Date: Fri, 12 Jun 2020 08:51:28 +0200
From: Michael Olbrich
Message-ID: <20200612065128.GA13274@pengutronix.de>
References: <20200610093524.GG4898@develop-10-146> <20200611054639.GM9599@pengutronix.de> <20200611061900.GI4898@develop-10-146>
In-Reply-To: <20200611061900.GI4898@develop-10-146>
Subject: Re: [ptxdist] Hard-coded directory permissions
List-Id: PTXdist Development Mailing List
To: ptxdist@pengutronix.de
Cc: Nico Lastzka

On Thu, Jun 11, 2020 at 08:19:00AM +0200, Nico Lastzka wrote:
> On Thu 11/06/20 07:46, Michael Olbrich wrote:
> > On Wed, Jun 10, 2020 at 01:42:25PM +0200, Nico Lastzka wrote:
> > > On Wed 10/06/20 11:32, Bruno Thomsen wrote:
> > > > > From: ptxdist on behalf of Nico Lastzka
> > > > > Sent: Wednesday, June 10, 2020 11:35
> > > > > To: ptxdist@pengutronix.de
> > > > > Subject: [ptxdist] Hard-coded directory permissions
> > > > >
> > > > > Hi,
> > > > >
> > > > > I ran into a problem with the latest ptxdist 2020.06 when trying to install an ssh key to
> > > > > "/root/.ssh/authorized_keys".
> > > > >
> > > > > Here, the "image-enhancements rule" contains the following code which breaks the image creation:
> > > > >
> > > > >     @$(call install_copy, image_enhancements, 0, 0, 0400, $(PTXDIST_PLATFORMCONFIGDIR)/access/key-develop_id_ed25519.pub, /root/.ssh/authorized_keys )
> > > >
> > > > I think you need to create the parent directory first with correct permissions.
> > > >
> > > > @$(call install_copy, image_enhancements, 0, 0, 0400, /root/.ssh)
> > > >
> > >
> > > Already tried that without success.
> >
> > You need to explicitly create the directory, the error complains about,
> > with the correct permissions:
> >
> > @$(call install_copy, image_enhancements, 0, 0, 0700, /root)
> >
>
> Thanks for the quick reply. I tried your solution but it did not work either. Although I can create
> folders like '/root' and '/root/.ssh' without a problem, the issue comes from the fact that the awk
> script uses hardcoded permissions for folders within a given file path. Now I have the following in
> my rule:
>
> --8<--------------------
> @$(call install_copy, image_enhancements, 0, 0, 0700, /root)
> @$(call install_copy, image_enhancements, 0, 0, 0700, /root/.ssh)
> @$(call install_copy, image_enhancements, 0, 0, 0400, $(PTXDIST_PLATFORMCONFIGDIR)/access/key-develop_id_ed25519.pub, /root/.ssh/authorized_keys )
> -------------------->8--
>
> This leads to the following results:
>
> 1. '/root' is checked ok, since it uses the same permissions as defined by the rootfs
> 2. '/root/.ssh' is checked ok, since it is not included by any other package (I can even change
>    permissions here)
> 3. '/root/.ssh/authorized_keys' is split into the following checks by the script:
>    3a. '/root/.ssh/authorized_keys' is checked ok because no other package defines it
>    3b. '/root/.ssh' is checked ok although the permissions checked for are now 0755, since it is not included by any other package
>    3c. '/root' check fails, since it now uses the hardcoded permissions 0755, whereas the rootfs defines 0700
>
> I think rather than using the hardcoded values for these folders, the script should try to look it up
> from 'perms[path]' first and only use the 0755 as a fallback.

Right, I have no idea how I missed this during testing. I think I only used
directories for some tests and the parent directories are not checked there
:-/.
Anyway, I have this in my test queue now:

diff --git a/scripts/lib/ptxd_lib_check_dir_permissions.awk b/scripts/lib/p= txd_lib_check_dir_permissions.awk index 9bd009f04881..a02ccb552526 100644 --- a/scripts/lib/ptxd_lib_check_dir_permissions.awk +++ b/scripts/lib/ptxd_lib_check_dir_permissions.awk 
@@ -10,6 +10,8 @@ FNR =3D=3D 1 { = function check(path, perm, implicit) { if ((path in perms) && (perms[path] !=3D perm)) { + if (implicit && (pkg =3D=3D names[path])) + return; print("\nIncompatible ownership or permissions for '" path "':") print(names[path] ": " perms[path] (imp[path] ? " (implicit)" : "")) print(pkg ": " perm (implicit ? " (implicit)" : ""))

I think that should help. I have some more stuff to check parent dirs for
directories as well, but this is the important part.

Fyi, if you put a modified scripts/lib/ptxd_lib_check_dir_permissions.awk
into your BSP, then it will be used instead of the version from PTXdist.
This way you can still use the current PTXdist release without modifying
it.

Regards,
Michael

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |
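
Review bot: the new early return in check() only fires when `pkg == names[path]`, so an implicit parent-directory check against a path that was first recorded by a different package is still reported. In the case from this thread, '/root' is described as defined by the rootfs with 0700 while image_enhancements triggers the implicit 0755 check, so it is worth confirming that names['/root'] holds image_enhancements at that point (for example because of the explicit 0700 entry for /root in the same rule) and not the rootfs package. The condition also covers only the direction where the current entry is implicit: if the stored entry is the implicit one (`imp[path]` set) and the same package later installs the directory explicitly with a different mode, the mismatch is still printed. Consider handling both directions, and add a short comment above the `return` stating that an explicit entry from the same package takes precedence over the implicit parent-directory mode.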
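
A small Python model of the check sequence Nico lists in the quoted message (steps 1 to 3c) and of his proposal to consult 'perms[path]' before falling back to 0755. This is an added example, not code from PTXdist or from anyone in the thread; the function names, the entry tuple layout and the rule that only entries recorded by other packages are compared are assumptions of the model.

```python
# Simplified model of a directory-permission consistency check. Constructed
# for illustration; it is not ptxd_lib_check_dir_permissions.awk.
import posixpath

DEFAULT_DIR_MODE = "0755"  # mode assumed for implicit parent directories


def parents(path):
    """Yield the parent directories of path, nearest first, excluding '/'."""
    path = posixpath.dirname(path)
    while path not in ("/", ""):
        yield path
        path = posixpath.dirname(path)


def find_conflicts(entries, lookup_first):
    """entries: (pkg, path, mode, is_dir) tuples in install order.

    Returns (path, owner_pkg, owner_mode, pkg, mode) for every mismatch with
    an entry recorded by a different package (assumption of this model)."""
    perms, names, conflicts = {}, {}, []

    def check(pkg, path, mode):
        if path in perms and names[path] != pkg and perms[path] != mode:
            conflicts.append((path, names[path], perms[path], pkg, mode))
        perms.setdefault(path, mode)
        names.setdefault(path, pkg)

    for pkg, path, mode, is_dir in entries:
        check(pkg, path, mode)
        if is_dir:
            continue  # per the thread, parents are only checked for files
        for parent in parents(path):
            # hardcoded: always 0755; lookup_first: recorded mode, else 0755
            known = perms.get(parent) if lookup_first else None
            check(pkg, parent, known or DEFAULT_DIR_MODE)
    return conflicts


# Constructed input mirroring the rule quoted in the thread.
ENTRIES = [
    ("rootfs", "/root", "0700", True),
    ("image_enhancements", "/root", "0700", True),
    ("image_enhancements", "/root/.ssh", "0700", True),
    ("image_enhancements", "/root/.ssh/authorized_keys", "0400", False),
]

if __name__ == "__main__":
    print("hardcoded 0755:", find_conflicts(ENTRIES, lookup_first=False))
    print("lookup first:  ", find_conflicts(ENTRIES, lookup_first=True))
```

With the hardcoded parent mode the model reports the same single failure as step 3c; with the lookup-first behaviour the recorded 0700 is reused and nothing is reported.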