[OE-core] [PATCH 0/3] pseudo+image.bbclass: changes to avoid host contamination

Peter A. Bigot pab at pabigot.com
Sun Oct 12 23:49:52 UTC 2014 

While determining that an anomaly was self-induced, I found some issues
with pseudo that, with low probability, could result in mis-use of the
build host /etc/passwd and /etc/group to resolve target uid/gid/names.

The red herring I was fishing was that pseudo, in its default
configuration, will fall back to the build host passwd/group files if it
can't access ones in the chroot or specified by PSEUDO_PASSWD.  To rule
out this as a cause of my anomaly, I added --without-passwd-fallback to
the pseudo configuration.

This unexpectedly resulted in failed builds that I tracked down to
pseudo adding an unnecessary directory prefix to the .pwd.lck file,
causing failures in the attempt to lock /etc/passwd.  The first patch
fixes pseudo to support --without-passwd-fallback.

The next problem is that pseudo required the fallback path to be
specified when pseudo itself was configured, and only allowed a single
runtime-specified path.  This breaks image formation: the preferred path
should be ${IMAGE_ROOT}, but etc/passwd doesn't exist in that path until
base-passwd runs pkg_postinst.  Until that happens the version in
${STAGING_DIR_TARGET} should be used as fallback.  The second patch
enhances pseudo with the ability to specify multiple search paths, and
the third uses the feature in image.bbclass to search both ${IMAGE_ROOT}
and ${STAGING_DIR_TARGET} for passwd/group files.

I believe OE should add --without-passwd-fallback to the pseudo 1.6.2
configuration flags early in the 1.8 development cycle, to ensure there
are no host contamination issues.  I can think of no reason why the
build host passwd and group files should ever be considered suitable for
use in determining target user/group characteristics.

However, if this is done various recipes that do things like "chown
root:root files" in their install fail because they don't currently
DEPEND on base-passwd.  How to cleanly add that dependency is a topic
for discussion, and I've left that final step out of the series for now.

Peter

Peter A. Bigot (3):
  pseudo: support --without-passwd-fallback configuration option
  pseudo: support multiple search directories in PSEUDO_PASSWD
  image.bbclass: search both rootfs and staging dir for passwd files

 meta/classes/image.bbclass                         |   4 +-
 ...do_client.c-protect-pwd_lck-against-magic.patch |  56 ++++++++++
 ..._util-modify-interface-to-pseudo_etc_file.patch |  70 +++++++++++++
 ...nt.c-support-multiple-directories-in-PSEU.patch | 115 +++++++++++++++++++++
 meta/recipes-devtools/pseudo/pseudo_1.6.2.bb       |   3 +
 5 files changed, 247 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-devtools/pseudo/pseudo-1.6.2/0001-pseudo_client.c-protect-pwd_lck-against-magic.patch
 create mode 100644 meta/recipes-devtools/pseudo/pseudo-1.6.2/0002-pseudo_util-modify-interface-to-pseudo_etc_file.patch
 create mode 100644 meta/recipes-devtools/pseudo/pseudo-1.6.2/0003-pseudo_client.c-support-multiple-directories-in-PSEU.patch

-- 
1.8.5.5

More information about the Openembedded-core mailing list