Re: Security question: base-files_3.0.14.bb and ${ROOT_HOME} directory permission

Openembedded Core Discussions
 help / color / mirror / Atom feed

From: Robert Yang <liezhi.yang@windriver.com>
To: Charles Chan <charles.wh.chan@gmail.com>,
	<openembedded-core@lists.openembedded.org>
Subject: Re: Security question: base-files_3.0.14.bb and ${ROOT_HOME} directory permission
Date: Wed, 6 Apr 2016 13:33:51 +0800	[thread overview]
Message-ID: <57049FBF.1010504@windriver.com> (raw)
In-Reply-To: <CAEDY82g1SD-4C1BVH6X2OJFkG9-KiqKSkRZzTKMUwu38dphvuw@mail.gmail.com>


I think that it should be a bug, would you please try this patch?

diff --git a/meta/recipes-core/base-files/base-files_3.0.14.bb 
b/meta/recipes-core/base-files/base-files_3.0.14.bb
index d391707..2082ed4 100644
--- a/meta/recipes-core/base-files/base-files_3.0.14.bb
+++ b/meta/recipes-core/base-files/base-files_3.0.14.bb
@@ -95,6 +95,7 @@ do_install () {
         for d in ${dirs755}; do
                 install -m 0755 -d ${D}$d
         done
+       chmod 0700 ${D}${ROOT_HOME}
         for d in ${dirs1777}; do
                 install -m 1777 -d ${D}$d
         done

// Robert

On 04/06/2016 01:03 PM, Charles Chan wrote:
> (This is my first post to OE list, hopefully I am posting to the right mailing
> list.)
>
> Background: During the process of trying to configure SSH keys for root user
> login via dropbear, we realized the permission for /home/root directory is set
> too loose for group and other members [1]. As a result, dropbears fails when we
> try to put the key under /home/root/.ssh
>
> ---------
>
> In the image, /home/root directory is set to 0755:
>
>     $ stat /home/root
>        File: /home/root
>        Size: 4096            Blocks: 8          IO Block: 4096   directory
>     Device: b302h/45826d    Inode: 13268       Links: 4
>     Access: (0755/drwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
>     Access: 2016-04-05 22:21:13.000000000
>     Modify: 2016-04-05 22:08:57.000000000
>     Change: 2016-04-05 22:08:57.000000000
>
>
> After some debugging, we believe the permission (0755) is initialized in
> base-files_3.0.14.bb <http://base-files_3.0.14.bb> (in line 35) [2].
>
> A few questions:
> 1. I tried looking at the git log for the history, but wasn't able to find any
> background on why the permission was set this way. eg. on a desktop Linux
> (Ubuntu), /root is set to 0700:
>
>     $ sudo stat /root
>        File: `/root'
>        Size: 4096 Blocks: 8          IO Block: 4096   directory
>     Device: 801h/2049dInode: 1441793     Links: 3
>     Access: (0700/drwx------)  Uid: (    0/    root)   Gid: (    0/    root)
>     Access: 2016-04-05 21:29:17.389725228 -0700
>     Modify: 2016-03-22 17:11:54.912479000 -0700
>     Change: 2016-03-22 17:11:54.912479000 -0700
>       Birth: -
>
>
> 2. If we would like to override the directory permission for /home/root in our
> image, what is the best way to do it? I am not an expert with bitbake, should I
> be patching the base-files_3.0.14.bb <http://base-files_3.0.14.bb>? using
> *_append? or I should be looking at some other recipe altogether?
>
> Sorry for the long email. Thanks in advance.
> Charles
>
> [1] https://wiki.openwrt.org/doc/howto/dropbear.public-key.auth#troubleshooting
>
> [2]
> http://cgit.openembedded.org/cgit.cgi/openembedded-core/tree/meta/recipes-core/base-files/base-files_3.0.14.bb?h=master#n35
>
>

next prev parent reply	other threads:[~2016-04-06  5:33 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-04-06  5:03 Security question: base-files_3.0.14.bb and ${ROOT_HOME} directory permission Charles Chan
2016-04-06  5:33 ` Robert Yang [this message]
2016-04-06 19:39   ` Charles Chan
2016-04-06 23:17     ` Dan McGregor
2016-04-07  3:01       ` Robert Yang

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:d391707 dfblob:2082ed4 )
 OR (
bs:"Re: Security question: base-files_3.0.14.bb and ${ROOT_HOME} directory permission" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=57049FBF.1010504@windriver.com \
    --to=liezhi.yang@windriver.com \
    --cc=charles.wh.chan@gmail.com \
    --cc=openembedded-core@lists.openembedded.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox