KumiSystems/openwrtv3
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

image: don't modify file permissions before rootfs generation

Browse source 
Modifying the file permissions can be harmful, as it would make files
world-readable even if they weren't in the ipk packages. The
Image/mkfs/prepare step is removed completely, as it is redundant now (/tmp
and /overlay are already provided by base-files with the correct
permissions).

It has been verified that this change does not affect any permissions of
files in the default package set except /etc/ppp/chap-secrets, which was
world-readable before. All packages not in the default set are more likely
to be installed via opkg than being part of a base image and thus were
usually not affected by the permission modification anyways.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
This commit is contained in:
Matthias Schiffer 2016-09-26 15:25:37 +02:00
parent 6c1542787d
commit a16a8814ea
No known key found for this signature in database
GPG key ID: 16EF3F64CB201D9C
2 changed files with 3 additions and 22 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
include/image-legacy.mk
View file

@ -41,7 +41,7 @@ define LegacyDevice/Check
_TARGET := $$(if $$(_PROFILE_SET),legacy-images,install-disabled) _TARGET := $$(if $$(_PROFILE_SET),legacy-images,install-disabled)
$$(if $$(_PROFILE_SET),install: legacy-images-make) $$(if $$(_PROFILE_SET),install: legacy-images-make)
ifndef IB ifndef IB
$$(if $$(_PROFILE_SET),mkfs_prepare: legacy-images-prepare-make) $$(if $$(_PROFILE_SET),kernel_prepare: legacy-images-prepare-make)
endif endif
endef endef
@ -90,5 +90,3 @@ define LegacyDevice
$(call LegacyDevice/$(if $(DUMP),Dump,Build),$(1)) $(call LegacyDevice/$(if $(DUMP),Dump,Build),$(1))
endef endef

21
include/image.mk
View file

@ -251,19 +251,6 @@ define Image/mkfs/ext4
$@ $(call mkfs_target_dir,$(1))/ $@ $(call mkfs_target_dir,$(1))/
endef endef
define Image/mkfs/prepare/default
# Use symbolic permissions to avoid clobbering SUID/SGID/sticky bits
- $(FIND) $(1) -type f -not -perm /0100 -not -name 'ssh_host*' -not -name 'shadow' -print0 | $(XARGS) -0 chmod u+rw,g+r,o+r
- $(FIND) $(1) -type f -perm /0100 -print0 | $(XARGS) -0 chmod u+rwx,g+rx,o+rx
- $(FIND) $(1) -type d -print0 | $(XARGS) -0 chmod u+rwx,g+rx,o+rx
$(INSTALL_DIR) $(1)/tmp $(1)/overlay
chmod 1777 $(1)/tmp
endef
define Image/mkfs/prepare
$(call Image/mkfs/prepare/default,$(1))
endef
define Image/Manifest define Image/Manifest
$(STAGING_DIR_HOST)/bin/opkg \ $(STAGING_DIR_HOST)/bin/opkg \
--offline-root $(TARGET_DIR) \ --offline-root $(TARGET_DIR) \
@ -307,7 +294,6 @@ target-dir-%: FORCE
$(if $(mkfs_packages_remove), \ $(if $(mkfs_packages_remove), \
$(call opkg,$(mkfs_cur_target_dir)) remove \ $(call opkg,$(mkfs_cur_target_dir)) remove \
$(mkfs_packages_remove)) $(mkfs_packages_remove))
$(call Image/mkfs/prepare,$(mkfs_cur_target_dir))
$(call prepare_rootfs,$(mkfs_cur_target_dir)) $(call prepare_rootfs,$(mkfs_cur_target_dir))
-mv $(mkfs_cur_target_dir).opkg $(mkfs_cur_target_dir)/etc/opkg -mv $(mkfs_cur_target_dir).opkg $(mkfs_cur_target_dir)/etc/opkg
rm -f $(mkfs_cur_target_dir).conf rm -f $(mkfs_cur_target_dir).conf
@ -530,7 +516,7 @@ define BuildImage
image_prepare: image_prepare:
ifeq ($(IB),) ifeq ($(IB),)
.PHONY: download prepare compile clean image_prepare mkfs_prepare kernel_prepare install install-images .PHONY: download prepare compile clean image_prepare kernel_prepare install install-images
compile: compile:
$(call Build/Compile) $(call Build/Compile)
@ -549,10 +535,7 @@ define BuildImage
mkdir -p $(BIN_DIR) $(KDIR)/tmp mkdir -p $(BIN_DIR) $(KDIR)/tmp
endif endif
mkfs_prepare: image_prepare kernel_prepare: image_prepare
$(call Image/mkfs/prepare,$(TARGET_DIR))
kernel_prepare: mkfs_prepare
$(call Image/Build/targz) $(call Image/Build/targz)
$(call Image/Build/cpiogz) $(call Image/Build/cpiogz)
$(call Image/BuildKernel) $(call Image/BuildKernel)