Openembedded Core Discussions
From: Rasmus Villemoes <ravi@prevas.dk>
To: openembedded-core@lists.openembedded.org
Cc: emkan@prevas.dk
Subject: BB_DEFAULT_UMASK leaks into generated rootfs
Date: Wed, 04 Jun 2025 15:15:26 +0200
Message-ID: <87wm9r1wcx.fsf@prevas.dk>

Hello

After setting BB_DEFAULT_UMASK = "002", we started getting

  sshd-session[1965]: error: Unsafe AuthorizedKeysCommand "/usr/bin/userdbctl": bad ownership or modes for directory /

on target. And true enough, the permissions of / are

# ls -ld /
drwxrwxr-x 15 root root 221 Apr  5  2011 /

A somewhat odd observation is that while the umask setting does make
various aux directories under ${WORKDIR} have the expected 0775
permissions, the directory 'rootfs' itself does not have write
permission for group:

  $ ls -ld deploy-source-date-epoch/ recipe-sysroot-native/ rootfs/ temp/
  drwxrwxr-x  2 ravi ravi  4096 Jun  4 14:42 deploy-source-date-epoch/
  drwxrwxr-x 12 ravi ravi  4096 Jun  4 14:42 recipe-sysroot-native/
  drwxr-xr-x 15 ravi ravi  4096 Mar  9  2018 rootfs/
  drwxrwxr-x  4 ravi ravi 12288 Jun  4 14:43 temp/

However, both the generated tar-ball and squashfs images have recorded
that 0775 mode for the root entry:

  $ tar tvf deploy-pil-rootfs-image-complete/pil-rootfs-rpi4.tar |head -n1
  drwxrwxr-x 0/0               0 2018-03-09 13:34 ./
  $ unsquashfs -lls deploy-pil-rootfs-image-complete/pil-rootfs-rpi4.squashfs | head -n1
  drwxrwxr-x root/root               221 2018-03-09 13:34 squashfs-root

so I assume that must come from the pseudo database.

And the problem seems to be much bigger than just / having wrong
permissions. We also have /etc/passwd being

  # ls -l /etc/passwd
  -rw-rw-r-- 1 root root 1060 Apr  5  2011 /etc/passwd

Other files/directories being affected include /usr/lib/clock-epoch,
/usr/share/common-licenses/ (but not any of the files in there), and all
the xml files, but not directories, under /usr/share/mime/.

Rasmus
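
The `tar tvf` inspection above can be turned into a repeatable check. The following is an added example, not part of the original message: it lists archive entries that are writable by group or other, skipping symlinks and sticky directories. The sample archive is constructed in memory to mirror the reported modes, and the function names are hypothetical.

```python
import io
import stat
import tarfile

# Constructed sample entries mirroring the modes reported in the message.
SAMPLE = [
    (".", 0o775, tarfile.DIRTYPE),
    ("./etc", 0o755, tarfile.DIRTYPE),
    ("./etc/passwd", 0o664, tarfile.REGTYPE),
    ("./etc/hostname", 0o644, tarfile.REGTYPE),
    ("./tmp", 0o1777, tarfile.DIRTYPE),  # sticky, world-writable by design
]

def build_sample_tar():
    """Build the constructed archive in memory (all entries root-owned, empty)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, mode, kind in SAMPLE:
            info = tarfile.TarInfo(name)
            info.mode, info.type = mode, kind
            info.uid = info.gid = 0
            tar.addfile(info)
    buf.seek(0)
    return buf

def find_loose_modes(fileobj):
    """Return [(path, mode)] for entries writable by group or other."""
    findings = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for m in tar:
            if m.issym():
                continue  # symlink modes carry no meaning
            if m.isdir() and m.mode & stat.S_ISVTX:
                continue  # sticky directories such as /tmp are expected
            if m.mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((m.name, format(m.mode & 0o7777, "04o")))
    return findings

if __name__ == "__main__":
    # For a real image, pass open("<rootfs>.tar", "rb") instead.
    for path, mode in find_loose_modes(build_sample_tar()):
        print(mode, path)
```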




