From 8f168a5873bd1580c6ed88e43d4ee9915e508891 Mon Sep 17 00:00:00 2001
From: Cocoa
Date: Fri, 9 Feb 2024 21:59:32 +0100
Subject: [PATCH] Explicitly set 0644 permissions when populating disk image (#387)
The file permissions of `/etc/pam.d/system` was incorrect when using the minimal disk image. It prompts that:
```
2024-01-28T07:59:02.046161+00:00 - login 83 - - in openpam_check_desc_owner_perms(): /etc/pam.d/system: insecure ownership or permissions
2024-01-28T07:59:02.059751+00:00 - login 83 - - pam_start(): System error
```
Once logged out the system, it is impossible to log back in. After ensuring the file permission of `/etc/pam.d/system` is `0644` when building the rootfs, logging out and logging in again works without any issue.
```
Logging in as root...
2024-01-28T09:27:25.194438+00:00 - login 83 - - login on console as root exec /bin/sh # ^D CheriBSD/arm64 (Amnesiac) (ttyu0) login: root
2024-01-28T09:32:54.297221+00:00 - login 86 - - login on ttyu0 as root
2024-01-28T09:32:54.305668+00:00 - login 86 - - ROOT LOGIN (root) ON ttyu0 #
```
This indicates that the inferred permissions on disk image files are not inferred correctly when using the default mode argument. This PR fix the issue by explicitly passing mode to all create_file_for_image calls.
---------
Co-authored-by: Alexander Richardson
---
 pycheribuild/projects/disk_image.py | 26 ++++++++++++++------------
 1 file changed, 14 insertions(+), 12 deletions(-)
diff --git a/pycheribuild/projects/disk_image.py b/pycheribuild/projects/disk_image.py
index cbeeb2925..c37cfed6b 100644
--- a/pycheribuild/projects/disk_image.py
+++ b/pycheribuild/projects/disk_image.py
@@ -306,27 +306,29 @@ def prepare_rootfs(self):
 if self.include_swap_partition:
 fstab_contents += "/dev/gpt/swap none swap sw 0 0\n"
 fstab_contents += self.file_templates.get_fstab_template()
- self.create_file_for_image("/etc/fstab", contents=fstab_contents, show_contents_non_verbose=True)
+ self.create_file_for_image("/etc/fstab", contents=fstab_contents,
+ mode=0o644, show_contents_non_verbose=True)
 # enable ssh and set hostname
 # TODO: use separate file in /etc/rc.conf.d/ ?
 rc_conf_contents = self.file_templates.get_rc_conf_template().format(hostname=self.hostname)
- self.create_file_for_image("/etc/rc.conf", contents=rc_conf_contents, show_contents_non_verbose=False)
+ self.create_file_for_image("/etc/rc.conf", contents=rc_conf_contents,
+ mode=0o644, show_contents_non_verbose=False)
 cshrc_contents = self.file_templates.get_cshrc_template().format(SRCPATH=self.config.source_root, ROOTFS_DIR=self.rootfs_dir)
- self.create_file_for_image("/etc/csh.cshrc", contents=cshrc_contents)
+ self.create_file_for_image("/etc/csh.cshrc", contents=cshrc_contents, mode=0o644)
 # Basic .bashrc/.bash_profile template
 dot_bashrc_contents = self.file_templates.get_dot_bashrc_template().format(SRCPATH=self.config.source_root, ROOTFS_DIR=self.rootfs_dir)
- self.create_file_for_image("/root/.bashrc", contents=dot_bashrc_contents)
- self.create_file_for_image("/usr/share/skel/dot.bashrc", contents=dot_bashrc_contents)
+ self.create_file_for_image("/root/.bashrc", contents=dot_bashrc_contents, mode=0o644)
+ self.create_file_for_image("/usr/share/skel/dot.bashrc", contents=dot_bashrc_contents, mode=0o644)
 dot_bash_profile_contents = self.file_templates.get_dot_bash_profile_template().format( SRCPATH=self.config.source_root, ROOTFS_DIR=self.rootfs_dir)
- self.create_file_for_image("/root/.bash_profile", contents=dot_bash_profile_contents)
- self.create_file_for_image("/usr/share/skel/dot.bash_profile", contents=dot_bash_profile_contents)
+ self.create_file_for_image("/root/.bash_profile", contents=dot_bash_profile_contents, mode=0o644)
+ self.create_file_for_image("/usr/share/skel/dot.bash_profile", contents=dot_bash_profile_contents, mode=0o644)
 # Add the mount-source/mount-rootfs/do-reroot scripts (even in the minimal image)
 # TODO: should we omit this from the minimal image?
@@ -390,7 +392,7 @@ def path_relative_to_outputroot(xtarget) -> Path:
 new_kyua_config_contents = self.read_file(kyua_config)
 new_kyua_config_contents += include_local_file("files/cheribsd/kyua.conf.append")
 self.create_file_for_image("/" + kyua_config_path, contents=new_kyua_config_contents,
- show_contents_non_verbose=False)
+ mode=0o644, show_contents_non_verbose=False)
 # make sure that the disk image always has the same SSH host keys
 # If they don't exist the system will generate one on first boot and we have to accept them every time
@@ -406,7 +408,7 @@ def path_relative_to_outputroot(xtarget) -> Path:
 new_sshd_config_contents += "\n# Allow root login with pubkey auth:\nPermitRootLogin without-password\n"
 new_sshd_config_contents += "\n# Major speedup to SSH performance:\n UseDNS no\n"
 self.create_file_for_image("/etc/ssh/sshd_config", contents=new_sshd_config_contents,
- show_contents_non_verbose=False)
+ mode=0o644, show_contents_non_verbose=False)
 # now try adding the right ~/.ssh/authorized_keys
 authorized_keys = self.extra_files_dir / "root/.ssh/authorized_keys"
 if not authorized_keys.is_file():
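Review bot: Pinning `mode=0o644` call by call in the first prepare_rootfs hunk (/etc/fstab through dot.bash_profile), and again in the kyua.conf, sshd_config and minimal-image hunks, leaves untouched the default that the commit message blames for the wrong permissions, so any call that omits `mode` can bring the PAM lockout back. create_file_for_image is not part of this diff, so this is inferred from the description: the more durable fix would be to make `mode` a required keyword there, or to default it to `0o644` and keep explicit values only for files that need something else. A short comment at the first call, e.g. `# pass mode explicitly: the inferred default gave /etc/pam.d/system permissions that OpenPAM rejects`, would also tell the next reader why the argument is there. prepare_rootfs starts and ends outside the hunk.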
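Review bot: The files sshd is strictest about are not covered by the visible change in the sshd_config hunk: it pins `/etc/ssh/sshd_config` to 0644, but the SSH host keys mentioned in the comment of the preceding hunk and the `root/.ssh/authorized_keys` handled just below are installed by code outside these hunks. If those paths also rely on the inferred mode, the private host keys need `0o600` (sshd refuses to load private keys that group or others can read) and authorized_keys must not be group- or world-writable under the default StrictModes. Worth confirming that they pass an explicit mode as well, since a wrong mode there fails in the same way as the PAM case, only at first SSH login. The enclosing function starts and ends outside the hunk.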
@@ -1122,13 +1124,13 @@ def add_required_libraries(self, libdirs: "list[str]", ignore_required: bool = F
 def prepare_rootfs(self):
 super().prepare_rootfs()
 # Add the additional sysctl configs
- self.create_file_for_image("/etc/pam.d/system", show_contents_non_verbose=False,
+ self.create_file_for_image("/etc/pam.d/system", mode=0o644, show_contents_non_verbose=False,
 contents=include_local_file("files/minimal-image/pam.d/system"))
 # disable coredumps (since there is almost no space on the image)
- self.create_file_for_image("/etc/sysctl.conf", show_contents_non_verbose=False,
+ self.create_file_for_image("/etc/sysctl.conf", mode=0o644, show_contents_non_verbose=False,
 contents=include_local_file("files/minimal-image/etc/sysctl.conf"))
 # The actual minimal startup file:
- self.create_file_for_image("/etc/rc", show_contents_non_verbose=False,
+ self.create_file_for_image("/etc/rc", mode=0o644, show_contents_non_verbose=False,
 contents=include_local_file("files/minimal-image/etc/rc"))
 def make_rootfs_image(self, rootfs_img: Path):
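Review bot: The `/etc/pam.d/system` call carries the fix this commit is about, yet nothing at the call site says why the mode matters, and the comment above it (`# Add the additional sysctl configs`) describes a different file. I would replace that comment with `# OpenPAM rejects policy files with insecure ownership or permissions, so pin the mode explicitly`; the sysctl.conf call already has its own comment. The mode addresses only half of the check named in the log (`insecure ownership or permissions`): ownership of the file inside the image is decided outside this hunk and is presumably root, which is worth stating in the same comment once confirmed.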