Explicitly set 0644 permissions when populating disk image (#387)
The file permissions of `/etc/pam.d/system` was incorrect when using the minimal disk image. It prompts that:

```
2024-01-28T07:59:02.046161+00:00 - login 83 - - in openpam_check_desc_owner_perms(): /etc/pam.d/system: insecure ownership or permissions
2024-01-28T07:59:02.059751+00:00 - login 83 - - pam_start(): System error
```

Once logged out the system, it is impossible to log back in.

After ensuring the file permission of `/etc/pam.d/system` is `0644` when building the rootfs, logging out and logging in again works without any issue.

```
Logging in as root...
2024-01-28T09:27:25.194438+00:00 - login 83 - - login on console as root
exec /bin/sh
# ^D

CheriBSD/arm64 (Amnesiac) (ttyu0)

login: root
2024-01-28T09:32:54.297221+00:00 - login 86 - - login on ttyu0 as root
2024-01-28T09:32:54.305668+00:00 - login 86 - - ROOT LOGIN (root) ON ttyu0
#
```

This indicates that permissions for disk image files are not inferred correctly
when the default mode argument is used. This PR fixes the issue by explicitly passing mode
to all create_file_for_image calls.

---------

Co-authored-by: Alexander Richardson <Alexander.Richardson@cl.cam.ac.uk>
cocoa-xu and arichardson authored Feb 9, 2024
1 parent adcb7da commit 8f168a5
Showing 1 changed file with 14 additions and 12 deletions.
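--- a/pycheribuild/projects/disk_image.py
+++ b/pycheribuild/projects/disk_image.py
@@ -306,27 +306,29 @@ def prepare_rootfs(self):
 if self.include_swap_partition:
 fstab_contents += "/dev/gpt/swap none swap sw 0 0\n"
 fstab_contents += self.file_templates.get_fstab_template()
-self.create_file_for_image("/etc/fstab", contents=fstab_contents, show_contents_non_verbose=True)
+self.create_file_for_image("/etc/fstab", contents=fstab_contents,
+mode=0o644, show_contents_non_verbose=True)
 
 # enable ssh and set hostname
 # TODO: use separate file in /etc/rc.conf.d/ ?
 rc_conf_contents = self.file_templates.get_rc_conf_template().format(hostname=self.hostname)
-self.create_file_for_image("/etc/rc.conf", contents=rc_conf_contents, show_contents_non_verbose=False)
+self.create_file_for_image("/etc/rc.conf", contents=rc_conf_contents,
+mode=0o644, show_contents_non_verbose=False)
 
 cshrc_contents = self.file_templates.get_cshrc_template().format(SRCPATH=self.config.source_root,
 ROOTFS_DIR=self.rootfs_dir)
-self.create_file_for_image("/etc/csh.cshrc", contents=cshrc_contents)
+self.create_file_for_image("/etc/csh.cshrc", contents=cshrc_contents, mode=0o644)
 
 # Basic .bashrc/.bash_profile template
 dot_bashrc_contents = self.file_templates.get_dot_bashrc_template().format(SRCPATH=self.config.source_root,
 ROOTFS_DIR=self.rootfs_dir)
-self.create_file_for_image("/root/.bashrc", contents=dot_bashrc_contents)
-self.create_file_for_image("/usr/share/skel/dot.bashrc", contents=dot_bashrc_contents)
+self.create_file_for_image("/root/.bashrc", contents=dot_bashrc_contents, mode=0o644)
+self.create_file_for_image("/usr/share/skel/dot.bashrc", contents=dot_bashrc_contents, mode=0o644)
 dot_bash_profile_contents = self.file_templates.get_dot_bash_profile_template().format(
 SRCPATH=self.config.source_root,
 ROOTFS_DIR=self.rootfs_dir)
-self.create_file_for_image("/root/.bash_profile", contents=dot_bash_profile_contents)
-self.create_file_for_image("/usr/share/skel/dot.bash_profile", contents=dot_bash_profile_contents)
+self.create_file_for_image("/root/.bash_profile", contents=dot_bash_profile_contents, mode=0o644)
+self.create_file_for_image("/usr/share/skel/dot.bash_profile", contents=dot_bash_profile_contents, mode=0o644)
 
 # Add the mount-source/mount-rootfs/do-reroot scripts (even in the minimal image)
 # TODO: should we omit this from the minimal image?
@@ -390,7 +392,7 @@ def path_relative_to_outputroot(xtarget) -> Path:
 new_kyua_config_contents = self.read_file(kyua_config)
 new_kyua_config_contents += include_local_file("files/cheribsd/kyua.conf.append")
 self.create_file_for_image("/" + kyua_config_path, contents=new_kyua_config_contents,
-show_contents_non_verbose=False)
+mode=0o644, show_contents_non_verbose=False)
 
 # make sure that the disk image always has the same SSH host keys
 # If they don't exist the system will generate one on first boot and we have to accept them every time
@@ -406,7 +408,7 @@ def path_relative_to_outputroot(xtarget) -> Path:
 new_sshd_config_contents += "\n# Allow root login with pubkey auth:\nPermitRootLogin without-password\n"
 new_sshd_config_contents += "\n# Major speedup to SSH performance:\n UseDNS no\n"
 self.create_file_for_image("/etc/ssh/sshd_config", contents=new_sshd_config_contents,
-show_contents_non_verbose=False)
+mode=0o644, show_contents_non_verbose=False)
 # now try adding the right ~/.ssh/authorized_keys
 authorized_keys = self.extra_files_dir / "root/.ssh/authorized_keys"
 if not authorized_keys.is_file():
@@ -1122,13 +1124,13 @@ def add_required_libraries(self, libdirs: "list[str]", ignore_required: bool = F
 def prepare_rootfs(self):
 super().prepare_rootfs()
 # Add the additional sysctl configs
-self.create_file_for_image("/etc/pam.d/system", show_contents_non_verbose=False,
+self.create_file_for_image("/etc/pam.d/system", mode=0o644, show_contents_non_verbose=False,
 contents=include_local_file("files/minimal-image/pam.d/system"))
 # disable coredumps (since there is almost no space on the image)
-self.create_file_for_image("/etc/sysctl.conf", show_contents_non_verbose=False,
+self.create_file_for_image("/etc/sysctl.conf", mode=0o644, show_contents_non_verbose=False,
 contents=include_local_file("files/minimal-image/etc/sysctl.conf"))
 # The actual minimal startup file:
-self.create_file_for_image("/etc/rc", show_contents_non_verbose=False,
+self.create_file_for_image("/etc/rc", mode=0o644, show_contents_non_verbose=False,
 contents=include_local_file("files/minimal-image/etc/rc"))
 
 def make_rootfs_image(self, rootfs_img: Path):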
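Review bot: The `/etc/pam.d/system` call in the last hunk, like the eleven other `create_file_for_image` calls touched in this file, is only correct as long as every caller remembers `mode=0o644`; the inferred default that the description names as the cause stays in place, so the next call that omits `mode` can again put a file with build-host-dependent permissions into the image. `create_file_for_image` is defined outside this page, so this is inferred, but making `mode` a required keyword there (or having the helper refuse a group- or world-writable result) would close the gap at its source. PAM failed closed here, which is how the problem was noticed; the consumers of `/etc/ssh/sshd_config`, `/etc/rc` and `/etc/rc.conf` are not known to check their own file mode, so a wrong mode on those would presumably ship silently. At the PAM call the comment `# Add the additional sysctl configs` does not describe the line below it and could become `# OpenPAM rejects policy files with unsafe ownership or permissions, so the mode must stay explicit`.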