On Thu, Oct 20, 2022 at 6:01 PM Peter Naulls <[email protected]> wrote: > > > Yes, I know. Bear with me. Laugh if you must. > > # ls -l /rom/ > ... > drwxr-xr-x 4 root root 98 Oct 20 13:53 www > > I'd like to remove the writable bits from the squashfs image - /www is > particular concern because of security paranoia. > > Now I realize that: > > 1. This is contrary to the design and operation of overlayfs - it doesn't > matter what you set the permissions to, overlayfs will make a copy and > let you "write" anyway (correct me if I'm wrong here) and besides there's only > root. > > 2. This is 100% security theater, but the optics have become important here. > > I don't see that mksquashfs has any options for removing these attributes. > It is possible to set the permissions on files that end up in the rootfs > before the image generation, but then you tend to run into permissions > problems on the host build system when you do it again and it needs to clean > things out.
On the contrary, this is fully supported by Mksquashfs using actions. Actions are modelled on the find command, and allow one or more tests to be performed on a file, and if the tests match, execute an action. What you probably want is the following % mksquashfs test test.sqsh -action "chmod(ugo-w)@perm(/ugo+w)" "perm(/ugo+w)" is a test that matches on any file that has a writable permission (either user, group or other). "chmod(ugo-w)" is an action that removes the writable permission for user, group and other. So if any file has a writable permission it is removed before generating the Squashfs filesystem. Worked example phillip@phoenix:/tmp$ ls -la test total 12 drwxr-xr-x 3 phillip users 4096 Oct 24 03:37 . drwxrwxrwt 11 root root 4096 Oct 24 04:17 .. drwxrwxrwx 2 phillip users 4096 Oct 24 03:32 example_dir -rw-rw-rw- 1 phillip users 0 Oct 24 03:32 example_file -r--r--r-- 1 phillip users 0 Oct 24 03:37 not_writable phillip@phoenix:/tmp$ mksquashfs test test.sqsh -action "chmod(ugo-w)@perm(/ugo+w)" phillip@phoenix:/tmp$ unsquashfs -lls test.sqsh dr-xr-xr-x phillip/users 74 2022-10-24 03:37 squashfs-root dr-xr-xr-x phillip/users 3 2022-10-24 03:32 squashfs-root/example_dir -r--r--r-- phillip/users 0 2022-10-24 03:32 squashfs-root/example_file -r--r--r-- phillip/users 0 2022-10-24 03:37 squashfs-root/not_writable If you only want the writable permission removed from directories, you can test the file type in addition to the writable permissions, e.g. % mksquashfs test test.sqsh -action "chmod(ugo-w)@perm(/ugo+w) && type(d)" -quiet -no-progress Worked example phillip@phoenix:/tmp$ ls -la test total 12 drwxr-xr-x 3 phillip users 4096 Oct 24 03:37 . drwxrwxrwt 11 root root 4096 Oct 24 04:22 .. drwxrwxrwx 2 phillip users 4096 Oct 24 03:32 example_dir -rw-rw-rw- 1 phillip users 0 Oct 24 03:32 example_file -r--r--r-- 1 phillip users 0 Oct 24 03:37 not_writable phillip@phoenix:/tmp$ mksquashfs test test.sqsh -action "chmod(ugo-w)@perm(/ugo+w) && type(d)" -quiet -no-progress phillip@phoenix:/tmp$ unsquashfs -lls test.sqsh dr-xr-xr-x phillip/users 74 2022-10-24 03:37 squashfs-root dr-xr-xr-x phillip/users 3 2022-10-24 03:32 squashfs-root/example_dir -rw-rw-rw- phillip/users 0 2022-10-24 03:32 squashfs-root/example_file -r--r--r-- phillip/users 0 2022-10-24 03:37 squashfs-root/not_writable More information on Mksquashfs actions is here https://github.com/plougher/squashfs-tools/blob/master/ACTIONS-README Please ask if you want more information. Phillip --- Squashfs author and maintainer. _______________________________________________ openwrt-devel mailing list [email protected] https://lists.openwrt.org/mailman/listinfo/openwrt-devel
