* Security question: base-files_3.0.14.bb and ${ROOT_HOME} directory permission
From: Charles Chan @ 2016-04-06 5:03 UTC
To: openembedded-core
(This is my first post to OE list, hopefully I am posting to the right
mailing list.)
Background: During the process of trying to configure SSH keys for root
user login via dropbear, we realized the permission for /home/root
directory is set too loose for group and other members [1]. As a result,
dropbear fails when we try to put the key under /home/root/.ssh.
---------
In the image, /home/root directory is set to 0755:
$ stat /home/root
File: /home/root
Size: 4096 Blocks: 8 IO Block: 4096 directory
Device: b302h/45826d Inode: 13268 Links: 4
Access: (0755/drwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2016-04-05 22:21:13.000000000
Modify: 2016-04-05 22:08:57.000000000
Change: 2016-04-05 22:08:57.000000000
After some debugging, we believe the permission (0755) is initialized in
base-files_3.0.14.bb (in line 35) [2].
A few questions:
1. I tried looking at the git log for the history, but wasn't able to find
any background on why the permission was set this way. E.g., on a desktop
Linux (Ubuntu), /root is set to 0700:
$ sudo stat /root
File: `/root'
Size: 4096 Blocks: 8 IO Block: 4096 directory
Device: 801h/2049d Inode: 1441793 Links: 3
Access: (0700/drwx------) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2016-04-05 21:29:17.389725228 -0700
Modify: 2016-03-22 17:11:54.912479000 -0700
Change: 2016-03-22 17:11:54.912479000 -0700
Birth: -
2. If we would like to override the directory permission for /home/root in
our image, what is the best way to do it? I am not an expert with bitbake.
Should I be patching base-files_3.0.14.bb? Using *_append? Or should I
be looking at some other recipe altogether?
Sorry for the long email. Thanks in advance.
Charles
[1] https://wiki.openwrt.org/doc/howto/dropbear.public-key.auth#troubleshooting
[2] http://cgit.openembedded.org/cgit.cgi/openembedded-core/tree/meta/recipes-core/base-files/base-files_3.0.14.bb?h=master#n35
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: Security question: base-files_3.0.14.bb and ${ROOT_HOME} directory permission 2016-04-06 5:03 Security question: base-files_3.0.14.bb and ${ROOT_HOME} directory permission Charles Chan @ 2016-04-06 5:33 ` Robert Yang 2016-04-06 19:39 ` Charles Chan 0 siblings, 1 reply; 5+ messages in thread From: Robert Yang @ 2016-04-06 5:33 UTC (permalink / raw) To: Charles Chan, openembedded-core I think that it should be a bug, would you please try this patch? diff --git a/meta/recipes-core/base-files/base-files_3.0.14.bb b/meta/recipes-core/base-files/base-files_3.0.14.bb index d391707..2082ed4 100644 --- a/meta/recipes-core/base-files/base-files_3.0.14.bb +++ b/meta/recipes-core/base-files/base-files_3.0.14.bb 
@@ -95,6 +95,7 @@ do_install () { for d in ${dirs755}; do install -m 0755 -d ${D}$d done + chmod 0700 ${D}${ROOT_HOME} for d in ${dirs1777}; do install -m 1777 -d ${D}$d done // Robert On 04/06/2016 01:03 PM, Charles Chan wrote: > (This is my first post to OE list, hopefully I am posting to the right mailing > list.) > > Background: During the process of trying to configure SSH keys for root user > login via dropbear, we realized the permission for /home/root directory is set > too loose for group and other members [1]. As a result, dropbears fails when we > try to put the key under /home/root/.ssh > > --------- > > In the image, /home/root directory is set to 0755: > > $ stat /home/root > File: /home/root > Size: 4096 Blocks: 8 IO Block: 4096 directory > Device: b302h/45826d Inode: 13268 Links: 4 > Access: (0755/drwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root) > Access: 2016-04-05 22:21:13.000000000 > Modify: 2016-04-05 22:08:57.000000000 > Change: 2016-04-05 22:08:57.000000000 > > > After some debugging, we believe the permission (0755) is initialized in > base-files_3.0.14.bb <http://base-files_3.0.14.bb> (in line 35) [2]. > > A few questions: > 1. I tried looking at the git log for the history, but wasn't able to find any > background on why the permission was set this way. eg. on a desktop Linux > (Ubuntu), /root is set to 0700: > > $ sudo stat /root > File: `/root' > Size: 4096 Blocks: 8 IO Block: 4096 directory > Device: 801h/2049dInode: 1441793 Links: 3 > Access: (0700/drwx------) Uid: ( 0/ root) Gid: ( 0/ root) > Access: 2016-04-05 21:29:17.389725228 -0700 > Modify: 2016-03-22 17:11:54.912479000 -0700 > Change: 2016-03-22 17:11:54.912479000 -0700 > Birth: - > > > 2. If we would like to override the directory permission for /home/root in our > image, what is the best way to do it? I am not an expert with bitbake, should I > be patching the base-files_3.0.14.bb <http://base-files_3.0.14.bb>? using > *_append? 
or I should be looking at some other recipe altogether? > > Sorry for the long email. Thanks in advance. > Charles > > [1] https://wiki.openwrt.org/doc/howto/dropbear.public-key.auth#troubleshooting > > [2] > http://cgit.openembedded.org/cgit.cgi/openembedded-core/tree/meta/recipes-core/base-files/base-files_3.0.14.bb?h=master#n35 > > ^ permalink raw reply related [flat|nested] 5+ messages in thread
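Review bot: the added chmod 0700 ${D}${ROOT_HOME} after the dirs755 loop only works if ${ROOT_HOME} is one of the directories that loop has just created; the hunk does not show that, and if the variable points anywhere else the chmod fails on a missing path. Creating the directory with its final mode, install -m 0700 -d ${D}${ROOT_HOME}, removes that dependency and avoids the create-as-0755-then-tighten sequence. A one-line comment saying why this directory differs from the rest of dirs755 would help the next reader. The follow-ups in this thread (the rebuilt rootfs still showing the old mode, and the files/fs-perms.txt suggestion) also point to pinning the mode there rather than only in do_install.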
* Re: Security question: base-files_3.0.14.bb and ${ROOT_HOME} directory permission 2016-04-06 5:33 ` Robert Yang @ 2016-04-06 19:39 ` Charles Chan 2016-04-06 23:17 ` Dan McGregor 0 siblings, 1 reply; 5+ messages in thread From: Charles Chan @ 2016-04-06 19:39 UTC (permalink / raw) To: Robert Yang; +Cc: openembedded-core [-- Attachment #1: Type: text/plain, Size: 3601 bytes --] Hi Robert, Thanks for the patch. I tested it and it worked ... partially. Taking an existing image and then using `opkg install base-files.ipk` will correctly set the permission to 0700. However, when I rebuild the full image rootfs, /home/root still ends up with the wrong permission. I suspect another recipe is modifying the permission. Is there a way (ie. bitbake command) to find out which recipe is causing the change? Thanks again, Charles On Tue, Apr 5, 2016 at 10:33 PM, Robert Yang <liezhi.yang@windriver.com> wrote: > > I think that it should be a bug, would you please try this patch? > > diff --git a/meta/recipes-core/base-files/base-files_3.0.14.bb > b/meta/recipes-core/base-files/base-files_3.0.14.bb > index d391707..2082ed4 100644 > --- a/meta/recipes-core/base-files/base-files_3.0.14.bb > +++ b/meta/recipes-core/base-files/base-files_3.0.14.bb 
> @@ -95,6 +95,7 @@ do_install () { > for d in ${dirs755}; do > install -m 0755 -d ${D}$d > done > + chmod 0700 ${D}${ROOT_HOME} > for d in ${dirs1777}; do > install -m 1777 -d ${D}$d > done > > // Robert > > On 04/06/2016 01:03 PM, Charles Chan wrote: > >> (This is my first post to OE list, hopefully I am posting to the right >> mailing >> list.) >> >> Background: During the process of trying to configure SSH keys for root >> user >> login via dropbear, we realized the permission for /home/root directory >> is set >> too loose for group and other members [1]. As a result, dropbears fails >> when we >> try to put the key under /home/root/.ssh >> >> --------- >> >> In the image, /home/root directory is set to 0755: >> >> $ stat /home/root >> File: /home/root >> Size: 4096 Blocks: 8 IO Block: 4096 directory >> Device: b302h/45826d Inode: 13268 Links: 4 >> Access: (0755/drwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ >> root) >> Access: 2016-04-05 22:21:13.000000000 >> Modify: 2016-04-05 22:08:57.000000000 >> Change: 2016-04-05 22:08:57.000000000 >> >> >> After some debugging, we believe the permission (0755) is initialized in >> base-files_3.0.14.bb <http://base-files_3.0.14.bb> (in line 35) [2]. >> >> A few questions: >> 1. I tried looking at the git log for the history, but wasn't able to >> find any >> background on why the permission was set this way. eg. on a desktop Linux >> (Ubuntu), /root is set to 0700: >> >> $ sudo stat /root >> File: `/root' >> Size: 4096 Blocks: 8 IO Block: 4096 directory >> Device: 801h/2049dInode: 1441793 Links: 3 >> Access: (0700/drwx------) Uid: ( 0/ root) Gid: ( 0/ >> root) >> Access: 2016-04-05 21:29:17.389725228 -0700 >> Modify: 2016-03-22 17:11:54.912479000 -0700 >> Change: 2016-03-22 17:11:54.912479000 -0700 >> Birth: - >> >> >> 2. If we would like to override the directory permission for /home/root >> in our >> image, what is the best way to do it? 
I am not an expert with bitbake, >> should I >> be patching the base-files_3.0.14.bb <http://base-files_3.0.14.bb>? using >> *_append? or I should be looking at some other recipe altogether? >> >> Sorry for the long email. Thanks in advance. >> Charles >> >> [1] >> https://wiki.openwrt.org/doc/howto/dropbear.public-key.auth#troubleshooting >> >> [2] >> >> http://cgit.openembedded.org/cgit.cgi/openembedded-core/tree/meta/recipes-core/base-files/base-files_3.0.14.bb?h=master#n35 >> >> >> [-- Attachment #2: Type: text/html, Size: 5344 bytes --] ^ permalink raw reply [flat|nested] 5+ messages in thread
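A way to check the result Charles asks about above (the mode of /home/root in the finished rootfs), as an added example that is not part of the thread or of oe-core: a POSIX shell function that inspects an unpacked or mounted image, or the running target with ROOTFS set to /. The function name, the default path /home/root and the use of GNU stat are assumptions.

```shell
#!/bin/sh
# Added example: audit the mode of ROOT_HOME inside an unpacked root filesystem.
#
# Usage: check_root_home ROOTFS [ROOT_HOME] [ALLOWED_MODE]
#   ALLOWED_MODE must be octal with a leading 0 (default 0700).
# Returns:
#   0  the directory has no permission bits beyond ALLOWED_MODE
#   1  extra bits are set (for example 0755 when 0700 is expected)
#   2  the path is missing, is a symlink, or is not a directory
check_root_home() {
    rootfs=$1
    root_home=${2:-/home/root}   # path seen in the thread; an assumption elsewhere
    allowed=${3:-0700}
    dir="${rootfs%/}${root_home}"

    # stat would follow a symlink and report on its target, so reject it first.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "FAIL: $dir is not a real directory" >&2
        return 2
    fi

    mode=$(stat -c '%a' "$dir") || return 2   # GNU stat prints e.g. "755"

    # Bits present in the actual mode but absent from the allowed mode.
    extra=$(( 0$mode & ~$allowed & 07777 ))
    if [ "$extra" -ne 0 ]; then
        printf 'FAIL: %s is %04o, extra bits %04o (allowed %s)\n' \
            "$dir" "$((0$mode))" "$extra" "$allowed" >&2
        return 1
    fi

    printf 'OK: %s is %04o\n' "$dir" "$((0$mode))"
    return 0
}
```

Run it against the image contents after a full build as well as after a package install, since the thread reports the two giving different modes.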
* Re: Security question: base-files_3.0.14.bb and ${ROOT_HOME} directory permission 2016-04-06 19:39 ` Charles Chan @ 2016-04-06 23:17 ` Dan McGregor 2016-04-07 3:01 ` Robert Yang 0 siblings, 1 reply; 5+ messages in thread From: Dan McGregor @ 2016-04-06 23:17 UTC (permalink / raw) To: Charles Chan; +Cc: Patches and discussions about the oe-core layer On 6 April 2016 at 13:39, Charles Chan <charles.wh.chan@gmail.com> wrote: > Hi Robert, > > Thanks for the patch. I tested it and it worked ... partially. > > Taking an existing image and then using `opkg install base-files.ipk` will > correctly set the permission to 0700. > > However, when I rebuild the full image rootfs, /home/root still ends up with > the wrong permission. I suspect another recipe is modifying the permission. > Is there a way (ie. bitbake command) to find out which recipe is causing the > change? > > Thanks again, > Charles > I don't know what recipe is creating /home/root, but ${ROOT_HOME} should probably be added to files/fs-perms.txt with the correct permissions set. > > On Tue, Apr 5, 2016 at 10:33 PM, Robert Yang <liezhi.yang@windriver.com> > wrote: >> >> >> I think that it should be a bug, would you please try this patch? >> >> diff --git a/meta/recipes-core/base-files/base-files_3.0.14.bb >> b/meta/recipes-core/base-files/base-files_3.0.14.bb >> index d391707..2082ed4 100644 >> --- a/meta/recipes-core/base-files/base-files_3.0.14.bb >> +++ b/meta/recipes-core/base-files/base-files_3.0.14.bb 
>> @@ -95,6 +95,7 @@ do_install () { >> for d in ${dirs755}; do >> install -m 0755 -d ${D}$d >> done >> + chmod 0700 ${D}${ROOT_HOME} >> for d in ${dirs1777}; do >> install -m 1777 -d ${D}$d >> done >> >> // Robert >> >> On 04/06/2016 01:03 PM, Charles Chan wrote: >>> >>> (This is my first post to OE list, hopefully I am posting to the right >>> mailing >>> list.) >>> >>> Background: During the process of trying to configure SSH keys for root >>> user >>> login via dropbear, we realized the permission for /home/root directory >>> is set >>> too loose for group and other members [1]. As a result, dropbears fails >>> when we >>> try to put the key under /home/root/.ssh >>> >>> --------- >>> >>> In the image, /home/root directory is set to 0755: >>> >>> $ stat /home/root >>> File: /home/root >>> Size: 4096 Blocks: 8 IO Block: 4096 >>> directory >>> Device: b302h/45826d Inode: 13268 Links: 4 >>> Access: (0755/drwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ >>> root) >>> Access: 2016-04-05 22:21:13.000000000 >>> Modify: 2016-04-05 22:08:57.000000000 >>> Change: 2016-04-05 22:08:57.000000000 >>> >>> >>> After some debugging, we believe the permission (0755) is initialized in >>> base-files_3.0.14.bb <http://base-files_3.0.14.bb> (in line 35) [2]. >>> >>> A few questions: >>> 1. I tried looking at the git log for the history, but wasn't able to >>> find any >>> background on why the permission was set this way. eg. on a desktop Linux >>> (Ubuntu), /root is set to 0700: >>> >>> $ sudo stat /root >>> File: `/root' >>> Size: 4096 Blocks: 8 IO Block: 4096 directory >>> Device: 801h/2049dInode: 1441793 Links: 3 >>> Access: (0700/drwx------) Uid: ( 0/ root) Gid: ( 0/ >>> root) >>> Access: 2016-04-05 21:29:17.389725228 -0700 >>> Modify: 2016-03-22 17:11:54.912479000 -0700 >>> Change: 2016-03-22 17:11:54.912479000 -0700 >>> Birth: - >>> >>> >>> 2. If we would like to override the directory permission for /home/root >>> in our >>> image, what is the best way to do it? 
I am not an expert with bitbake, >>> should I >>> be patching the base-files_3.0.14.bb <http://base-files_3.0.14.bb>? using >>> *_append? or I should be looking at some other recipe altogether? >>> >>> Sorry for the long email. Thanks in advance. >>> Charles >>> >>> [1] >>> https://wiki.openwrt.org/doc/howto/dropbear.public-key.auth#troubleshooting >>> >>> [2] >>> >>> http://cgit.openembedded.org/cgit.cgi/openembedded-core/tree/meta/recipes-core/base-files/base-files_3.0.14.bb?h=master#n35 >>> >>> > > > -- > _______________________________________________ > Openembedded-core mailing list > Openembedded-core@lists.openembedded.org > http://lists.openembedded.org/mailman/listinfo/openembedded-core > ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Security question: base-files_3.0.14.bb and ${ROOT_HOME} directory permission 2016-04-06 23:17 ` Dan McGregor @ 2016-04-07 3:01 ` Robert Yang 0 siblings, 0 replies; 5+ messages in thread From: Robert Yang @ 2016-04-07 3:01 UTC (permalink / raw) To: Dan McGregor, Charles Chan Cc: Patches and discussions about the oe-core layer On 04/07/2016 07:17 AM, Dan McGregor wrote: > On 6 April 2016 at 13:39, Charles Chan <charles.wh.chan@gmail.com> wrote: >> Hi Robert, >> >> Thanks for the patch. I tested it and it worked ... partially. >> >> Taking an existing image and then using `opkg install base-files.ipk` will >> correctly set the permission to 0700. >> >> However, when I rebuild the full image rootfs, /home/root still ends up with >> the wrong permission. I suspect another recipe is modifying the permission. >> Is there a way (ie. bitbake command) to find out which recipe is causing the >> change? I tried a fresh build, it works for me. >> >> Thanks again, >> Charles >> > > I don't know what recipe is creating /home/root, but ${ROOT_HOME} It is created by base-files > should probably be added to files/fs-perms.txt with the correct > permissions set. Sounds good to me. // Robert > > >> >> On Tue, Apr 5, 2016 at 10:33 PM, Robert Yang <liezhi.yang@windriver.com> >> wrote: >>> >>> >>> I think that it should be a bug, would you please try this patch? >>> >>> diff --git a/meta/recipes-core/base-files/base-files_3.0.14.bb >>> b/meta/recipes-core/base-files/base-files_3.0.14.bb >>> index d391707..2082ed4 100644 >>> --- a/meta/recipes-core/base-files/base-files_3.0.14.bb >>> +++ b/meta/recipes-core/base-files/base-files_3.0.14.bb 
>>> @@ -95,6 +95,7 @@ do_install () { >>> for d in ${dirs755}; do >>> install -m 0755 -d ${D}$d >>> done >>> + chmod 0700 ${D}${ROOT_HOME} >>> for d in ${dirs1777}; do >>> install -m 1777 -d ${D}$d >>> done >>> >>> // Robert >>> >>> On 04/06/2016 01:03 PM, Charles Chan wrote: >>>> >>>> (This is my first post to OE list, hopefully I am posting to the right >>>> mailing >>>> list.) >>>> >>>> Background: During the process of trying to configure SSH keys for root >>>> user >>>> login via dropbear, we realized the permission for /home/root directory >>>> is set >>>> too loose for group and other members [1]. As a result, dropbears fails >>>> when we >>>> try to put the key under /home/root/.ssh >>>> >>>> --------- >>>> >>>> In the image, /home/root directory is set to 0755: >>>> >>>> $ stat /home/root >>>> File: /home/root >>>> Size: 4096 Blocks: 8 IO Block: 4096 >>>> directory >>>> Device: b302h/45826d Inode: 13268 Links: 4 >>>> Access: (0755/drwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ >>>> root) >>>> Access: 2016-04-05 22:21:13.000000000 >>>> Modify: 2016-04-05 22:08:57.000000000 >>>> Change: 2016-04-05 22:08:57.000000000 >>>> >>>> >>>> After some debugging, we believe the permission (0755) is initialized in >>>> base-files_3.0.14.bb <http://base-files_3.0.14.bb> (in line 35) [2]. >>>> >>>> A few questions: >>>> 1. I tried looking at the git log for the history, but wasn't able to >>>> find any >>>> background on why the permission was set this way. eg. on a desktop Linux >>>> (Ubuntu), /root is set to 0700: >>>> >>>> $ sudo stat /root >>>> File: `/root' >>>> Size: 4096 Blocks: 8 IO Block: 4096 directory >>>> Device: 801h/2049dInode: 1441793 Links: 3 >>>> Access: (0700/drwx------) Uid: ( 0/ root) Gid: ( 0/ >>>> root) >>>> Access: 2016-04-05 21:29:17.389725228 -0700 >>>> Modify: 2016-03-22 17:11:54.912479000 -0700 >>>> Change: 2016-03-22 17:11:54.912479000 -0700 >>>> Birth: - >>>> >>>> >>>> 2. 
If we would like to override the directory permission for /home/root >>>> in our >>>> image, what is the best way to do it? I am not an expert with bitbake, >>>> should I >>>> be patching the base-files_3.0.14.bb <http://base-files_3.0.14.bb>? using >>>> *_append? or I should be looking at some other recipe altogether? >>>> >>>> Sorry for the long email. Thanks in advance. >>>> Charles >>>> >>>> [1] >>>> https://wiki.openwrt.org/doc/howto/dropbear.public-key.auth#troubleshooting >>>> >>>> [2] >>>> >>>> http://cgit.openembedded.org/cgit.cgi/openembedded-core/tree/meta/recipes-core/base-files/base-files_3.0.14.bb?h=master#n35 >>>> >>>> >> >> >> -- >> _______________________________________________ >> Openembedded-core mailing list >> Openembedded-core@lists.openembedded.org >> http://lists.openembedded.org/mailman/listinfo/openembedded-core >> > ^ permalink raw reply [flat|nested] 5+ messages in thread