[ptxdist] Hard-coded directory permissions

[ptxdist] Hard-coded directory permissions

[Nico Lastzka]

Hi,

I ran into a problem with the latest ptxdist 2020.06 when trying to install an ssh key to
"/root/.ssh/authorized_keys".

--8<--------------------

#> ptxdist images

... # output skipped

Incompatible ownership or permissions for '/root':
image-enhancements: 0.0 0755 (implicit)
rootfs: 0.0 0700
One of these packages must be fixed!

-------------------->8--

Here, the "image-enhancements rule" contains the following code which breaks the image creation:

     @$(call install_copy, image_enhancements, 0, 0, 0400, $(PTXDIST_PLATFORMCONFIGDIR)/access/key-develop_id_ed25519.pub, /root/.ssh/authorized_keys )

I found the code in "scripts/lib/ptxd_lib_check_dir_permissions.awk" to be responsible for this
issue. In this file the directory permissions are hardcoded. The following "patch" is my current
workaround for this problem:

--8<--------------------

diff --git a/scripts/lib/ptxd_lib_check_dir_permissions.awk b/scripts/lib/ptxd_lib_check_dir_permissions.awk
index 9bd009f04..4ad132561 100644                                                                           
--- a/scripts/lib/ptxd_lib_check_dir_permissions.awk                                                        
+++ b/scripts/lib/ptxd_lib_check_dir_permissions.awk                                                        
@@ -33,6 +33,9 @@ $1 ~ "f" {                                                                                
                 path = gensub(/\/[^/]*$/,"",1,path)                                                         
                 if (path == "")                                                                             
                         break;                                                                              
-               check(path, "0.0 0755", 1)                                                                  
+               if (path == "/root")                                                                        
+                       check(path, "0.0 0700", 1)                                                          
+               else                                                                                        
+                       check(path, "0.0 0755", 1)                                                          
         }                                                                                                   
  }                                                                                                          

-------------------->8--

What would be a proper solution to this problem?

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de

Re: [ptxdist] Hard-coded directory permissions

[Bruno Thomsen]

> From: ptxdist <ptxdist-bounces@pengutronix.de> on behalf of Nico Lastzka <Nico.Lastzka@ATSonline.de>
> Sent: Wednesday, June 10, 2020 11:35
> To: ptxdist@pengutronix.de <ptxdist@pengutronix.de>
> Subject: [ptxdist] Hard-coded directory permissions 
>
> Hi,
>
> I ran into a problem with the latest ptxdist 2020.06 when trying to install an ssh key to
> "/root/.ssh/authorized_keys".
> 
> 
> Here, the "image-enhancements rule" contains the following code which breaks the image creation:
> 
>      @$(call install_copy, image_enhancements, 0, 0, 0400, $(PTXDIST_PLATFORMCONFIGDIR)/access/key-develop_id_ed25519.pub, /root/.ssh/authorized_keys )

I think you need to create the parent directory first with correct permissions.

@$(call install_copy, image_enhancements, 0, 0, 0400, /root/.ssh)

/Bruno
_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de

Re: [ptxdist] Hard-coded directory permissions

[Nico Lastzka]

On Wed 10/06/20 11:32, Bruno Thomsen wrote:
>> From: ptxdist <ptxdist-bounces@pengutronix.de> on behalf of Nico Lastzka <Nico.Lastzka@ATSonline.de>
>> Sent: Wednesday, June 10, 2020 11:35
>> To: ptxdist@pengutronix.de <ptxdist@pengutronix.de>
>> Subject: [ptxdist] Hard-coded directory permissions
>>
>> Hi,
>>
>> I ran into a problem with the latest ptxdist 2020.06 when trying to install an ssh key to
>> "/root/.ssh/authorized_keys".
>>
>>
>> Here, the "image-enhancements rule" contains the following code which breaks the image creation:
>>
>>      @$(call install_copy, image_enhancements, 0, 0, 0400, $(PTXDIST_PLATFORMCONFIGDIR)/access/key-develop_id_ed25519.pub, /root/.ssh/authorized_keys )
>
>I think you need to create the parent directory first with correct permissions.
>
>@$(call install_copy, image_enhancements, 0, 0, 0400, /root/.ssh)
>

Already tried that without success.


>/Bruno
>_______________________________________________
>ptxdist mailing list
>ptxdist@pengutronix.de
>To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
>
>
>

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de

Re: [ptxdist] Hard-coded directory permissions

[Michael Olbrich]

On Wed, Jun 10, 2020 at 01:42:25PM +0200, Nico Lastzka wrote:
> On Wed 10/06/20 11:32, Bruno Thomsen wrote:
> > > From: ptxdist <ptxdist-bounces@pengutronix.de> on behalf of Nico Lastzka <Nico.Lastzka@ATSonline.de>
> > > Sent: Wednesday, June 10, 2020 11:35
> > > To: ptxdist@pengutronix.de <ptxdist@pengutronix.de>
> > > Subject: [ptxdist] Hard-coded directory permissions
> > > 
> > > Hi,
> > > 
> > > I ran into a problem with the latest ptxdist 2020.06 when trying to install an ssh key to
> > > "/root/.ssh/authorized_keys".
> > > 
> > > 
> > > Here, the "image-enhancements rule" contains the following code which breaks the image creation:
> > > 
> > >      @$(call install_copy, image_enhancements, 0, 0, 0400, $(PTXDIST_PLATFORMCONFIGDIR)/access/key-develop_id_ed25519.pub, /root/.ssh/authorized_keys )
> > 
> > I think you need to create the parent directory first with correct permissions.
> > 
> > @$(call install_copy, image_enhancements, 0, 0, 0400, /root/.ssh)
> > 
> 
> Already tried that without success.

You need to explicitly create the directory, the error complains about,
with the correct permissions:

	@$(call install_copy, image_enhancements, 0, 0, 0700, /root)

Michael

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de

Re: [ptxdist] Hard-coded directory permissions

[Nico Lastzka]

On Thu 11/06/20 07:46, Michael Olbrich wrote:
>On Wed, Jun 10, 2020 at 01:42:25PM +0200, Nico Lastzka wrote:
>> On Wed 10/06/20 11:32, Bruno Thomsen wrote:
>> > > From: ptxdist <ptxdist-bounces@pengutronix.de> on behalf of Nico Lastzka <Nico.Lastzka@ATSonline.de>
>> > > Sent: Wednesday, June 10, 2020 11:35
>> > > To: ptxdist@pengutronix.de <ptxdist@pengutronix.de>
>> > > Subject: [ptxdist] Hard-coded directory permissions
>> > >
>> > > Hi,
>> > >
>> > > I ran into a problem with the latest ptxdist 2020.06 when trying to install an ssh key to
>> > > "/root/.ssh/authorized_keys".
>> > >
>> > >
>> > > Here, the "image-enhancements rule" contains the following code which breaks the image creation:
>> > >
>> > >      @$(call install_copy, image_enhancements, 0, 0, 0400, $(PTXDIST_PLATFORMCONFIGDIR)/access/key-develop_id_ed25519.pub, /root/.ssh/authorized_keys )
>> >
>> > I think you need to create the parent directory first with correct permissions.
>> >
>> > @$(call install_copy, image_enhancements, 0, 0, 0400, /root/.ssh)
>> >
>>
>> Already tried that without success.
>
>You need to explicitly create the directory, the error complains about,
>with the correct permissions:
>
>	@$(call install_copy, image_enhancements, 0, 0, 0700, /root)
>

Thanks for the quick reply. I tried your solution but it did not work either. Although I can create
folders like '/root' and '/root/.ssh' without a problem, the issue comes from the fact that the awk
script uses hardcoded permissions for folders within a given file path. Now I have the following in
my rule:

--8<--------------------
@$(call install_copy, image_enhancements, 0, 0, 0700, /root)
@$(call install_copy, image_enhancements, 0, 0, 0700, /root/.ssh)
@$(call install_copy, image_enhancements, 0, 0, 0400, $(PTXDIST_PLATFORMCONFIGDIR)/access/key-develop_id_ed25519.pub, /root/.ssh/authorized_keys )
-------------------->8--

This leads to the following results:

1. '/root' is checked ok, since it uses the same permissions as defined by the rootfs
2. '/root/.ssh is checked ok, since it is not included by any other package (I can even change
permissions here)
3. '/root/.ssh/authorized_keys' is split into the following checks by the script:
   3a. '/root/.ssh/authorized_keys' is checked ok because no other package defines it
   3b. '/root/.ssh is checked ok although the permissions checked for are now 0755, since it is not included by any other package
   3c. '/root' check fails, since it now uses the hardcoded permissions 0755, whereas the rootfs defines 0700)

I think rather to use the hardcoded values for these folders the script should try to look it up
from 'perms[path]' first and only use the 0755 as a fallback.

>Michael
>
>-- 
>Pengutronix e.K.                           |                             |
>Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
>31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
>Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |
>
>_______________________________________________
>ptxdist mailing list
>ptxdist@pengutronix.de
>To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
>
>
>

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de

Re: [ptxdist] Hard-coded directory permissions

[Michael Olbrich]

On Thu, Jun 11, 2020 at 08:19:00AM +0200, Nico Lastzka wrote:
> On Thu 11/06/20 07:46, Michael Olbrich wrote:
> > On Wed, Jun 10, 2020 at 01:42:25PM +0200, Nico Lastzka wrote:
> > > On Wed 10/06/20 11:32, Bruno Thomsen wrote:
> > > > > From: ptxdist <ptxdist-bounces@pengutronix.de> on behalf of Nico Lastzka <Nico.Lastzka@ATSonline.de>
> > > > > Sent: Wednesday, June 10, 2020 11:35
> > > > > To: ptxdist@pengutronix.de <ptxdist@pengutronix.de>
> > > > > Subject: [ptxdist] Hard-coded directory permissions
> > > > >
> > > > > Hi,
> > > > >
> > > > > I ran into a problem with the latest ptxdist 2020.06 when trying to install an ssh key to
> > > > > "/root/.ssh/authorized_keys".
> > > > >
> > > > >
> > > > > Here, the "image-enhancements rule" contains the following code which breaks the image creation:
> > > > >
> > > > >      @$(call install_copy, image_enhancements, 0, 0, 0400, $(PTXDIST_PLATFORMCONFIGDIR)/access/key-develop_id_ed25519.pub, /root/.ssh/authorized_keys )
> > > >
> > > > I think you need to create the parent directory first with correct permissions.
> > > >
> > > > @$(call install_copy, image_enhancements, 0, 0, 0400, /root/.ssh)
> > > >
> > > 
> > > Already tried that without success.
> > 
> > You need to explicitly create the directory, the error complains about,
> > with the correct permissions:
> > 
> > 	@$(call install_copy, image_enhancements, 0, 0, 0700, /root)
> > 
> 
> Thanks for the quick reply. I tried your solution but it did not work either. Although I can create
> folders like '/root' and '/root/.ssh' without a problem, the issue comes from the fact that the awk
> script uses hardcoded permissions for folders within a given file path. Now I have the following in
> my rule:
> 
> --8<--------------------
> @$(call install_copy, image_enhancements, 0, 0, 0700, /root)
> @$(call install_copy, image_enhancements, 0, 0, 0700, /root/.ssh)
> @$(call install_copy, image_enhancements, 0, 0, 0400, $(PTXDIST_PLATFORMCONFIGDIR)/access/key-develop_id_ed25519.pub, /root/.ssh/authorized_keys )
> -------------------->8--
> 
> This leads to the following results:
> 
> 1. '/root' is checked ok, since it uses the same permissions as defined by the rootfs
> 2. '/root/.ssh is checked ok, since it is not included by any other package (I can even change
> permissions here)
> 3. '/root/.ssh/authorized_keys' is split into the following checks by the script:
>   3a. '/root/.ssh/authorized_keys' is checked ok because no other package defines it
>   3b. '/root/.ssh is checked ok although the permissions checked for are now 0755, since it is not included by any other package
>   3c. '/root' check fails, since it now uses the hardcoded permissions 0755, whereas the rootfs defines 0700)
> 
> I think rather to use the hardcoded values for these folders the script should try to look it up
> from 'perms[path]' first and only use the 0755 as a fallback.

Right, I have no idea how I missed this during testing. I think I only used
directories for some tests and the parent directories are not checked
there :-/.

Anyway, I have this in my test queue now:

diff --git a/scripts/lib/ptxd_lib_check_dir_permissions.awk b/scripts/lib/ptxd_lib_check_dir_permissions.awk
index 9bd009f04881..a02ccb552526 100644
--- a/scripts/lib/ptxd_lib_check_dir_permissions.awk
+++ b/scripts/lib/ptxd_lib_check_dir_permissions.awk
@@ -10,6 +10,8 @@ FNR == 1 {
 
 function check(path, perm, implicit) {
 	if ((path in perms) && (perms[path] != perm)) {
+		if (implicit && (pkg == names[path]))
+			return;
 		print("\nIncompatible ownership or permissions for '" path "':")
 		print(names[path] ": " perms[path] (imp[path] ? " (implicit)" : ""))
 		print(pkg ": " perm (implicit ? " (implicit)" : ""))

I think that should help. I have some more stuff to check parent dirs for
directories as well, but this is the important part.

Fyi, if you put a modified scripts/lib/ptxd_lib_check_dir_permissions.awk
into your BSP, then it will be used instead of the version from PTXdist.
This way you can still use the current PTXdist release without modifying
it.

Regards,
Michael

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de