From: Jan Kiszka
Subject: Re: [PATCH v2] meta/dpkg-raw: fix raw package file ownership
To: Henning Schild, isar-users
Cc: Adriaan Schmidt
Date: Wed, 7 Nov 2018 17:51:08 +0100
Message-ID: <74071ed1-cb60-afdb-6ca9-08d2d10213be@siemens.com>
In-Reply-To: <20181107164906.17219-1-henning.schild@siemens.com>

On 07.11.18 17:49, Henning Schild wrote:
> Make sure the whole content of the package defaults to ownership
> "root:root", deviations will have to be done in postinst.
> Before the file ownership was coming from our build environment and
> typically was "1000:1000". That was a security problem and the ids could
> differ depending on how people build.
>
> Reported-by: Adriaan Schmidt
> Signed-off-by: Henning Schild > --- > RECIPE-API-CHANGELOG.md | 5 +++++ > doc/user_manual.md | 1 + > meta/classes/dpkg-raw.bbclass | 2 +- > 3 files changed, 7 insertions(+), 1 deletion(-) > > diff --git a/RECIPE-API-CHANGELOG.md b/RECIPE-API-CHANGELOG.md > index c7b7552..9a65b44 100644 > --- a/RECIPE-API-CHANGELOG.md > +++ b/RECIPE-API-CHANGELOG.md > @@ -6,6 +6,11 @@ Baseline: Release v0.5 > Upcoming changes (v0.7) > ----------------------- > > +### dpkg-raw recipes chown all files to "root:root" > + > +if your recipes rely on any other ownership, you will have to change file > +ownership in the postinst script > + > ### more consistent artifact names > > multiconfig image artifacts are all placed in tmp/deploy/images. They include > diff --git a/doc/user_manual.md b/doc/user_manual.md > index 3b4ec48..5c46d5a 100644 > --- a/doc/user_manual.md > +++ b/doc/user_manual.md > @@ -603,6 +603,7 @@ For the variables please have a look at the previous example, the following new > - `DEBIAN_DEPENDS` - Debian packages that the package depends on > > Have a look at the `example-raw` recipe to get an idea how the `dpkg-raw` class can be used to customize your image. > +Note that all files you install will be owned by "root:root". If you want to change that, call chown in the postinst script. > > ## Isar Cross-compilation > > diff --git a/meta/classes/dpkg-raw.bbclass b/meta/classes/dpkg-raw.bbclass > index c848f3d..d662422 100644 > --- a/meta/classes/dpkg-raw.bbclass > +++ b/meta/classes/dpkg-raw.bbclass > @@ -54,6 +54,6 @@ do_prepare_build() { > } > > dpkg_runbuild() { > - sudo chown -R root:root ${D}/DEBIAN/ > + sudo chown -R root:root ${D} > sudo chroot ${BUILDCHROOT_DIR} dpkg-deb --build ${PP}/image ${PP} > } > Looks good! Thanks, Jan -- Siemens AG, Corporate Technology, CT RDA IOT SES-DE Corporate Competence Center Embedded Linux
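Review bot: In the RECIPE-API-CHANGELOG.md hunk, the new entry does not say what the ownership was before or why it changed, so a recipe author cannot tell whether a recipe is affected. Suggest adding one sentence from the commit message, that files previously carried the build user's ids (typically "1000:1000"), and naming `chown` explicitly as the postinst step.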
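Review bot: In the doc/user_manual.md hunk, the added sentence refers to "the postinst script" without saying where a `dpkg-raw` recipe supplies one. Suggest pointing to the place in the `example-raw` recipe or the manual that shows a postinst, and leaving a blank line before "Note that" so Markdown renders it as its own paragraph instead of joining it to the previous sentence.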
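Review bot: In dpkg_runbuild() in the meta/classes/dpkg-raw.bbclass hunk, `${D}` is passed unquoted to a recursive chown that runs under sudo, so a path containing whitespace would be split into several operands. Suggest `sudo chown -R root:root "${D}"`. The chown resets ownership only; file modes still come from the build environment, which the two documentation hunks could mention.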
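A check for the ownership leak the commit message describes, as an added example that is not part of the original thread or of Isar: it scans a listing in the layout printed by `dpkg-deb --contents` and reports entries not owned by root. The function names and both sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Isar code): audit a package listing for non-root ownership.
# Input on stdin: a listing in the `dpkg-deb --contents` (tar -tv) layout:
#   mode owner/group size date time path [-> link target]

# Print "owner/group path" for each entry not owned by root/root (or 0/0).
non_root_entries() {
    awk '$2 != "root/root" && $2 != "0/0" {
        path = $6
        for (i = 7; i <= NF; i++) path = path " " $i   # paths with spaces, symlinks
        print $2, path
    }'
}

# Exit status 0 if every entry is root-owned, 1 otherwise (offenders on stderr).
check_listing() {
    bad=$(non_root_entries)
    [ -z "$bad" ] && return 0
    printf 'non-root ownership in package:\n%s\n' "$bad" >&2
    return 1
}

# Constructed sample listings, not output from a real build.
SAMPLE_BEFORE='drwxr-xr-x 1000/1000 0 2018-11-07 17:00 ./
drwxr-xr-x 1000/1000 0 2018-11-07 17:00 ./etc/
-rw-r--r-- 1000/1000 42 2018-11-07 17:00 ./etc/example.conf'
SAMPLE_AFTER='drwxr-xr-x root/root 0 2018-11-07 17:00 ./
drwxr-xr-x root/root 0 2018-11-07 17:00 ./etc/
-rw-r--r-- root/root 42 2018-11-07 17:00 ./etc/example.conf
lrwxrwxrwx root/root 0 2018-11-07 17:00 ./etc/alias.conf -> example.conf'

# Real use: dpkg-deb --contents package.deb | check_listing
printf '%s\n' "$SAMPLE_BEFORE" | check_listing || echo "before the fix: FAIL"
printf '%s\n' "$SAMPLE_AFTER" | check_listing && echo "after the fix: OK"
```

Run as a post-build step, a non-zero exit from `check_listing` catches a recipe whose files still carry build-environment ids.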