mailarchive of the ptxdist mailing list
* [ptxdist] [PATCH] bugfix: kernel: install modules with 755 permission
@ 2020-07-06 15:24 Bruno Thomsen
  2020-07-06 16:56 ` Michael Olbrich
  0 siblings, 1 reply; 5+ messages in thread
From: Bruno Thomsen @ 2020-07-06 15:24 UTC (permalink / raw)
  To: ptxdist; +Cc: Bruno Thomsen, bth

Added install_copy fixes errors like this:

Incompatible ownership or permissions for '/usr/lib/modules/5.6.13-gb44726ddbb7c':
kernel-modules: 0.0 0755 (implicit from /usr/lib/modules/5.6.13-gb44726ddbb7c/kernel/net/ipv6/ip6_udp_tunnel.ko)
kernel-modules: 0.0 0775

Modified install_glob fixes this error:

Collected errors:
 * check_data_file_clashes: Package usr-rootfs wants to install file ../platform-x/build-target/image-root-tgz/lib
	But that path is currently a directory
 * opkg_solver_install: Cannot install package usr-rootfs.

Signed-off-by: Bruno Thomsen <bruno.thomsen@gmail.com>
---
 rules/kernel.make | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/rules/kernel.make b/rules/kernel.make
index 0d9710828..66222f386 100644
--- a/rules/kernel.make
+++ b/rules/kernel.make
@@ -308,8 +308,9 @@ ifdef PTXCONF_KERNEL_MODULES_INSTALL
 	@$(call install_fixup, kernel-modules, AUTHOR,"Robert Schwebel <r.schwebel@pengutronix.de>")
 	@$(call install_fixup, kernel-modules, DESCRIPTION,missing)
 
-	@$(call install_glob, kernel-modules, 0, 0, -, /lib/modules, *.ko,, k)
-	@$(call install_glob, kernel-modules, 0, 0, -, /lib/modules,, *.ko */build */source, n)
+	@$(call install_copy, kernel-modules, 0, 0, 755, /usr/lib/modules)
+	@$(call install_glob, kernel-modules, 0, 0, /lib/modules, /usr/lib/modules, *.ko,, k)
+	@$(call install_glob, kernel-modules, 0, 0, /lib/modules, /usr/lib/modules,, *.ko */build */source, n)
 
 	@$(call install_finish, kernel-modules)
 endif
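
Review bot: The added install_copy line creates /usr/lib/modules with mode 755, but the error quoted in the commit message is raised for the versioned subdirectory /usr/lib/modules/5.6.13-gb44726ddbb7c, which this line does not touch. Either drop the line or explain in the commit message how setting the parent's mode resolves the 0755 versus 0775 conflict on the child. Because the two modes differ only in the group-write bit, the message should also state which umask the build ran under.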

base-commit: 1ec4ca50586575426ed9732c8e335b05df0b4f6a
-- 
2.26.2


_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de


* Re: [ptxdist] [PATCH] bugfix: kernel: install modules with 755 permission
  2020-07-06 15:24 [ptxdist] [PATCH] bugfix: kernel: install modules with 755 permission Bruno Thomsen
@ 2020-07-06 16:56 ` Michael Olbrich
  2020-07-07  6:26   ` Bruno Thomsen
  0 siblings, 1 reply; 5+ messages in thread
From: Michael Olbrich @ 2020-07-06 16:56 UTC (permalink / raw)
  To: ptxdist

On Mon, Jul 06, 2020 at 05:24:41PM +0200, Bruno Thomsen wrote:
> Added install_copy fixes errors like this:
> 
> Incompatible ownership or permissions for '/usr/lib/modules/5.6.13-gb44726ddbb7c':
> kernel-modules: 0.0 0755 (implicit from /usr/lib/modules/5.6.13-gb44726ddbb7c/kernel/net/ipv6/ip6_udp_tunnel.ko)
> kernel-modules: 0.0 0775

Hmmm, you're running ptxdist with a 0002 umask, right?[1]

Also, the fix is not clear to me. The error is for
/usr/lib/modules/5.6.13-gb44726ddbb7c but you're creating
/usr/lib/modules explicitly. How does that fix the problem?

Michael

[1] https://www.ptxdist.org/doc/daily_work_section.html#umask-pitfall

> 
> Modified install_glob fixes this error:
> 
> Collected errors:
>  * check_data_file_clashes: Package usr-rootfs wants to install file ../platform-x/build-target/image-root-tgz/lib
> 	But that path is currently a directory
>  * opkg_solver_install: Cannot install package usr-rootfs.
> 
> Signed-off-by: Bruno Thomsen <bruno.thomsen@gmail.com>
> ---
>  rules/kernel.make | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
> 
> diff --git a/rules/kernel.make b/rules/kernel.make
> index 0d9710828..66222f386 100644
> --- a/rules/kernel.make
> +++ b/rules/kernel.make
> @@ -308,8 +308,9 @@ ifdef PTXCONF_KERNEL_MODULES_INSTALL
>  	@$(call install_fixup, kernel-modules, AUTHOR,"Robert Schwebel <r.schwebel@pengutronix.de>")
>  	@$(call install_fixup, kernel-modules, DESCRIPTION,missing)
>  
> -	@$(call install_glob, kernel-modules, 0, 0, -, /lib/modules, *.ko,, k)
> -	@$(call install_glob, kernel-modules, 0, 0, -, /lib/modules,, *.ko */build */source, n)
> +	@$(call install_copy, kernel-modules, 0, 0, 755, /usr/lib/modules)
> +	@$(call install_glob, kernel-modules, 0, 0, /lib/modules, /usr/lib/modules, *.ko,, k)
> +	@$(call install_glob, kernel-modules, 0, 0, /lib/modules, /usr/lib/modules,, *.ko */build */source, n)
>  
>  	@$(call install_finish, kernel-modules)
>  endif
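
Review bot: The two install_glob lines change the fourth argument from - to /lib/modules and the fifth from /lib/modules to /usr/lib/modules, which is a path change and not the permission fix the subject line announces. Split it into its own patch or name it in the subject, and say what /lib is expected to be in the target root, given that the opkg error in the commit message reports .../image-root-tgz/lib as already being a directory.
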
> 
> base-commit: 1ec4ca50586575426ed9732c8e335b05df0b4f6a
> -- 
> 2.26.2
> 
> 

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |


* Re: [ptxdist] [PATCH] bugfix: kernel: install modules with 755 permission
  2020-07-06 16:56 ` Michael Olbrich
@ 2020-07-07  6:26   ` Bruno Thomsen
  2020-07-07 10:06     ` Michael Olbrich
  0 siblings, 1 reply; 5+ messages in thread
From: Bruno Thomsen @ 2020-07-07  6:26 UTC (permalink / raw)
  To: ptxdist

On Mon, 6 Jul 2020 at 18:56, Michael Olbrich
<m.olbrich@pengutronix.de> wrote:
>
> On Mon, Jul 06, 2020 at 05:24:41PM +0200, Bruno Thomsen wrote:
> > Added install_copy fixes errors like this:
> >
> > Incompatible ownership or permissions for '/usr/lib/modules/5.6.13-gb44726ddbb7c':
> > kernel-modules: 0.0 0755 (implicit from /usr/lib/modules/5.6.13-gb44726ddbb7c/kernel/net/ipv6/ip6_udp_tunnel.ko)
> > kernel-modules: 0.0 0775
>
> Hmmm, you're running ptxdist with a 0002 umask, right?[1]
>
> Also, the fix is not clear to me. The error is for
> /usr/lib/modules/5.6.13-gb44726ddbb7c but you're creating
> /usr/lib/modules explicitly. How does that fix the problem?
>

I have done some more testing and you are right, the added install_copy
can be dropped. It also works with only the updated install_globs.

Yes, I am running ptxdist with 0002 umask as a user.

On Fedora users run with 0002 umask and root runs with 0022 umask,
but ptxdist does not support building as root, e.g. rootless
containers (podman).

$ podman run --rm -it fedora:32
[root@7940c80a5df2 /]# whoami
root
[root@7940c80a5df2 /]# umask
0022

So requiring that umask seems a little counterintuitive to me.

/Bruno


* Re: [ptxdist] [PATCH] bugfix: kernel: install modules with 755 permission
  2020-07-07  6:26   ` Bruno Thomsen
@ 2020-07-07 10:06     ` Michael Olbrich
  2020-07-07 10:56       ` Bruno Thomsen
  0 siblings, 1 reply; 5+ messages in thread
From: Michael Olbrich @ 2020-07-07 10:06 UTC (permalink / raw)
  To: ptxdist

On Tue, Jul 07, 2020 at 08:26:37AM +0200, Bruno Thomsen wrote:
> On Mon, 6 Jul 2020 at 18:56, Michael Olbrich
> <m.olbrich@pengutronix.de> wrote:
> > On Mon, Jul 06, 2020 at 05:24:41PM +0200, Bruno Thomsen wrote:
> > > Added install_copy fixes errors like this:
> > >
> > > Incompatible ownership or permissions for '/usr/lib/modules/5.6.13-gb44726ddbb7c':
> > > kernel-modules: 0.0 0755 (implicit from /usr/lib/modules/5.6.13-gb44726ddbb7c/kernel/net/ipv6/ip6_udp_tunnel.ko)
> > > kernel-modules: 0.0 0775
> >
> > Hmmm, you're running ptxdist with a 0002 umask, right?[1]
> >
> > Also, the fix is not clear to me. The error is for
> > /usr/lib/modules/5.6.13-gb44726ddbb7c but you're creating
> > /usr/lib/modules explicitly. How does that fix the problem?
> >
> 
> I have done some more testing and you are right, the added install_copy
> can be dropped. It also works with only the updated install_globs.
> 
> Yes, I am running ptxdist with 0002 umask as a user.
> 
> On Fedora users run with 0002 umask and root runs with 0022 umask,
> but ptxdist does not support building as root, e.g. rootless
> containers (podman).
> 
> $ podman run --rm -it fedora:32
> [root@7940c80a5df2 /]# whoami
> root
> [root@7940c80a5df2 /]# umask
> 0022
> 
> So requiring that umask seems a little counterintuitive to me.

The problem is that a lot of packages don't explicitly set the permissions
when creating files or directories during 'make install'.
Especially directories are often created with a simple 'mkdir'.
As a result, the permissions depend on your current umask.

And then install_tree just takes that permission. At that point
PTXdist cannot know if the permission was explicitly set like this or not,
so we cannot do a fixup.

We could change the umask during the ptxdist run, but I'm reluctant to do
this because the umask is a security feature and just changing it feels
wrong to me.
Hmm, maybe we could just make it stricter:

mask="$(umask)"
# true only if no bits outside 0022 are set (e.g. 0000, 0002, 0022)
if [ "$(( mask & ~0022 & 0777 ))" -eq 0 ]; then
	umask 0022
else
	: # fail here?
fi

or something like that?

Michael

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |
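
The umask dependence described in the message above, together with the check sketched there, as an added shell example that is not PTXdist code. The function names effective_umask and dir_mode_under are hypothetical, the mask is assumed to be numeric octal as printed by umask, and the example goes beyond the sketch by also showing the directory mode a plain mkdir produces under each mask.

```shell
#!/bin/sh
# Added example, not PTXdist code. Function names are hypothetical.

# Print the umask a build should run with, or fail with a message.
# Masks that only use bits within 0022 (0000, 0002, 0020, 0022) are
# tightened to 0022; any other mask is refused.
# Assumes $1 is numeric octal, as printed by 'umask'.
effective_umask() {
	mask=$1
	# The leading 0 forces octal even for input such as "22".
	if [ "$(( 0$mask & ~0022 & 0777 ))" -eq 0 ]; then
		echo 0022
	else
		echo "ptxdist: error: refusing to run PTXdist with umask ${mask}." >&2
		return 1
	fi
}

# Show the mode a plain 'mkdir' produces under the given umask.
# The body runs in a subshell, so the caller's umask is unchanged.
dir_mode_under() (
	umask "$1"
	tmp=$(mktemp -d) || exit 1
	mkdir "$tmp/modules"
	ls -ld "$tmp/modules" | cut -c1-10
	rm -rf "$tmp"
)

# Constructed sample masks: Fedora user default, root default, private.
for m in 0002 0022 0077; do
	printf '%s: mkdir gives %s, build umask: ' "$m" "$(dir_mode_under "$m")"
	effective_umask "$m" || echo refused
done
```

Under 0002 the directory comes out group-writable (the 0775 in the reported clash), under 0022 it matches the 0755 the other package recorded.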


* Re: [ptxdist] [PATCH] bugfix: kernel: install modules with 755 permission
  2020-07-07 10:06     ` Michael Olbrich
@ 2020-07-07 10:56       ` Bruno Thomsen
  0 siblings, 0 replies; 5+ messages in thread
From: Bruno Thomsen @ 2020-07-07 10:56 UTC (permalink / raw)
  To: ptxdist

On Tue, 7 Jul 2020 at 12:06, Michael Olbrich
<m.olbrich@pengutronix.de> wrote:
> > > Hmmm, you're running ptxdist with a 0002 umask, right?[1]
> >
> > Yes, I am running ptxdist with 0002 umask as a user.
> >
> > On Fedora users run with 0002 umask and root runs with 0022 umask,
> > but ptxdist does not support building as root, e.g. rootless
> > containers (podman).
> >
> > $ podman run --rm -it fedora:32
> > [root@7940c80a5df2 /]# whoami
> > root
> > [root@7940c80a5df2 /]# umask
> > 0022
> >
> > So requiring that umask seems a little counterintuitive to me.
>
> The problem is that a lot of packages don't explicitly set the permissions
> when creating files or directories during 'make install'.
> Especially directories are often created with a simple 'mkdir'.
> As a result, the permissions depend on your current umask.
>
> And then install_tree just takes that permission. At that point
> PTXdist cannot know if the permission was explicitly set like this or not,
> so we cannot do a fixup.
>
> We could change the umask during the ptxdist run, but I'm reluctant to do
> this because the umask is a security feature and just changing it feels
> wrong to me.
> Hmm, maybe we could just make it stricter:
>
> mask="$(umask)"
> # true only if no bits outside 0022 are set (e.g. 0000, 0002, 0022)
> if [ "$(( mask & ~0022 & 0777 ))" -eq 0 ]; then
>         umask 0022
> else
>         : # fail here?
> fi
>
> or something like that?

Given the use case, I think your suggestion makes sense: make umask
stricter when ptxdist is started with something like 0000 or 0002. Keep
umask 0022, and fail in case it's started with another umask.
This will make it consistent with how ptxdist handles being started with
UID = 0.

Fail trace suggestion:
ptxdist: error: refusing to run PTXdist with umask ${mask}.

/Bruno
