[OE-core] Security question: base-files_3.0.14.bb and ${ROOT_HOME} directory permission
Charles Chan
charles.wh.chan at gmail.com
Wed Apr 6 05:03:59 UTC 2016
(This is my first post to the OE list, hopefully I am posting to the right
mailing list.)
Background: During the process of trying to configure SSH keys for root
user login via dropbear, we realized the permission for the /home/root
directory is set too loose for group and other members [1]. As a result,
dropbear fails when we try to put the key under /home/root/.ssh.
---------
In the image, /home/root directory is set to 0755:
    $ stat /home/root
      File: /home/root
      Size: 4096 Blocks: 8 IO Block: 4096 directory
    Device: b302h/45826d Inode: 13268 Links: 4
    Access: (0755/drwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
    Access: 2016-04-05 22:21:13.000000000
    Modify: 2016-04-05 22:08:57.000000000
    Change: 2016-04-05 22:08:57.000000000
After some debugging, we believe the permission (0755) is initialized in
base-files_3.0.14.bb (in line 35) [2].
A few questions:
1. I tried looking at the git log for the history, but wasn't able to find
any background on why the permission was set this way. E.g., on a desktop
Linux (Ubuntu), /root is set to 0700:
    $ sudo stat /root
      File: `/root'
      Size: 4096 Blocks: 8 IO Block: 4096 directory
    Device: 801h/2049d Inode: 1441793 Links: 3
    Access: (0700/drwx------) Uid: ( 0/ root) Gid: ( 0/ root)
    Access: 2016-04-05 21:29:17.389725228 -0700
    Modify: 2016-03-22 17:11:54.912479000 -0700
    Change: 2016-03-22 17:11:54.912479000 -0700
     Birth: -
2. If we would like to override the directory permission for /home/root in
our image, what is the best way to do it? I am not an expert with bitbake.
Should I be patching the base-files_3.0.14.bb? Using *_append? Or should I
be looking at some other recipe altogether?
Sorry for the long email. Thanks in advance.
Charles
[1] https://wiki.openwrt.org/doc/howto/dropbear.public-key.auth#troubleshooting
[2] http://cgit.openembedded.org/cgit.cgi/openembedded-core/tree/meta/recipes-core/base-files/base-files_3.0.14.bb?h=master#n35
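
Added example, not part of the original message and not OE-core code: a shell check that can be run against an unpacked image rootfs to report the /home/root mode discussed above before the image ships. The function names, the 0700 policy (taken from the desktop /root comparison) and the group/other-writable check on the .ssh paths are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post or from OE-core.
# Audits the root home directory inside an unpacked image rootfs.
# Ownership is not checked: on a build host the files may belong to the
# build user rather than root.

# Print the octal permission bits of a path (GNU coreutils / busybox stat).
mode_of() { stat -c '%a' "$1"; }

# True when any bit of octal MASK ($2) is set in octal MODE ($1).
has_bits() { [ $(( 0$1 & 0$2 )) -ne 0 ]; }

# audit_root_home ROOTFS [HOME_REL]
# Returns 0 when clean, 1 on a finding, 2 when the directory is missing.
audit_root_home() {
    rootfs=$1
    home="$rootfs/${2:-home/root}"   # /home/root is the path from the post
    rc=0

    if [ ! -d "$home" ]; then
        echo "MISSING  $home"
        return 2
    fi

    # Policy taken from the desktop comparison in the post: 0700.
    m=$(mode_of "$home")
    if has_bits "$m" 077; then
        echo "LOOSE    $home mode $m grants group/other access (want 700)"
        rc=1
    fi

    # Assumption: key-based login is refused when any of these paths is
    # group- or other-writable.
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue
        m=$(mode_of "$p")
        if has_bits "$m" 022; then
            echo "WRITABLE $p mode $m is group/other-writable"
            rc=1
        fi
    done
    return $rc
}

# Run as a script: ./audit.sh /path/to/rootfs [home/root]
if [ "$#" -gt 0 ]; then
    audit_root_home "$@"
fi
```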