From: Zhihang Wei
To: isar-users@googlegroups.com
Cc: felix.moessbauer@siemens.com
Subject: [PATCH 1/1] mmdebstrap: ensure apt keystore is owned by root
Date: Thu, 18 Jun 2026 17:24:39 +0200
Message-Id: <20260618152439.3884748-2-wzh@ilbers.de>
In-Reply-To: <20260618152439.3884748-1-wzh@ilbers.de>
References: <20260618152439.3884748-1-wzh@ilbers.de>

From: Felix Moessbauer We currently create the /etc/apt/trusted.gpg.d manually during bootstrap setup to be able to deploy local keys. By that, the directory is owned by the calling user (the one that executes isar) instead of root. If the calling user's id is identical to one of an unprivileged user inside the image, this user is able to alter existing keys and deploy new ones, silently breaking the apt repo integrity protection. We fix this by manually chowning the directory to root:root in the setup step. Fixes: 9ae41e03 ("mmdebstrap: Move preparations to hooks") Signed-off-by: Felix Moessbauer --- meta/recipes-core/isar-mmdebstrap/isar-mmdebstrap.inc | 1 + 1 file changed, 1 insertion(+) diff --git a/meta/recipes-core/isar-mmdebstrap/isar-mmdebstrap.inc b/meta/recipes-core/isar-mmdebstrap/isar-mmdebstrap.inc index cef953ef..e746f469 100644 --- a/meta/recipes-core/isar-mmdebstrap/isar-mmdebstrap.inc +++ b/meta/recipes-core/isar-mmdebstrap/isar-mmdebstrap.inc @@ -232,6 +232,7 @@ do_bootstrap() { --setup-hook='upload "${WORKDIR}/locale" /etc/locale' \ --setup-hook='mkdir -p "$1/etc/apt/trusted.gpg.d"' \ --setup-hook='sync-in "${WORKDIR}/trusted.gpg.d" /etc/apt/trusted.gpg.d' \ + --setup-hook='chown -R root:root "$1/etc/apt/trusted.gpg.d"' \ --setup-hook='install -v -m755 "${WORKDIR}/chroot-setup.sh" "$1/chroot-setup.sh"' \ --extract-hook="$extra_extract" \ --essential-hook="$extra_essential" \ -- 2.39.5 -- You received this message because you are subscribed to the Google Groups "isar-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com. To view this discussion visit https://groups.google.com/d/msgid/isar-users/20260618152439.3884748-2-wzh%40ilbers.de.
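
Review bot: The added `chown -R root:root "$1/etc/apt/trusted.gpg.d"` hook in do_bootstrap() resets owner and group only, so the keystore's permission bits are still left to chance: the directory is created two lines earlier by `mkdir -p` with no explicit mode, and the key files keep whatever mode they arrive with from `${WORKDIR}/trusted.gpg.d`. A group- or world-writable bit on the build host would leave the keystore writable by non-root users in the image even after this fix. Consider creating the directory with `install -d -o root -g root -m 0755` instead of `mkdir -p`, or following the chown with a `chmod -R go-w` on the same path. Separately, the context line `install -v -m755 "${WORKDIR}/chroot-setup.sh" "$1/chroot-setup.sh"` also writes into the rootfs without `-o root -g root`; if files created by setup hooks end up owned by the calling user as the commit message describes, it is worth confirming whether that script needs the same treatment or is removed before the image is finalized.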