[OE-core] Security question: base-files_3.0.14.bb and ${ROOT_HOME} directory permission

Charles Chan charles.wh.chan at gmail.com
Wed Apr 6 19:39:35 UTC 2016


Hi Robert,

Thanks for the patch. I tested it and it worked ... partially.

Taking an existing image and then using `opkg install base-files.ipk` will
correctly set the permission to 0700.

However, when I rebuild the full image rootfs, /home/root still ends up
with the wrong permission. I suspect another recipe is modifying the
permission. Is there a way (i.e. bitbake command) to find out which recipe
is causing the change?

Thanks again,
Charles


On Tue, Apr 5, 2016 at 10:33 PM, Robert Yang <liezhi.yang at windriver.com>
wrote:

>
> I think that it should be a bug, would you please try this patch?
>
> diff --git a/meta/recipes-core/base-files/base-files_3.0.14.bb
> b/meta/recipes-core/base-files/base-files_3.0.14.bb
> index d391707..2082ed4 100644
> --- a/meta/recipes-core/base-files/base-files_3.0.14.bb
> +++ b/meta/recipes-core/base-files/base-files_3.0.14.bb
> @@ -95,6 +95,7 @@ do_install () {
>         for d in ${dirs755}; do
>                 install -m 0755 -d ${D}$d
>         done
> +       chmod 0700 ${D}${ROOT_HOME}
>         for d in ${dirs1777}; do
>                 install -m 1777 -d ${D}$d
>         done
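Review bot: the added `chmod 0700 ${D}${ROOT_HOME}` after the `dirs755` loop only works if that loop has already created `${D}${ROOT_HOME}`, so a ROOT_HOME that is not listed in `dirs755` would make `do_install` fail on a missing path. `install -m 0700 -d ${D}${ROOT_HOME}` would create the directory and set the mode in one step, in the same `install -m ... -d` style as the two loops around it. A short comment on why root's home is tighter than the other `dirs755` entries would also help the next reader.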
>
> // Robert
>
> On 04/06/2016 01:03 PM, Charles Chan wrote:
>
>> (This is my first post to OE list, hopefully I am posting to the right
>> mailing list.)
>>
>> Background: During the process of trying to configure SSH keys for root
>> user login via dropbear, we realized the permission for /home/root
>> directory is set too loose for group and other members [1]. As a result,
>> dropbear fails when we try to put the key under /home/root/.ssh
>>
>> ---------
>>
>> In the image, /home/root directory is set to 0755:
>>
>>     $ stat /home/root
>>        File: /home/root
>>        Size: 4096            Blocks: 8          IO Block: 4096   directory
>>     Device: b302h/45826d    Inode: 13268       Links: 4
>>     Access: (0755/drwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
>>     Access: 2016-04-05 22:21:13.000000000
>>     Modify: 2016-04-05 22:08:57.000000000
>>     Change: 2016-04-05 22:08:57.000000000
>>
>>
>> After some debugging, we believe the permission (0755) is initialized in
>> base-files_3.0.14.bb (in line 35) [2].
>>
>> A few questions:
>> 1. I tried looking at the git log for the history, but wasn't able to
>> find any background on why the permission was set this way. e.g. on a
>> desktop Linux (Ubuntu), /root is set to 0700:
>>
>>     $ sudo stat /root
>>        File: `/root'
>>        Size: 4096            Blocks: 8          IO Block: 4096   directory
>>     Device: 801h/2049d      Inode: 1441793     Links: 3
>>     Access: (0700/drwx------)  Uid: (    0/    root)   Gid: (    0/    root)
>>     Access: 2016-04-05 21:29:17.389725228 -0700
>>     Modify: 2016-03-22 17:11:54.912479000 -0700
>>     Change: 2016-03-22 17:11:54.912479000 -0700
>>       Birth: -
>>
>>
>> 2. If we would like to override the directory permission for /home/root
>> in our image, what is the best way to do it? I am not an expert with
>> bitbake, should I be patching the base-files_3.0.14.bb? using *_append?
>> or I should be looking at some other recipe altogether?
>>
>> Sorry for the long email. Thanks in advance.
>> Charles
>>
>> [1] https://wiki.openwrt.org/doc/howto/dropbear.public-key.auth#troubleshooting
>>
>> [2] http://cgit.openembedded.org/cgit.cgi/openembedded-core/tree/meta/recipes-core/base-files/base-files_3.0.14.bb?h=master#n35
>>
>>
>>
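
An added example, not part of the thread or of OE-core: a POSIX shell check that can be run against an unpacked image rootfs to see whether root's home directory kept the 0700 mode discussed above after a full rebuild. The function names, the default `/home/root` path and the 0700/0600 limits for `.ssh` and `authorized_keys` are assumptions; it relies on `stat -c` (GNU coreutils or BusyBox).

```shell
#!/bin/sh
# Added example. Hypothetical helper names; the 0700 limit for root's home is
# from the thread, the .ssh / authorized_keys limits are assumptions.

# audit_mode ROOTFS PATH MAX_MODE
# Returns 0 if PATH inside ROOTFS has no permission bits beyond MAX_MODE,
# 1 if it is looser, 2 if it is missing or is a symlink.
audit_mode() {
    rootfs=$1 path=$2 max=$3
    target="${rootfs%/}/${path#/}"
    if [ -L "$target" ] || [ ! -e "$target" ]; then
        echo "SKIP $path (missing or symlink)"
        return 2
    fi
    mode=$(stat -c '%a' "$target") || return 2
    # Leading 0 makes the shell read both values as octal.
    extra=$(( 0$mode & ~0$max & 07777 ))
    if [ "$extra" -ne 0 ]; then
        printf 'FAIL %s mode=%s allowed=%s extra=%o\n' \
            "$path" "$mode" "$max" "$extra"
        return 1
    fi
    printf 'OK   %s mode=%s\n' "$path" "$mode"
}

# audit_root_home ROOTFS [ROOT_HOME]
# Checks the home directory and, when present, .ssh and authorized_keys.
audit_root_home() {
    rootfs=$1 home=${2:-/home/root} rc=0
    audit_mode "$rootfs" "$home" 0700 || rc=1
    for entry in .ssh:0700 .ssh/authorized_keys:0600; do
        p="$home/${entry%%:*}"
        [ -e "${rootfs%/}/${p#/}" ] || continue
        audit_mode "$rootfs" "$p" "${entry##*:}" || rc=1
    done
    return "$rc"
}

# Stand-alone use: sh audit.sh <path-to-image-rootfs> [ROOT_HOME]
if [ "$#" -ge 1 ]; then
    audit_root_home "$@"
fi
```

Running it once on the rootfs built from the patched recipe and once after a single `opkg install` of the package shows at which stage the mode is loosened.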