From mboxrd@z Thu Jan  1 00:00:00 1970
Return-path: <ptxdist-bounces@pengutronix.de>
Received: from xenon.active-elements.de ([88.99.59.87])
 by metis.ext.pengutronix.de with esmtps
 (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92)
 (envelope-from <Nico.Lastzka@ATSonline.de>) id 1jjGYK-0004Da-2I
 for ptxdist@pengutronix.de; Thu, 11 Jun 2020 08:19:05 +0200
Received: from Mail-10-6.ATS-Intranet.local (p57800e76.dip0.t-ipconnect.de
 [87.128.14.118])
 by xenon.active-elements.de (Postfix) with ESMTPSA id EC3944023B80
 for <ptxdist@pengutronix.de>; Thu, 11 Jun 2020 08:19:02 +0200 (CEST)
Date: Thu, 11 Jun 2020 08:19:00 +0200
From: Nico Lastzka <Nico.Lastzka@ATSonline.de>
Message-ID: <20200611061900.GI4898@develop-10-146>
References: <20200610093524.GG4898@develop-10-146>
 <20200611054639.GM9599@pengutronix.de>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <20200611054639.GM9599@pengutronix.de>
Subject: Re: [ptxdist] Hard-coded directory permissions
List-Id: PTXdist Development Mailing List <ptxdist.pengutronix.de>
List-Unsubscribe: <http://metis.pengutronix.de/cgi-bin/mailman/options/ptxdist>, 
 <mailto:ptxdist-request@pengutronix.de?subject=unsubscribe>
List-Archive: <http://metis.pengutronix.de/cgi-bin/mailman/private/ptxdist/>
List-Post: <mailto:ptxdist@pengutronix.de>
List-Help: <mailto:ptxdist-request@pengutronix.de?subject=help>
List-Subscribe: <http://metis.pengutronix.de/cgi-bin/mailman/listinfo/ptxdist>, 
 <mailto:ptxdist-request@pengutronix.de?subject=subscribe>
Reply-To: ptxdist@pengutronix.de
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="iso-8859-1"; Format="flowed"
Errors-To: ptxdist-bounces@pengutronix.de
Sender: "ptxdist" <ptxdist-bounces@pengutronix.de>
To: ptxdist@pengutronix.de

On Thu 11/06/20 07:46, Michael Olbrich wrote:
>On Wed, Jun 10, 2020 at 01:42:25PM +0200, Nico Lastzka wrote:
>> On Wed 10/06/20 11:32, Bruno Thomsen wrote:
>> > > From: ptxdist <ptxdist-bounces@pengutronix.de> on behalf of Nico Las=
tzka <Nico.Lastzka@ATSonline.de>
>> > > Sent: Wednesday, June 10, 2020 11:35
>> > > To: ptxdist@pengutronix.de <ptxdist@pengutronix.de>
>> > > Subject: [ptxdist] Hard-coded directory permissions
>> > >
>> > > Hi,
>> > >
>> > > I ran into a problem with the latest ptxdist 2020.06 when trying to =
install an ssh key to
>> > > "/root/.ssh/authorized_keys".
>> > >
>> > >
>> > > Here, the "image-enhancements rule" contains the following code whic=
h breaks the image creation:
>> > >
>> > > =A0=A0=A0=A0 @$(call install_copy, image_enhancements, 0, 0, 0400, $=
(PTXDIST_PLATFORMCONFIGDIR)/access/key-develop_id_ed25519.pub, /root/.ssh/a=
uthorized_keys )
>> >
>> > I think you need to create the parent directory first with correct per=
missions.
>> >
>> > @$(call install_copy, image_enhancements, 0, 0, 0400, /root/.ssh)
>> >
>>
>> Already tried that without success.
>
>You need to explicitly create the directory, the error complains about,
>with the correct permissions:
>
>	@$(call install_copy, image_enhancements, 0, 0, 0700, /root)
>

Thanks for the quick reply. I tried your solution but it did not work eithe=
r. Although I can create
folders like '/root' and '/root/.ssh' without a problem, the issue comes fr=
om the fact that the awk
script uses hardcoded permissions for folders within a given file path. Now=
 I have the following in
my rule:

--8<--------------------
@$(call install_copy, image_enhancements, 0, 0, 0700, /root)
@$(call install_copy, image_enhancements, 0, 0, 0700, /root/.ssh)
@$(call install_copy, image_enhancements, 0, 0, 0400, $(PTXDIST_PLATFORMCON=
FIGDIR)/access/key-develop_id_ed25519.pub, /root/.ssh/authorized_keys )
-------------------->8--

This leads to the following results:

1. '/root' is checked ok, since it uses the same permissions as defined by =
the rootfs
2. '/root/.ssh is checked ok, since it is not included by any other package=
 (I can even change
permissions here)
3. '/root/.ssh/authorized_keys' is split into the following checks by the s=
cript:
   3a. '/root/.ssh/authorized_keys' is checked ok because no other package =
defines it
   3b. '/root/.ssh is checked ok although the permissions checked for are n=
ow 0755, since it is not included by any other package
   3c. '/root' check fails, since it now uses the hardcoded permissions 075=
5, whereas the rootfs defines 0700)

I think rather to use the hardcoded values for these folders the script sho=
uld try to look it up
from 'perms[path]' first and only use the 0755 as a fallback.

>Michael
>
>-- =

>Pengutronix e.K.                           |                             |
>Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
>31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
>Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |
>
>_______________________________________________
>ptxdist mailing list
>ptxdist@pengutronix.de
>To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@=
pengutronix.de
>
>
>

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@p=
engutronix.de