Re: [Buildroot] [PATCH] system: add optional rsync with preserved permissions

From: "Yann E. MORIN" <yann.morin.1998@free.fr>
To: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Cc: "José Pekkarinen" <jose.pekkarinen@unikie.com>, buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH] system: add optional rsync with preserved permissions
Date: Mon, 4 Oct 2021 17:10:21 +0200	[thread overview]
Message-ID: <20211004151021.GC1504958@scaer> (raw)
In-Reply-To: <20211004090036.65722dda@windsurf>

Thomas, José, All,

On 2021-10-04 09:00 +0200, Thomas Petazzoni spake thusly:
> On Mon,  4 Oct 2021 09:41:43 +0300
> José Pekkarinen <jose.pekkarinen@unikie.com> wrote:
> 
> > +config BR2_ROOTFS_OVERLAY_PRESERVED_PERMISSION
> > +	string "Preserve permissions of overlay directories"
> > +	depends on BR2_ROOTFS_OVERLAY
> > +	default "n"
> > +	help
> > +	  Preserve file permissions of specified overlay.
> 
> I'm afraid we probably won't want an option like this.

Agreed, we already have two mechanisms for that, see below.

> The question is why in the existing SYSTEM_RSYNC we don't preserve
> permissions? I can imagine because sometimes they can be wrong in the
> original overlay, for example with version control systems that put all
> files read-only.
> 
> Yann, Arnout: do you remember why SYSTEM_RSYNC has --chmod=u=rwX,go=rX ?

The reason is that indeed, we have no way to validate the access modes
and ownership for those files. As the build will (most probably) be made
as a non-root user, there is no way we can set arbitrary modes or owners
to those files when we copy them, even if the source tree had proper
owenrship and modes etc...

So we can only enforce a known mode, that is reproducible, and let the
user provide a permission table (or even a fakeroot-script, although I
would personally highly favour a permission table, which could be
generated in a post-build script if needed).

This applies to file ownership and modes (think set-uid root), but also
to extended attributes (think SELinux security context set as extended
attributes). All of that can be set with a permission table.

> José: have you considered using a permission table to fixup the
> permissions ?

This is *the* mechanism to use to set arbitrary ownership, modes, and
extended attributes to arbitrary files.

Regards,
Yann E. MORIN.

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot