From c022beedb174f4fd00ba1de284208ffe4872e8c8 Mon Sep 17 00:00:00 2001
From: Seungmin Kim <8457324+ehfd@users.noreply.github.com>
Date: Sun, 28 Jul 2024 20:23:33 +0900
Subject: [PATCH] Fix setuid/setgid for DBus

---
 addons/example/Dockerfile | 7 +++++--
 docs/development.md | 2 +-
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/addons/example/Dockerfile b/addons/example/Dockerfile
index a989f7a4..9a8a39c4 100644
--- a/addons/example/Dockerfile
+++ b/addons/example/Dockerfile
@@ -45,7 +45,10 @@ RUN apt-get clean && apt-get update && apt-get dist-upgrade -y && apt-get instal
     usermod -a -G adm,audio,cdrom,dialout,dip,fax,floppy,games,input,lp,plugdev,render,ssl-cert,sudo,tape,tty,video,voice ubuntu && \
     echo "ubuntu ALL=(ALL:ALL) NOPASSWD: ALL" >> /etc/sudoers && \
     echo "ubuntu:${PASSWD}" | chpasswd && \
-    chown -R -f -h --no-preserve-root ubuntu:ubuntu / || echo 'Failed to set filesystem ownership in some paths to ubuntu user'
+    chown -R -f -h --no-preserve-root ubuntu:ubuntu / || echo 'Failed to set filesystem ownership in some paths to ubuntu user' && \
+    # Preserve setuid/setgid removed by chown
+    chmod -f 4755 /usr/lib/dbus-1.0/dbus-daemon-launch-helper /usr/bin/chfn /usr/bin/chsh /usr/bin/mount /usr/bin/gpasswd /usr/bin/passwd /usr/bin/newgrp /usr/bin/umount /usr/bin/su /usr/bin/sudo-root /usr/bin/fusermount || echo 'Failed to set chmod setuid for some paths' && \
+    chmod -f 2755 /var/local /var/mail /usr/sbin/unix_chkpwd /usr/sbin/pam_extrausers_chkpwd /usr/bin/expiry /usr/bin/chage || echo 'Failed to set chmod setgid for some paths'
 
 # Set locales
 ENV LANG="en_US.UTF-8"
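Review bot: The two added chmod lines restore the mode bits but not the ownership: the `chown -R -f -h --no-preserve-root ubuntu:ubuntu /` on the line just above has already made every listed path owned by ubuntu:ubuntu, so 4755 on /usr/bin/passwd or /usr/lib/dbus-1.0/dbus-daemon-launch-helper now means set-uid to ubuntu rather than root, and 2755 on /usr/sbin/unix_chkpwd means set-gid to the ubuntu group rather than shadow. Only /usr/bin/sudo-root gets root ownership back (in the @@ -298 hunk of this file); the other paths stay effectively unprivileged unless that is done somewhere outside this diff. Restore the owner before the mode, e.g. insert `chown -f root:root /usr/lib/dbus-1.0/dbus-daemon-launch-helper /usr/bin/chfn /usr/bin/chsh /usr/bin/mount /usr/bin/gpasswd /usr/bin/passwd /usr/bin/newgrp /usr/bin/umount /usr/bin/su /usr/bin/fusermount /usr/sbin/unix_chkpwd /usr/sbin/pam_extrausers_chkpwd /usr/bin/expiry /usr/bin/chage || echo 'Failed to restore root ownership for some paths' && \` ahead of the first chmod, and give the group-specific files their packaged owner:group and mode instead of a blanket 2755 (on Debian/Ubuntu the dbus helper is shipped as root:messagebus 4754 and unix_chkpwd, expiry and chage as root:shadow — verify against a stock image). A hard-coded list will drift as packages are added; a more robust approach is to record the owner, group and mode of every `find / -xdev -perm /6000` hit before the chown and replay them afterwards. The RUN instruction these lines belong to starts outside the hunk.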
@@ -298,7 +301,7 @@ USER 0
 # Enable sudo through sudo-root with uid 0
 RUN if [ -d "/usr/libexec/sudo" ]; then SUDO_LIB="/usr/libexec/sudo"; else SUDO_LIB="/usr/lib/sudo"; fi && \
     chown -R -f -h --no-preserve-root root:root /usr/bin/sudo-root /etc/sudo.conf /etc/sudoers /etc/sudoers.d /etc/sudo_logsrvd.conf "${SUDO_LIB}" || echo 'Failed to provide root permissions in some paths relevant to sudo' && \
-    chmod -f 4755 /usr/bin/sudo-root || echo 'Failed to set chmod for sudo-root'
+    chmod -f 4755 /usr/bin/sudo-root || echo 'Failed to set chmod setuid for sudo-root'
 USER 1000
 ENV PIPEWIRE_LATENCY="32/48000"
diff --git a/docs/development.md b/docs/development.md
index b2f80823..1e481848 100644
--- a/docs/development.md
+++ b/docs/development.md
@@ -112,7 +112,7 @@ USER 0
 # Enable sudo through sudo-root with uid 0
 RUN if [ -d "/usr/libexec/sudo" ]; then SUDO_LIB="/usr/libexec/sudo"; else SUDO_LIB="/usr/lib/sudo"; fi && \
     chown -R -f -h --no-preserve-root root:root /usr/bin/sudo-root /etc/sudo.conf /etc/sudoers /etc/sudoers.d /etc/sudo_logsrvd.conf "${SUDO_LIB}" || echo 'Failed to provide root permissions in some paths relevant to sudo' && \
-    chmod -f 4755 /usr/bin/sudo-root || echo 'Failed to set chmod for sudo-root'
+    chmod -f 4755 /usr/bin/sudo-root || echo 'Failed to set chmod setuid for sudo-root'
 USER 1000
 ENV SHELL=/bin/bash