* Security question: base-files_3.0.14.bb and ${ROOT_HOME} directory permission
From: Charles Chan @ 2016-04-06 5:03 UTC
To: openembedded-core
(This is my first post to OE list, hopefully I am posting to the right
mailing list.)

Background: During the process of trying to configure SSH keys for root
user login via dropbear, we realized the permission for /home/root
directory is set too loose for group and other members [1]. As a result,
dropbear fails when we try to put the key under /home/root/.ssh

---------

In the image, /home/root directory is set to 0755:

$ stat /home/root
  File: /home/root
  Size: 4096 Blocks: 8 IO Block: 4096 directory
  Device: b302h/45826d Inode: 13268 Links: 4
  Access: (0755/drwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
  Access: 2016-04-05 22:21:13.000000000
  Modify: 2016-04-05 22:08:57.000000000
  Change: 2016-04-05 22:08:57.000000000

After some debugging, we believe the permission (0755) is initialized in
base-files_3.0.14.bb (in line 35) [2].

A few questions:

1. I tried looking at the git log for the history, but wasn't able to find
any background on why the permission was set this way. eg. on a desktop
Linux (Ubuntu), /root is set to 0700:

$ sudo stat /root
  File: `/root'
  Size: 4096 Blocks: 8 IO Block: 4096 directory
  Device: 801h/2049d Inode: 1441793 Links: 3
  Access: (0700/drwx------) Uid: ( 0/ root) Gid: ( 0/ root)
  Access: 2016-04-05 21:29:17.389725228 -0700
  Modify: 2016-03-22 17:11:54.912479000 -0700
  Change: 2016-03-22 17:11:54.912479000 -0700
  Birth: -

2. If we would like to override the directory permission for /home/root in
our image, what is the best way to do it? I am not an expert with bitbake,
should I be patching the base-files_3.0.14.bb? using *_append? or I should
be looking at some other recipe altogether?

Sorry for the long email. Thanks in advance.
Charles

[1] https://wiki.openwrt.org/doc/howto/dropbear.public-key.auth#troubleshooting
[2] http://cgit.openembedded.org/cgit.cgi/openembedded-core/tree/meta/recipes-core/base-files/base-files_3.0.14.bb?h=master#n35
* Re: Security question: base-files_3.0.14.bb and ${ROOT_HOME} directory permission
From: Robert Yang @ 2016-04-06 5:33 UTC
To: Charles Chan, openembedded-core
I think that it should be a bug, would you please try this patch?
diff --git a/meta/recipes-core/base-files/base-files_3.0.14.bb
b/meta/recipes-core/base-files/base-files_3.0.14.bb
index d391707..2082ed4 100644
--- a/meta/recipes-core/base-files/base-files_3.0.14.bb
+++ b/meta/recipes-core/base-files/base-files_3.0.14.bb
@@ -95,6 +95,7 @@ do_install () {
for d in ${dirs755}; do
install -m 0755 -d ${D}$d
done
+ chmod 0700 ${D}${ROOT_HOME}
for d in ${dirs1777}; do
install -m 1777 -d ${D}$d
done
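Review bot: the added `chmod 0700 ${D}${ROOT_HOME}` relies on ${ROOT_HOME} having been created by the dirs755 loop just above it, so the directory is first made 0755 and then corrected, and the chmod will fail on a missing path if ${ROOT_HOME} is ever taken out of that list. Consider removing ${ROOT_HOME} from dirs755 and creating it in its own step with `install -m 0700 -d ${D}${ROOT_HOME}`, plus a one-line comment saying why root's home is owner-only.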
// Robert
* Re: Security question: base-files_3.0.14.bb and ${ROOT_HOME} directory permission
From: Charles Chan @ 2016-04-06 19:39 UTC
To: Robert Yang; +Cc: openembedded-core
Hi Robert,

Thanks for the patch. I tested it and it worked ... partially.

Taking an existing image and then using `opkg install base-files.ipk` will
correctly set the permission to 0700.

However, when I rebuild the full image rootfs, /home/root still ends up
with the wrong permission. I suspect another recipe is modifying the
permission. Is there a way (ie. bitbake command) to find out which recipe
is causing the change?

Thanks again,
Charles
* Re: Security question: base-files_3.0.14.bb and ${ROOT_HOME} directory permission
From: Dan McGregor @ 2016-04-06 23:17 UTC
To: Charles Chan; +Cc: Patches and discussions about the oe-core layer
On 6 April 2016 at 13:39, Charles Chan <charles.wh.chan@gmail.com> wrote:
> Hi Robert,
>
> Thanks for the patch. I tested it and it worked ... partially.
>
> Taking an existing image and then using `opkg install base-files.ipk` will
> correctly set the permission to 0700.
>
> However, when I rebuild the full image rootfs, /home/root still ends up with
> the wrong permission. I suspect another recipe is modifying the permission.
> Is there a way (ie. bitbake command) to find out which recipe is causing the
> change?
>
> Thanks again,
> Charles
>
I don't know what recipe is creating /home/root, but ${ROOT_HOME}
should probably be added to files/fs-perms.txt with the correct
permissions set.
* Re: Security question: base-files_3.0.14.bb and ${ROOT_HOME} directory permission
From: Robert Yang @ 2016-04-07 3:01 UTC
To: Dan McGregor, Charles Chan
Cc: Patches and discussions about the oe-core layer
On 04/07/2016 07:17 AM, Dan McGregor wrote:
> On 6 April 2016 at 13:39, Charles Chan <charles.wh.chan@gmail.com> wrote:
>> Hi Robert,
>>
>> Thanks for the patch. I tested it and it worked ... partially.
>>
>> Taking an existing image and then using `opkg install base-files.ipk` will
>> correctly set the permission to 0700.
>>
>> However, when I rebuild the full image rootfs, /home/root still ends up with
>> the wrong permission. I suspect another recipe is modifying the permission.
>> Is there a way (ie. bitbake command) to find out which recipe is causing the
>> change?

I tried a fresh build, it works for me.

>>
>> Thanks again,
>> Charles
>>
>
> I don't know what recipe is creating /home/root, but ${ROOT_HOME}

It is created by base-files

> should probably be added to files/fs-perms.txt with the correct
> permissions set.

Sounds good to me.

// Robert
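
The thread leaves open whether a full image rebuild ends up with 0700 on the root home directory, so the following is a check that can be run against an unpacked image rootfs to settle it for a given build. It is an added example, not code from OE-core or from the posters; the function names, the default /home/root path and the owner-only rule applied to .ssh and authorized_keys are assumptions of the example, and it needs GNU stat.

```shell
#!/bin/sh
# Added example (not OE-core code): audit root's home inside an unpacked rootfs.
# Assumes GNU stat from coreutils, as found on a Linux build host.

# Print the group/other permission bits of PATH in octal (0 means owner-only).
group_other_bits() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    printf '%o\n' $(( 0$mode & 077 ))
}

# Report one path; return 0 when owner-only, 1 when loose or missing.
check_owner_only() {
    bits=$(group_other_bits "$1") || { echo "MISSING $1"; return 1; }
    if [ "$bits" = 0 ]; then
        echo "OK      $1"
    else
        echo "LOOSE   $1 (group/other bits 0$bits)"
        return 1
    fi
}

# audit_root_home ROOTFS [ROOT_HOME]: exit status is the number of findings.
audit_root_home() {
    rootfs=$1 home=${2:-/home/root} findings=0
    check_owner_only "$rootfs$home" || findings=$((findings + 1))
    # Key material is optional in an image; check it only when present.
    for p in "$rootfs$home/.ssh" "$rootfs$home/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue
        check_owner_only "$p" || findings=$((findings + 1))
    done
    return "$findings"
}

# Constructed demo: a throwaway tree standing in for an unpacked image rootfs.
demo() {
    tmp=$(mktemp -d)
    install -m 0755 -d "$tmp/home/root"      # the mode reported in the thread
    before=0; audit_root_home "$tmp" || before=$?
    chmod 0700 "$tmp/home/root"               # the mode the patch applies
    after=0; audit_root_home "$tmp" || after=$?
    rm -rf "$tmp"
    echo "findings before=$before after=$after"
}

demo
```

Running it on both the base-files package contents and the final image rootfs shows whether the mode is lost between packaging and image assembly.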