[OE-core] [PATCH 0/3] pseudo+image.bbclass: changes to avoid host contamination
Peter A. Bigot
pab at pabigot.com
Sun Oct 12 23:49:52 UTC 2014
While determining that an anomaly was self-induced, I found some issues
with pseudo that, with low probability, could result in mis-use of the
build host /etc/passwd and /etc/group to resolve target uid/gid/names.

The red herring I was fishing was that pseudo, in its default
configuration, will fall back to the build host passwd/group files if it
can't access ones in the chroot or specified by PSEUDO_PASSWD. To rule
out this as a cause of my anomaly, I added --without-passwd-fallback to
the pseudo configuration.

This unexpectedly resulted in failed builds that I tracked down to
pseudo adding an unnecessary directory prefix to the .pwd.lck file,
causing failures in the attempt to lock /etc/passwd. The first patch
fixes pseudo to support --without-passwd-fallback.

The next problem is that pseudo required the fallback path to be
specified when pseudo itself was configured, and only allowed a single
runtime-specified path. This breaks image formation: the preferred path
should be ${IMAGE_ROOT}, but etc/passwd doesn't exist in that path until
base-passwd runs pkg_postinst. Until that happens the version in
${STAGING_DIR_TARGET} should be used as fallback. The second patch
enhances pseudo with the ability to specify multiple search paths, and
the third uses the feature in image.bbclass to search both ${IMAGE_ROOT}
and ${STAGING_DIR_TARGET} for passwd/group files.

I believe OE should add --without-passwd-fallback to the pseudo 1.6.2
configuration flags early in the 1.8 development cycle, to ensure there
are no host contamination issues. I can think of no reason why the
build host passwd and group files should ever be considered suitable for
use in determining target user/group characteristics.

However, if this is done various recipes that do things like "chown
root:root files" in their install fail because they don't currently
DEPEND on base-passwd. How to cleanly add that dependency is a topic
for discussion, and I've left that final step out of the series for now.

Peter

Peter A. Bigot (3):
  pseudo: support --without-passwd-fallback configuration option
  pseudo: support multiple search directories in PSEUDO_PASSWD
  image.bbclass: search both rootfs and staging dir for passwd files

 meta/classes/image.bbclass | 4 +-
 ...do_client.c-protect-pwd_lck-against-magic.patch | 56 ++++++++++
 ..._util-modify-interface-to-pseudo_etc_file.patch | 70 +++++++++++++
 ...nt.c-support-multiple-directories-in-PSEU.patch | 115 +++++++++++++++++++++
 meta/recipes-devtools/pseudo/pseudo_1.6.2.bb | 3 +
 5 files changed, 247 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-devtools/pseudo/pseudo-1.6.2/0001-pseudo_client.c-protect-pwd_lck-against-magic.patch
 create mode 100644 meta/recipes-devtools/pseudo/pseudo-1.6.2/0002-pseudo_util-modify-interface-to-pseudo_etc_file.patch
 create mode 100644 meta/recipes-devtools/pseudo/pseudo-1.6.2/0003-pseudo_client.c-support-multiple-directories-in-PSEU.patch
--
1.8.5.5
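
The lookup order described in the cover letter, modelled as an added Python example; it is not code from the patch series or from pseudo. The function names, the sample passwd entries and the rule that the first directory containing etc/passwd wins are assumptions made for illustration.

```python
import os
import tempfile

def find_etc_file(name, search_dirs):
    """First existing <dir>/etc/<name> in list order; None if no directory has it."""
    for root in search_dirs:
        candidate = os.path.join(root, "etc", name)
        if os.path.isfile(candidate):
            return candidate
    return None

def resolve_uid(user, search_dirs):
    """Return (uid, passwd file used) for a target user name."""
    path = find_etc_file("passwd", search_dirs)
    if path is None:
        # Assumed policy modelling --without-passwd-fallback: fail rather
        # than read the build host's /etc/passwd.
        raise FileNotFoundError("no target passwd file in search path")
    with open(path) as fh:
        for line in fh:
            fields = line.rstrip("\n").split(":")
            if len(fields) >= 3 and fields[0] == user:
                return int(fields[2]), path
    raise KeyError(user)

def write_passwd(root, text):
    os.makedirs(os.path.join(root, "etc"), exist_ok=True)
    with open(os.path.join(root, "etc", "passwd"), "w") as fh:
        fh.write(text)

def demo():
    """Constructed layout: 'rootfs' ~ ${IMAGE_ROOT}, 'sysroot' ~ ${STAGING_DIR_TARGET}."""
    with tempfile.TemporaryDirectory() as tmp:
        rootfs, sysroot = os.path.join(tmp, "rootfs"), os.path.join(tmp, "sysroot")
        os.makedirs(rootfs)
        search = [rootfs, sysroot]
        try:  # neither directory has etc/passwd yet
            resolve_uid("root", search)
            empty = "resolved"
        except FileNotFoundError:
            empty = "refused"
        write_passwd(sysroot, "root:x:0:0::/root:/bin/sh\ndaemon:x:1:1::/:/bin/sh\n")
        uid, path = resolve_uid("daemon", search)
        before = (uid, os.path.relpath(path, tmp).split(os.sep)[0])
        # Simulates base-passwd pkg_postinst creating etc/passwd in the image root.
        write_passwd(rootfs, "root:x:0:0::/root:/bin/sh\nwww:x:33:33::/var/www:/bin/sh\n")
        uid, path = resolve_uid("www", search)
        after = (uid, os.path.relpath(path, tmp).split(os.sep)[0])
        return {"empty": empty, "before": before, "after": after}

if __name__ == "__main__":
    print(demo())
```
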