From: Nico Lastzka
Date: Thu, 11 Jun 2020 08:19:00 +0200
Subject: Re: [ptxdist] Hard-coded directory permissions
To: ptxdist@pengutronix.de
Message-ID: <20200611061900.GI4898@develop-10-146>
In-Reply-To: <20200611054639.GM9599@pengutronix.de>

On Thu 11/06/20 07:46, Michael Olbrich wrote:
>On Wed, Jun 10, 2020 at 01:42:25PM +0200, Nico Lastzka wrote:
>> On Wed 10/06/20 11:32, Bruno Thomsen wrote:
>> > > From: ptxdist on behalf of Nico Lastzka
>> > > Sent: Wednesday, June 10, 2020 11:35
>> > > To: ptxdist@pengutronix.de
>> > > Subject: [ptxdist] Hard-coded directory permissions
>> > >
>> > > Hi,
>> > >
>> > > I ran into a problem with the latest ptxdist 2020.06 when trying to install an ssh key to
>> > > "/root/.ssh/authorized_keys".
>> > >
>> > >
>> > > Here, the "image-enhancements rule" contains the following code which breaks the image creation:
>> > >
>> > >      @$(call install_copy, image_enhancements, 0, 0, 0400, $(PTXDIST_PLATFORMCONFIGDIR)/access/key-develop_id_ed25519.pub, /root/.ssh/authorized_keys )
>> >
>> > I think you need to create the parent directory first with correct permissions.
>> >
>> > @$(call install_copy, image_enhancements, 0, 0, 0400, /root/.ssh)
>> >
>>
>> Already tried that without success.
>
>You need to explicitly create the directory, the error complains about,
>with the correct permissions:
>
> @$(call install_copy, image_enhancements, 0, 0, 0700, /root)
>

Thanks for the quick reply. I tried your solution but it did not work either. Although I can create
folders like '/root' and '/root/.ssh' without a problem, the issue comes from the fact that the awk
script uses hardcoded permissions for folders within a given file path. Now I have the following in
my rule:

--8<--------------------
@$(call install_copy, image_enhancements, 0, 0, 0700, /root)
@$(call install_copy, image_enhancements, 0, 0, 0700, /root/.ssh)
@$(call install_copy, image_enhancements, 0, 0, 0400, $(PTXDIST_PLATFORMCONFIGDIR)/access/key-develop_id_ed25519.pub, /root/.ssh/authorized_keys )
-------------------->8--

This leads to the following results:

1. '/root' is checked ok, since it uses the same permissions as defined by the rootfs
2. '/root/.ssh' is checked ok, since it is not included by any other package (I can even change permissions here)
3. '/root/.ssh/authorized_keys' is split into the following checks by the script:
   3a. '/root/.ssh/authorized_keys' is checked ok because no other package defines it
   3b. '/root/.ssh' is checked ok although the permissions checked for are now 0755, since it is not included by any other package
   3c. '/root' check fails, since it now uses the hardcoded permissions 0755 (whereas the rootfs defines 0700)

I think rather than using the hardcoded values for these folders, the script should try to look them up
from 'perms[path]' first and only use the 0755 as a fallback.

>Michael
>
>-- 
>Pengutronix e.K.                 |                             |
>Steuerwalder Str. 21             | http://www.pengutronix.de/  |
>31137 Hildesheim, Germany        | Phone: +49-5121-206917-0    |
>Amtsgericht Hildesheim, HRA 2686 | Fax:   +49-5121-206917-5555 |
>
>_______________________________________________
>ptxdist mailing list
>ptxdist@pengutronix.de
>To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
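
Added example, not part of the original mail and not PTXdist's own script: a simplified model of the parent-directory check described in the message, run once with the hardcoded 0755 and once with the lookup-first policy the mail proposes. The input format, the names sample_entries and check_perms, and the "first definition wins" rule are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration: a simplified model of the check described in the mail,
# NOT the PTXdist awk script. Assumed input: <package> <d|f> <path> <mode>

# Constructed sample: rootfs defines /root as 0700, followed by the three
# install_copy calls from the rule quoted in the mail.
sample_entries() {
    cat <<'EOF'
rootfs             d /root                      0700
image_enhancements d /root                      0700
image_enhancements d /root/.ssh                 0700
image_enhancements f /root/.ssh/authorized_keys 0400
EOF
}

# check_perms <policy>: "hardcoded" always assumes 0755 for the parent
# directories of a file; "lookup" uses the recorded mode, else 0755.
# Prints one line per conflict and returns non-zero if there is any.
check_perms() {
    awk -v policy="$1" '
    function check(pkg, path, mode) {
        if (!(path in perms)) {          # first definition wins
            perms[path] = mode; owner[path] = pkg
        } else if (owner[path] != pkg && perms[path] != mode) {
            printf "%s: %s wants %s, %s defines %s\n", path, pkg, mode, owner[path], perms[path]
            bad++
        }
    }
    NF == 4 {
        check($1, $3, $4)
        if ($2 != "f") next
        # A file entry implies checks on every parent directory.
        p = $3
        while (sub("/[^/]+$", "", p) && p != "") {
            want = (policy == "lookup" && (p in perms)) ? perms[p] : "0755"
            check($1, p, want)
        }
    }
    END { exit (bad > 0) }'
}

for policy in hardcoded lookup; do
    printf "== %s\n" "$policy"
    sample_entries | check_perms "$policy" || echo "-> rule rejected"
done
```

With the lookup policy the comparison for /root uses the 0700 that rootfs already defines, so the tighter mode is the one that is checked instead of 0755.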