* [PATCH] scripts/make-erofs.sh: Standardize file modes in images
@ 2025-10-22 21:04 Demi Marie Obenour
From: Demi Marie Obenour @ 2025-10-22 21:04 UTC (permalink / raw)
To: Spectrum OS Development; +Cc: Alyssa Ross, Demi Marie Obenour
Enforce that anything under /var or /etc is 0755 for directories and
executable files and 0644 for anything else. Enforce that anything else
is 0555 for directories and executable files and 0444 for anything else.
This avoids depending on factors that may depend on the build
environment, such as the user's umask.

This requires that /var always exist, so add it to img/app/Makefile.

Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
---
host/rootfs/Makefile | 3 ++-
img/app/Makefile | 2 +-
scripts/make-erofs.sh | 21 +++++++++++++++++++++
3 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/host/rootfs/Makefile b/host/rootfs/Makefile
index aa45ca1d5c18d0dfb78d19267f263cc4222e8e84..ba1beddabb46afa6b20e66177107fbe6b6f42bd2 100644
--- a/host/rootfs/Makefile
+++ b/host/rootfs/Makefile
@@ -40,7 +40,8 @@ DIRS = \
ext \
proc \
run \
- sys
+ sys \
+ var
FIFOS = etc/s6-linux-init/run-image/service/s6-svscan-log/fifo
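Review bot: the commit message says only that /var is added to img/app/Makefile, but this hunk adds it to host/rootfs/Makefile too; please update the message to name both Makefiles, since both image roots must now contain /etc and /var for the `find "$root/etc" "$root/var"` pass in scripts/make-erofs.sh to succeed.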
diff --git a/img/app/Makefile b/img/app/Makefile
index 981889ebe55d9ba03228977f3dc0ea3f26d5c4fb..2540075fbb2cdcbcde29853cb0ffe676de0b9063 100644
--- a/img/app/Makefile
+++ b/img/app/Makefile
@@ -30,7 +30,7 @@ $(imgdir)/appvm/blk/root.img: ../../scripts/make-gpt.sh ../../scripts/sfdisk-fie
build/rootfs.erofs:root:5460386f-2203-4911-8694-91400125c604:root
mv $@.tmp $@
-DIRS = dev run proc sys tmp \
+DIRS = dev run proc sys tmp var \
etc/s6-linux-init/run-image/service \
etc/s6-linux-init/run-image/user \
etc/s6-linux-init/run-image/wait
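Review bot: the coupling between `var` in DIRS and the second `find` in scripts/make-erofs.sh is invisible from this file, so if `var` is ever dropped from DIRS again the build will fail with a bare "No such file or directory" from find rather than a message that explains why. Consider a one-line comment next to DIRS (e.g. "var is required by scripts/make-erofs.sh"), or alternatively have the script create /etc and /var itself before the chmod pass.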
diff --git a/scripts/make-erofs.sh b/scripts/make-erofs.sh
index ad04844387c880047a79f2f05e1e985d8bd4229c..5e283a380dbdae3dbfb83d43915e5015a2ae6f04 100755
--- a/scripts/make-erofs.sh
+++ b/scripts/make-erofs.sh
@@ -68,4 +68,25 @@ while read -r arg1; do
cp -RT -- "$arg1" "$root/$arg2"
done
+# Ensure that the permissions in the image are independent
+# of those in the git repository or Nix store, except for
+# the executable bit. In particular, the mode of those
+# outside the Nix store might depend on the user's umask.
+# While the image itself is strictly read-only, it makes
+# sense to populate an overlayfs over /etc and /var, and
+# this overlayfs should be writable by root and readable
+# by all users. The remaining paths should not be writable
+# by anyone, but should be world-readable.
+find "$root" \
+ -path "$root/nix/store" -prune -o \
+ -path "$root/etc" -prune -o \
+ -path "$root/var" -prune -o \
+ -type l -o \
+ -type d -a -perm 0555 -o \
+ -type f -a -perm 0444 -o \
+ -execdir chmod ugo-w,ugo+rX -- '{}' +
+find "$root/etc" "$root/var" ! -type l -execdir chmod u+w,go-w,ugo+rX -- '{}' +
+chmod 0755 "$root"
+
+# Make the erofs image.
mkfs.erofs -x-1 -b4096 --all-root "$@" "$root"
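Review bot: neither chmod invocation clears the setuid, setgid or sticky bits, so the modes are not actually pinned to 0755/0644/0555/0444 as the commit message states: a file that arrives as 4755 fails the `-perm 0444` shortcut, is passed to `chmod ugo-w,ugo+rX`, and comes out as 4555 with setuid intact. Use `ugo-wst,ugo+rX` in the first find and `u+w,go-w,ugo-st,ugo+rX` in the second (or drop the `-perm` shortcuts, which are only an optimisation, and let every entry go through chmod) so the result is independent of the input modes for all twelve bits. Excluding symlinks with `-type l` is correct and should stay, since chmod follows links and could otherwise modify targets outside `$root`. Minor: `-path` does glob matching, so a `$root` containing `*`, `?` or `[` would make the prune expressions misfire; worth a comment or a check if `$root` is not always a mktemp path.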
---
base-commit: c5d5786d3dc938af0b279c542d1e43bce381b4b9
change-id: 20251021-fix-permissions-4549d0653368
--
Sincerely,
Demi Marie Obenour (she/her/hers)
* Re: [PATCH] scripts/make-erofs.sh: Standardize file modes in images
@ 2025-10-25 11:47 ` Alyssa Ross
From: Alyssa Ross @ 2025-10-25 11:47 UTC (permalink / raw)
To: Demi Marie Obenour; +Cc: Spectrum OS Development
Demi Marie Obenour <demiobenour@gmail.com> writes:
> Enforce that anything under /var or /etc is 0755 for directories and
> executable files and 0644 for anything else. Enforce that anything else
> is 0555 for directories and executable files and 0444 for anything else.
> This avoids depending on factors that may depend on the build
> environment, such as the user's umask.
>
> This requires that /var always exist, so add it to img/app/Makefile.
>
> Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
> ---
> host/rootfs/Makefile | 3 ++-
> img/app/Makefile | 2 +-
> scripts/make-erofs.sh | 21 +++++++++++++++++++++
> 3 files changed, 24 insertions(+), 2 deletions(-)
This doesn't seem to have addressed the review comments from last
time[1] — the special handling for directories that might want to use
overlayfs in future is still there even though it's uncertain we'll ever
do that, and so is -execdir.

To save us both time, I've just gone ahead and made the changes, and
pushed a simplified version of this. Thanks for fixing it — I'm glad I
didn't have to work out that find command myself, and now we can move
forward with running things as non-root.
[1]: https://spectrum-os.org/lists/archives/spectrum-devel/877bxs570x.fsf@alyssa.is
> diff --git a/host/rootfs/Makefile b/host/rootfs/Makefile
> index aa45ca1d5c18d0dfb78d19267f263cc4222e8e84..ba1beddabb46afa6b20e66177107fbe6b6f42bd2 100644
> --- a/host/rootfs/Makefile
> +++ b/host/rootfs/Makefile
> @@ -40,7 +40,8 @@ DIRS = \
> ext \
> proc \
> run \
> - sys
> + sys \
> + var
>
> FIFOS = etc/s6-linux-init/run-image/service/s6-svscan-log/fifo
>
> diff --git a/img/app/Makefile b/img/app/Makefile
> index 981889ebe55d9ba03228977f3dc0ea3f26d5c4fb..2540075fbb2cdcbcde29853cb0ffe676de0b9063 100644
> --- a/img/app/Makefile
> +++ b/img/app/Makefile
> @@ -30,7 +30,7 @@ $(imgdir)/appvm/blk/root.img: ../../scripts/make-gpt.sh ../../scripts/sfdisk-fie
> build/rootfs.erofs:root:5460386f-2203-4911-8694-91400125c604:root
> mv $@.tmp $@
>
> -DIRS = dev run proc sys tmp \
> +DIRS = dev run proc sys tmp var \
> etc/s6-linux-init/run-image/service \
> etc/s6-linux-init/run-image/user \
> etc/s6-linux-init/run-image/wait
> diff --git a/scripts/make-erofs.sh b/scripts/make-erofs.sh
> index ad04844387c880047a79f2f05e1e985d8bd4229c..5e283a380dbdae3dbfb83d43915e5015a2ae6f04 100755
> --- a/scripts/make-erofs.sh
> +++ b/scripts/make-erofs.sh
> @@ -68,4 +68,25 @@ while read -r arg1; do
> cp -RT -- "$arg1" "$root/$arg2"
> done
>
> +# Ensure that the permissions in the image are independent
> +# of those in the git repository or Nix store, except for
> +# the executable bit. In particular, the mode of those
> +# outside the Nix store might depend on the user's umask.
> +# While the image itself is strictly read-only, it makes
> +# sense to populate an overlayfs over /etc and /var, and
> +# this overlayfs should be writable by root and readable
> +# by all users. The remaining paths should not be writable
> +# by anyone, but should be world-readable.
> +find "$root" \
> + -path "$root/nix/store" -prune -o \
> + -path "$root/etc" -prune -o \
> + -path "$root/var" -prune -o \
> + -type l -o \
> + -type d -a -perm 0555 -o \
> + -type f -a -perm 0444 -o \
> + -execdir chmod ugo-w,ugo+rX -- '{}' +
> +find "$root/etc" "$root/var" ! -type l -execdir chmod u+w,go-w,ugo+rX -- '{}' +
> +chmod 0755 "$root"
> +
> +# Make the erofs image.
> mkfs.erofs -x-1 -b4096 --all-root "$@" "$root"
>
> ---
> base-commit: c5d5786d3dc938af0b279c542d1e43bce381b4b9
> change-id: 20251021-fix-permissions-4549d0653368
>
> --
> Sincerely,
> Demi Marie Obenour (she/her/hers)