* [ptxdist] Hard-coded directory permissions
From: Nico Lastzka @ 2020-06-10 9:35 UTC
To: ptxdist

Hi,

I ran into a problem with the latest ptxdist 2020.06 when trying to install an ssh key to
"/root/.ssh/authorized_keys".

--8<--------------------
#> ptxdist images
... # output skipped
Incompatible ownership or permissions for '/root':
image-enhancements: 0.0 0755 (implicit)
rootfs: 0.0 0700
One of these packages must be fixed!
-------------------->8--

Here, the "image-enhancements rule" contains the following code which breaks the image creation:

@$(call install_copy, image_enhancements, 0, 0, 0400, $(PTXDIST_PLATFORMCONFIGDIR)/access/key-develop_id_ed25519.pub, /root/.ssh/authorized_keys )

I found the code in "scripts/lib/ptxd_lib_check_dir_permissions.awk" to be responsible for this issue.
In this file the directory permissions are hardcoded. The following "patch" is my current workaround
for this problem:

--8<--------------------
diff --git a/scripts/lib/ptxd_lib_check_dir_permissions.awk b/scripts/lib/ptxd_lib_check_dir_permissions.awk index 9bd009f04..4ad132561 100644 --- a/scripts/lib/ptxd_lib_check_dir_permissions.awk +++ b/scripts/lib/ptxd_lib_check_dir_permissions.awk @@ -33,6 +33,9 @@ $1 ~ "f" { path = gensub(/\/[^/]*$/,"",1,path) if (path == "") break; - check(path, "0.0 0755", 1) + if (path == "/root") + check(path, "0.0 0700", 1) + else + check(path, "0.0 0755", 1) } }
-------------------->8--

What would be a proper solution to this problem?

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
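
Review bot: the added branch if (path == "/root") in the parent walk replaces one hard-coded mode with two, so any other parent directory that a package ships with a mode other than 0755 will still be reported as incompatible. Prefer taking the expected mode from what is already recorded for that path and passing "0.0 0755" to check() only when nothing is recorded. A short comment on why parents of a file default to 0755 would also help the next reader.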
* Re: [ptxdist] Hard-coded directory permissions
From: Bruno Thomsen @ 2020-06-10 11:32 UTC
To: ptxdist

> From: ptxdist <ptxdist-bounces@pengutronix.de> on behalf of Nico Lastzka <Nico.Lastzka@ATSonline.de>
> Sent: Wednesday, June 10, 2020 11:35
> To: ptxdist@pengutronix.de <ptxdist@pengutronix.de>
> Subject: [ptxdist] Hard-coded directory permissions
>
> Hi,
>
> I ran into a problem with the latest ptxdist 2020.06 when trying to install an ssh key to
> "/root/.ssh/authorized_keys".
>
>
> Here, the "image-enhancements rule" contains the following code which breaks the image creation:
>
> @$(call install_copy, image_enhancements, 0, 0, 0400, $(PTXDIST_PLATFORMCONFIGDIR)/access/key-develop_id_ed25519.pub, /root/.ssh/authorized_keys )

I think you need to create the parent directory first with correct permissions.

@$(call install_copy, image_enhancements, 0, 0, 0400, /root/.ssh)

/Bruno
* Re: [ptxdist] Hard-coded directory permissions
From: Nico Lastzka @ 2020-06-10 11:42 UTC
To: ptxdist

On Wed 10/06/20 11:32, Bruno Thomsen wrote:
>> From: ptxdist <ptxdist-bounces@pengutronix.de> on behalf of Nico Lastzka <Nico.Lastzka@ATSonline.de>
>> Sent: Wednesday, June 10, 2020 11:35
>> To: ptxdist@pengutronix.de <ptxdist@pengutronix.de>
>> Subject: [ptxdist] Hard-coded directory permissions
>>
>> Hi,
>>
>> I ran into a problem with the latest ptxdist 2020.06 when trying to install an ssh key to
>> "/root/.ssh/authorized_keys".
>>
>>
>> Here, the "image-enhancements rule" contains the following code which breaks the image creation:
>>
>> @$(call install_copy, image_enhancements, 0, 0, 0400, $(PTXDIST_PLATFORMCONFIGDIR)/access/key-develop_id_ed25519.pub, /root/.ssh/authorized_keys )
>
>I think you need to create the parent directory first with correct permissions.
>
>@$(call install_copy, image_enhancements, 0, 0, 0400, /root/.ssh)
>

Already tried that without success.

>/Bruno
* Re: [ptxdist] Hard-coded directory permissions
From: Michael Olbrich @ 2020-06-11 5:46 UTC
To: Nico Lastzka, ptxdist

On Wed, Jun 10, 2020 at 01:42:25PM +0200, Nico Lastzka wrote:
> On Wed 10/06/20 11:32, Bruno Thomsen wrote:
> > > From: ptxdist <ptxdist-bounces@pengutronix.de> on behalf of Nico Lastzka <Nico.Lastzka@ATSonline.de>
> > > Sent: Wednesday, June 10, 2020 11:35
> > > To: ptxdist@pengutronix.de <ptxdist@pengutronix.de>
> > > Subject: [ptxdist] Hard-coded directory permissions
> > >
> > > Hi,
> > >
> > > I ran into a problem with the latest ptxdist 2020.06 when trying to install an ssh key to
> > > "/root/.ssh/authorized_keys".
> > >
> > >
> > > Here, the "image-enhancements rule" contains the following code which breaks the image creation:
> > >
> > > @$(call install_copy, image_enhancements, 0, 0, 0400, $(PTXDIST_PLATFORMCONFIGDIR)/access/key-develop_id_ed25519.pub, /root/.ssh/authorized_keys )
> >
> > I think you need to create the parent directory first with correct permissions.
> >
> > @$(call install_copy, image_enhancements, 0, 0, 0400, /root/.ssh)
> >
>
> Already tried that without success.

You need to explicitly create the directory, the error complains about,
with the correct permissions:

	@$(call install_copy, image_enhancements, 0, 0, 0700, /root)

Michael

--
Pengutronix e.K.                  |                             |
Steuerwalder Str. 21              | http://www.pengutronix.de/  |
31137 Hildesheim, Germany         | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686  | Fax:   +49-5121-206917-5555 |
* Re: [ptxdist] Hard-coded directory permissions
From: Nico Lastzka @ 2020-06-11 6:19 UTC
To: ptxdist

On Thu 11/06/20 07:46, Michael Olbrich wrote:
>On Wed, Jun 10, 2020 at 01:42:25PM +0200, Nico Lastzka wrote:
>> On Wed 10/06/20 11:32, Bruno Thomsen wrote:
>> > > From: ptxdist <ptxdist-bounces@pengutronix.de> on behalf of Nico Lastzka <Nico.Lastzka@ATSonline.de>
>> > > Sent: Wednesday, June 10, 2020 11:35
>> > > To: ptxdist@pengutronix.de <ptxdist@pengutronix.de>
>> > > Subject: [ptxdist] Hard-coded directory permissions
>> > >
>> > > Hi,
>> > >
>> > > I ran into a problem with the latest ptxdist 2020.06 when trying to install an ssh key to
>> > > "/root/.ssh/authorized_keys".
>> > >
>> > >
>> > > Here, the "image-enhancements rule" contains the following code which breaks the image creation:
>> > >
>> > > @$(call install_copy, image_enhancements, 0, 0, 0400, $(PTXDIST_PLATFORMCONFIGDIR)/access/key-develop_id_ed25519.pub, /root/.ssh/authorized_keys )
>> >
>> > I think you need to create the parent directory first with correct permissions.
>> >
>> > @$(call install_copy, image_enhancements, 0, 0, 0400, /root/.ssh)
>> >
>>
>> Already tried that without success.
>
>You need to explicitly create the directory, the error complains about,
>with the correct permissions:
>
>	@$(call install_copy, image_enhancements, 0, 0, 0700, /root)
>

Thanks for the quick reply. I tried your solution but it did not work either. Although I can create
folders like '/root' and '/root/.ssh' without a problem, the issue comes from the fact that the awk
script uses hardcoded permissions for folders within a given file path. Now I have the following in
my rule:

--8<--------------------
@$(call install_copy, image_enhancements, 0, 0, 0700, /root)
@$(call install_copy, image_enhancements, 0, 0, 0700, /root/.ssh)
@$(call install_copy, image_enhancements, 0, 0, 0400, $(PTXDIST_PLATFORMCONFIGDIR)/access/key-develop_id_ed25519.pub, /root/.ssh/authorized_keys )
-------------------->8--

This leads to the following results:

1. '/root' is checked ok, since it uses the same permissions as defined by the rootfs
2. '/root/.ssh' is checked ok, since it is not included by any other package (I can even change
   permissions here)
3. '/root/.ssh/authorized_keys' is split into the following checks by the script:
   3a. '/root/.ssh/authorized_keys' is checked ok because no other package defines it
   3b. '/root/.ssh' is checked ok although the permissions checked for are now 0755, since it is not included by any other package
   3c. '/root' check fails, since it now uses the hardcoded permissions 0755, whereas the rootfs defines 0700

I think rather than using the hardcoded values for these folders, the script should try to look it up
from 'perms[path]' first and only use the 0755 as a fallback.

>Michael
>
>--
>Pengutronix e.K.                  |                             |
>Steuerwalder Str. 21              | http://www.pengutronix.de/  |
>31137 Hildesheim, Germany         | Phone: +49-5121-206917-0    |
>Amtsgericht Hildesheim, HRA 2686  | Fax:   +49-5121-206917-5555 |
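
The checks listed in the message above, as a runnable simplified model (an added example, not code from the thread or from PTXdist): it compares the hard-coded 0755 parent mode with the lookup-first fallback the message proposes. The input format, the function names and the rule that only a mismatch with another package counts (taken from step 3b) are assumptions.

```shell
#!/bin/sh
# Simplified model of the parent-directory check described in the message above;
# not PTXdist's script. Entries are constructed: <pkg> <f|d> <owner.group> <mode> <path>
sample_entries() {
cat <<'EOF'
rootfs d 0.0 0700 /root
image-enhancements d 0.0 0700 /root
image-enhancements d 0.0 0700 /root/.ssh
image-enhancements f 0.0 0400 /root/.ssh/authorized_keys
EOF
}

# check_tree hardcoded: every parent of a file is assumed to be 0.0 0755.
# check_tree lookup:    a parent already recorded keeps its mode; 0755 is the fallback.
# Prints one line per conflict and returns non-zero if there was any.
check_tree() {
	awk -v mode="$1" '
	function check(path, perm, implicit) {
		# Assumption from step 3b: only a mismatch with another package is a conflict.
		if ((path in perms) && perms[path] != perm && names[path] != pkg) {
			printf "%s: %s has %s, %s expects %s%s\n", path, names[path],
				perms[path], pkg, perm, (implicit ? " (implicit)" : "")
			bad++
		} else if (!(path in perms)) {
			perms[path] = perm; names[path] = pkg
		}
	}
	{
		pkg = $1; path = $5
		check(path, $3 " " $4, 0)
		if ($2 != "f") next
		while (1) {                       # walk up: /root/.ssh, then /root
			sub("/[^/]*$", "", path)
			if (path == "") break
			want = (mode == "lookup" && (path in perms)) ? perms[path] : "0.0 0755"
			check(path, want, 1)
		}
	}
	END { exit (bad > 0) }'
}

sample_entries | check_tree hardcoded || true   # reports the conflict on /root
sample_entries | check_tree lookup              # no conflict reported
```
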
* Re: [ptxdist] Hard-coded directory permissions
From: Michael Olbrich @ 2020-06-12 6:51 UTC
To: ptxdist; +Cc: Nico Lastzka

On Thu, Jun 11, 2020 at 08:19:00AM +0200, Nico Lastzka wrote:
> On Thu 11/06/20 07:46, Michael Olbrich wrote:
> > On Wed, Jun 10, 2020 at 01:42:25PM +0200, Nico Lastzka wrote:
> > > On Wed 10/06/20 11:32, Bruno Thomsen wrote:
> > > > > From: ptxdist <ptxdist-bounces@pengutronix.de> on behalf of Nico Lastzka <Nico.Lastzka@ATSonline.de>
> > > > > Sent: Wednesday, June 10, 2020 11:35
> > > > > To: ptxdist@pengutronix.de <ptxdist@pengutronix.de>
> > > > > Subject: [ptxdist] Hard-coded directory permissions
> > > > >
> > > > > Hi,
> > > > >
> > > > > I ran into a problem with the latest ptxdist 2020.06 when trying to install an ssh key to
> > > > > "/root/.ssh/authorized_keys".
> > > > >
> > > > >
> > > > > Here, the "image-enhancements rule" contains the following code which breaks the image creation:
> > > > >
> > > > > @$(call install_copy, image_enhancements, 0, 0, 0400, $(PTXDIST_PLATFORMCONFIGDIR)/access/key-develop_id_ed25519.pub, /root/.ssh/authorized_keys )
> > > >
> > > > I think you need to create the parent directory first with correct permissions.
> > > >
> > > > @$(call install_copy, image_enhancements, 0, 0, 0400, /root/.ssh)
> > > >
> > >
> > > Already tried that without success.
> >
> > You need to explicitly create the directory, the error complains about,
> > with the correct permissions:
> >
> > 	@$(call install_copy, image_enhancements, 0, 0, 0700, /root)
> >
>
> Thanks for the quick reply. I tried your solution but it did not work either. Although I can create
> folders like '/root' and '/root/.ssh' without a problem, the issue comes from the fact that the awk
> script uses hardcoded permissions for folders within a given file path. Now I have the following in
> my rule:
>
> --8<--------------------
> @$(call install_copy, image_enhancements, 0, 0, 0700, /root)
> @$(call install_copy, image_enhancements, 0, 0, 0700, /root/.ssh)
> @$(call install_copy, image_enhancements, 0, 0, 0400, $(PTXDIST_PLATFORMCONFIGDIR)/access/key-develop_id_ed25519.pub, /root/.ssh/authorized_keys )
> -------------------->8--
>
> This leads to the following results:
>
> 1. '/root' is checked ok, since it uses the same permissions as defined by the rootfs
> 2. '/root/.ssh' is checked ok, since it is not included by any other package (I can even change
>    permissions here)
> 3. '/root/.ssh/authorized_keys' is split into the following checks by the script:
>    3a. '/root/.ssh/authorized_keys' is checked ok because no other package defines it
>    3b. '/root/.ssh' is checked ok although the permissions checked for are now 0755, since it is not included by any other package
>    3c. '/root' check fails, since it now uses the hardcoded permissions 0755, whereas the rootfs defines 0700
>
> I think rather than using the hardcoded values for these folders, the script should try to look it up
> from 'perms[path]' first and only use the 0755 as a fallback.

Right, I have no idea how I missed this during testing. I think I only used
directories for some tests and the parent directories are not checked there
:-/.

Anyway, I have this in my test queue now:

diff --git a/scripts/lib/ptxd_lib_check_dir_permissions.awk b/scripts/lib/ptxd_lib_check_dir_permissions.awk index 9bd009f04881..a02ccb552526 100644 --- a/scripts/lib/ptxd_lib_check_dir_permissions.awk +++ b/scripts/lib/ptxd_lib_check_dir_permissions.awk
@@ -10,6 +10,8 @@ FNR == 1 { function check(path, perm, implicit) { if ((path in perms) && (perms[path] != perm)) { + if (implicit && (pkg == names[path])) + return; print("\nIncompatible ownership or permissions for '" path "':") print(names[path] ": " perms[path] (imp[path] ? " (implicit)" : "")) print(pkg ": " perm (implicit ? " (implicit)" : ""))

I think that should help. I have some more stuff to check parent dirs for
directories as well, but this is the important part.

Fyi, if you put a modified scripts/lib/ptxd_lib_check_dir_permissions.awk
into your BSP, then it will be used instead of the version from PTXdist.
This way you can still use the current PTXdist release without modifying
it.

Regards,
Michael

--
Pengutronix e.K.                  |                             |
Steuerwalder Str. 21              | http://www.pengutronix.de/  |
31137 Hildesheim, Germany         | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686  | Fax:   +49-5121-206917-5555 |
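
Review bot: the new early return in check() tests only the implicit flag of the incoming entry, so it covers an explicit entry followed by an implicit one from the same package but not the reverse order. If a file's implicit parent entry can be recorded before that package's explicit directory entry, the mismatch is still printed with the same package name on both lines; consider also handling imp[path] together with pkg == names[path], letting the explicit mode replace the implicit one. The return also requires pkg == names[path], so a package that installs a file below a directory another package owns with a mode other than 0755 still has to declare that directory itself; a comment above the return saying so would help.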