Re: [OpenWrt-Devel] Extra file permissions

2015-11-03 Thread David Madden
[Sorry for the delay---I missed your reply]

>>> On Tue Oct 27 09:15:53 CET 2015, Bastian Bittorf wrote:
> IMHO it is better to explicitly set 0700 for the SSH stuff?
> so the user can just copy the files without tweaking the bits.

That's sort of what used to happen -- the permission fix would exclude
files named "ssh_host*" and "shadow," and afterward it set /tmp to 1777.

The problem is that if you want specific permissions for a specific
extra file, you have to fiddle with .../include/image.mk before the
image is made so that the general permission fixing leaves those files
alone.

I think it's easier just to leave the user's extra-file permissions
alone.  If there's nothing special on a file (i.e., -rw-rw-r--) then
it'll get copied in with reasonable values.  But for some files, it's
really important NOT to add read or execute permissions.  /etc/shadow is
an obvious one, but I also build images with HTTPS certificates and
keys.  The machine.key file MUST be -r or the key will be public.

Further, imagine that you build the image normally and the key file gets
installed as -rw-rw-r-- (on /rom).  Then you go in and change the
permission, so the file gets copied to /overlay/upper/etc/httpd.key with
the desired permissions.

The key file is _still_ _accessible_ under /rom/etc/httpd.key with the
old permissions.  So it doesn't even help to change the permission on
the target machine after installation.

If you want to have keys (and other security-sensitive items) built into
the sysimage, the permissions must be set the right way at build time.

Regards,
-- 
Mersenne Law LLP  ·  www.mersenne.com  ·  +1-503-679-1671
- Small Business, Startup and Intellectual Property Law -
9600 S.W. Oak Street · Suite 500 · Tigard, Oregon  97223



smime.p7s
Description: S/MIME Cryptographic Signature
___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
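
A build-time check for the point made in the message above, as an added example that is not part of the original thread or of OpenWrt's build system. It scans a staged root directory for sensitive files that carry any group/other permission bit; the name patterns are an assumed list taken from the files the thread mentions, and GNU find's `-perm /MODE` syntax (the same form the patch uses) is assumed.

```shell
#!/bin/sh
# Added example: audit a staged root filesystem before the image is made,
# because a wrong mode baked into the read-only image cannot be fixed later.
# Assumption: the name patterns are illustrative (shadow, ssh_host* private
# keys, authorized_keys, *.key, .ssh directories); extend them as needed.

# audit_sensitive_perms ROOT
# Lists every sensitive file or .ssh directory under ROOT that has any
# group/other permission bit set (mask 077).
# Returns 0 when nothing is exposed, 1 otherwise.
audit_sensitive_perms() {
    root=$1
    exposed=$(
        find "$root" \
            \( -type f \( -name 'shadow' \
                          -o -name 'ssh_host*' ! -name '*.pub' \
                          -o -name 'authorized_keys' \
                          -o -name '*.key' \) \
               -o -type d -name '.ssh' \) \
            -perm /077 -print
    )
    if [ -n "$exposed" ]; then
        printf 'exposed to group/other:\n%s\n' "$exposed" >&2
        return 1
    fi
    return 0
}

# Stand-alone use: pass the staged root directory as the first argument.
if [ $# -gt 0 ]; then
    audit_sensitive_perms "$1"
fi
```
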


Re: [OpenWrt-Devel] Extra file permissions

2015-10-27 Thread Bastian Bittorf
* David H. Madden  [27.10.2015 08:16]:
> I have been adding ssh authorized_keys files to my OpenWRT devices,
> and would like to have them built into the sysupgrade image, rather
> than adding to /overlay afterward.  However, the process that copies
> files from .../files to the final image resets permissions to
> u+rw,g+r,o+r, which wrecks the 700 permission for ~root/.ssh.  I
> modified include/image.mk to not do the permission "fixing."  This

IMHO it is better to explicitly set 0700 for the SSH stuff?
so the user can just copy the files without tweaking the bits.

bye, bastian


[OpenWrt-Devel] Extra file permissions

2015-10-26 Thread David H. Madden
I have been adding ssh authorized_keys files to my OpenWRT devices, and 
would like to have them built into the sysupgrade image, rather than 
adding to /overlay afterward.  However, the process that copies files 
from .../files to the final image resets permissions to u+rw,g+r,o+r, 
which wrecks the 700 permission for ~root/.ssh.  I modified 
include/image.mk to not do the permission "fixing."  This works OK for 
me, but I don't know whether it would break things for anybody else.  (I 
think I tested to see whether anything was actually having its 
permissions changed, but I don't remember the exact results.  I 
definitely didn't see anything that looked problematic.)


Here is the patch:

diff --git a/include/image.mk b/include/image.mk
index a92b13e..c22e287 100644
--- a/include/image.mk
+++ b/include/image.mk
@@ -243,10 +243,7 @@ define Image/mkfs/ext4
 endef

 define Image/mkfs/prepare/default
-   # Use symbolic permissions to avoid clobbering SUID/SGID/sticky bits
-   - $(FIND) $(TARGET_DIR) -type f -not -perm /0100 -not -name 
'ssh_host*' -not -name 'shadow' -print0 | $(XARGS) -0 chmod u+rw,g+r,o+r
-   - $(FIND) $(TARGET_DIR) -type f -perm /0100 -print0 | $(XARGS) 
-0 chmod u+rwx,g+rx,o+rx
-   - $(FIND) $(TARGET_DIR) -type d -print0 | $(XARGS) -0 chmod 
u+rwx,g+rx,o+rx
+   # We used to do something like "chmod -R go+rX" but it wasn't 
necessary

$(INSTALL_DIR) $(TARGET_DIR)/tmp $(TARGET_DIR)/overlay
chmod 1777 $(TARGET_DIR)/tmp
 endef
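
Review bot: In Image/mkfs/prepare/default the three removed find | chmod lines ran over all of $(TARGET_DIR), so deleting them stops permission normalization for every file and directory in the image, not only the extra files copied from .../files; whatever modes the staging tree happens to have now ship as-is. Consider keeping the normalization and widening the existing -not -name exclusions, or say explicitly in the commit message that staged modes are preserved verbatim and must be correct before the image is made. The replacement comment also refers to "chmod -R go+rX", which is not what the removed lines did (they added u+rw,g+r,o+r or u+rwx,g+rx,o+rx), and "wasn't necessary" gives no reason; a comment stating that permissions under $(TARGET_DIR) are intentionally left untouched would document the new behaviour better.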



