debian thing, and Linux is more than Debian?
– Wumpus Q. Wumbley
Jul 11 at 13:10












@WumpusQ.Wumbley it should run on any distribution.
– immibis
Jul 12 at 4:38




@WumpusQ.Wumbley it should run on any distribution.
– immibis
Jul 12 at 4:38










3 Answers
3






active

oldest

votes

















up vote
32
down vote



accepted











So far, what I can gather is that fakeroot is used to give ownership to a file that needs to be root when it is unzip/tar'ed. My question, is why can't you just do that with chown?




Because you can’t just do that with chown, at least not as a non-root user. (And if you’re running as root, you don’t need fakeroot.) That’s the whole point of fakeroot: to allow programs which expect to be run as root to run as a normal user, while pretending that the root-requiring operations succeed.



This is used typically when building a package, so that the installation process of the package being installed can proceed without error (even if it runs chown root:root, or install -o root, etc.). fakeroot remembers the fake ownership which it pretended to give files, so subsequent operations looking at the ownership see this instead of the real one; this allows subsequent tar runs for example to store files as owned by root.




How does fakeroot stop unwanted privilege escalations on Linux? If fakeroot can trick tar into making a file that was owned by root, why not do something similar with SUID?




fakeroot doesn’t trick tar into doing anything, it preserves changes the build wants to make without letting those changes take effect on the system hosting the build. You don’t need fakeroot to produce a tarball containing a file owned by root and suid; if you have a binary evilbinary, running tar cf evil.tar --mode=4755 --owner=root --group=root evilbinary, as a regular user, will create a tarball containing evilbinary, owned by root, and suid. However, you won’t be able to extract that tarball and preserve those permissions unless you do so as root: there is no privilege escalation here. fakeroot is a privilege de-escalation tool: it allows you to run a build as a regular user, while preserving the effects the build would have had if it had been run as root, allowing those effects to be replayed later. Applying the effects “for real” always requires root privileges; fakeroot doesn’t provide any method of acquiring them.



To understand the use of fakeroot in more detail, consider that a typical distribution build involves the following operations (among many others):



  • install files, owned by root

  • ...

  • archive those files, still owned by root, so that when they’re extracted, they’ll be owned by root

The first part obviously fails if you’re not root. However, when running under fakeroot, as a normal user, the process becomes



  • install files, owned by root — this fails, but fakeroot pretends it succeeds, and remembers the changed ownership

  • ...

  • archive those files, still owned by root — when tar (or whatever archiver is being used) asks the system what the file ownership is, fakeroot changes the answer to match the ownership it recorded earlier

Thus you can run a package build without being root, while obtaining the same results you’d get if you were really running as root. Using fakeroot is safer: the system still can’t do anything your user can’t do, so a rogue installation process can’t damage your system (beyond touching your files).



In Debian, the build tools have been improved so as not to require this any more, and you can build packages without fakeroot. This is supported by dpkg directly with the Rules-Requires-Root directive (see rootless-builds.txt).



To understand the purpose of fakeroot, and the security aspects of running as root or not, it might help to consider the purpose of packaging. When you install a piece of software from source, for use system-wide, you proceed as follows:



  1. build the software (which can be done without privileges)

  2. install the software (which needs to be done as root, or at least as a user allowed to write to the appropriate system locations)

When you package a piece of software, you’re delaying the second part; but to do so successfully, you still need to “install” the software, into the package rather than onto the system. So when you package software, the process becomes:



  1. build the software (with no special privileges)

  2. pretend to install the software (again with no special privileges)

  3. capture the software installation as a package (ditto)

  4. make the package available (ditto)

Now a user completes the process by installing the package, which needs to be done as root (or again, a user with the appropriate privileges to write to the appropriate locations). This is where the delayed privileged process is realised, and is the only part of the process which needs special privileges.



fakeroot helps with steps 2 and 3 above by allowing us to run software installation processes, and capture their behaviour, without running as root.






share|improve this answer



















  • 1




    @ng.newbie see my updated answer. When you are not root, you can’t change the ownership of a file to root (or anyone else). Because fakeroot pretends, it doesn’t need to be root (same as when an actor pretends to be someone else, he or she isn’t that person).
    – Stephen Kitt
    Jul 11 at 13:07






  • 3




    @ng.newbie I’m afraid I don’t understand why you’re confused. fakeroot can’t do anything more than the user; it doesn’t have any ability to “hack” anything or perform any action that only root can do. It tells the programs it’s running that they’re running as root, but it’s lying; it doesn’t have any special privilege. A hacker using fakeroot (or similar techniques) couldn’t do anything special either, he or she could only lie about doing so.
    – Stephen Kitt
    Jul 11 at 15:03







  • 5




    It doesn’t happen because tar running as you can’t set the ownership of a file to root. Just because a tarball contains files with certain permissions, doesn’t mean that you can extract them with those permissions (unless you’re running as root).
    – Stephen Kitt
    Jul 11 at 15:34






  • 1




    @ng.newbie If you want an alternative explanation: its entirely possible for me to use a hex editor to manually construct a tar file containing files owned by root or with any other possible permissions. Its just some information bundled up, after all, it doesn't have any power until the file actually exists on the system.
    – mbrig
    Jul 11 at 21:44






  • 2




    @ng.newbie, in addition, if you wanted to create a tarball with a suid-root binary for malicious purposes, you could do that on some other machine as real root, then copy it to the target. No need for fakeroot there. fakeroot is just a tool to help in creating the tar-file, it removes the need for using tar --mode --owner for each and every file added to the archive (and works with other programs too). The potential issues come if/when you unpack an untrusted tar-file or archive as root, not when creating it.
    – ilkkachu
    Jul 12 at 9:22

















up vote
7
down vote













NO. Fake root allows you to run permission manipulation and reporting tools, it will report consistently. However it will not actually grant these permissions. It will just look like you have them (fake). It will not change anything outside of the environment.



It is useful, if you want to create a directory structure, that contains ownership and permissions, that could not be set by your user, that you will then tar, zip, or other package.



It does not really elevate permissions, it is fake. It does not let you do anything (delete, write, read) that you could not otherwise do. You could produce the package (in theory) without it. You could get a fake report (ls) without it.



It is not a security flaw, because it does not allow access, or anything that you can't do without it. It runs without privilege. All it dose is intercept calls to chown, chmod, etc. It makes them a no-operation, except that it records what would have happened. It also intercepts calls to stat etc. so that it reports permissions and ownership, from its own internal database, as if the other commands had been done. This is useful, because if you then zip the directory, it will have the fake permissions. If you then unzip, as root, then the permissions will become real.



Any files that are not readable/writable before, will remain not readable/writable. Any special files (e.g. devices) created, will have no special powers. Any set-uid (to another user), files will not set-uid. Any other privilege escalation will not work.



It is a type of virtual machine: A virtual machine, in general, can simulate any environment/OS, but can not do anything to the host, that any other application could not do. Within the Virtual machine, you can appear to do anything. You can reinvent the security system to be the same or different, However this will all exist on the host, as resources owned by the user/group of the process running the virtual environment.






share|improve this answer























  • @ctrl-alt-decor As I have asked in the above comment, in *nix it is not possible to set the owner to root from another unprivileged user, correct? So there must a good reason for that if a program allows it, how is it not a security flaw?
    – ng.newbie
    Jul 11 at 13:02










  • @ctrl-alt-decor The fakeroot does not allow me to read/write/delete, but if I wrote a wrapper for the syscalls does it stand to reason that I can do those operations as well.
    – ng.newbie
    Jul 11 at 13:06










  • @ctrl-alt-decor So the only reason for fakeroot to exist is to set permissions to a file to root without being root. If that is not a security flaw then why would Linux disallow that in the first place?
    – ng.newbie
    Jul 11 at 15:25






  • 1




    No it allows you to fake setting user to any user, and fake some other things. Try it: run fakeroot and look at the files from outside, try to access files, that you should not.
    – ctrl-alt-delor
    Jul 11 at 15:48

















up vote
4
down vote













There are already two good, and very detailed answers here, but I'll just point out that the introductory paragraph of the original fakeroot man page1 actually explains it pretty clearly and concisely:




fakeroot runs a command in an environment wherein it appears to have root privileges for file manipulation. This is useful for allowing users to create archives (tar, ar, .deb etc.) with files in them with root permissions/ownership. Without fakeroot one would need to have root privileges to create the constituent files of the archives with the correct permissions and ownership, and then pack them up, or one would have to construct the archives directly, without using the archiver.




Fakeroot allows a non-root user to create archives containing root-owned files, which is a critical part of generating and distributing binary software packages in Linux. Without fakeroot, package archives would have to be generated while running as actual root, so that they contain the correct file ownership and permissions. That would be a security risk. Building and packaging potentially-untrusted software is a huge exposure if done with root privs. Thanks to fakeroot, an unprivileged user with unprivileged files can still generate archives containing files with root ownership.2



But it's not a security risk, because nothing in the archive is actually owned by root until the files are EXTRACTED. And even then, the files will only be extracted with their root permissions intact if it's done by a privileged user. That step — where a fakeroot-assisted archive containing "root" files is extracted by a privileged user — is where the "fake" root finally becomes real. Up until that point, no actual root privileges are ever obtained or bypassed.



Notes



  1. Fakeroot has spawned some competitors/imitators that will masquerade as fakeroot if installed, including fakeroot-ng and pseudo. But IMHO neither "imitator's" man page is nearly as clear about getting right to the point on this question. Stick with the original, one and only fakeroot O.G.


  2. Other distros/packaging-systems overcome this by simply not using root ownership in their package archives. On Fedora, for instance, software can be compiled, installed, and packaged by an unprivileged user without requiring fakeroot. It's all done within the user's $HOME/rpmbuild/ space, and normally-privileged steps like make install get redirected (via mechanisms like --prefix and DESTDIR) to a $HOME/rpmbuild/BUILDROOT/ hierarchy that could be considered a sort of "fakechroot" space (without actually using fakechroot).



    But even during make install, everything is executed as and owned by the
    unprivileged user. Extracted file ownership and permissions will be set to root,root and 0644 (or 0755 for executables) by default, unless overridden in the package definition (.spec) file in which case they're stored as metadata within the final package.
    Because no permissions or ownership are actually applied until the rpm package's (privileged)
    installation process, neither root nor fakeroot is needed during packaging. But fakeroot is really just a different
    path to that same result.







share|improve this answer



















  • 1




    Regarding your first note, fakeroot-ng claims to supersede fakeroot, but in practice it hasn’t replaced it, and AFAIK fakeroot is still the tool used in Debian by default (when necessary).
    – Stephen Kitt
    Jul 12 at 13:04











  • @StephenKitt Aha! Thanks. I was wondering about that. Initially I was confused because I went searching for the fakeroot manpage, and Google dumped me at fakeroot-ng's (masquerading as fakeroot(1)), and I guess I overpresumed. But I see now that fakeroot-ng hasn't been updated since 2014, whereas fakeroot is still active. There's apparently also pseudo which made a go of it a couple of years ago, but has now stalled. I'll tweak my answer accordingly.
    – FeRD
    Jul 12 at 13:12






  • 1




    Yeah I was confused at first too, since the fakeroot manpage on Debian’s site leads to fakeroot-ng’s version by default. Check out the last paragraph of the fakeroot-ng for an amusing twist ;-).
    – Stephen Kitt
    Jul 12 at 13:25










Your Answer







StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "106"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
convertImagesToLinks: false,
noModals: false,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);








 

draft saved


draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f454686%2fhow-fakeroot-is-not-a-security-breach-in-linux%23new-answer', 'question_page');

);

Post as a guest






























3 Answers
3






active

oldest

votes








3 Answers
3






active

oldest

votes









active

oldest

votes






active

oldest

votes








up vote
32
down vote



accepted











So far, what I can gather is that fakeroot is used to give ownership to a file that needs to be root when it is unzip/tar'ed. My question, is why can't you just do that with chown?




Because you can’t just do that with chown, at least not as a non-root user. (And if you’re running as root, you don’t need fakeroot.) That’s the whole point of fakeroot: to allow programs which expect to be run as root to run as a normal user, while pretending that the root-requiring operations succeed.



This is used typically when building a package, so that the installation process of the package being installed can proceed without error (even if it runs chown root:root, or install -o root, etc.). fakeroot remembers the fake ownership which it pretended to give files, so subsequent operations looking at the ownership see this instead of the real one; this allows subsequent tar runs for example to store files as owned by root.




How does fakeroot stop unwanted privilege escalations on Linux? If fakeroot can trick tar into making a file that was owned by root, why not do something similar with SUID?




fakeroot doesn’t trick tar into doing anything, it preserves changes the build wants to make without letting those changes take effect on the system hosting the build. You don’t need fakeroot to produce a tarball containing a file owned by root and suid; if you have a binary evilbinary, running tar cf evil.tar --mode=4755 --owner=root --group=root evilbinary, as a regular user, will create a tarball containing evilbinary, owned by root, and suid. However, you won’t be able to extract that tarball and preserve those permissions unless you do so as root: there is no privilege escalation here. fakeroot is a privilege de-escalation tool: it allows you to run a build as a regular user, while preserving the effects the build would have had if it had been run as root, allowing those effects to be replayed later. Applying the effects “for real” always requires root privileges; fakeroot doesn’t provide any method of acquiring them.



To understand the use of fakeroot in more detail, consider that a typical distribution build involves the following operations (among many others):



  • install files, owned by root

  • ...

  • archive those files, still owned by root, so that when they’re extracted, they’ll be owned by root

The first part obviously fails if you’re not root. However, when running under fakeroot, as a normal user, the process becomes



  • install files, owned by root — this fails, but fakeroot pretends it succeeds, and remembers the changed ownership

  • ...

  • archive those files, still owned by root — when tar (or whatever archiver is being used) asks the system what the file ownership is, fakeroot changes the answer to match the ownership it recorded earlier

Thus you can run a package build without being root, while obtaining the same results you’d get if you were really running as root. Using fakeroot is safer: the system still can’t do anything your user can’t do, so a rogue installation process can’t damage your system (beyond touching your files).



In Debian, the build tools have been improved so as not to require this any more, and you can build packages without fakeroot. This is supported by dpkg directly with the Rules-Requires-Root directive (see rootless-builds.txt).



To understand the purpose of fakeroot, and the security aspects of running as root or not, it might help to consider the purpose of packaging. When you install a piece of software from source, for use system-wide, you proceed as follows:



  1. build the software (which can be done without privileges)

  2. install the software (which needs to be done as root, or at least as a user allowed to write to the appropriate system locations)

When you package a piece of software, you’re delaying the second part; but to do so successfully, you still need to “install” the software, into the package rather than onto the system. So when you package software, the process becomes:



  1. build the software (with no special privileges)

  2. pretend to install the software (again with no special privileges)

  3. capture the software installation as a package (ditto)

  4. make the package available (ditto)

Now a user completes the process by installing the package, which needs to be done as root (or again, a user with the appropriate privileges to write to the appropriate locations). This is where the delayed privileged process is realised, and is the only part of the process which needs special privileges.



fakeroot helps with steps 2 and 3 above by allowing us to run software installation processes, and capture their behaviour, without running as root.






share|improve this answer



















  • 1




    @ng.newbie see my updated answer. When you are not root, you can’t change the ownership of a file to root (or anyone else). Because fakeroot pretends, it doesn’t need to be root (same as when an actor pretends to be someone else, he or she isn’t that person).
    – Stephen Kitt
    Jul 11 at 13:07






  • 3




    @ng.newbie I’m afraid I don’t understand why you’re confused. fakeroot can’t do anything more than the user; it doesn’t have any ability to “hack” anything or perform any action that only root can do. It tells the programs it’s running that they’re running as root, but it’s lying; it doesn’t have any special privilege. A hacker using fakeroot (or similar techniques) couldn’t do anything special either, he or she could only lie about doing so.
    – Stephen Kitt
    Jul 11 at 15:03







  • 5




    It doesn’t happen because tar running as you can’t set the ownership of a file to root. Just because a tarball contains files with certain permissions, doesn’t mean that you can extract them with those permissions (unless you’re running as root).
    – Stephen Kitt
    Jul 11 at 15:34






  • 1




    @ng.newbie If you want an alternative explanation: its entirely possible for me to use a hex editor to manually construct a tar file containing files owned by root or with any other possible permissions. Its just some information bundled up, after all, it doesn't have any power until the file actually exists on the system.
    – mbrig
    Jul 11 at 21:44






  • 2




    @ng.newbie, in addition, if you wanted to create a tarball with a suid-root binary for malicious purposes, you could do that on some other machine as real root, then copy it to the target. No need for fakeroot there. fakeroot is just a tool to help in creating the tar-file, it removes the need for using tar --mode --owner for each and every file added to the archive (and works with other programs too). The potential issues come if/when you unpack an untrusted tar-file or archive as root, not when creating it.
    – ilkkachu
    Jul 12 at 9:22














up vote
32
down vote



accepted











So far, what I can gather is that fakeroot is used to give ownership to a file that needs to be root when it is unzip/tar'ed. My question, is why can't you just do that with chown?




Because you can’t just do that with chown, at least not as a non-root user. (And if you’re running as root, you don’t need fakeroot.) That’s the whole point of fakeroot: to allow programs which expect to be run as root to run as a normal user, while pretending that the root-requiring operations succeed.



This is used typically when building a package, so that the installation process of the package being installed can proceed without error (even if it runs chown root:root, or install -o root, etc.). fakeroot remembers the fake ownership which it pretended to give files, so subsequent operations looking at the ownership see this instead of the real one; this allows subsequent tar runs for example to store files as owned by root.




How does fakeroot stop unwanted privilege escalations on Linux? If fakeroot can trick tar into making a file that was owned by root, why not do something similar with SUID?




fakeroot doesn’t trick tar into doing anything, it preserves changes the build wants to make without letting those changes take effect on the system hosting the build. You don’t need fakeroot to produce a tarball containing a file owned by root and suid; if you have a binary evilbinary, running tar cf evil.tar --mode=4755 --owner=root --group=root evilbinary, as a regular user, will create a tarball containing evilbinary, owned by root, and suid. However, you won’t be able to extract that tarball and preserve those permissions unless you do so as root: there is no privilege escalation here. fakeroot is a privilege de-escalation tool: it allows you to run a build as a regular user, while preserving the effects the build would have had if it had been run as root, allowing those effects to be replayed later. Applying the effects “for real” always requires root privileges; fakeroot doesn’t provide any method of acquiring them.



To understand the use of fakeroot in more detail, consider that a typical distribution build involves the following operations (among many others):



  • install files, owned by root

  • ...

  • archive those files, still owned by root, so that when they’re extracted, they’ll be owned by root

The first part obviously fails if you’re not root. However, when running under fakeroot, as a normal user, the process becomes



  • install files, owned by root — this fails, but fakeroot pretends it succeeds, and remembers the changed ownership

  • ...

  • archive those files, still owned by root — when tar (or whatever archiver is being used) asks the system what the file ownership is, fakeroot changes the answer to match the ownership it recorded earlier

Thus you can run a package build without being root, while obtaining the same results you’d get if you were really running as root. Using fakeroot is safer: the system still can’t do anything your user can’t do, so a rogue installation process can’t damage your system (beyond touching your files).



In Debian, the build tools have been improved so as not to require this any more, and you can build packages without fakeroot. This is supported by dpkg directly with the Rules-Requires-Root directive (see rootless-builds.txt).



To understand the purpose of fakeroot, and the security aspects of running as root or not, it might help to consider the purpose of packaging. When you install a piece of software from source, for use system-wide, you proceed as follows:



  1. build the software (which can be done without privileges)

  2. install the software (which needs to be done as root, or at least as a user allowed to write to the appropriate system locations)

When you package a piece of software, you’re delaying the second part; but to do so successfully, you still need to “install” the software, into the package rather than onto the system. So when you package software, the process becomes:



  1. build the software (with no special privileges)

  2. pretend to install the software (again with no special privileges)

  3. capture the software installation as a package (ditto)

  4. make the package available (ditto)

Now a user completes the process by installing the package, which needs to be done as root (or again, a user with the appropriate privileges to write to the appropriate locations). This is where the delayed privileged process is realised, and is the only part of the process which needs special privileges.



fakeroot helps with steps 2 and 3 above by allowing us to run software installation processes, and capture their behaviour, without running as root.






share|improve this answer



















  • 1




    @ng.newbie see my updated answer. When you are not root, you can’t change the ownership of a file to root (or anyone else). Because fakeroot pretends, it doesn’t need to be root (same as when an actor pretends to be someone else, he or she isn’t that person).
    – Stephen Kitt
    Jul 11 at 13:07






  • 3




    @ng.newbie I’m afraid I don’t understand why you’re confused. fakeroot can’t do anything more than the user; it doesn’t have any ability to “hack” anything or perform any action that only root can do. It tells the programs it’s running that they’re running as root, but it’s lying; it doesn’t have any special privilege. A hacker using fakeroot (or similar techniques) couldn’t do anything special either, he or she could only lie about doing so.
    – Stephen Kitt
    Jul 11 at 15:03







  • 5




    It doesn’t happen because tar running as you can’t set the ownership of a file to root. Just because a tarball contains files with certain permissions, doesn’t mean that you can extract them with those permissions (unless you’re running as root).
    – Stephen Kitt
    Jul 11 at 15:34






  • 1




    @ng.newbie If you want an alternative explanation: its entirely possible for me to use a hex editor to manually construct a tar file containing files owned by root or with any other possible permissions. Its just some information bundled up, after all, it doesn't have any power until the file actually exists on the system.
    – mbrig
    Jul 11 at 21:44






  • 2




    @ng.newbie, in addition, if you wanted to create a tarball with a suid-root binary for malicious purposes, you could do that on some other machine as real root, then copy it to the target. No need for fakeroot there. fakeroot is just a tool to help in creating the tar-file, it removes the need for using tar --mode --owner for each and every file added to the archive (and works with other programs too). The potential issues come if/when you unpack an untrusted tar-file or archive as root, not when creating it.
    – ilkkachu
    Jul 12 at 9:22












up vote
32
down vote



accepted







up vote
32
down vote



accepted







So far, what I can gather is that fakeroot is used to give ownership to a file that needs to be root when it is unzip/tar'ed. My question, is why can't you just do that with chown?




Because you can’t just do that with chown, at least not as a non-root user. (And if you’re running as root, you don’t need fakeroot.) That’s the whole point of fakeroot: to allow programs which expect to be run as root to run as a normal user, while pretending that the root-requiring operations succeed.



This is used typically when building a package, so that the installation process of the package being installed can proceed without error (even if it runs chown root:root, or install -o root, etc.). fakeroot remembers the fake ownership which it pretended to give files, so subsequent operations looking at the ownership see this instead of the real one; this allows subsequent tar runs for example to store files as owned by root.




How does fakeroot stop unwanted privilege escalations on Linux? If fakeroot can trick tar into making a file that was owned by root, why not do something similar with SUID?




fakeroot doesn’t trick tar into doing anything, it preserves changes the build wants to make without letting those changes take effect on the system hosting the build. You don’t need fakeroot to produce a tarball containing a file owned by root and suid; if you have a binary evilbinary, running tar cf evil.tar --mode=4755 --owner=root --group=root evilbinary, as a regular user, will create a tarball containing evilbinary, owned by root, and suid. However, you won’t be able to extract that tarball and preserve those permissions unless you do so as root: there is no privilege escalation here. fakeroot is a privilege de-escalation tool: it allows you to run a build as a regular user, while preserving the effects the build would have had if it had been run as root, allowing those effects to be replayed later. Applying the effects “for real” always requires root privileges; fakeroot doesn’t provide any method of acquiring them.



To understand the use of fakeroot in more detail, consider that a typical distribution build involves the following operations (among many others):



  • install files, owned by root

  • ...

  • archive those files, still owned by root, so that when they’re extracted, they’ll be owned by root

The first part obviously fails if you’re not root. However, when running under fakeroot, as a normal user, the process becomes



  • install files, owned by root — this fails, but fakeroot pretends it succeeds, and remembers the changed ownership

  • ...

  • archive those files, still owned by root — when tar (or whatever archiver is being used) asks the system what the file ownership is, fakeroot changes the answer to match the ownership it recorded earlier

Thus you can run a package build without being root, while obtaining the same results you’d get if you were really running as root. Using fakeroot is safer: the system still can’t do anything your user can’t do, so a rogue installation process can’t damage your system (beyond touching your files).



In Debian, the build tools have been improved so as not to require this any more, and you can build packages without fakeroot. This is supported by dpkg directly with the Rules-Requires-Root directive (see rootless-builds.txt).



To understand the purpose of fakeroot, and the security aspects of running as root or not, it might help to consider the purpose of packaging. When you install a piece of software from source, for use system-wide, you proceed as follows:



  1. build the software (which can be done without privileges)

  2. install the software (which needs to be done as root, or at least as a user allowed to write to the appropriate system locations)

When you package a piece of software, you’re delaying the second part; but to do so successfully, you still need to “install” the software, into the package rather than onto the system. So when you package software, the process becomes:



  1. build the software (with no special privileges)

  2. pretend to install the software (again with no special privileges)

  3. capture the software installation as a package (ditto)

  4. make the package available (ditto)

Now a user completes the process by installing the package, which needs to be done as root (or again, a user with the appropriate privileges to write to the appropriate locations). This is where the delayed privileged process is realised, and is the only part of the process which needs special privileges.



fakeroot helps with steps 2 and 3 above by allowing us to run software installation processes, and capture their behaviour, without running as root.






share|improve this answer
















So far, what I can gather is that fakeroot is used to give ownership to a file that needs to be root when it is unzip/tar'ed. My question, is why can't you just do that with chown?




Because you can’t just do that with chown, at least not as a non-root user. (And if you’re running as root, you don’t need fakeroot.) That’s the whole point of fakeroot: to allow programs which expect to be run as root to run as a normal user, while pretending that the root-requiring operations succeed.



This is used typically when building a package, so that the installation process of the package being installed can proceed without error (even if it runs chown root:root, or install -o root, etc.). fakeroot remembers the fake ownership which it pretended to give files, so subsequent operations looking at the ownership see this instead of the real one; this allows subsequent tar runs for example to store files as owned by root.




How does fakeroot stop unwanted privilege escalations on Linux? If fakeroot can trick tar into making a file that was owned by root, why not do something similar with SUID?




fakeroot doesn’t trick tar into doing anything, it preserves changes the build wants to make without letting those changes take effect on the system hosting the build. You don’t need fakeroot to produce a tarball containing a file owned by root and suid; if you have a binary evilbinary, running tar cf evil.tar --mode=4755 --owner=root --group=root evilbinary, as a regular user, will create a tarball containing evilbinary, owned by root, and suid. However, you won’t be able to extract that tarball and preserve those permissions unless you do so as root: there is no privilege escalation here. fakeroot is a privilege de-escalation tool: it allows you to run a build as a regular user, while preserving the effects the build would have had if it had been run as root, allowing those effects to be replayed later. Applying the effects “for real” always requires root privileges; fakeroot doesn’t provide any method of acquiring them.



To understand the use of fakeroot in more detail, consider that a typical distribution build involves the following operations (among many others):



  • install files, owned by root

  • ...

  • archive those files, still owned by root, so that when they’re extracted, they’ll be owned by root

The first part obviously fails if you’re not root. However, when running under fakeroot, as a normal user, the process becomes



  • install files, owned by root — this fails, but fakeroot pretends it succeeds, and remembers the changed ownership

  • ...

  • archive those files, still owned by root — when tar (or whatever archiver is being used) asks the system what the file ownership is, fakeroot changes the answer to match the ownership it recorded earlier

Thus you can run a package build without being root, while obtaining the same results you’d get if you were really running as root. Using fakeroot is safer: the system still can’t do anything your user can’t do, so a rogue installation process can’t damage your system (beyond touching your files).



In Debian, the build tools have been improved so as not to require this any more, and you can build packages without fakeroot. This is supported by dpkg directly with the Rules-Requires-Root directive (see rootless-builds.txt).



To understand the purpose of fakeroot, and the security aspects of running as root or not, it might help to consider the purpose of packaging. When you install a piece of software from source, for use system-wide, you proceed as follows:



  1. build the software (which can be done without privileges)

  2. install the software (which needs to be done as root, or at least as a user allowed to write to the appropriate system locations)

When you package a piece of software, you’re delaying the second part; but to do so successfully, you still need to “install” the software, into the package rather than onto the system. So when you package software, the process becomes:



  1. build the software (with no special privileges)

  2. pretend to install the software (again with no special privileges)

  3. capture the software installation as a package (ditto)

  4. make the package available (ditto)

Now a user completes the process by installing the package, which needs to be done as root (or again, a user with the appropriate privileges to write to the appropriate locations). This is where the delayed privileged process is realised, and is the only part of the process which needs special privileges.



fakeroot helps with steps 2 and 3 above by allowing us to run software installation processes, and capture their behaviour, without running as root.







share|improve this answer















share|improve this answer



share|improve this answer








edited Jul 11 at 15:41


























answered Jul 11 at 12:50









Stephen Kitt

139k22296359




139k22296359







  • 1




    @ng.newbie see my updated answer. When you are not root, you can’t change the ownership of a file to root (or anyone else). Because fakeroot pretends, it doesn’t need to be root (same as when an actor pretends to be someone else, he or she isn’t that person).
    – Stephen Kitt
    Jul 11 at 13:07






  • 3




    @ng.newbie I’m afraid I don’t understand why you’re confused. fakeroot can’t do anything more than the user; it doesn’t have any ability to “hack” anything or perform any action that only root can do. It tells the programs it’s running that they’re running as root, but it’s lying; it doesn’t have any special privilege. A hacker using fakeroot (or similar techniques) couldn’t do anything special either, he or she could only lie about doing so.
    – Stephen Kitt
    Jul 11 at 15:03







  • 5




    It doesn’t happen because tar running as you can’t set the ownership of a file to root. Just because a tarball contains files with certain permissions, doesn’t mean that you can extract them with those permissions (unless you’re running as root).
    – Stephen Kitt
    Jul 11 at 15:34






  • 1




    @ng.newbie If you want an alternative explanation: its entirely possible for me to use a hex editor to manually construct a tar file containing files owned by root or with any other possible permissions. Its just some information bundled up, after all, it doesn't have any power until the file actually exists on the system.
    – mbrig
    Jul 11 at 21:44






  • 2




    @ng.newbie, in addition, if you wanted to create a tarball with a suid-root binary for malicious purposes, you could do that on some other machine as real root, then copy it to the target. No need for fakeroot there. fakeroot is just a tool to help in creating the tar-file, it removes the need for using tar --mode --owner for each and every file added to the archive (and works with other programs too). The potential issues come if/when you unpack an untrusted tar-file or archive as root, not when creating it.
    – ilkkachu
    Jul 12 at 9:22












  • 1




    @ng.newbie see my updated answer. When you are not root, you can’t change the ownership of a file to root (or anyone else). Because fakeroot pretends, it doesn’t need to be root (same as when an actor pretends to be someone else, he or she isn’t that person).
    – Stephen Kitt
    Jul 11 at 13:07






  • 3




    @ng.newbie I’m afraid I don’t understand why you’re confused. fakeroot can’t do anything more than the user; it doesn’t have any ability to “hack” anything or perform any action that only root can do. It tells the programs it’s running that they’re running as root, but it’s lying; it doesn’t have any special privilege. A hacker using fakeroot (or similar techniques) couldn’t do anything special either, he or she could only lie about doing so.
    – Stephen Kitt
    Jul 11 at 15:03







  • 5




    It doesn’t happen because tar running as you can’t set the ownership of a file to root. Just because a tarball contains files with certain permissions, doesn’t mean that you can extract them with those permissions (unless you’re running as root).
    – Stephen Kitt
    Jul 11 at 15:34






  • 1




    @ng.newbie If you want an alternative explanation: its entirely possible for me to use a hex editor to manually construct a tar file containing files owned by root or with any other possible permissions. Its just some information bundled up, after all, it doesn't have any power until the file actually exists on the system.
    – mbrig
    Jul 11 at 21:44






  • 2




    @ng.newbie, in addition, if you wanted to create a tarball with a suid-root binary for malicious purposes, you could do that on some other machine as real root, then copy it to the target. No need for fakeroot there. fakeroot is just a tool to help in creating the tar-file, it removes the need for using tar --mode --owner for each and every file added to the archive (and works with other programs too). The potential issues come if/when you unpack an untrusted tar-file or archive as root, not when creating it.
    – ilkkachu
    Jul 12 at 9:22







1




1




@ng.newbie see my updated answer. When you are not root, you can’t change the ownership of a file to root (or anyone else). Because fakeroot pretends, it doesn’t need to be root (same as when an actor pretends to be someone else, he or she isn’t that person).
– Stephen Kitt
Jul 11 at 13:07




@ng.newbie see my updated answer. When you are not root, you can’t change the ownership of a file to root (or anyone else). Because fakeroot pretends, it doesn’t need to be root (same as when an actor pretends to be someone else, he or she isn’t that person).
– Stephen Kitt
Jul 11 at 13:07




3




3




@ng.newbie I’m afraid I don’t understand why you’re confused. fakeroot can’t do anything more than the user; it doesn’t have any ability to “hack” anything or perform any action that only root can do. It tells the programs it’s running that they’re running as root, but it’s lying; it doesn’t have any special privilege. A hacker using fakeroot (or similar techniques) couldn’t do anything special either, he or she could only lie about doing so.
– Stephen Kitt
Jul 11 at 15:03





@ng.newbie I’m afraid I don’t understand why you’re confused. fakeroot can’t do anything more than the user; it doesn’t have any ability to “hack” anything or perform any action that only root can do. It tells the programs it’s running that they’re running as root, but it’s lying; it doesn’t have any special privilege. A hacker using fakeroot (or similar techniques) couldn’t do anything special either, he or she could only lie about doing so.
– Stephen Kitt
Jul 11 at 15:03





5




5




It doesn’t happen because tar running as you can’t set the ownership of a file to root. Just because a tarball contains files with certain permissions, doesn’t mean that you can extract them with those permissions (unless you’re running as root).
– Stephen Kitt
Jul 11 at 15:34




It doesn’t happen because tar running as you can’t set the ownership of a file to root. Just because a tarball contains files with certain permissions, doesn’t mean that you can extract them with those permissions (unless you’re running as root).
– Stephen Kitt
Jul 11 at 15:34




1




1




@ng.newbie If you want an alternative explanation: its entirely possible for me to use a hex editor to manually construct a tar file containing files owned by root or with any other possible permissions. Its just some information bundled up, after all, it doesn't have any power until the file actually exists on the system.
– mbrig
Jul 11 at 21:44




@ng.newbie If you want an alternative explanation: its entirely possible for me to use a hex editor to manually construct a tar file containing files owned by root or with any other possible permissions. Its just some information bundled up, after all, it doesn't have any power until the file actually exists on the system.
– mbrig
Jul 11 at 21:44




2




2




@ng.newbie, in addition, if you wanted to create a tarball with a suid-root binary for malicious purposes, you could do that on some other machine as real root, then copy it to the target. No need for fakeroot there. fakeroot is just a tool to help in creating the tar-file, it removes the need for using tar --mode --owner for each and every file added to the archive (and works with other programs too). The potential issues come if/when you unpack an untrusted tar-file or archive as root, not when creating it.
– ilkkachu
Jul 12 at 9:22




@ng.newbie, in addition, if you wanted to create a tarball with a suid-root binary for malicious purposes, you could do that on some other machine as real root, then copy it to the target. No need for fakeroot there. fakeroot is just a tool to help in creating the tar-file, it removes the need for using tar --mode --owner for each and every file added to the archive (and works with other programs too). The potential issues come if/when you unpack an untrusted tar-file or archive as root, not when creating it.
– ilkkachu
Jul 12 at 9:22












up vote
7
down vote













NO. Fake root allows you to run permission manipulation and reporting tools, it will report consistently. However it will not actually grant these permissions. It will just look like you have them (fake). It will not change anything outside of the environment.



It is useful, if you want to create a directory structure, that contains ownership and permissions, that could not be set by your user, that you will then tar, zip, or other package.



It does not really elevate permissions, it is fake. It does not let you do anything (delete, write, read) that you could not otherwise do. You could produce the package (in theory) without it. You could get a fake report (ls) without it.



It is not a security flaw, because it does not allow access, or anything that you can't do without it. It runs without privilege. All it dose is intercept calls to chown, chmod, etc. It makes them a no-operation, except that it records what would have happened. It also intercepts calls to stat etc. so that it reports permissions and ownership, from its own internal database, as if the other commands had been done. This is useful, because if you then zip the directory, it will have the fake permissions. If you then unzip, as root, then the permissions will become real.



Any files that are not readable/writable before, will remain not readable/writable. Any special files (e.g. devices) created, will have no special powers. Any set-uid (to another user), files will not set-uid. Any other privilege escalation will not work.



It is a type of virtual machine: A virtual machine, in general, can simulate any environment/OS, but can not do anything to the host, that any other application could not do. Within the Virtual machine, you can appear to do anything. You can reinvent the security system to be the same or different, However this will all exist on the host, as resources owned by the user/group of the process running the virtual environment.






share|improve this answer























  • @ctrl-alt-decor As I have asked in the above comment, in *nix it is not possible to set the owner to root from another unprivileged user, correct? So there must a good reason for that if a program allows it, how is it not a security flaw?
    – ng.newbie
    Jul 11 at 13:02










  • @ctrl-alt-decor The fakeroot does not allow me to read/write/delete, but if I wrote a wrapper for the syscalls does it stand to reason that I can do those operations as well.
    – ng.newbie
    Jul 11 at 13:06










  • @ctrl-alt-decor So the only reason for fakeroot to exist is to set permissions to a file to root without being root. If that is not a security flaw then why would Linux disallow that in the first place?
    – ng.newbie
    Jul 11 at 15:25






  • 1




    No it allows you to fake setting user to any user, and fake some other things. Try it: run fakeroot and look at the files from outside, try to access files, that you should not.
    – ctrl-alt-delor
    Jul 11 at 15:48














up vote
7
down vote













NO. Fake root allows you to run permission manipulation and reporting tools, it will report consistently. However it will not actually grant these permissions. It will just look like you have them (fake). It will not change anything outside of the environment.



It is useful, if you want to create a directory structure, that contains ownership and permissions, that could not be set by your user, that you will then tar, zip, or other package.



It does not really elevate permissions, it is fake. It does not let you do anything (delete, write, read) that you could not otherwise do. You could produce the package (in theory) without it. You could get a fake report (ls) without it.



It is not a security flaw, because it does not allow access, or anything that you can't do without it. It runs without privilege. All it dose is intercept calls to chown, chmod, etc. It makes them a no-operation, except that it records what would have happened. It also intercepts calls to stat etc. so that it reports permissions and ownership, from its own internal database, as if the other commands had been done. This is useful, because if you then zip the directory, it will have the fake permissions. If you then unzip, as root, then the permissions will become real.



Any files that are not readable/writable before, will remain not readable/writable. Any special files (e.g. devices) created, will have no special powers. Any set-uid (to another user), files will not set-uid. Any other privilege escalation will not work.



It is a type of virtual machine: A virtual machine, in general, can simulate any environment/OS, but can not do anything to the host, that any other application could not do. Within the Virtual machine, you can appear to do anything. You can reinvent the security system to be the same or different, However this will all exist on the host, as resources owned by the user/group of the process running the virtual environment.






share|improve this answer























  • @ctrl-alt-decor As I have asked in the above comment, in *nix it is not possible to set the owner to root from another unprivileged user, correct? So there must a good reason for that if a program allows it, how is it not a security flaw?
    – ng.newbie
    Jul 11 at 13:02










  • @ctrl-alt-decor The fakeroot does not allow me to read/write/delete, but if I wrote a wrapper for the syscalls does it stand to reason that I can do those operations as well.
    – ng.newbie
    Jul 11 at 13:06










  • @ctrl-alt-decor So the only reason for fakeroot to exist is to set permissions to a file to root without being root. If that is not a security flaw then why would Linux disallow that in the first place?
    – ng.newbie
    Jul 11 at 15:25






  • 1




    No it allows you to fake setting user to any user, and fake some other things. Try it: run fakeroot and look at the files from outside, try to access files, that you should not.
    – ctrl-alt-delor
    Jul 11 at 15:48












up vote
7
down vote










up vote
7
down vote









NO. Fake root allows you to run permission manipulation and reporting tools, it will report consistently. However it will not actually grant these permissions. It will just look like you have them (fake). It will not change anything outside of the environment.



It is useful, if you want to create a directory structure, that contains ownership and permissions, that could not be set by your user, that you will then tar, zip, or other package.



It does not really elevate permissions, it is fake. It does not let you do anything (delete, write, read) that you could not otherwise do. You could produce the package (in theory) without it. You could get a fake report (ls) without it.



It is not a security flaw, because it does not allow access, or anything that you can't do without it. It runs without privilege. All it dose is intercept calls to chown, chmod, etc. It makes them a no-operation, except that it records what would have happened. It also intercepts calls to stat etc. so that it reports permissions and ownership, from its own internal database, as if the other commands had been done. This is useful, because if you then zip the directory, it will have the fake permissions. If you then unzip, as root, then the permissions will become real.



Any files that are not readable/writable before, will remain not readable/writable. Any special files (e.g. devices) created, will have no special powers. Any set-uid (to another user), files will not set-uid. Any other privilege escalation will not work.



It is a type of virtual machine: A virtual machine, in general, can simulate any environment/OS, but can not do anything to the host, that any other application could not do. Within the Virtual machine, you can appear to do anything. You can reinvent the security system to be the same or different, However this will all exist on the host, as resources owned by the user/group of the process running the virtual environment.






share|improve this answer















NO. Fake root allows you to run permission manipulation and reporting tools, it will report consistently. However it will not actually grant these permissions. It will just look like you have them (fake). It will not change anything outside of the environment.



It is useful, if you want to create a directory structure, that contains ownership and permissions, that could not be set by your user, that you will then tar, zip, or other package.



It does not really elevate permissions, it is fake. It does not let you do anything (delete, write, read) that you could not otherwise do. You could produce the package (in theory) without it. You could get a fake report (ls) without it.



It is not a security flaw, because it does not allow access, or anything that you can't do without it. It runs without privilege. All it dose is intercept calls to chown, chmod, etc. It makes them a no-operation, except that it records what would have happened. It also intercepts calls to stat etc. so that it reports permissions and ownership, from its own internal database, as if the other commands had been done. This is useful, because if you then zip the directory, it will have the fake permissions. If you then unzip, as root, then the permissions will become real.



Any files that are not readable/writable before, will remain not readable/writable. Any special files (e.g. devices) created, will have no special powers. Any set-uid (to another user), files will not set-uid. Any other privilege escalation will not work.



It is a type of virtual machine: A virtual machine, in general, can simulate any environment/OS, but can not do anything to the host, that any other application could not do. Within the Virtual machine, you can appear to do anything. You can reinvent the security system to be the same or different, However this will all exist on the host, as resources owned by the user/group of the process running the virtual environment.







share|improve this answer















share|improve this answer



share|improve this answer








edited Jul 11 at 13:18


























answered Jul 11 at 12:49









ctrl-alt-delor

8,64331946




8,64331946











  • @ctrl-alt-decor As I have asked in the above comment, in *nix it is not possible to set the owner to root from another unprivileged user, correct? So there must a good reason for that if a program allows it, how is it not a security flaw?
    – ng.newbie
    Jul 11 at 13:02










  • @ctrl-alt-decor The fakeroot does not allow me to read/write/delete, but if I wrote a wrapper for the syscalls does it stand to reason that I can do those operations as well.
    – ng.newbie
    Jul 11 at 13:06










  • @ctrl-alt-decor So the only reason for fakeroot to exist is to set permissions to a file to root without being root. If that is not a security flaw then why would Linux disallow that in the first place?
    – ng.newbie
    Jul 11 at 15:25






  • 1




    No it allows you to fake setting user to any user, and fake some other things. Try it: run fakeroot and look at the files from outside, try to access files, that you should not.
    – ctrl-alt-delor
    Jul 11 at 15:48
















  • @ctrl-alt-decor As I have asked in the above comment, in *nix it is not possible to set the owner to root from another unprivileged user, correct? So there must a good reason for that if a program allows it, how is it not a security flaw?
    – ng.newbie
    Jul 11 at 13:02










  • @ctrl-alt-decor The fakeroot does not allow me to read/write/delete, but if I wrote a wrapper for the syscalls does it stand to reason that I can do those operations as well.
    – ng.newbie
    Jul 11 at 13:06










  • @ctrl-alt-decor So the only reason for fakeroot to exist is to set permissions to a file to root without being root. If that is not a security flaw then why would Linux disallow that in the first place?
    – ng.newbie
    Jul 11 at 15:25






  • 1




    No it allows you to fake setting user to any user, and fake some other things. Try it: run fakeroot and look at the files from outside, try to access files, that you should not.
    – ctrl-alt-delor
    Jul 11 at 15:48















@ctrl-alt-decor As I have asked in the above comment, in *nix it is not possible to set the owner to root from another unprivileged user, correct? So there must a good reason for that if a program allows it, how is it not a security flaw?
– ng.newbie
Jul 11 at 13:02




@ctrl-alt-decor As I have asked in the above comment, in *nix it is not possible to set the owner to root from another unprivileged user, correct? So there must a good reason for that if a program allows it, how is it not a security flaw?
– ng.newbie
Jul 11 at 13:02












@ctrl-alt-decor The fakeroot does not allow me to read/write/delete, but if I wrote a wrapper for the syscalls does it stand to reason that I can do those operations as well.
– ng.newbie
Jul 11 at 13:06




@ctrl-alt-decor The fakeroot does not allow me to read/write/delete, but if I wrote a wrapper for the syscalls does it stand to reason that I can do those operations as well.
– ng.newbie
Jul 11 at 13:06












@ctrl-alt-decor So the only reason for fakeroot to exist is to set permissions to a file to root without being root. If that is not a security flaw then why would Linux disallow that in the first place?
– ng.newbie
Jul 11 at 15:25




@ctrl-alt-decor So the only reason for fakeroot to exist is to set permissions to a file to root without being root. If that is not a security flaw then why would Linux disallow that in the first place?
– ng.newbie
Jul 11 at 15:25




1




1




No it allows you to fake setting user to any user, and fake some other things. Try it: run fakeroot and look at the files from outside, try to access files, that you should not.
– ctrl-alt-delor
Jul 11 at 15:48




No it allows you to fake setting user to any user, and fake some other things. Try it: run fakeroot and look at the files from outside, try to access files, that you should not.
– ctrl-alt-delor
Jul 11 at 15:48










up vote
4
down vote













There are already two good, and very detailed answers here, but I'll just point out that the introductory paragraph of the original fakeroot man page1 actually explains it pretty clearly and concisely:




fakeroot runs a command in an environment wherein it appears to have root privileges for file manipulation. This is useful for allowing users to create archives (tar, ar, .deb etc.) with files in them with root permissions/ownership. Without fakeroot one would need to have root privileges to create the constituent files of the archives with the correct permissions and ownership, and then pack them up, or one would have to construct the archives directly, without using the archiver.




Fakeroot allows a non-root user to create archives containing root-owned files, which is a critical part of generating and distributing binary software packages in Linux. Without fakeroot, package archives would have to be generated while running as actual root, so that they contain the correct file ownership and permissions. That would be a security risk. Building and packaging potentially-untrusted software is a huge exposure if done with root privs. Thanks to fakeroot, an unprivileged user with unprivileged files can still generate archives containing files with root ownership.2



But it's not a security risk, because nothing in the archive is actually owned by root until the files are EXTRACTED. And even then, the files will only be extracted with their root permissions intact if it's done by a privileged user. That step — where a fakeroot-assisted archive containing "root" files is extracted by a privileged user — is where the "fake" root finally becomes real. Up until that point, no actual root privileges are ever obtained or bypassed.



Notes



  1. Fakeroot has spawned some competitors/imitators that will masquerade as fakeroot if installed, including fakeroot-ng and pseudo. But IMHO neither "imitator's" man page is nearly as clear about getting right to the point on this question. Stick with the original, one and only fakeroot O.G.


  2. Other distros/packaging-systems overcome this by simply not using root ownership in their package archives. On Fedora, for instance, software can be compiled, installed, and packaged by an unprivileged user without requiring fakeroot. It's all done within the user's $HOME/rpmbuild/ space, and normally-privileged steps like make install get redirected (via mechanisms like --prefix and DESTDIR) to a $HOME/rpmbuild/BUILDROOT/ hierarchy that could be considered a sort of "fakechroot" space (without actually using fakechroot).



    But even during make install, everything is executed as and owned by the
    unprivileged user. Extracted file ownership and permissions will be set to root,root and 0644 (or 0755 for executables) by default, unless overridden in the package definition (.spec) file in which case they're stored as metadata within the final package.
    Because no permissions or ownership are actually applied until the rpm package's (privileged)
    installation process, neither root nor fakeroot is needed during packaging. But fakeroot is really just a different
    path to that same result.







share|improve this answer



















  • 1




    Regarding your first note, fakeroot-ng claims to supersede fakeroot, but in practice it hasn’t replaced it, and AFAIK fakeroot is still the tool used in Debian by default (when necessary).
    – Stephen Kitt
    Jul 12 at 13:04











  • @StephenKitt Aha! Thanks. I was wondering about that. Initially I was confused because I went searching for the fakeroot manpage, and Google dumped me at fakeroot-ng's (masquerading as fakeroot(1)), and I guess I overpresumed. But I see now that fakeroot-ng hasn't been updated since 2014, whereas fakeroot is still active. There's apparently also pseudo which made a go of it a couple of years ago, but has now stalled. I'll tweak my answer accordingly.
    – FeRD
    Jul 12 at 13:12






  • 1




    Yeah I was confused at first too, since the fakeroot manpage on Debian’s site leads to fakeroot-ng’s version by default. Check out the last paragraph of the fakeroot-ng for an amusing twist ;-).
    – Stephen Kitt
    Jul 12 at 13:25














up vote
4
down vote













There are already two good, and very detailed answers here, but I'll just point out that the introductory paragraph of the original fakeroot man page1 actually explains it pretty clearly and concisely:




fakeroot runs a command in an environment wherein it appears to have root privileges for file manipulation. This is useful for allowing users to create archives (tar, ar, .deb etc.) with files in them with root permissions/ownership. Without fakeroot one would need to have root privileges to create the constituent files of the archives with the correct permissions and ownership, and then pack them up, or one would have to construct the archives directly, without using the archiver.




Fakeroot allows a non-root user to create archives containing root-owned files, which is a critical part of generating and distributing binary software packages in Linux. Without fakeroot, package archives would have to be generated while running as actual root, so that they contain the correct file ownership and permissions. That would be a security risk. Building and packaging potentially-untrusted software is a huge exposure if done with root privs. Thanks to fakeroot, an unprivileged user with unprivileged files can still generate archives containing files with root ownership.2



But it's not a security risk, because nothing in the archive is actually owned by root until the files are EXTRACTED. And even then, the files will only be extracted with their root permissions intact if it's done by a privileged user. That step — where a fakeroot-assisted archive containing "root" files is extracted by a privileged user — is where the "fake" root finally becomes real. Up until that point, no actual root privileges are ever obtained or bypassed.



Notes



  1. Fakeroot has spawned some competitors/imitators that will masquerade as fakeroot if installed, including fakeroot-ng and pseudo. But IMHO neither "imitator's" man page is nearly as clear about getting right to the point on this question. Stick with the original, one and only fakeroot O.G.


  2. Other distros/packaging-systems overcome this by simply not using root ownership in their package archives. On Fedora, for instance, software can be compiled, installed, and packaged by an unprivileged user without requiring fakeroot. It's all done within the user's $HOME/rpmbuild/ space, and normally-privileged steps like make install get redirected (via mechanisms like --prefix and DESTDIR) to a $HOME/rpmbuild/BUILDROOT/ hierarchy that could be considered a sort of "fakechroot" space (without actually using fakechroot).



    But even during make install, everything is executed as and owned by the
    unprivileged user. Extracted file ownership and permissions will be set to root,root and 0644 (or 0755 for executables) by default, unless overridden in the package definition (.spec) file in which case they're stored as metadata within the final package.
    Because no permissions or ownership are actually applied until the rpm package's (privileged)
    installation process, neither root nor fakeroot is needed during packaging. But fakeroot is really just a different
    path to that same result.







share|improve this answer



















  • 1




    Regarding your first note, fakeroot-ng claims to supersede fakeroot, but in practice it hasn’t replaced it, and AFAIK fakeroot is still the tool used in Debian by default (when necessary).
    – Stephen Kitt
    Jul 12 at 13:04











  • @StephenKitt Aha! Thanks. I was wondering about that. Initially I was confused because I went searching for the fakeroot manpage, and Google dumped me at fakeroot-ng's (masquerading as fakeroot(1)), and I guess I overpresumed. But I see now that fakeroot-ng hasn't been updated since 2014, whereas fakeroot is still active. There's apparently also pseudo which made a go of it a couple of years ago, but has now stalled. I'll tweak my answer accordingly.
    – FeRD
    Jul 12 at 13:12






  • 1




    Yeah I was confused at first too, since the fakeroot manpage on Debian’s site leads to fakeroot-ng’s version by default. Check out the last paragraph of the fakeroot-ng for an amusing twist ;-).
    – Stephen Kitt
    Jul 12 at 13:25












up vote
4
down vote










up vote
4
down vote









There are already two good, and very detailed answers here, but I'll just point out that the introductory paragraph of the original fakeroot man page1 actually explains it pretty clearly and concisely:




fakeroot runs a command in an environment wherein it appears to have root privileges for file manipulation. This is useful for allowing users to create archives (tar, ar, .deb etc.) with files in them with root permissions/ownership. Without fakeroot one would need to have root privileges to create the constituent files of the archives with the correct permissions and ownership, and then pack them up, or one would have to construct the archives directly, without using the archiver.




Fakeroot allows a non-root user to create archives containing root-owned files, which is a critical part of generating and distributing binary software packages in Linux. Without fakeroot, package archives would have to be generated while running as actual root, so that they contain the correct file ownership and permissions. That would be a security risk. Building and packaging potentially-untrusted software is a huge exposure if done with root privs. Thanks to fakeroot, an unprivileged user with unprivileged files can still generate archives containing files with root ownership.2



But it's not a security risk, because nothing in the archive is actually owned by root until the files are EXTRACTED. And even then, the files will only be extracted with their root permissions intact if it's done by a privileged user. That step — where a fakeroot-assisted archive containing "root" files is extracted by a privileged user — is where the "fake" root finally becomes real. Up until that point, no actual root privileges are ever obtained or bypassed.



Notes



  1. Fakeroot has spawned some competitors/imitators that will masquerade as fakeroot if installed, including fakeroot-ng and pseudo. But IMHO neither "imitator's" man page is nearly as clear about getting right to the point on this question. Stick with the original, one and only fakeroot O.G.


  2. Other distros/packaging-systems overcome this by simply not using root ownership in their package archives. On Fedora, for instance, software can be compiled, installed, and packaged by an unprivileged user without requiring fakeroot. It's all done within the user's $HOME/rpmbuild/ space, and normally-privileged steps like make install get redirected (via mechanisms like --prefix and DESTDIR) to a $HOME/rpmbuild/BUILDROOT/ hierarchy that could be considered a sort of "fakechroot" space (without actually using fakechroot).



    But even during make install, everything is executed as and owned by the
    unprivileged user. Extracted file ownership and permissions will be set to root,root and 0644 (or 0755 for executables) by default, unless overridden in the package definition (.spec) file in which case they're stored as metadata within the final package.
    Because no permissions or ownership are actually applied until the rpm package's (privileged)
    installation process, neither root nor fakeroot is needed during packaging. But fakeroot is really just a different
    path to that same result.







share|improve this answer















There are already two good, and very detailed answers here, but I'll just point out that the introductory paragraph of the original fakeroot man page1 actually explains it pretty clearly and concisely:




fakeroot runs a command in an environment wherein it appears to have root privileges for file manipulation. This is useful for allowing users to create archives (tar, ar, .deb etc.) with files in them with root permissions/ownership. Without fakeroot one would need to have root privileges to create the constituent files of the archives with the correct permissions and ownership, and then pack them up, or one would have to construct the archives directly, without using the archiver.




Fakeroot allows a non-root user to create archives containing root-owned files, which is a critical part of generating and distributing binary software packages in Linux. Without fakeroot, package archives would have to be generated while running as actual root, so that they contain the correct file ownership and permissions. That would be a security risk. Building and packaging potentially-untrusted software is a huge exposure if done with root privs. Thanks to fakeroot, an unprivileged user with unprivileged files can still generate archives containing files with root ownership.2



But it's not a security risk, because nothing in the archive is actually owned by root until the files are EXTRACTED. And even then, the files will only be extracted with their root permissions intact if it's done by a privileged user. That step — where a fakeroot-assisted archive containing "root" files is extracted by a privileged user — is where the "fake" root finally becomes real. Up until that point, no actual root privileges are ever obtained or bypassed.



Notes



  1. Fakeroot has spawned some competitors/imitators that will masquerade as fakeroot if installed, including fakeroot-ng and pseudo. But IMHO neither "imitator's" man page is nearly as clear about getting right to the point on this question. Stick with the original, one and only fakeroot O.G.


  2. Other distros/packaging-systems overcome this by simply not using root ownership in their package archives. On Fedora, for instance, software can be compiled, installed, and packaged by an unprivileged user without requiring fakeroot. It's all done within the user's $HOME/rpmbuild/ space, and normally-privileged steps like make install get redirected (via mechanisms like --prefix and DESTDIR) to a $HOME/rpmbuild/BUILDROOT/ hierarchy that could be considered a sort of "fakechroot" space (without actually using fakechroot).



    But even during make install, everything is executed as and owned by the
    unprivileged user. Extracted file ownership and permissions will be set to root,root and 0644 (or 0755 for executables) by default, unless overridden in the package definition (.spec) file in which case they're stored as metadata within the final package.
    Because no permissions or ownership are actually applied until the rpm package's (privileged)
    installation process, neither root nor fakeroot is needed during packaging. But fakeroot is really just a different
    path to that same result.








share|improve this answer















share|improve this answer



share|improve this answer








edited Jul 16 at 12:42


























answered Jul 12 at 8:42









FeRD

344210




344210







  • 1




    Regarding your first note, fakeroot-ng claims to supersede fakeroot, but in practice it hasn’t replaced it, and AFAIK fakeroot is still the tool used in Debian by default (when necessary).
    – Stephen Kitt
    Jul 12 at 13:04











  • @StephenKitt Aha! Thanks. I was wondering about that. Initially I was confused because I went searching for the fakeroot manpage, and Google dumped me at fakeroot-ng's (masquerading as fakeroot(1)), and I guess I overpresumed. But I see now that fakeroot-ng hasn't been updated since 2014, whereas fakeroot is still active. There's apparently also pseudo which made a go of it a couple of years ago, but has now stalled. I'll tweak my answer accordingly.
    – FeRD
    Jul 12 at 13:12






  • 1




    Yeah I was confused at first too, since the fakeroot manpage on Debian’s site leads to fakeroot-ng’s version by default. Check out the last paragraph of the fakeroot-ng for an amusing twist ;-).
    – Stephen Kitt
    Jul 12 at 13:25












  • 1




    Regarding your first note, fakeroot-ng claims to supersede fakeroot, but in practice it hasn’t replaced it, and AFAIK fakeroot is still the tool used in Debian by default (when necessary).
    – Stephen Kitt
    Jul 12 at 13:04











  • @StephenKitt Aha! Thanks. I was wondering about that. Initially I was confused because I went searching for the fakeroot manpage, and Google dumped me at fakeroot-ng's (masquerading as fakeroot(1)), and I guess I overpresumed. But I see now that fakeroot-ng hasn't been updated since 2014, whereas fakeroot is still active. There's apparently also pseudo which made a go of it a couple of years ago, but has now stalled. I'll tweak my answer accordingly.
    – FeRD
    Jul 12 at 13:12






  • 1




    Yeah I was confused at first too, since the fakeroot manpage on Debian’s site leads to fakeroot-ng’s version by default. Check out the last paragraph of the fakeroot-ng for an amusing twist ;-).
    – Stephen Kitt
    Jul 12 at 13:25







1




1




Regarding your first note, fakeroot-ng claims to supersede fakeroot, but in practice it hasn’t replaced it, and AFAIK fakeroot is still the tool used in Debian by default (when necessary).
– Stephen Kitt
Jul 12 at 13:04





Regarding your first note, fakeroot-ng claims to supersede fakeroot, but in practice it hasn’t replaced it, and AFAIK fakeroot is still the tool used in Debian by default (when necessary).
– Stephen Kitt
Jul 12 at 13:04













@StephenKitt Aha! Thanks. I was wondering about that. Initially I was confused because I went searching for the fakeroot manpage, and Google dumped me at fakeroot-ng's (masquerading as fakeroot(1)), and I guess I overpresumed. But I see now that fakeroot-ng hasn't been updated since 2014, whereas fakeroot is still active. There's apparently also pseudo which made a go of it a couple of years ago, but has now stalled. I'll tweak my answer accordingly.
– FeRD
Jul 12 at 13:12




@StephenKitt Aha! Thanks. I was wondering about that. Initially I was confused because I went searching for the fakeroot manpage, and Google dumped me at fakeroot-ng's (masquerading as fakeroot(1)), and I guess I overpresumed. But I see now that fakeroot-ng hasn't been updated since 2014, whereas fakeroot is still active. There's apparently also pseudo which made a go of it a couple of years ago, but has now stalled. I'll tweak my answer accordingly.
– FeRD
Jul 12 at 13:12




1




1




Yeah I was confused at first too, since the fakeroot manpage on Debian’s site leads to fakeroot-ng’s version by default. Check out the last paragraph of the fakeroot-ng for an amusing twist ;-).
– Stephen Kitt
Jul 12 at 13:25




Yeah I was confused at first too, since the fakeroot manpage on Debian’s site leads to fakeroot-ng’s version by default. Check out the last paragraph of the fakeroot-ng for an amusing twist ;-).
– Stephen Kitt
Jul 12 at 13:25












 

draft saved


draft discarded


























 


draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f454686%2fhow-fakeroot-is-not-a-security-breach-in-linux%23new-answer', 'question_page');

);

Post as a guest













































































Popular posts from this blog

How to check contact read email or not when send email to Individual?

Displaying single band from multi-band raster using QGIS

How many registers does an x86_64 CPU actually have?