From: Henning Schild <henning.schild@siemens.com>
To: Alexander Smirnov <alex.bluesman.smirnov@gmail.com>
Cc: <isar-users@googlegroups.com>
Subject: Re: [PATCH 01/16] meta: ext4-img: copy and keep attributes, always copy with sudo
Date: Wed, 2 Aug 2017 13:18:43 +0200
Message-ID: <20170802131843.5ff3dc85@md1em3qc>
In-Reply-To: <CAJmB2rB8zLOfO=yspEP+QuXY60=G3yFejQzyYZ--ztKYdEsf8Q@mail.gmail.com>
On Wed, 2 Aug 2017 10:48:13 +0300,
Alexander Smirnov <alex.bluesman.smirnov@gmail.com> wrote:
> Hi,
>
> 2017-08-01 13:17 GMT+03:00 Henning Schild
> <henning.schild@siemens.com>:
>
> > Some security enhancing packages can cause our initrd to be not
> > readable by a normal user. So we need to copy with sudo.
> >
>
> Please be more explicit which packages, it'd be nice to have examples
> here in the commit message.
It is one of these packages:
IMAGE_PREINSTALL += "acl adduser apparmor apt attr babeltrace
base-files base-passwd bash bridge-utils busybox bzip2 cdebconf
console-setup coreutils cpio cron cryptsetup dash dbus debconf
debian-archive-keyring debianutils debootstrap dh-python dhcpcd5
diffutils dns-root-data dnsmasq dpkg dropbear e2fsprogs ebtables
elfutils ethtool expat file findutils fuse gcc-6 gdb gettext gnupg2
grep grub2 gzip hostname init-system-helpers initramfs-tools iproute2
iptables kbd keyutils kmod less libcap2 libgcrypt20
liblocale-gettext-perl libtasn1-6 libtext-charwidth-perl
libtext-iconv-perl libtext-wrapi18n-perl libxml2 linux-base lsb lsof
ltrace lvm2 mawk mime-support netbase netcat openssl os-prober p11-kit
parted patch pciutils perl procps python2.7 python3.5 rename rsync sed
sensible-utils setserial sgml-base shared-mime-info sqlite3
squashfs-tools strace systemd tar tcpdump trace-cmd tzdata ucf usbutils
util-linux vim wget xauth xdg-user-dirs xml-core xz-utils"
I did not investigate a lot which one, because it is a waste of time.
> In general Isar follows the way to reduce usage of 'sudo' as much as
> possible, so every new entry should have good reasons.
As Andreas reported last week we have libpseudo in the making and almost
ready, so the sudo problem will go away.
>
> > Also regular cp would destroy ownership and other attributes of
> > files, possibly creating problems in the future.
> >
>
> Also an example is highly appreciated.
cd /tmp
touch foobar
chgrp cron foobar
chown mail foobar
chmod 600 foobar
cp foobar bla
cp -a foobar bla2
If any debian package brings files not owned by root, plain cp will
destroy the ownership. I do not have a concrete example at hand.
Henning
> >
> > Signed-off-by: Henning Schild <henning.schild@siemens.com>
> > ---
> > meta/classes/ext4-img.bbclass | 6 +++---
> > 1 file changed, 3 insertions(+), 3 deletions(-)
> >
> > diff --git a/meta/classes/ext4-img.bbclass
> > b/meta/classes/ext4-img.bbclass index 65d4c11..6dc2039 100644
> > --- a/meta/classes/ext4-img.bbclass
> > +++ b/meta/classes/ext4-img.bbclass
> > @@ -21,16 +21,16 @@ do_ext4_image() {
> >
> > mkdir -p ${WORKDIR}/mnt
> > sudo mount -o loop ${EXT4_IMAGE_FILE} ${WORKDIR}/mnt
> > - sudo cp -r ${S}/* ${WORKDIR}/mnt
> > + sudo cp -a ${S}/* ${WORKDIR}/mnt
> > sudo umount ${WORKDIR}/mnt
> > rm -r ${WORKDIR}/mnt
> >
> > if [ -n "${KERNEL_IMAGE}" ]; then
> > - cp ${S}/boot/${KERNEL_IMAGE} ${DEPLOY_DIR_IMAGE}
> > + sudo cp -a ${S}/boot/${KERNEL_IMAGE} ${DEPLOY_DIR_IMAGE}
> >
>
> 1. Ideally DEPLOY_DIR_IMAGE should not contain files with root
> permissions, the only multistrap filesystems should require them. Any
> spread of sudo significantly increases the probability to damage host
> system. Also I don't see the reason to keep kernel image under
> supervisor permissions.
> 2. If KERNEL_IMAGE is symbolic link, 'cp -a'
> will copy symlink only.
>
>
> > fi
> >
> > if [ -n "${INITRD_IMAGE}" ]; then
> > - cp ${S}/boot/${INITRD_IMAGE} ${DEPLOY_DIR_IMAGE}
> > + sudo cp -a ${S}/boot/${INITRD_IMAGE} ${DEPLOY_DIR_IMAGE}
> > fi
> >
>
> I think that closed initrd is more private case than mainstream. Can
> we consider possibility to implement this as optional security feature?
>
>
> > }
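Review bot: The two deploy copies (the KERNEL_IMAGE and INITRD_IMAGE lines) should not use `-a`: it is shorthand for `-dR --preserve=all`, so a kernel or initrd that is a symlink in ${S}/boot arrives in ${DEPLOY_DIR_IMAGE} as a link instead of the file, and the copies keep root ownership and the source mode, which leaves artifacts in the deploy directory that the unprivileged build user cannot read or overwrite. Keep `sudo cp -a ${S}/* ${WORKDIR}/mnt` for the image contents, where ownership and mode must survive, and for the deploy copies dereference the source (`cp -L`) and hand the result back to the invoking user with a chown after the copy. The commit message should also name the package that makes the initrd unreadable, since that is the only justification given for the extra sudo calls.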
> >
> > --
> > 2.13.0
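The attribute loss discussed in this message can be measured on a scratch tree. The script below is an added example, not part of the original mail or of the Isar code; it assumes GNU find and coreutils, and the file names and the helpers meta_list, meta_drift, make_sample and copy_drift are made up for illustration.

```shell
#!/bin/sh
# Added example: measure what plain recursive cp loses compared with cp -a.
# Assumes GNU find and coreutils; all paths and names are constructed.

# One line per entry below $1: path, octal mode, uid:gid, type, link target.
meta_list() {
    (cd "$1" && find . -mindepth 1 -printf '%p %m %U:%G %y %l\n' | LC_ALL=C sort)
}

# Count entries of tree $1 whose metadata line has no exact match in tree $2.
meta_drift() {
    a=$(mktemp); b=$(mktemp)
    meta_list "$1" > "$a"; meta_list "$2" > "$b"
    LC_ALL=C comm -23 "$a" "$b" | wc -l | tr -d ' '
    rm -f "$a" "$b"
}

# Constructed stand-in for a root filesystem tree such as ${S}.
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/boot" "$root/usr/bin" "$root/var/spool"
    echo initrd > "$root/boot/initrd.img-1"; chmod 600  "$root/boot/initrd.img-1"
    ln -s initrd.img-1 "$root/boot/initrd.img"
    echo tool   > "$root/usr/bin/tool";      chmod 4755 "$root/usr/bin/tool"
    echo queue  > "$root/var/spool/queue";   chmod 664  "$root/var/spool/queue"
    echo "$root"
}

# Copy the sample with the cp flag in $1 under umask 022 and print the drift.
copy_drift() {
    src=$(make_sample); dst=$(mktemp -d)
    ( umask 022; cp "$1" "$src/." "$dst" )
    meta_drift "$src" "$dst"
    rm -rf "$src" "$dst"
}

echo "entries changed by cp -r: $(copy_drift -r)"
echo "entries changed by cp -a: $(copy_drift -a)"
```

Run unprivileged, the uid:gid column never differs; the ownership loss described above shows up in the same listing when the tree contains files owned by other accounts and the copy runs under sudo.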