[OE-core] Security question: base-files_3.0.14.bb and ${ROOT_HOME} directory permission

Charles Chan charles.wh.chan at gmail.com
Wed Apr 6 05:03:59 UTC 2016


(This is my first post to OE list, hopefully I am posting to the right
mailing list.)

Background: During the process of trying to configure SSH keys for root
user login via dropbear, we realized the permission for the /home/root
directory is set too loose for group and other members [1]. As a result,
dropbear fails when we try to put the key under /home/root/.ssh.

---------

In the image, /home/root directory is set to 0755:

$ stat /home/root
  File: /home/root
  Size: 4096            Blocks: 8          IO Block: 4096   directory
Device: b302h/45826d    Inode: 13268       Links: 4
Access: (0755/drwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2016-04-05 22:21:13.000000000
Modify: 2016-04-05 22:08:57.000000000
Change: 2016-04-05 22:08:57.000000000


After some debugging, we believe the permission (0755) is initialized in
base-files_3.0.14.bb (in line 35) [2].

A few questions:
1. I tried looking at the git log for the history, but wasn't able to find
any background on why the permission was set this way. E.g., on a desktop
Linux (Ubuntu), /root is set to 0700:

$ sudo stat /root
  File: `/root'
  Size: 4096       Blocks: 8          IO Block: 4096   directory
Device: 801h/2049d Inode: 1441793     Links: 3
Access: (0700/drwx------)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2016-04-05 21:29:17.389725228 -0700
Modify: 2016-03-22 17:11:54.912479000 -0700
Change: 2016-03-22 17:11:54.912479000 -0700
 Birth: -


2. If we would like to override the directory permission for /home/root in
our image, what is the best way to do it? I am not an expert with bitbake.
Should I be patching base-files_3.0.14.bb, using *_append, or should I
be looking at some other recipe altogether?

Sorry for the long email. Thanks in advance.
Charles

[1]
https://wiki.openwrt.org/doc/howto/dropbear.public-key.auth#troubleshooting

[2]
http://cgit.openembedded.org/cgit.cgi/openembedded-core/tree/meta/recipes-core/base-files/base-files_3.0.14.bb?h=master#n35
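
Added example, not part of the original post and not OE-core code: a shell check that audits root's home directory inside an unpacked image rootfs before it ships. The function names and the baselines are assumptions: 0700 for directories (the Ubuntu /root mode quoted above) and 0600 for authorized_keys.

```shell
#!/bin/sh
# Audit root's home directory in an unpacked rootfs (added example).
# Assumed baselines: 0700 for directories, 0600 for authorized_keys.
# Uses `stat -c %a` (GNU coreutils / BusyBox syntax).

# excess_bits MODE ALLOWED
# Prints, in octal, the permission bits set in MODE but not in ALLOWED.
excess_bits() {
    printf '%o' $(( 0$1 & ~0$2 & 07777 ))
}

# audit_root_home ROOTFS [HOME]
# Returns 0 if every existing entry is within its baseline,
# 1 if any entry carries extra bits, 2 if the home directory is missing.
audit_root_home() {
    rootfs=$1
    home=${2:-/home/root}      # ROOT_HOME value seen in the post's image
    rc=0
    if [ ! -d "$rootfs$home" ]; then
        echo "MISSING $rootfs$home"
        return 2
    fi
    for entry in "$home:700" "$home/.ssh:700" \
                 "$home/.ssh/authorized_keys:600"; do
        path=$rootfs${entry%:*}
        allowed=${entry##*:}
        [ -e "$path" ] || continue   # .ssh may not be provisioned yet
        mode=$(stat -c %a "$path")
        extra=$(excess_bits "$mode" "$allowed")
        if [ "$extra" != 0 ]; then
            echo "FAIL $path mode=$mode extra=$extra allowed=$allowed"
            rc=1
        else
            echo "ok   $path mode=$mode"
        fi
    done
    return $rc
}

# Run the audit when called with arguments: audit.sh ROOTFS [HOME]
[ $# -eq 0 ] || audit_root_home "$@"
```

Ownership is not checked here, since file ownership in a build-time staging tree may not match what ends up on the target.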