How fakeroot is not a security breach in Linux?
Clash Royale CLAN TAG#URR8PPP
up vote
17
down vote
favorite
After reading some pretty nice answers from this question, I am still fuzzy on why you would want to pretend that you are root without getting any of the benefits of actually being root.
So far, what I can gather is that fakeroot is used to give ownership to a file that needs to be root when it is unzip/tar'ed. My question, is why can't you just do that with chown?
A Google Groups discussion here points out that you need fakeroot to compile a Debian kernel (if you want to do it from an unprivileged user). My comment is that, the reason you need to be root in order to compile is probably because read permissions were not set for other users. If so isn't it a security violation that fakeroot allows for compilation(which means gcc can now read a file that was for root)?
This answer here describes that the actual system calls are made with real uid/gid of the user, so again where does fakeroot help?
How does fakeroot stop unwanted privilege escalations on Linux? If fakeroot can trick tar into making a file that was owned by root, why not do something similar with SUID?
From what I have gathered, fakeroot is just useful when you want to change the owner of any package files that you built to root. But you can do that with chown, so where am I lacking in my understanding of how this component is suppose to be used?
linux chown fakeroot
add a comment |Â
up vote
17
down vote
favorite
After reading some pretty nice answers from this question, I am still fuzzy on why you would want to pretend that you are root without getting any of the benefits of actually being root.
So far, what I can gather is that fakeroot is used to give ownership to a file that needs to be root when it is unzip/tar'ed. My question, is why can't you just do that with chown?
A Google Groups discussion here points out that you need fakeroot to compile a Debian kernel (if you want to do it from an unprivileged user). My comment is that, the reason you need to be root in order to compile is probably because read permissions were not set for other users. If so isn't it a security violation that fakeroot allows for compilation(which means gcc can now read a file that was for root)?
This answer here describes that the actual system calls are made with real uid/gid of the user, so again where does fakeroot help?
How does fakeroot stop unwanted privilege escalations on Linux? If fakeroot can trick tar into making a file that was owned by root, why not do something similar with SUID?
From what I have gathered, fakeroot is just useful when you want to change the owner of any package files that you built to root. But you can do that with chown, so where am I lacking in my understanding of how this component is suppose to be used?
linux chown fakeroot
1
You don't need fakeroot to compile a kernel. The kernel build system isn't that crazy. The linked discussion is about making a Debian kernel package, in which the actual kernel build is just one step.
â Wumpus Q. Wumbley
Jul 11 at 12:45
@WumpusQ.Wumbley I will correct that, and could you tell me why that is the case?
â ng.newbie
Jul 11 at 12:51
Because fakeroot is a Debian thing, and Linux is more than Debian?
â Wumpus Q. Wumbley
Jul 11 at 13:10
@WumpusQ.Wumbley it should run on any distribution.
â immibis
Jul 12 at 4:38
add a comment |Â
up vote
17
down vote
favorite
up vote
17
down vote
favorite
After reading some pretty nice answers from this question, I am still fuzzy on why you would want to pretend that you are root without getting any of the benefits of actually being root.
So far, what I can gather is that fakeroot is used to give ownership to a file that needs to be root when it is unzip/tar'ed. My question, is why can't you just do that with chown?
A Google Groups discussion here points out that you need fakeroot to compile a Debian kernel (if you want to do it from an unprivileged user). My comment is that, the reason you need to be root in order to compile is probably because read permissions were not set for other users. If so isn't it a security violation that fakeroot allows for compilation(which means gcc can now read a file that was for root)?
This answer here describes that the actual system calls are made with real uid/gid of the user, so again where does fakeroot help?
How does fakeroot stop unwanted privilege escalations on Linux? If fakeroot can trick tar into making a file that was owned by root, why not do something similar with SUID?
From what I have gathered, fakeroot is just useful when you want to change the owner of any package files that you built to root. But you can do that with chown, so where am I lacking in my understanding of how this component is suppose to be used?
linux chown fakeroot
After reading some pretty nice answers from this question, I am still fuzzy on why you would want to pretend that you are root without getting any of the benefits of actually being root.
So far, what I can gather is that fakeroot is used to give ownership to a file that needs to be root when it is unzip/tar'ed. My question, is why can't you just do that with chown?
A Google Groups discussion here points out that you need fakeroot to compile a Debian kernel (if you want to do it from an unprivileged user). My comment is that, the reason you need to be root in order to compile is probably because read permissions were not set for other users. If so isn't it a security violation that fakeroot allows for compilation(which means gcc can now read a file that was for root)?
This answer here describes that the actual system calls are made with real uid/gid of the user, so again where does fakeroot help?
How does fakeroot stop unwanted privilege escalations on Linux? If fakeroot can trick tar into making a file that was owned by root, why not do something similar with SUID?
From what I have gathered, fakeroot is just useful when you want to change the owner of any package files that you built to root. But you can do that with chown, so where am I lacking in my understanding of how this component is suppose to be used?
linux chown fakeroot
edited Jul 12 at 9:47
asked Jul 11 at 12:24
ng.newbie
252211
252211
1
You don't need fakeroot to compile a kernel. The kernel build system isn't that crazy. The linked discussion is about making a Debian kernel package, in which the actual kernel build is just one step.
â Wumpus Q. Wumbley
Jul 11 at 12:45
@WumpusQ.Wumbley I will correct that, and could you tell me why that is the case?
â ng.newbie
Jul 11 at 12:51
Because fakeroot is a Debian thing, and Linux is more than Debian?
â Wumpus Q. Wumbley
Jul 11 at 13:10
@WumpusQ.Wumbley it should run on any distribution.
â immibis
Jul 12 at 4:38
add a comment |Â
1
You don't need fakeroot to compile a kernel. The kernel build system isn't that crazy. The linked discussion is about making a Debian kernel package, in which the actual kernel build is just one step.
â Wumpus Q. Wumbley
Jul 11 at 12:45
@WumpusQ.Wumbley I will correct that, and could you tell me why that is the case?
â ng.newbie
Jul 11 at 12:51
Because fakeroot is a Debian thing, and Linux is more than Debian?
â Wumpus Q. Wumbley
Jul 11 at 13:10
@WumpusQ.Wumbley it should run on any distribution.
â immibis
Jul 12 at 4:38
1
1
You don't need fakeroot to compile a kernel. The kernel build system isn't that crazy. The linked discussion is about making a Debian kernel package, in which the actual kernel build is just one step.
â Wumpus Q. Wumbley
Jul 11 at 12:45
You don't need fakeroot to compile a kernel. The kernel build system isn't that crazy. The linked discussion is about making a Debian kernel package, in which the actual kernel build is just one step.
â Wumpus Q. Wumbley
Jul 11 at 12:45
@WumpusQ.Wumbley I will correct that, and could you tell me why that is the case?
â ng.newbie
Jul 11 at 12:51
@WumpusQ.Wumbley I will correct that, and could you tell me why that is the case?
â ng.newbie
Jul 11 at 12:51
Because fakeroot is a Debian thing, and Linux is more than Debian?
â Wumpus Q. Wumbley
Jul 11 at 13:10
Because fakeroot is a Debian thing, and Linux is more than Debian?
â Wumpus Q. Wumbley
Jul 11 at 13:10
@WumpusQ.Wumbley it should run on any distribution.
â immibis
Jul 12 at 4:38
@WumpusQ.Wumbley it should run on any distribution.
â immibis
Jul 12 at 4:38
add a comment |Â
3 Answers
3
active
oldest
votes
up vote
32
down vote
accepted
So far, what I can gather is that fakeroot is used to give ownership to a file that needs to be root when it is unzip/tar'ed. My question, is why can't you just do that with chown?
Because you canâÂÂt just do that with chown
, at least not as a non-root user. (And if youâÂÂre running as root, you donâÂÂt need fakeroot
.) ThatâÂÂs the whole point of fakeroot
: to allow programs which expect to be run as root to run as a normal user, while pretending that the root-requiring operations succeed.
This is used typically when building a package, so that the installation process of the package being installed can proceed without error (even if it runs chown root:root
, or install -o root
, etc.). fakeroot
remembers the fake ownership which it pretended to give files, so subsequent operations looking at the ownership see this instead of the real one; this allows subsequent tar
runs for example to store files as owned by root.
How does fakeroot stop unwanted privilege escalations on Linux? If fakeroot can trick tar into making a file that was owned by root, why not do something similar with SUID?
fakeroot
doesnâÂÂt trick tar
into doing anything, it preserves changes the build wants to make without letting those changes take effect on the system hosting the build. You donâÂÂt need fakeroot
to produce a tarball containing a file owned by root and suid; if you have a binary evilbinary
, running tar cf evil.tar --mode=4755 --owner=root --group=root evilbinary
, as a regular user, will create a tarball containing evilbinary
, owned by root, and suid. However, you wonâÂÂt be able to extract that tarball and preserve those permissions unless you do so as root: there is no privilege escalation here. fakeroot
is a privilege de-escalation tool: it allows you to run a build as a regular user, while preserving the effects the build would have had if it had been run as root, allowing those effects to be replayed later. Applying the effects âÂÂfor realâ always requires root privileges; fakeroot
doesnâÂÂt provide any method of acquiring them.
To understand the use of fakeroot
in more detail, consider that a typical distribution build involves the following operations (among many others):
- install files, owned by root
- ...
- archive those files, still owned by root, so that when theyâÂÂre extracted, theyâÂÂll be owned by root
The first part obviously fails if youâÂÂre not root. However, when running under fakeroot
, as a normal user, the process becomes
- install files, owned by root â this fails, but
fakeroot
pretends it succeeds, and remembers the changed ownership - ...
- archive those files, still owned by root â when
tar
(or whatever archiver is being used) asks the system what the file ownership is,fakeroot
changes the answer to match the ownership it recorded earlier
Thus you can run a package build without being root, while obtaining the same results youâÂÂd get if you were really running as root. Using fakeroot
is safer: the system still canâÂÂt do anything your user canâÂÂt do, so a rogue installation process canâÂÂt damage your system (beyond touching your files).
In Debian, the build tools have been improved so as not to require this any more, and you can build packages without fakeroot
. This is supported by dpkg
directly with the Rules-Requires-Root
directive (see rootless-builds.txt
).
To understand the purpose of fakeroot
, and the security aspects of running as root or not, it might help to consider the purpose of packaging. When you install a piece of software from source, for use system-wide, you proceed as follows:
- build the software (which can be done without privileges)
- install the software (which needs to be done as root, or at least as a user allowed to write to the appropriate system locations)
When you package a piece of software, youâÂÂre delaying the second part; but to do so successfully, you still need to âÂÂinstallâ the software, into the package rather than onto the system. So when you package software, the process becomes:
- build the software (with no special privileges)
- pretend to install the software (again with no special privileges)
- capture the software installation as a package (ditto)
- make the package available (ditto)
Now a user completes the process by installing the package, which needs to be done as root (or again, a user with the appropriate privileges to write to the appropriate locations). This is where the delayed privileged process is realised, and is the only part of the process which needs special privileges.
fakeroot
helps with steps 2 and 3 above by allowing us to run software installation processes, and capture their behaviour, without running as root.
1
@ng.newbie see my updated answer. When you are not root, you canâÂÂt change the ownership of a file to root (or anyone else). Becausefakeroot
pretends, it doesnâÂÂt need to be root (same as when an actor pretends to be someone else, he or she isnâÂÂt that person).
â Stephen Kitt
Jul 11 at 13:07
3
@ng.newbie IâÂÂm afraid I donâÂÂt understand why youâÂÂre confused.fakeroot
canâÂÂt do anything more than the user; it doesnâÂÂt have any ability to âÂÂhackâ anything or perform any action that only root can do. It tells the programs itâÂÂs running that theyâÂÂre running as root, but itâÂÂs lying; it doesnâÂÂt have any special privilege. A hacker usingfakeroot
(or similar techniques) couldnâÂÂt do anything special either, he or she could only lie about doing so.
â Stephen Kitt
Jul 11 at 15:03
5
It doesnâÂÂt happen becausetar
running as you canâÂÂt set the ownership of a file to root. Just because a tarball contains files with certain permissions, doesnâÂÂt mean that you can extract them with those permissions (unless youâÂÂre running as root).
â Stephen Kitt
Jul 11 at 15:34
1
@ng.newbie If you want an alternative explanation: its entirely possible for me to use a hex editor to manually construct a tar file containing files owned by root or with any other possible permissions. Its just some information bundled up, after all, it doesn't have any power until the file actually exists on the system.
â mbrig
Jul 11 at 21:44
2
@ng.newbie, in addition, if you wanted to create a tarball with a suid-root binary for malicious purposes, you could do that on some other machine as real root, then copy it to the target. No need for fakeroot there. fakeroot is just a tool to help in creating the tar-file, it removes the need for usingtar --mode --owner
for each and every file added to the archive (and works with other programs too). The potential issues come if/when you unpack an untrusted tar-file or archive as root, not when creating it.
â ilkkachu
Jul 12 at 9:22
 |Â
show 13 more comments
up vote
7
down vote
NO. Fake root allows you to run permission manipulation and reporting tools, it will report consistently. However it will not actually grant these permissions. It will just look like you have them (fake). It will not change anything outside of the environment.
It is useful, if you want to create a directory structure, that contains ownership and permissions, that could not be set by your user, that you will then tar, zip, or other package.
It does not really elevate permissions, it is fake. It does not let you do anything (delete, write, read) that you could not otherwise do. You could produce the package (in theory) without it. You could get a fake report (ls
) without it.
It is not a security flaw, because it does not allow access, or anything that you can't do without it. It runs without privilege. All it dose is intercept calls to chown
, chmod
, etc. It makes them a no-operation, except that it records what would have happened. It also intercepts calls to stat
etc. so that it reports permissions and ownership, from its own internal database, as if the other commands had been done. This is useful, because if you then zip the directory, it will have the fake permissions. If you then unzip, as root, then the permissions will become real.
Any files that are not readable/writable before, will remain not readable/writable. Any special files (e.g. devices) created, will have no special powers. Any set-uid (to another user), files will not set-uid. Any other privilege escalation will not work.
It is a type of virtual machine: A virtual machine, in general, can simulate any environment/OS, but can not do anything to the host, that any other application could not do. Within the Virtual machine, you can appear to do anything. You can reinvent the security system to be the same or different, However this will all exist on the host, as resources owned by the user/group of the process running the virtual environment.
@ctrl-alt-decor As I have asked in the above comment, in *nix it is not possible to set the owner to root from another unprivileged user, correct? So there must a good reason for that if a program allows it, how is it not a security flaw?
â ng.newbie
Jul 11 at 13:02
@ctrl-alt-decor The fakeroot does not allow me to read/write/delete, but if I wrote a wrapper for the syscalls does it stand to reason that I can do those operations as well.
â ng.newbie
Jul 11 at 13:06
@ctrl-alt-decor So the only reason for fakeroot to exist is to set permissions to a file to root without being root. If that is not a security flaw then why would Linux disallow that in the first place?
â ng.newbie
Jul 11 at 15:25
1
No it allows you to fake setting user to any user, and fake some other things. Try it: run fakeroot and look at the files from outside, try to access files, that you should not.
â ctrl-alt-delor
Jul 11 at 15:48
add a comment |Â
up vote
4
down vote
There are already two good, and very detailed answers here, but I'll just point out that the introductory paragraph of the original fakeroot
man page1 actually explains it pretty clearly and concisely:
fakeroot runs a command in an environment wherein it appears to have root privileges for file manipulation. This is useful for allowing users to create archives (tar, ar, .deb etc.) with files in them with root permissions/ownership. Without fakeroot one would need to have root privileges to create the constituent files of the archives with the correct permissions and ownership, and then pack them up, or one would have to construct the archives directly, without using the archiver.
Fakeroot allows a non-root user to create archives containing root-owned files, which is a critical part of generating and distributing binary software packages in Linux. Without fakeroot
, package archives would have to be generated while running as actual root, so that they contain the correct file ownership and permissions. That would be a security risk. Building and packaging potentially-untrusted software is a huge exposure if done with root privs. Thanks to fakeroot
, an unprivileged user with unprivileged files can still generate archives containing files with root ownership.2
But it's not a security risk, because nothing in the archive is actually owned by root until the files are EXTRACTED. And even then, the files will only be extracted with their root permissions intact if it's done by a privileged user. That step â where a fakeroot
-assisted archive containing "root" files is extracted by a privileged user â is where the "fake" root finally becomes real. Up until that point, no actual root privileges are ever obtained or bypassed.
Notes
- Fakeroot has spawned some competitors/imitators that will masquerade as
fakeroot
if installed, includingfakeroot-ng
andpseudo
. But IMHO neither "imitator's" man page is nearly as clear about getting right to the point on this question. Stick with the original, one and onlyfakeroot
O.G. Other distros/packaging-systems overcome this by simply not using root ownership in their package archives. On Fedora, for instance, software can be compiled, installed, and packaged by an unprivileged user without requiring
fakeroot
. It's all done within the user's$HOME/rpmbuild/
space, and normally-privileged steps likemake install
get redirected (via mechanisms like--prefix
andDESTDIR
) to a$HOME/rpmbuild/BUILDROOT/
hierarchy that could be considered a sort of "fakechroot" space (without actually usingfakechroot
).But even during
make install
, everything is executed as and owned by the
unprivileged user. Extracted file ownership and permissions will be set toroot,root
and0644
(or0755
for executables) by default, unless overridden in the package definition (.spec
) file in which case they're stored as metadata within the final package.
Because no permissions or ownership are actually applied until the rpm package's (privileged)
installation process, neither root norfakeroot
is needed during packaging. Butfakeroot
is really just a different
path to that same result.
1
Regarding your first note,fakeroot-ng
claims to supersedefakeroot
, but in practice it hasnâÂÂt replaced it, and AFAIKfakeroot
is still the tool used in Debian by default (when necessary).
â Stephen Kitt
Jul 12 at 13:04
@StephenKitt Aha! Thanks. I was wondering about that. Initially I was confused because I went searching for thefakeroot
manpage, and Google dumped me atfakeroot-ng
's (masquerading asfakeroot(1)
), and I guess I overpresumed. But I see now that fakeroot-ng hasn't been updated since 2014, whereas fakeroot is still active. There's apparently also pseudo which made a go of it a couple of years ago, but has now stalled. I'll tweak my answer accordingly.
â FeRD
Jul 12 at 13:12
1
Yeah I was confused at first too, since thefakeroot
manpage on DebianâÂÂs site leads tofakeroot-ng
âÂÂs version by default. Check out the last paragraph of thefakeroot-ng
for an amusing twist ;-).
â Stephen Kitt
Jul 12 at 13:25
add a comment |Â
3 Answers
3
active
oldest
votes
3 Answers
3
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
32
down vote
accepted
So far, what I can gather is that fakeroot is used to give ownership to a file that needs to be root when it is unzip/tar'ed. My question, is why can't you just do that with chown?
Because you canâÂÂt just do that with chown
, at least not as a non-root user. (And if youâÂÂre running as root, you donâÂÂt need fakeroot
.) ThatâÂÂs the whole point of fakeroot
: to allow programs which expect to be run as root to run as a normal user, while pretending that the root-requiring operations succeed.
This is used typically when building a package, so that the installation process of the package being installed can proceed without error (even if it runs chown root:root
, or install -o root
, etc.). fakeroot
remembers the fake ownership which it pretended to give files, so subsequent operations looking at the ownership see this instead of the real one; this allows subsequent tar
runs for example to store files as owned by root.
How does fakeroot stop unwanted privilege escalations on Linux? If fakeroot can trick tar into making a file that was owned by root, why not do something similar with SUID?
fakeroot
doesnâÂÂt trick tar
into doing anything, it preserves changes the build wants to make without letting those changes take effect on the system hosting the build. You donâÂÂt need fakeroot
to produce a tarball containing a file owned by root and suid; if you have a binary evilbinary
, running tar cf evil.tar --mode=4755 --owner=root --group=root evilbinary
, as a regular user, will create a tarball containing evilbinary
, owned by root, and suid. However, you wonâÂÂt be able to extract that tarball and preserve those permissions unless you do so as root: there is no privilege escalation here. fakeroot
is a privilege de-escalation tool: it allows you to run a build as a regular user, while preserving the effects the build would have had if it had been run as root, allowing those effects to be replayed later. Applying the effects âÂÂfor realâ always requires root privileges; fakeroot
doesnâÂÂt provide any method of acquiring them.
To understand the use of fakeroot
in more detail, consider that a typical distribution build involves the following operations (among many others):
- install files, owned by root
- ...
- archive those files, still owned by root, so that when theyâÂÂre extracted, theyâÂÂll be owned by root
The first part obviously fails if youâÂÂre not root. However, when running under fakeroot
, as a normal user, the process becomes
- install files, owned by root â this fails, but
fakeroot
pretends it succeeds, and remembers the changed ownership - ...
- archive those files, still owned by root â when
tar
(or whatever archiver is being used) asks the system what the file ownership is,fakeroot
changes the answer to match the ownership it recorded earlier
Thus you can run a package build without being root, while obtaining the same results youâÂÂd get if you were really running as root. Using fakeroot
is safer: the system still canâÂÂt do anything your user canâÂÂt do, so a rogue installation process canâÂÂt damage your system (beyond touching your files).
In Debian, the build tools have been improved so as not to require this any more, and you can build packages without fakeroot
. This is supported by dpkg
directly with the Rules-Requires-Root
directive (see rootless-builds.txt
).
To understand the purpose of fakeroot
, and the security aspects of running as root or not, it might help to consider the purpose of packaging. When you install a piece of software from source, for use system-wide, you proceed as follows:
- build the software (which can be done without privileges)
- install the software (which needs to be done as root, or at least as a user allowed to write to the appropriate system locations)
When you package a piece of software, youâÂÂre delaying the second part; but to do so successfully, you still need to âÂÂinstallâ the software, into the package rather than onto the system. So when you package software, the process becomes:
- build the software (with no special privileges)
- pretend to install the software (again with no special privileges)
- capture the software installation as a package (ditto)
- make the package available (ditto)
Now a user completes the process by installing the package, which needs to be done as root (or again, a user with the appropriate privileges to write to the appropriate locations). This is where the delayed privileged process is realised, and is the only part of the process which needs special privileges.
fakeroot
helps with steps 2 and 3 above by allowing us to run software installation processes, and capture their behaviour, without running as root.
1
@ng.newbie see my updated answer. When you are not root, you canâÂÂt change the ownership of a file to root (or anyone else). Becausefakeroot
pretends, it doesnâÂÂt need to be root (same as when an actor pretends to be someone else, he or she isnâÂÂt that person).
â Stephen Kitt
Jul 11 at 13:07
3
@ng.newbie IâÂÂm afraid I donâÂÂt understand why youâÂÂre confused.fakeroot
canâÂÂt do anything more than the user; it doesnâÂÂt have any ability to âÂÂhackâ anything or perform any action that only root can do. It tells the programs itâÂÂs running that theyâÂÂre running as root, but itâÂÂs lying; it doesnâÂÂt have any special privilege. A hacker usingfakeroot
(or similar techniques) couldnâÂÂt do anything special either, he or she could only lie about doing so.
â Stephen Kitt
Jul 11 at 15:03
5
It doesnâÂÂt happen becausetar
running as you canâÂÂt set the ownership of a file to root. Just because a tarball contains files with certain permissions, doesnâÂÂt mean that you can extract them with those permissions (unless youâÂÂre running as root).
â Stephen Kitt
Jul 11 at 15:34
1
@ng.newbie If you want an alternative explanation: its entirely possible for me to use a hex editor to manually construct a tar file containing files owned by root or with any other possible permissions. Its just some information bundled up, after all, it doesn't have any power until the file actually exists on the system.
â mbrig
Jul 11 at 21:44
2
@ng.newbie, in addition, if you wanted to create a tarball with a suid-root binary for malicious purposes, you could do that on some other machine as real root, then copy it to the target. No need for fakeroot there. fakeroot is just a tool to help in creating the tar-file, it removes the need for usingtar --mode --owner
for each and every file added to the archive (and works with other programs too). The potential issues come if/when you unpack an untrusted tar-file or archive as root, not when creating it.
â ilkkachu
Jul 12 at 9:22
 |Â
show 13 more comments
up vote
32
down vote
accepted
So far, what I can gather is that fakeroot is used to give ownership to a file that needs to be root when it is unzip/tar'ed. My question, is why can't you just do that with chown?
Because you canâÂÂt just do that with chown
, at least not as a non-root user. (And if youâÂÂre running as root, you donâÂÂt need fakeroot
.) ThatâÂÂs the whole point of fakeroot
: to allow programs which expect to be run as root to run as a normal user, while pretending that the root-requiring operations succeed.
This is used typically when building a package, so that the installation process of the package being installed can proceed without error (even if it runs chown root:root
, or install -o root
, etc.). fakeroot
remembers the fake ownership which it pretended to give files, so subsequent operations looking at the ownership see this instead of the real one; this allows subsequent tar
runs for example to store files as owned by root.
How does fakeroot stop unwanted privilege escalations on Linux? If fakeroot can trick tar into making a file that was owned by root, why not do something similar with SUID?
fakeroot
doesnâÂÂt trick tar
into doing anything, it preserves changes the build wants to make without letting those changes take effect on the system hosting the build. You donâÂÂt need fakeroot
to produce a tarball containing a file owned by root and suid; if you have a binary evilbinary
, running tar cf evil.tar --mode=4755 --owner=root --group=root evilbinary
, as a regular user, will create a tarball containing evilbinary
, owned by root, and suid. However, you wonâÂÂt be able to extract that tarball and preserve those permissions unless you do so as root: there is no privilege escalation here. fakeroot
is a privilege de-escalation tool: it allows you to run a build as a regular user, while preserving the effects the build would have had if it had been run as root, allowing those effects to be replayed later. Applying the effects âÂÂfor realâ always requires root privileges; fakeroot
doesnâÂÂt provide any method of acquiring them.
To understand the use of fakeroot
in more detail, consider that a typical distribution build involves the following operations (among many others):
- install files, owned by root
- ...
- archive those files, still owned by root, so that when theyâÂÂre extracted, theyâÂÂll be owned by root
The first part obviously fails if youâÂÂre not root. However, when running under fakeroot
, as a normal user, the process becomes
- install files, owned by root â this fails, but
fakeroot
pretends it succeeds, and remembers the changed ownership - ...
- archive those files, still owned by root â when
tar
(or whatever archiver is being used) asks the system what the file ownership is,fakeroot
changes the answer to match the ownership it recorded earlier
Thus you can run a package build without being root, while obtaining the same results youâÂÂd get if you were really running as root. Using fakeroot
is safer: the system still canâÂÂt do anything your user canâÂÂt do, so a rogue installation process canâÂÂt damage your system (beyond touching your files).
In Debian, the build tools have been improved so as not to require this any more, and you can build packages without fakeroot
. This is supported by dpkg
directly with the Rules-Requires-Root
directive (see rootless-builds.txt
).
To understand the purpose of fakeroot
, and the security aspects of running as root or not, it might help to consider the purpose of packaging. When you install a piece of software from source, for use system-wide, you proceed as follows:
- build the software (which can be done without privileges)
- install the software (which needs to be done as root, or at least as a user allowed to write to the appropriate system locations)
When you package a piece of software, youâÂÂre delaying the second part; but to do so successfully, you still need to âÂÂinstallâ the software, into the package rather than onto the system. So when you package software, the process becomes:
- build the software (with no special privileges)
- pretend to install the software (again with no special privileges)
- capture the software installation as a package (ditto)
- make the package available (ditto)
Now a user completes the process by installing the package, which needs to be done as root (or again, a user with the appropriate privileges to write to the appropriate locations). This is where the delayed privileged process is realised, and is the only part of the process which needs special privileges.
fakeroot
helps with steps 2 and 3 above by allowing us to run software installation processes, and capture their behaviour, without running as root.
1
@ng.newbie see my updated answer. When you are not root, you canâÂÂt change the ownership of a file to root (or anyone else). Becausefakeroot
pretends, it doesnâÂÂt need to be root (same as when an actor pretends to be someone else, he or she isnâÂÂt that person).
â Stephen Kitt
Jul 11 at 13:07
3
@ng.newbie IâÂÂm afraid I donâÂÂt understand why youâÂÂre confused.fakeroot
canâÂÂt do anything more than the user; it doesnâÂÂt have any ability to âÂÂhackâ anything or perform any action that only root can do. It tells the programs itâÂÂs running that theyâÂÂre running as root, but itâÂÂs lying; it doesnâÂÂt have any special privilege. A hacker usingfakeroot
(or similar techniques) couldnâÂÂt do anything special either, he or she could only lie about doing so.
â Stephen Kitt
Jul 11 at 15:03
5
It doesnâÂÂt happen becausetar
running as you canâÂÂt set the ownership of a file to root. Just because a tarball contains files with certain permissions, doesnâÂÂt mean that you can extract them with those permissions (unless youâÂÂre running as root).
â Stephen Kitt
Jul 11 at 15:34
1
@ng.newbie If you want an alternative explanation: its entirely possible for me to use a hex editor to manually construct a tar file containing files owned by root or with any other possible permissions. Its just some information bundled up, after all, it doesn't have any power until the file actually exists on the system.
â mbrig
Jul 11 at 21:44
2
@ng.newbie, in addition, if you wanted to create a tarball with a suid-root binary for malicious purposes, you could do that on some other machine as real root, then copy it to the target. No need for fakeroot there. fakeroot is just a tool to help in creating the tar-file, it removes the need for usingtar --mode --owner
for each and every file added to the archive (and works with other programs too). The potential issues come if/when you unpack an untrusted tar-file or archive as root, not when creating it.
â ilkkachu
Jul 12 at 9:22
 |Â
show 13 more comments
up vote
32
down vote
accepted
up vote
32
down vote
accepted
So far, what I can gather is that fakeroot is used to give ownership to a file that needs to be root when it is unzip/tar'ed. My question, is why can't you just do that with chown?
Because you canâÂÂt just do that with chown
, at least not as a non-root user. (And if youâÂÂre running as root, you donâÂÂt need fakeroot
.) ThatâÂÂs the whole point of fakeroot
: to allow programs which expect to be run as root to run as a normal user, while pretending that the root-requiring operations succeed.
This is used typically when building a package, so that the installation process of the package being installed can proceed without error (even if it runs chown root:root
, or install -o root
, etc.). fakeroot
remembers the fake ownership which it pretended to give files, so subsequent operations looking at the ownership see this instead of the real one; this allows subsequent tar
runs for example to store files as owned by root.
How does fakeroot stop unwanted privilege escalations on Linux? If fakeroot can trick tar into making a file that was owned by root, why not do something similar with SUID?
fakeroot
doesnâÂÂt trick tar
into doing anything, it preserves changes the build wants to make without letting those changes take effect on the system hosting the build. You donâÂÂt need fakeroot
to produce a tarball containing a file owned by root and suid; if you have a binary evilbinary
, running tar cf evil.tar --mode=4755 --owner=root --group=root evilbinary
, as a regular user, will create a tarball containing evilbinary
, owned by root, and suid. However, you wonâÂÂt be able to extract that tarball and preserve those permissions unless you do so as root: there is no privilege escalation here. fakeroot
is a privilege de-escalation tool: it allows you to run a build as a regular user, while preserving the effects the build would have had if it had been run as root, allowing those effects to be replayed later. Applying the effects âÂÂfor realâ always requires root privileges; fakeroot
doesnâÂÂt provide any method of acquiring them.
To understand the use of fakeroot
in more detail, consider that a typical distribution build involves the following operations (among many others):
- install files, owned by root
- ...
- archive those files, still owned by root, so that when theyâÂÂre extracted, theyâÂÂll be owned by root
The first part obviously fails if youâÂÂre not root. However, when running under fakeroot
, as a normal user, the process becomes
- install files, owned by root â this fails, but
fakeroot
pretends it succeeds, and remembers the changed ownership - ...
- archive those files, still owned by root â when
tar
(or whatever archiver is being used) asks the system what the file ownership is,fakeroot
changes the answer to match the ownership it recorded earlier
Thus you can run a package build without being root, while obtaining the same results youâÂÂd get if you were really running as root. Using fakeroot
is safer: the system still canâÂÂt do anything your user canâÂÂt do, so a rogue installation process canâÂÂt damage your system (beyond touching your files).
In Debian, the build tools have been improved so as not to require this any more, and you can build packages without fakeroot
. This is supported by dpkg
directly with the Rules-Requires-Root
directive (see rootless-builds.txt
).
To understand the purpose of fakeroot
, and the security aspects of running as root or not, it might help to consider the purpose of packaging. When you install a piece of software from source, for use system-wide, you proceed as follows:
- build the software (which can be done without privileges)
- install the software (which needs to be done as root, or at least as a user allowed to write to the appropriate system locations)
When you package a piece of software, youâÂÂre delaying the second part; but to do so successfully, you still need to âÂÂinstallâ the software, into the package rather than onto the system. So when you package software, the process becomes:
- build the software (with no special privileges)
- pretend to install the software (again with no special privileges)
- capture the software installation as a package (ditto)
- make the package available (ditto)
Now a user completes the process by installing the package, which needs to be done as root (or again, a user with the appropriate privileges to write to the appropriate locations). This is where the delayed privileged process is realised, and is the only part of the process which needs special privileges.
fakeroot
helps with steps 2 and 3 above by allowing us to run software installation processes, and capture their behaviour, without running as root.
So far, what I can gather is that fakeroot is used to give ownership to a file that needs to be root when it is unzip/tar'ed. My question, is why can't you just do that with chown?
Because you canâÂÂt just do that with chown
, at least not as a non-root user. (And if youâÂÂre running as root, you donâÂÂt need fakeroot
.) ThatâÂÂs the whole point of fakeroot
: to allow programs which expect to be run as root to run as a normal user, while pretending that the root-requiring operations succeed.
This is used typically when building a package, so that the installation process of the package being installed can proceed without error (even if it runs chown root:root
, or install -o root
, etc.). fakeroot
remembers the fake ownership which it pretended to give files, so subsequent operations looking at the ownership see this instead of the real one; this allows subsequent tar
runs for example to store files as owned by root.
How does fakeroot stop unwanted privilege escalations on Linux? If fakeroot can trick tar into making a file that was owned by root, why not do something similar with SUID?
fakeroot
doesnâÂÂt trick tar
into doing anything, it preserves changes the build wants to make without letting those changes take effect on the system hosting the build. You donâÂÂt need fakeroot
to produce a tarball containing a file owned by root and suid; if you have a binary evilbinary
, running tar cf evil.tar --mode=4755 --owner=root --group=root evilbinary
, as a regular user, will create a tarball containing evilbinary
, owned by root, and suid. However, you wonâÂÂt be able to extract that tarball and preserve those permissions unless you do so as root: there is no privilege escalation here. fakeroot
is a privilege de-escalation tool: it allows you to run a build as a regular user, while preserving the effects the build would have had if it had been run as root, allowing those effects to be replayed later. Applying the effects âÂÂfor realâ always requires root privileges; fakeroot
doesnâÂÂt provide any method of acquiring them.
To understand the use of fakeroot
in more detail, consider that a typical distribution build involves the following operations (among many others):
- install files, owned by root
- ...
- archive those files, still owned by root, so that when theyâÂÂre extracted, theyâÂÂll be owned by root
The first part obviously fails if youâÂÂre not root. However, when running under fakeroot
, as a normal user, the process becomes
- install files, owned by root â this fails, but
fakeroot
pretends it succeeds, and remembers the changed ownership - ...
- archive those files, still owned by root â when
tar
(or whatever archiver is being used) asks the system what the file ownership is,fakeroot
changes the answer to match the ownership it recorded earlier
Thus you can run a package build without being root, while obtaining the same results youâÂÂd get if you were really running as root. Using fakeroot
is safer: the system still canâÂÂt do anything your user canâÂÂt do, so a rogue installation process canâÂÂt damage your system (beyond touching your files).
In Debian, the build tools have been improved so as not to require this any more, and you can build packages without fakeroot
. This is supported by dpkg
directly with the Rules-Requires-Root
directive (see rootless-builds.txt
).
To understand the purpose of fakeroot
, and the security aspects of running as root or not, it might help to consider the purpose of packaging. When you install a piece of software from source, for use system-wide, you proceed as follows:
- build the software (which can be done without privileges)
- install the software (which needs to be done as root, or at least as a user allowed to write to the appropriate system locations)
When you package a piece of software, youâÂÂre delaying the second part; but to do so successfully, you still need to âÂÂinstallâ the software, into the package rather than onto the system. So when you package software, the process becomes:
- build the software (with no special privileges)
- pretend to install the software (again with no special privileges)
- capture the software installation as a package (ditto)
- make the package available (ditto)
Now a user completes the process by installing the package, which needs to be done as root (or again, a user with the appropriate privileges to write to the appropriate locations). This is where the delayed privileged process is realised, and is the only part of the process which needs special privileges.
fakeroot
helps with steps 2 and 3 above by allowing us to run software installation processes, and capture their behaviour, without running as root.
edited Jul 11 at 15:41
answered Jul 11 at 12:50
Stephen Kitt
139k22296359
139k22296359
1
@ng.newbie see my updated answer. When you are not root, you canâÂÂt change the ownership of a file to root (or anyone else). Becausefakeroot
pretends, it doesnâÂÂt need to be root (same as when an actor pretends to be someone else, he or she isnâÂÂt that person).
â Stephen Kitt
Jul 11 at 13:07
3
@ng.newbie IâÂÂm afraid I donâÂÂt understand why youâÂÂre confused.fakeroot
canâÂÂt do anything more than the user; it doesnâÂÂt have any ability to âÂÂhackâ anything or perform any action that only root can do. It tells the programs itâÂÂs running that theyâÂÂre running as root, but itâÂÂs lying; it doesnâÂÂt have any special privilege. A hacker usingfakeroot
(or similar techniques) couldnâÂÂt do anything special either, he or she could only lie about doing so.
â Stephen Kitt
Jul 11 at 15:03
5
It doesnâÂÂt happen becausetar
running as you canâÂÂt set the ownership of a file to root. Just because a tarball contains files with certain permissions, doesnâÂÂt mean that you can extract them with those permissions (unless youâÂÂre running as root).
â Stephen Kitt
Jul 11 at 15:34
1
@ng.newbie If you want an alternative explanation: its entirely possible for me to use a hex editor to manually construct a tar file containing files owned by root or with any other possible permissions. Its just some information bundled up, after all, it doesn't have any power until the file actually exists on the system.
â mbrig
Jul 11 at 21:44
2
@ng.newbie, in addition, if you wanted to create a tarball with a suid-root binary for malicious purposes, you could do that on some other machine as real root, then copy it to the target. No need for fakeroot there. fakeroot is just a tool to help in creating the tar-file, it removes the need for usingtar --mode --owner
for each and every file added to the archive (and works with other programs too). The potential issues come if/when you unpack an untrusted tar-file or archive as root, not when creating it.
â ilkkachu
Jul 12 at 9:22
 |Â
show 13 more comments
1
@ng.newbie see my updated answer. When you are not root, you canâÂÂt change the ownership of a file to root (or anyone else). Becausefakeroot
pretends, it doesnâÂÂt need to be root (same as when an actor pretends to be someone else, he or she isnâÂÂt that person).
â Stephen Kitt
Jul 11 at 13:07
3
@ng.newbie IâÂÂm afraid I donâÂÂt understand why youâÂÂre confused.fakeroot
canâÂÂt do anything more than the user; it doesnâÂÂt have any ability to âÂÂhackâ anything or perform any action that only root can do. It tells the programs itâÂÂs running that theyâÂÂre running as root, but itâÂÂs lying; it doesnâÂÂt have any special privilege. A hacker usingfakeroot
(or similar techniques) couldnâÂÂt do anything special either, he or she could only lie about doing so.
â Stephen Kitt
Jul 11 at 15:03
5
It doesnâÂÂt happen becausetar
running as you canâÂÂt set the ownership of a file to root. Just because a tarball contains files with certain permissions, doesnâÂÂt mean that you can extract them with those permissions (unless youâÂÂre running as root).
â Stephen Kitt
Jul 11 at 15:34
1
@ng.newbie If you want an alternative explanation: its entirely possible for me to use a hex editor to manually construct a tar file containing files owned by root or with any other possible permissions. Its just some information bundled up, after all, it doesn't have any power until the file actually exists on the system.
â mbrig
Jul 11 at 21:44
2
@ng.newbie, in addition, if you wanted to create a tarball with a suid-root binary for malicious purposes, you could do that on some other machine as real root, then copy it to the target. No need for fakeroot there. fakeroot is just a tool to help in creating the tar-file, it removes the need for usingtar --mode --owner
for each and every file added to the archive (and works with other programs too). The potential issues come if/when you unpack an untrusted tar-file or archive as root, not when creating it.
â ilkkachu
Jul 12 at 9:22
1
1
@ng.newbie see my updated answer. When you are not root, you canâÂÂt change the ownership of a file to root (or anyone else). Because
fakeroot
pretends, it doesnâÂÂt need to be root (same as when an actor pretends to be someone else, he or she isnâÂÂt that person).â Stephen Kitt
Jul 11 at 13:07
@ng.newbie see my updated answer. When you are not root, you canâÂÂt change the ownership of a file to root (or anyone else). Because
fakeroot
pretends, it doesnâÂÂt need to be root (same as when an actor pretends to be someone else, he or she isnâÂÂt that person).â Stephen Kitt
Jul 11 at 13:07
3
3
@ng.newbie IâÂÂm afraid I donâÂÂt understand why youâÂÂre confused.
fakeroot
canâÂÂt do anything more than the user; it doesnâÂÂt have any ability to âÂÂhackâ anything or perform any action that only root can do. It tells the programs itâÂÂs running that theyâÂÂre running as root, but itâÂÂs lying; it doesnâÂÂt have any special privilege. A hacker using fakeroot
(or similar techniques) couldnâÂÂt do anything special either, he or she could only lie about doing so.â Stephen Kitt
Jul 11 at 15:03
@ng.newbie IâÂÂm afraid I donâÂÂt understand why youâÂÂre confused.
fakeroot
canâÂÂt do anything more than the user; it doesnâÂÂt have any ability to âÂÂhackâ anything or perform any action that only root can do. It tells the programs itâÂÂs running that theyâÂÂre running as root, but itâÂÂs lying; it doesnâÂÂt have any special privilege. A hacker using fakeroot
(or similar techniques) couldnâÂÂt do anything special either, he or she could only lie about doing so.â Stephen Kitt
Jul 11 at 15:03
5
5
It doesnâÂÂt happen because
tar
running as you canâÂÂt set the ownership of a file to root. Just because a tarball contains files with certain permissions, doesnâÂÂt mean that you can extract them with those permissions (unless youâÂÂre running as root).â Stephen Kitt
Jul 11 at 15:34
It doesnâÂÂt happen because
tar
running as you canâÂÂt set the ownership of a file to root. Just because a tarball contains files with certain permissions, doesnâÂÂt mean that you can extract them with those permissions (unless youâÂÂre running as root).â Stephen Kitt
Jul 11 at 15:34
1
1
@ng.newbie If you want an alternative explanation: its entirely possible for me to use a hex editor to manually construct a tar file containing files owned by root or with any other possible permissions. Its just some information bundled up, after all, it doesn't have any power until the file actually exists on the system.
â mbrig
Jul 11 at 21:44
@ng.newbie If you want an alternative explanation: its entirely possible for me to use a hex editor to manually construct a tar file containing files owned by root or with any other possible permissions. Its just some information bundled up, after all, it doesn't have any power until the file actually exists on the system.
â mbrig
Jul 11 at 21:44
2
2
@ng.newbie, in addition, if you wanted to create a tarball with a suid-root binary for malicious purposes, you could do that on some other machine as real root, then copy it to the target. No need for fakeroot there. fakeroot is just a tool to help in creating the tar-file, it removes the need for using
tar --mode --owner
for each and every file added to the archive (and works with other programs too). The potential issues come if/when you unpack an untrusted tar-file or archive as root, not when creating it.â ilkkachu
Jul 12 at 9:22
@ng.newbie, in addition, if you wanted to create a tarball with a suid-root binary for malicious purposes, you could do that on some other machine as real root, then copy it to the target. No need for fakeroot there. fakeroot is just a tool to help in creating the tar-file, it removes the need for using
tar --mode --owner
for each and every file added to the archive (and works with other programs too). The potential issues come if/when you unpack an untrusted tar-file or archive as root, not when creating it.â ilkkachu
Jul 12 at 9:22
 |Â
show 13 more comments
up vote
7
down vote
NO. Fake root allows you to run permission manipulation and reporting tools, it will report consistently. However it will not actually grant these permissions. It will just look like you have them (fake). It will not change anything outside of the environment.
It is useful, if you want to create a directory structure, that contains ownership and permissions, that could not be set by your user, that you will then tar, zip, or other package.
It does not really elevate permissions, it is fake. It does not let you do anything (delete, write, read) that you could not otherwise do. You could produce the package (in theory) without it. You could get a fake report (ls
) without it.
It is not a security flaw, because it does not allow access, or anything that you can't do without it. It runs without privilege. All it dose is intercept calls to chown
, chmod
, etc. It makes them a no-operation, except that it records what would have happened. It also intercepts calls to stat
etc. so that it reports permissions and ownership, from its own internal database, as if the other commands had been done. This is useful, because if you then zip the directory, it will have the fake permissions. If you then unzip, as root, then the permissions will become real.
Any files that are not readable/writable before, will remain not readable/writable. Any special files (e.g. devices) created, will have no special powers. Any set-uid (to another user), files will not set-uid. Any other privilege escalation will not work.
It is a type of virtual machine: A virtual machine, in general, can simulate any environment/OS, but can not do anything to the host, that any other application could not do. Within the Virtual machine, you can appear to do anything. You can reinvent the security system to be the same or different, However this will all exist on the host, as resources owned by the user/group of the process running the virtual environment.
@ctrl-alt-decor As I have asked in the above comment, in *nix it is not possible to set the owner to root from another unprivileged user, correct? So there must a good reason for that if a program allows it, how is it not a security flaw?
â ng.newbie
Jul 11 at 13:02
@ctrl-alt-decor The fakeroot does not allow me to read/write/delete, but if I wrote a wrapper for the syscalls does it stand to reason that I can do those operations as well.
â ng.newbie
Jul 11 at 13:06
@ctrl-alt-decor So the only reason for fakeroot to exist is to set permissions to a file to root without being root. If that is not a security flaw then why would Linux disallow that in the first place?
â ng.newbie
Jul 11 at 15:25
1
No it allows you to fake setting user to any user, and fake some other things. Try it: run fakeroot and look at the files from outside, try to access files, that you should not.
â ctrl-alt-delor
Jul 11 at 15:48
add a comment |Â
up vote
7
down vote
NO. Fake root allows you to run permission manipulation and reporting tools, it will report consistently. However it will not actually grant these permissions. It will just look like you have them (fake). It will not change anything outside of the environment.
It is useful, if you want to create a directory structure, that contains ownership and permissions, that could not be set by your user, that you will then tar, zip, or other package.
It does not really elevate permissions, it is fake. It does not let you do anything (delete, write, read) that you could not otherwise do. You could produce the package (in theory) without it. You could get a fake report (ls
) without it.
It is not a security flaw, because it does not allow access, or anything that you can't do without it. It runs without privilege. All it dose is intercept calls to chown
, chmod
, etc. It makes them a no-operation, except that it records what would have happened. It also intercepts calls to stat
etc. so that it reports permissions and ownership, from its own internal database, as if the other commands had been done. This is useful, because if you then zip the directory, it will have the fake permissions. If you then unzip, as root, then the permissions will become real.
Any files that are not readable/writable before, will remain not readable/writable. Any special files (e.g. devices) created, will have no special powers. Any set-uid (to another user), files will not set-uid. Any other privilege escalation will not work.
It is a type of virtual machine: A virtual machine, in general, can simulate any environment/OS, but can not do anything to the host, that any other application could not do. Within the Virtual machine, you can appear to do anything. You can reinvent the security system to be the same or different, However this will all exist on the host, as resources owned by the user/group of the process running the virtual environment.
@ctrl-alt-decor As I have asked in the above comment, in *nix it is not possible to set the owner to root from another unprivileged user, correct? So there must a good reason for that if a program allows it, how is it not a security flaw?
â ng.newbie
Jul 11 at 13:02
@ctrl-alt-decor The fakeroot does not allow me to read/write/delete, but if I wrote a wrapper for the syscalls does it stand to reason that I can do those operations as well.
â ng.newbie
Jul 11 at 13:06
@ctrl-alt-decor So the only reason for fakeroot to exist is to set permissions to a file to root without being root. If that is not a security flaw then why would Linux disallow that in the first place?
â ng.newbie
Jul 11 at 15:25
1
No it allows you to fake setting user to any user, and fake some other things. Try it: run fakeroot and look at the files from outside, try to access files, that you should not.
â ctrl-alt-delor
Jul 11 at 15:48
add a comment |Â
up vote
7
down vote
up vote
7
down vote
NO. Fake root allows you to run permission manipulation and reporting tools, it will report consistently. However it will not actually grant these permissions. It will just look like you have them (fake). It will not change anything outside of the environment.
It is useful, if you want to create a directory structure, that contains ownership and permissions, that could not be set by your user, that you will then tar, zip, or other package.
It does not really elevate permissions, it is fake. It does not let you do anything (delete, write, read) that you could not otherwise do. You could produce the package (in theory) without it. You could get a fake report (ls
) without it.
It is not a security flaw, because it does not allow access, or anything that you can't do without it. It runs without privilege. All it dose is intercept calls to chown
, chmod
, etc. It makes them a no-operation, except that it records what would have happened. It also intercepts calls to stat
etc. so that it reports permissions and ownership, from its own internal database, as if the other commands had been done. This is useful, because if you then zip the directory, it will have the fake permissions. If you then unzip, as root, then the permissions will become real.
Any files that are not readable/writable before, will remain not readable/writable. Any special files (e.g. devices) created, will have no special powers. Any set-uid (to another user), files will not set-uid. Any other privilege escalation will not work.
It is a type of virtual machine: A virtual machine, in general, can simulate any environment/OS, but can not do anything to the host, that any other application could not do. Within the Virtual machine, you can appear to do anything. You can reinvent the security system to be the same or different, However this will all exist on the host, as resources owned by the user/group of the process running the virtual environment.
NO. Fake root allows you to run permission manipulation and reporting tools, it will report consistently. However it will not actually grant these permissions. It will just look like you have them (fake). It will not change anything outside of the environment.
It is useful, if you want to create a directory structure, that contains ownership and permissions, that could not be set by your user, that you will then tar, zip, or other package.
It does not really elevate permissions, it is fake. It does not let you do anything (delete, write, read) that you could not otherwise do. You could produce the package (in theory) without it. You could get a fake report (ls
) without it.
It is not a security flaw, because it does not allow access, or anything that you can't do without it. It runs without privilege. All it dose is intercept calls to chown
, chmod
, etc. It makes them a no-operation, except that it records what would have happened. It also intercepts calls to stat
etc. so that it reports permissions and ownership, from its own internal database, as if the other commands had been done. This is useful, because if you then zip the directory, it will have the fake permissions. If you then unzip, as root, then the permissions will become real.
Any files that are not readable/writable before, will remain not readable/writable. Any special files (e.g. devices) created, will have no special powers. Any set-uid (to another user), files will not set-uid. Any other privilege escalation will not work.
It is a type of virtual machine: A virtual machine, in general, can simulate any environment/OS, but can not do anything to the host, that any other application could not do. Within the Virtual machine, you can appear to do anything. You can reinvent the security system to be the same or different, However this will all exist on the host, as resources owned by the user/group of the process running the virtual environment.
edited Jul 11 at 13:18
answered Jul 11 at 12:49
ctrl-alt-delor
8,64331946
8,64331946
@ctrl-alt-decor As I have asked in the above comment, in *nix it is not possible to set the owner to root from another unprivileged user, correct? So there must a good reason for that if a program allows it, how is it not a security flaw?
â ng.newbie
Jul 11 at 13:02
@ctrl-alt-decor The fakeroot does not allow me to read/write/delete, but if I wrote a wrapper for the syscalls does it stand to reason that I can do those operations as well.
â ng.newbie
Jul 11 at 13:06
@ctrl-alt-decor So the only reason for fakeroot to exist is to set permissions to a file to root without being root. If that is not a security flaw then why would Linux disallow that in the first place?
â ng.newbie
Jul 11 at 15:25
1
No it allows you to fake setting user to any user, and fake some other things. Try it: run fakeroot and look at the files from outside, try to access files, that you should not.
â ctrl-alt-delor
Jul 11 at 15:48
add a comment |Â
@ctrl-alt-decor As I have asked in the above comment, in *nix it is not possible to set the owner to root from another unprivileged user, correct? So there must a good reason for that if a program allows it, how is it not a security flaw?
â ng.newbie
Jul 11 at 13:02
@ctrl-alt-decor The fakeroot does not allow me to read/write/delete, but if I wrote a wrapper for the syscalls does it stand to reason that I can do those operations as well.
â ng.newbie
Jul 11 at 13:06
@ctrl-alt-decor So the only reason for fakeroot to exist is to set permissions to a file to root without being root. If that is not a security flaw then why would Linux disallow that in the first place?
â ng.newbie
Jul 11 at 15:25
1
No it allows you to fake setting user to any user, and fake some other things. Try it: run fakeroot and look at the files from outside, try to access files, that you should not.
â ctrl-alt-delor
Jul 11 at 15:48
@ctrl-alt-decor As I have asked in the above comment, in *nix it is not possible to set the owner to root from another unprivileged user, correct? So there must a good reason for that if a program allows it, how is it not a security flaw?
â ng.newbie
Jul 11 at 13:02
@ctrl-alt-decor As I have asked in the above comment, in *nix it is not possible to set the owner to root from another unprivileged user, correct? So there must a good reason for that if a program allows it, how is it not a security flaw?
â ng.newbie
Jul 11 at 13:02
@ctrl-alt-decor The fakeroot does not allow me to read/write/delete, but if I wrote a wrapper for the syscalls does it stand to reason that I can do those operations as well.
â ng.newbie
Jul 11 at 13:06
@ctrl-alt-decor The fakeroot does not allow me to read/write/delete, but if I wrote a wrapper for the syscalls does it stand to reason that I can do those operations as well.
â ng.newbie
Jul 11 at 13:06
@ctrl-alt-decor So the only reason for fakeroot to exist is to set permissions to a file to root without being root. If that is not a security flaw then why would Linux disallow that in the first place?
â ng.newbie
Jul 11 at 15:25
@ctrl-alt-decor So the only reason for fakeroot to exist is to set permissions to a file to root without being root. If that is not a security flaw then why would Linux disallow that in the first place?
â ng.newbie
Jul 11 at 15:25
1
1
No it allows you to fake setting user to any user, and fake some other things. Try it: run fakeroot and look at the files from outside, try to access files, that you should not.
â ctrl-alt-delor
Jul 11 at 15:48
No it allows you to fake setting user to any user, and fake some other things. Try it: run fakeroot and look at the files from outside, try to access files, that you should not.
â ctrl-alt-delor
Jul 11 at 15:48
add a comment |Â
up vote
4
down vote
There are already two good, and very detailed answers here, but I'll just point out that the introductory paragraph of the original fakeroot
man page1 actually explains it pretty clearly and concisely:
fakeroot runs a command in an environment wherein it appears to have root privileges for file manipulation. This is useful for allowing users to create archives (tar, ar, .deb etc.) with files in them with root permissions/ownership. Without fakeroot one would need to have root privileges to create the constituent files of the archives with the correct permissions and ownership, and then pack them up, or one would have to construct the archives directly, without using the archiver.
Fakeroot allows a non-root user to create archives containing root-owned files, which is a critical part of generating and distributing binary software packages in Linux. Without fakeroot
, package archives would have to be generated while running as actual root, so that they contain the correct file ownership and permissions. That would be a security risk. Building and packaging potentially-untrusted software is a huge exposure if done with root privs. Thanks to fakeroot
, an unprivileged user with unprivileged files can still generate archives containing files with root ownership.2
But it's not a security risk, because nothing in the archive is actually owned by root until the files are EXTRACTED. And even then, the files will only be extracted with their root permissions intact if it's done by a privileged user. That step â where a fakeroot
-assisted archive containing "root" files is extracted by a privileged user â is where the "fake" root finally becomes real. Up until that point, no actual root privileges are ever obtained or bypassed.
Notes
- Fakeroot has spawned some competitors/imitators that will masquerade as
fakeroot
if installed, includingfakeroot-ng
andpseudo
. But IMHO neither "imitator's" man page is nearly as clear about getting right to the point on this question. Stick with the original, one and onlyfakeroot
O.G. Other distros/packaging-systems overcome this by simply not using root ownership in their package archives. On Fedora, for instance, software can be compiled, installed, and packaged by an unprivileged user without requiring
fakeroot
. It's all done within the user's$HOME/rpmbuild/
space, and normally-privileged steps likemake install
get redirected (via mechanisms like--prefix
andDESTDIR
) to a$HOME/rpmbuild/BUILDROOT/
hierarchy that could be considered a sort of "fakechroot" space (without actually usingfakechroot
).But even during
make install
, everything is executed as and owned by the
unprivileged user. Extracted file ownership and permissions will be set toroot,root
and0644
(or0755
for executables) by default, unless overridden in the package definition (.spec
) file in which case they're stored as metadata within the final package.
Because no permissions or ownership are actually applied until the rpm package's (privileged)
installation process, neither root norfakeroot
is needed during packaging. Butfakeroot
is really just a different
path to that same result.
1
Regarding your first note,fakeroot-ng
claims to supersedefakeroot
, but in practice it hasnâÂÂt replaced it, and AFAIKfakeroot
is still the tool used in Debian by default (when necessary).
â Stephen Kitt
Jul 12 at 13:04
@StephenKitt Aha! Thanks. I was wondering about that. Initially I was confused because I went searching for thefakeroot
manpage, and Google dumped me atfakeroot-ng
's (masquerading asfakeroot(1)
), and I guess I overpresumed. But I see now that fakeroot-ng hasn't been updated since 2014, whereas fakeroot is still active. There's apparently also pseudo which made a go of it a couple of years ago, but has now stalled. I'll tweak my answer accordingly.
â FeRD
Jul 12 at 13:12
1
Yeah I was confused at first too, since thefakeroot
manpage on DebianâÂÂs site leads tofakeroot-ng
âÂÂs version by default. Check out the last paragraph of thefakeroot-ng
for an amusing twist ;-).
â Stephen Kitt
Jul 12 at 13:25
add a comment |Â
up vote
4
down vote
There are already two good, and very detailed answers here, but I'll just point out that the introductory paragraph of the original fakeroot
man page1 actually explains it pretty clearly and concisely:
fakeroot runs a command in an environment wherein it appears to have root privileges for file manipulation. This is useful for allowing users to create archives (tar, ar, .deb etc.) with files in them with root permissions/ownership. Without fakeroot one would need to have root privileges to create the constituent files of the archives with the correct permissions and ownership, and then pack them up, or one would have to construct the archives directly, without using the archiver.
Fakeroot allows a non-root user to create archives containing root-owned files, which is a critical part of generating and distributing binary software packages in Linux. Without fakeroot
, package archives would have to be generated while running as actual root, so that they contain the correct file ownership and permissions. That would be a security risk. Building and packaging potentially-untrusted software is a huge exposure if done with root privs. Thanks to fakeroot
, an unprivileged user with unprivileged files can still generate archives containing files with root ownership.2
But it's not a security risk, because nothing in the archive is actually owned by root until the files are EXTRACTED. And even then, the files will only be extracted with their root permissions intact if it's done by a privileged user. That step â where a fakeroot
-assisted archive containing "root" files is extracted by a privileged user â is where the "fake" root finally becomes real. Up until that point, no actual root privileges are ever obtained or bypassed.
Notes
- Fakeroot has spawned some competitors/imitators that will masquerade as
fakeroot
if installed, includingfakeroot-ng
andpseudo
. But IMHO neither "imitator's" man page is nearly as clear about getting right to the point on this question. Stick with the original, one and onlyfakeroot
O.G. Other distros/packaging-systems overcome this by simply not using root ownership in their package archives. On Fedora, for instance, software can be compiled, installed, and packaged by an unprivileged user without requiring
fakeroot
. It's all done within the user's$HOME/rpmbuild/
space, and normally-privileged steps likemake install
get redirected (via mechanisms like--prefix
andDESTDIR
) to a$HOME/rpmbuild/BUILDROOT/
hierarchy that could be considered a sort of "fakechroot" space (without actually usingfakechroot
).But even during
make install
, everything is executed as and owned by the
unprivileged user. Extracted file ownership and permissions will be set toroot,root
and0644
(or0755
for executables) by default, unless overridden in the package definition (.spec
) file in which case they're stored as metadata within the final package.
Because no permissions or ownership are actually applied until the rpm package's (privileged)
installation process, neither root norfakeroot
is needed during packaging. Butfakeroot
is really just a different
path to that same result.
1
Regarding your first note,fakeroot-ng
claims to supersedefakeroot
, but in practice it hasnâÂÂt replaced it, and AFAIKfakeroot
is still the tool used in Debian by default (when necessary).
â Stephen Kitt
Jul 12 at 13:04
@StephenKitt Aha! Thanks. I was wondering about that. Initially I was confused because I went searching for thefakeroot
manpage, and Google dumped me atfakeroot-ng
's (masquerading asfakeroot(1)
), and I guess I overpresumed. But I see now that fakeroot-ng hasn't been updated since 2014, whereas fakeroot is still active. There's apparently also pseudo which made a go of it a couple of years ago, but has now stalled. I'll tweak my answer accordingly.
â FeRD
Jul 12 at 13:12
1
Yeah I was confused at first too, since thefakeroot
manpage on DebianâÂÂs site leads tofakeroot-ng
âÂÂs version by default. Check out the last paragraph of thefakeroot-ng
for an amusing twist ;-).
â Stephen Kitt
Jul 12 at 13:25
add a comment |Â
up vote
4
down vote
up vote
4
down vote
There are already two good, and very detailed answers here, but I'll just point out that the introductory paragraph of the original fakeroot
man page1 actually explains it pretty clearly and concisely:
fakeroot runs a command in an environment wherein it appears to have root privileges for file manipulation. This is useful for allowing users to create archives (tar, ar, .deb etc.) with files in them with root permissions/ownership. Without fakeroot one would need to have root privileges to create the constituent files of the archives with the correct permissions and ownership, and then pack them up, or one would have to construct the archives directly, without using the archiver.
Fakeroot allows a non-root user to create archives containing root-owned files, which is a critical part of generating and distributing binary software packages in Linux. Without fakeroot
, package archives would have to be generated while running as actual root, so that they contain the correct file ownership and permissions. That would be a security risk. Building and packaging potentially-untrusted software is a huge exposure if done with root privs. Thanks to fakeroot
, an unprivileged user with unprivileged files can still generate archives containing files with root ownership.2
But it's not a security risk, because nothing in the archive is actually owned by root until the files are EXTRACTED. And even then, the files will only be extracted with their root permissions intact if it's done by a privileged user. That step â where a fakeroot
-assisted archive containing "root" files is extracted by a privileged user â is where the "fake" root finally becomes real. Up until that point, no actual root privileges are ever obtained or bypassed.
Notes
- Fakeroot has spawned some competitors/imitators that will masquerade as
fakeroot
if installed, includingfakeroot-ng
andpseudo
. But IMHO neither "imitator's" man page is nearly as clear about getting right to the point on this question. Stick with the original, one and onlyfakeroot
O.G. Other distros/packaging-systems overcome this by simply not using root ownership in their package archives. On Fedora, for instance, software can be compiled, installed, and packaged by an unprivileged user without requiring
fakeroot
. It's all done within the user's$HOME/rpmbuild/
space, and normally-privileged steps likemake install
get redirected (via mechanisms like--prefix
andDESTDIR
) to a$HOME/rpmbuild/BUILDROOT/
hierarchy that could be considered a sort of "fakechroot" space (without actually usingfakechroot
).But even during
make install
, everything is executed as and owned by the
unprivileged user. Extracted file ownership and permissions will be set toroot,root
and0644
(or0755
for executables) by default, unless overridden in the package definition (.spec
) file in which case they're stored as metadata within the final package.
Because no permissions or ownership are actually applied until the rpm package's (privileged)
installation process, neither root norfakeroot
is needed during packaging. Butfakeroot
is really just a different
path to that same result.
There are already two good, and very detailed answers here, but I'll just point out that the introductory paragraph of the original fakeroot
man page1 actually explains it pretty clearly and concisely:
fakeroot runs a command in an environment wherein it appears to have root privileges for file manipulation. This is useful for allowing users to create archives (tar, ar, .deb etc.) with files in them with root permissions/ownership. Without fakeroot one would need to have root privileges to create the constituent files of the archives with the correct permissions and ownership, and then pack them up, or one would have to construct the archives directly, without using the archiver.
Fakeroot allows a non-root user to create archives containing root-owned files, which is a critical part of generating and distributing binary software packages in Linux. Without fakeroot
, package archives would have to be generated while running as actual root, so that they contain the correct file ownership and permissions. That would be a security risk. Building and packaging potentially-untrusted software is a huge exposure if done with root privs. Thanks to fakeroot
, an unprivileged user with unprivileged files can still generate archives containing files with root ownership.2
But it's not a security risk, because nothing in the archive is actually owned by root until the files are EXTRACTED. And even then, the files will only be extracted with their root permissions intact if it's done by a privileged user. That step â where a fakeroot
-assisted archive containing "root" files is extracted by a privileged user â is where the "fake" root finally becomes real. Up until that point, no actual root privileges are ever obtained or bypassed.
Notes
- Fakeroot has spawned some competitors/imitators that will masquerade as
fakeroot
if installed, includingfakeroot-ng
andpseudo
. But IMHO neither "imitator's" man page is nearly as clear about getting right to the point on this question. Stick with the original, one and onlyfakeroot
O.G. Other distros/packaging-systems overcome this by simply not using root ownership in their package archives. On Fedora, for instance, software can be compiled, installed, and packaged by an unprivileged user without requiring
fakeroot
. It's all done within the user's$HOME/rpmbuild/
space, and normally-privileged steps likemake install
get redirected (via mechanisms like--prefix
andDESTDIR
) to a$HOME/rpmbuild/BUILDROOT/
hierarchy that could be considered a sort of "fakechroot" space (without actually usingfakechroot
).But even during
make install
, everything is executed as and owned by the
unprivileged user. Extracted file ownership and permissions will be set toroot,root
and0644
(or0755
for executables) by default, unless overridden in the package definition (.spec
) file in which case they're stored as metadata within the final package.
Because no permissions or ownership are actually applied until the rpm package's (privileged)
installation process, neither root norfakeroot
is needed during packaging. Butfakeroot
is really just a different
path to that same result.
edited Jul 16 at 12:42
answered Jul 12 at 8:42
FeRD
344210
344210
1
Regarding your first note,fakeroot-ng
claims to supersedefakeroot
, but in practice it hasnâÂÂt replaced it, and AFAIKfakeroot
is still the tool used in Debian by default (when necessary).
â Stephen Kitt
Jul 12 at 13:04
@StephenKitt Aha! Thanks. I was wondering about that. Initially I was confused because I went searching for thefakeroot
manpage, and Google dumped me atfakeroot-ng
's (masquerading asfakeroot(1)
), and I guess I overpresumed. But I see now that fakeroot-ng hasn't been updated since 2014, whereas fakeroot is still active. There's apparently also pseudo which made a go of it a couple of years ago, but has now stalled. I'll tweak my answer accordingly.
â FeRD
Jul 12 at 13:12
1
Yeah I was confused at first too, since thefakeroot
manpage on DebianâÂÂs site leads tofakeroot-ng
âÂÂs version by default. Check out the last paragraph of thefakeroot-ng
for an amusing twist ;-).
â Stephen Kitt
Jul 12 at 13:25
add a comment |Â
1
Regarding your first note,fakeroot-ng
claims to supersedefakeroot
, but in practice it hasnâÂÂt replaced it, and AFAIKfakeroot
is still the tool used in Debian by default (when necessary).
â Stephen Kitt
Jul 12 at 13:04
@StephenKitt Aha! Thanks. I was wondering about that. Initially I was confused because I went searching for thefakeroot
manpage, and Google dumped me atfakeroot-ng
's (masquerading asfakeroot(1)
), and I guess I overpresumed. But I see now that fakeroot-ng hasn't been updated since 2014, whereas fakeroot is still active. There's apparently also pseudo which made a go of it a couple of years ago, but has now stalled. I'll tweak my answer accordingly.
â FeRD
Jul 12 at 13:12
1
Yeah I was confused at first too, since thefakeroot
manpage on DebianâÂÂs site leads tofakeroot-ng
âÂÂs version by default. Check out the last paragraph of thefakeroot-ng
for an amusing twist ;-).
â Stephen Kitt
Jul 12 at 13:25
1
1
Regarding your first note,
fakeroot-ng
claims to supersede fakeroot
, but in practice it hasnâÂÂt replaced it, and AFAIK fakeroot
is still the tool used in Debian by default (when necessary).â Stephen Kitt
Jul 12 at 13:04
Regarding your first note,
fakeroot-ng
claims to supersede fakeroot
, but in practice it hasnâÂÂt replaced it, and AFAIK fakeroot
is still the tool used in Debian by default (when necessary).â Stephen Kitt
Jul 12 at 13:04
@StephenKitt Aha! Thanks. I was wondering about that. Initially I was confused because I went searching for the
fakeroot
manpage, and Google dumped me at fakeroot-ng
's (masquerading as fakeroot(1)
), and I guess I overpresumed. But I see now that fakeroot-ng hasn't been updated since 2014, whereas fakeroot is still active. There's apparently also pseudo which made a go of it a couple of years ago, but has now stalled. I'll tweak my answer accordingly.â FeRD
Jul 12 at 13:12
@StephenKitt Aha! Thanks. I was wondering about that. Initially I was confused because I went searching for the
fakeroot
manpage, and Google dumped me at fakeroot-ng
's (masquerading as fakeroot(1)
), and I guess I overpresumed. But I see now that fakeroot-ng hasn't been updated since 2014, whereas fakeroot is still active. There's apparently also pseudo which made a go of it a couple of years ago, but has now stalled. I'll tweak my answer accordingly.â FeRD
Jul 12 at 13:12
1
1
Yeah I was confused at first too, since the
fakeroot
manpage on DebianâÂÂs site leads to fakeroot-ng
âÂÂs version by default. Check out the last paragraph of the fakeroot-ng
for an amusing twist ;-).â Stephen Kitt
Jul 12 at 13:25
Yeah I was confused at first too, since the
fakeroot
manpage on DebianâÂÂs site leads to fakeroot-ng
âÂÂs version by default. Check out the last paragraph of the fakeroot-ng
for an amusing twist ;-).â Stephen Kitt
Jul 12 at 13:25
add a comment |Â
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f454686%2fhow-fakeroot-is-not-a-security-breach-in-linux%23new-answer', 'question_page');
);
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
1
You don't need fakeroot to compile a kernel. The kernel build system isn't that crazy. The linked discussion is about making a Debian kernel package, in which the actual kernel build is just one step.
â Wumpus Q. Wumbley
Jul 11 at 12:45
@WumpusQ.Wumbley I will correct that, and could you tell me why that is the case?
â ng.newbie
Jul 11 at 12:51
Because fakeroot is a Debian thing, and Linux is more than Debian?
â Wumpus Q. Wumbley
Jul 11 at 13:10
@WumpusQ.Wumbley it should run on any distribution.
â immibis
Jul 12 at 4:38