[PATCH v2] meta/dpkg-raw: fix raw package file ownership

[PATCH v2] meta/dpkg-raw: fix raw package file ownership

[Henning Schild]

Make sure the whole content of the package defaults to ownership
"root:root", deviations will have to be done in postinst.
Before the file ownership was coming from our build environment and
typically was "1000:1000". That was a security problem and the ids could
differ depending on how people build.

Reported-by: Adriaan Schmidt <adriaan.schmidt@siemens.com>
Signed-off-by: Henning Schild <henning.schild@siemens.com>
---
 RECIPE-API-CHANGELOG.md       | 5 +++++
 doc/user_manual.md            | 1 +
 meta/classes/dpkg-raw.bbclass | 2 +-
 3 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/RECIPE-API-CHANGELOG.md b/RECIPE-API-CHANGELOG.md
index c7b7552..9a65b44 100644
--- a/RECIPE-API-CHANGELOG.md
+++ b/RECIPE-API-CHANGELOG.md
@@ -6,6 +6,11 @@ Baseline: Release v0.5
 Upcoming changes (v0.7)
 -----------------------
 
+### dpkg-raw recipes chown all files to "root:root"
+
+if your recipes rely on any other ownership, you will have to change file
+ownership in the postinst script
+
 ### more consistent artifact names
 
 multiconfig image artifacts are all placed in tmp/deploy/images. They include
diff --git a/doc/user_manual.md b/doc/user_manual.md
index 3b4ec48..5c46d5a 100644
--- a/doc/user_manual.md
+++ b/doc/user_manual.md
@@ -603,6 +603,7 @@ For the variables please have a look at the previous example, the following new
  - `DEBIAN_DEPENDS` - Debian packages that the package depends on
 
 Have a look at the `example-raw` recipe to get an idea how the `dpkg-raw` class can be used to customize your image.
+Note that all files you install will be owned by "root:root". If you want to change that, call chown in the postinst script.
 
 ## Isar Cross-compilation
 
diff --git a/meta/classes/dpkg-raw.bbclass b/meta/classes/dpkg-raw.bbclass
index c848f3d..d662422 100644
--- a/meta/classes/dpkg-raw.bbclass
+++ b/meta/classes/dpkg-raw.bbclass
@@ -54,6 +54,6 @@ do_prepare_build() {
 }
 
 dpkg_runbuild() {
-	sudo chown -R root:root ${D}/DEBIAN/
+	sudo chown -R root:root ${D}
 	sudo chroot ${BUILDCHROOT_DIR} dpkg-deb --build ${PP}/image ${PP}
 }
-- 
2.19.1

Re: [PATCH v2] meta/dpkg-raw: fix raw package file ownership

[Jan Kiszka]

On 07.11.18 17:49, Henning Schild wrote:
> Make sure the whole content of the package defaults to ownership
> "root:root", deviations will have to be done in postinst.
> Before the file ownership was coming from our build environment and
> typically was "1000:1000". That was a security problem and the ids could
> differ depending on how people build.
> 
> Reported-by: Adriaan Schmidt <adriaan.schmidt@siemens.com>
> Signed-off-by: Henning Schild <henning.schild@siemens.com>
> ---
>   RECIPE-API-CHANGELOG.md       | 5 +++++
>   doc/user_manual.md            | 1 +
>   meta/classes/dpkg-raw.bbclass | 2 +-
>   3 files changed, 7 insertions(+), 1 deletion(-)
> 
> diff --git a/RECIPE-API-CHANGELOG.md b/RECIPE-API-CHANGELOG.md
> index c7b7552..9a65b44 100644
> --- a/RECIPE-API-CHANGELOG.md
> +++ b/RECIPE-API-CHANGELOG.md
> @@ -6,6 +6,11 @@ Baseline: Release v0.5
>   Upcoming changes (v0.7)
>   -----------------------
>   
> +### dpkg-raw recipes chown all files to "root:root"
> +
> +if your recipes rely on any other ownership, you will have to change file
> +ownership in the postinst script
> +
>   ### more consistent artifact names
>   
>   multiconfig image artifacts are all placed in tmp/deploy/images. They include
> diff --git a/doc/user_manual.md b/doc/user_manual.md
> index 3b4ec48..5c46d5a 100644
> --- a/doc/user_manual.md
> +++ b/doc/user_manual.md
> @@ -603,6 +603,7 @@ For the variables please have a look at the previous example, the following new
>    - `DEBIAN_DEPENDS` - Debian packages that the package depends on
>   
>   Have a look at the `example-raw` recipe to get an idea how the `dpkg-raw` class can be used to customize your image.
> +Note that all files you install will be owned by "root:root". If you want to change that, call chown in the postinst script.
>   
>   ## Isar Cross-compilation
>   
> diff --git a/meta/classes/dpkg-raw.bbclass b/meta/classes/dpkg-raw.bbclass
> index c848f3d..d662422 100644
> --- a/meta/classes/dpkg-raw.bbclass
> +++ b/meta/classes/dpkg-raw.bbclass
> @@ -54,6 +54,6 @@ do_prepare_build() {
>   }
>   
>   dpkg_runbuild() {
> -	sudo chown -R root:root ${D}/DEBIAN/
> +	sudo chown -R root:root ${D}
>   	sudo chroot ${BUILDCHROOT_DIR} dpkg-deb --build ${PP}/image ${PP}
>   }
> 

Looks good!

Thanks,
Jan

-- 
Siemens AG, Corporate Technology, CT RDA IOT SES-DE
Corporate Competence Center Embedded Linux

Re: [PATCH v2] meta/dpkg-raw: fix raw package file ownership

[Maxim Yu. Osipov]

On 11/7/18 7:49 PM, Henning Schild wrote:
> Make sure the whole content of the package defaults to ownership
> "root:root", deviations will have to be done in postinst.
> Before the file ownership was coming from our build environment and
> typically was "1000:1000". That was a security problem and the ids could
> differ depending on how people build.

Applied to the 'next'

Thanks,
Maxim.

> Reported-by: Adriaan Schmidt <adriaan.schmidt@siemens.com>
> Signed-off-by: Henning Schild <henning.schild@siemens.com>
> ---
>   RECIPE-API-CHANGELOG.md       | 5 +++++
>   doc/user_manual.md            | 1 +
>   meta/classes/dpkg-raw.bbclass | 2 +-
>   3 files changed, 7 insertions(+), 1 deletion(-)
> 
> diff --git a/RECIPE-API-CHANGELOG.md b/RECIPE-API-CHANGELOG.md
> index c7b7552..9a65b44 100644
> --- a/RECIPE-API-CHANGELOG.md
> +++ b/RECIPE-API-CHANGELOG.md
> @@ -6,6 +6,11 @@ Baseline: Release v0.5
>   Upcoming changes (v0.7)
>   -----------------------
>   
> +### dpkg-raw recipes chown all files to "root:root"
> +
> +if your recipes rely on any other ownership, you will have to change file
> +ownership in the postinst script
> +
>   ### more consistent artifact names
>   
>   multiconfig image artifacts are all placed in tmp/deploy/images. They include
> diff --git a/doc/user_manual.md b/doc/user_manual.md
> index 3b4ec48..5c46d5a 100644
> --- a/doc/user_manual.md
> +++ b/doc/user_manual.md
> @@ -603,6 +603,7 @@ For the variables please have a look at the previous example, the following new
>    - `DEBIAN_DEPENDS` - Debian packages that the package depends on
>   
>   Have a look at the `example-raw` recipe to get an idea how the `dpkg-raw` class can be used to customize your image.
> +Note that all files you install will be owned by "root:root". If you want to change that, call chown in the postinst script.
>   
>   ## Isar Cross-compilation
>   
> diff --git a/meta/classes/dpkg-raw.bbclass b/meta/classes/dpkg-raw.bbclass
> index c848f3d..d662422 100644
> --- a/meta/classes/dpkg-raw.bbclass
> +++ b/meta/classes/dpkg-raw.bbclass
> @@ -54,6 +54,6 @@ do_prepare_build() {
>   }
>   
>   dpkg_runbuild() {
> -	sudo chown -R root:root ${D}/DEBIAN/
> +	sudo chown -R root:root ${D}
>   	sudo chroot ${BUILDCHROOT_DIR} dpkg-deb --build ${PP}/image ${PP}
>   }
> 


-- 
Maxim Osipov
ilbers GmbH
Maria-Merian-Str. 8
85521 Ottobrunn
Germany
+49 (151) 6517 6917
mosipov@ilbers.de
http://ilbers.de/
Commercial register Munich, HRB 214197
General Manager: Baurzhan Ismagulov