Create dir with 700 permissions from recipe

Create dir with 700 permissions from recipe

[s hakkesteegt]

Hi,

For a recipe I want to use locally to enable public key authentication on my
images, I'm trying to create the .ssh dir with 700 permissions. But this
doesn't seem to work. It ends up in the rootfs and in the ipk with 775
permissions, although in the work dir it has the correct 700 permissions.
This is the recipe I created:


SRC_URI=" \
                    file://authorized_keys \
       "

FILES_${PN}=" /home/root/.ssh \
                       /home/root/.ssh/authorized_keys \
           "

do_install(){
       install -m 0700 -d ${D}/home/root/.ssh
       install -m 0600 ${WORKDIR}/authorized_keys
${D}/home/root/.ssh/authorized_keys
}


On irc was suggested to use postinst script. So I tried to add the next at
the end of the recipe.:


pkg_postinst_${PN}-chmodsshdir () {
        chmod 700 /home/root/.ssh
}


1. Do I understand it correct that this postinst script will run on the
target machine (after first boot)? Or is that wrong?

2. This doesn't seem to work either. Am I doing something wrong and is there
a better / right way to add my public key my created images.


Thanks in advance for a reaction,

Siebren

Re: Create dir with 700 permissions from recipe

[Graeme Gregory]

s hakkesteegt wrote:
> Hi,
>
> For a recipe I want to use locally to enable public key authentication on my
> images, I'm trying to create the .ssh dir with 700 permissions. But this
> doesn't seem to work. It ends up in the rootfs and in the ipk with 775
> permissions, although in the work dir it has the correct 700 permissions.
> This is the recipe I created:
>
>
> SRC_URI=" \
>                     file://authorized_keys \
>        "
>
> FILES_${PN}=" /home/root/.ssh \
>                        /home/root/.ssh/authorized_keys \
>            "
>
> do_install(){
>        install -m 0700 -d ${D}/home/root/.ssh
>        install -m 0600 ${WORKDIR}/authorized_keys
> ${D}/home/root/.ssh/authorized_keys
> }
>
>
> On irc was suggested to use postinst script. So I tried to add the next at
> the end of the recipe.:
>
>
> pkg_postinst_${PN}-chmodsshdir () {
>         chmod 700 /home/root/.ssh
> }
>
>   
You above recipe doesnt create a package called.

${PN}-chmodsshdir

you also need to add something like

if test "x$D" != "x"; then
    exit
fi

to the beginning of the postinst to stop it running during image creation.

Graeme

Re: Create dir with 700 permissions from recipe

[Koen Kooi]

On 18-08-09 15:52, s hakkesteegt wrote:
> Hi,
>
> For a recipe I want to use locally to enable public key authentication on my
> images, I'm trying to create the .ssh dir with 700 permissions. But this
> doesn't seem to work. It ends up in the rootfs and in the ipk with 775
> permissions, although in the work dir it has the correct 700 permissions.
> This is the recipe I created:

1) never ever install something into $HOME
2) fakeroot do_install() {}

regards,

Koen

Re: Create dir with 700 permissions from recipe

[Michael Smith]

s hakkesteegt wrote:

> For a recipe I want to use locally to enable public key authentication on my
> images, I'm trying to create the .ssh dir with 700 permissions. But this
> doesn't seem to work. It ends up in the rootfs and in the ipk with 775
> permissions, although in the work dir it has the correct 700 permissions.

Hi Siebren,

Try adding something like this to your recipe:

python populate_packages_append () {
         # Non-empty directory permissions don't get preserved by the
         # normal populate process.
         def dirperm_hack(d):
                 pkgdest = bb.data.getVar('PKGDEST', d, 1)
                 pn = bb.data.getVar('PN', d, 1)
                 os.chmod(os.path.join(pkgdest, pn, '/home/root/.ssh'), 
0700)

         dirperm_hack(d)
}

I made a failed attempt at fixing this in package_deb.bbclass, but it 
caused other problems; in the end I figured it was easier to work around 
it in the one recipe where I needed a non-empty directory with 0700 perms.

Mike

Re: Create dir with 700 permissions from recipe

[Phil Blundell]

On Tue, 2009-08-18 at 15:12 +0100, Graeme Gregory wrote:
> > pkg_postinst_${PN}-chmodsshdir () {
> >         chmod 700 /home/root/.ssh
> > }
> >
> >   
> You above recipe doesnt create a package called.
> 
> ${PN}-chmodsshdir
> 
> you also need to add something like
> 
> if test "x$D" != "x"; then
>     exit
> fi
> 
> to the beginning of the postinst to stop it running during image creation.

Or, perhaps even better, add ${D} to the chmod command's argument so
that it can run correctly during image creation.  Deferring this to boot
time would work, but it'd slow down the initial "ipkg configure" run for
no real gain.

p.

Re: Create dir with 700 permissions from recipe

[s hakkesteegt]

On Tue, Aug 18, 2009 at 4:17 PM, Koen Kooi <k.kooi@student.utwente.nl>wrote:

>
> 1) never ever install something into $HOME
> 2) fakeroot do_install() {}
>
> regards,
>
> Koen



1) Is there possibly something written why not to do that? (Someone on irc
already warned me not to do that, but he didn't remember the reason) and I
couldn't find anything on list / manual or wiki about it. (And I couldn't
find another way to add my public ssh key to an image, working with
dropbear.)

2) Should that make it possible to create a dir with 700 permissions? (When
I test it in this recipe, It doesn't change the result: workdir becomes 700,
but ipk content and rootfs becom 775.)


Siebren

Re: Create dir with 700 permissions from recipe

[s hakkesteegt]

On Tue, Aug 18, 2009 at 4:12 PM, Graeme Gregory <dp@xora.org.uk> wrote:
>
> You above recipe doesnt create a package called.
>
> ${PN}-chmodsshdir


Thanx, I missed that.

On Tue, Aug 18, 2009 at 4:40 PM, Phil Blundell <pb@reciva.com> wrote:
>
> Or, perhaps even better, add ${D} to the chmod command's argument so
> that it can run correctly during image creation.  Deferring this to boot
> time would work, but it'd slow down the initial "ipkg configure" run for
> no real gain.
>
> p.
>

I agree that I think there is no reason not to do this during image
creation.

So If I combine both these suggestions, this script should only run when $D
is defined (what will be during image creation), isn't it?

pkg_postinst_${PN}  () {
  if [ test x"$D" != "x" ]; then
    chmod 700 ${D}/home/root/.ssh
  fi
}

Unfortunately the result is still the same (after bitbake -c clean my-image,
updated the PR of the recipe and then rebuild my-image).

For testing I tried this as well:

pkg_postinst_${PN}  () {
    chmod 700 ${D}/home/root/.ssh
}

But that didn't change the permissions in the rootfs either.


By the way: I rechecked the result in the workdir and there the result in
the image/ dir has the correct 700 permissions, but the result in the
install/${PN}/ has the 'wrong' 775 permissions already. Am I right that it
might not be a problem from the package manager, but that the .ipk might be
created with the wrong input?


Siebren

Re: Create dir with 700 permissions from recipe

[Michael Smith]

On Wed, 19 Aug 2009, s hakkesteegt wrote:

> pkg_postinst_${PN}  () {
>   if [ test x"$D" != "x" ]; then
>     chmod 700 ${D}/home/root/.ssh
>   fi
> }

> pkg_postinst_${PN}  () {
>     chmod 700 ${D}/home/root/.ssh
> }
> 
> But that didn't change the permissions in the rootfs either.

Well, that's odd. I'd think one of those would do the trick. But:

> By the way: I rechecked the result in the workdir and there the result in
> the image/ dir has the correct 700 permissions, but the result in the
> install/${PN}/ has the 'wrong' 775 permissions already.

It's a buglet in the populate_packages process: permissions of 
non-empty directories are not preserved. You can work around it in your 
recipe with the hack I posted to the thread yesterday. It's how I create 
my ssh key package for deb (not tested with ipk).

Mike

Re: Create dir with 700 permissions from recipe

[marcin]

Dnia Wed, 19 Aug 2009 08:58:25 +0200 napisales[as]:

> > 1) never ever install something into $HOME
 
> 1) Is there possibly something written why not to do that?

Not every device has $HOME on same partition as / (for example most of Zaurus devices). And as those files ends in package what will happen if user will change file in $HOME and then package will overwrite it with other contents? What with users other then root?

I know that in your situation most of those reasons are nothing to worry about but this is why we do not touch anything in $HOME.

Re: Create dir with 700 permissions from recipe

[Denys Dmytriyenko]

On Wed, Aug 19, 2009 at 02:19:12PM +0200, marcin@juszkiewicz.com.pl wrote:
> Dnia Wed, 19 Aug 2009 08:58:25 +0200 napisales[as]:
> 
> > > 1) never ever install something into $HOME
>  
> > 1) Is there possibly something written why not to do that?
> 
> Not every device has $HOME on same partition as / (for example most of 
> Zaurus devices). And as those files ends in package what will happen if user 
> will change file in $HOME and then package will overwrite it with other 
> contents? What with users other then root?
> 
> I know that in your situation most of those reasons are nothing to worry 
> about but this is why we do not touch anything in $HOME.

This warning is only applicable to OE developers or distro maintainers. 
Doesn't really apply to anyone doing own custom images...

-- 
Denys