Subject: Re: [PATCH v2] meta/dpkg-raw: fix raw package file ownership
From: "Maxim Yu. Osipov"
To: Henning Schild, isar-users
Cc: Adriaan Schmidt, Jan Kiszka
Date: Mon, 12 Nov 2018 12:25:43 +0300
Message-ID: <121f9925-cf97-55e5-dbc9-ecf7b3595203@ilbers.de>
In-Reply-To: <20181107164906.17219-1-henning.schild@siemens.com>

On 11/7/18 7:49 PM, Henning Schild wrote:
> Make sure the whole content of the package defaults to ownership
> "root:root", deviations will have to be done in postinst.
> Before the file ownership was coming from our build environment and
> typically was "1000:1000". That was a security problem and the ids could
> differ depending on how people build.

Applied to the 'next'

Thanks,
Maxim.

> Reported-by: Adriaan Schmidt
> Signed-off-by: Henning Schild > --- > RECIPE-API-CHANGELOG.md | 5 +++++ > doc/user_manual.md | 1 + > meta/classes/dpkg-raw.bbclass | 2 +- > 3 files changed, 7 insertions(+), 1 deletion(-) > > diff --git a/RECIPE-API-CHANGELOG.md b/RECIPE-API-CHANGELOG.md > index c7b7552..9a65b44 100644 > --- a/RECIPE-API-CHANGELOG.md > +++ b/RECIPE-API-CHANGELOG.md > @@ -6,6 +6,11 @@ Baseline: Release v0.5 > Upcoming changes (v0.7) > ----------------------- > > +### dpkg-raw recipes chown all files to "root:root" > + > +if your recipes rely on any other ownership, you will have to change file > +ownership in the postinst script > + > ### more consistent artifact names > > multiconfig image artifacts are all placed in tmp/deploy/images. They include > diff --git a/doc/user_manual.md b/doc/user_manual.md > index 3b4ec48..5c46d5a 100644 > --- a/doc/user_manual.md > +++ b/doc/user_manual.md > @@ -603,6 +603,7 @@ For the variables please have a look at the previous example, the following new > - `DEBIAN_DEPENDS` - Debian packages that the package depends on > > Have a look at the `example-raw` recipe to get an idea how the `dpkg-raw` class can be used to customize your image. > +Note that all files you install will be owned by "root:root". If you want to change that, call chown in the postinst script. > > ## Isar Cross-compilation > > diff --git a/meta/classes/dpkg-raw.bbclass b/meta/classes/dpkg-raw.bbclass > index c848f3d..d662422 100644 > --- a/meta/classes/dpkg-raw.bbclass > +++ b/meta/classes/dpkg-raw.bbclass > @@ -54,6 +54,6 @@ do_prepare_build() { > } > > dpkg_runbuild() { > - sudo chown -R root:root ${D}/DEBIAN/ > + sudo chown -R root:root ${D} > sudo chroot ${BUILDCHROOT_DIR} dpkg-deb --build ${PP}/image ${PP} > } > -- Maxim Osipov ilbers GmbH Maria-Merian-Str. 8 85521 Ottobrunn Germany +49 (151) 6517 6917 mosipov@ilbers.de http://ilbers.de/ Commercial register Munich, HRB 214197 General Manager: Baurzhan Ismagulov
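Review bot: In the RECIPE-API-CHANGELOG.md hunk, the new entry tells recipe authors what to do but not what changed: it never states that files previously carried the ownership of the build environment (the commit message gives "1000:1000" as typical), so a reader cannot tell whether an existing recipe was relying on that. Suggest adding one sentence on the previous behaviour and on the reason for the change, which the commit message already names as a security problem.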
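Review bot: In the doc/user_manual.md hunk, the added sentence writes chown and postinst as plain words while the line above it puts identifiers in backticks (`example-raw`, `dpkg-raw`); format them the same way. It would also help to say that the user or group named in that chown has to exist on the target when postinst runs, since postinst is now the only place a recipe can deviate from "root:root".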
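Review bot: In dpkg_runbuild() in meta/classes/dpkg-raw.bbclass, `sudo chown -R root:root ${D}` normalizes owner and group only; the permission bits of the installed files still come from the build environment, which is the same kind of build-dependent result the commit message describes for ownership. Consider normalizing or checking modes here as well, or document that they are packaged as-is. Also quote the expansion ("${D}") so that a build path containing whitespace is not split into several arguments to a chown that runs under sudo.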