On 9/8/25 04:46, Alyssa Ross wrote:
> Demi Marie Obenour writes:
>
>> Enforce that anything under /var or /etc is 0755 for directories and
>> executable files and 0644 for anything else. Enforce that anything else
>> is 0555 for directories and executable files and 0444 for anything else.
>> This avoids depending on factors that may depend on the build
>> environment, such as the user's umask.
>
>> diff --git a/scripts/make-erofs.sh b/scripts/make-erofs.sh
>> index 66abd1f388524c19cd3a1113415892d0d72e3f82..d566a4ac7b30f55338fe9b8b6a94702686f6ddd1 100755
>> --- a/scripts/make-erofs.sh
>> +++ b/scripts/make-erofs.sh
>> @@ -95,4 +95,25 @@ while read -r arg1; do >> cp -RT -- "$arg1" "$root/$arg2" >> done >> >> +# Ensure that the permissions in the image are independent >> +# of those in the git repository or Nix store, except for >> +# the executable bit. In particular, the mode of those >> +# outside the Nix store might depend on the user's umask. >> +# While the image itself is strictly read-only, it makes >> +# sense to populate an overlayfs over /etc and /var, and >> +# this overlayfs should be writable by root and readable >> +# by all users. The remaining paths should not be writable >> +# by anyone, but should be world-readable. > > So I get why, given the overlayfs idea, it's important for /etc and /var > to not be user-writeable, but what I don't understand is: why aren't we > checking permissions for other directories, like /bin or /lib? Other way around: /etc, /var, and /nix/store are skipped (via -prune -o) and the rest are checked. >> +find "$root" \ >> + -path "$root/nix/store" -prune -o \ >> + -path "$root/etc" -prune -o \ >> + -path "$root/var" -prune -o \ >> + -type l -o \ >> + -type d -a -perm 0555 -o \ >> + -type f -a -perm 0444 -o \ >> + -execdir chmod ugo-w,ugo+rX -- '{}' + >> +find "$root/etc" "$root/var" ! -type l -execdir chmod u+w,go-w,ugo+rX -- '{}' + >> +chmod 0755 "$root" >> + >> +# Make the erofs image. >> mkfs.erofs -x-1 -b4096 --all-root "$@" "$root" >> >> -- >> 2.51.0 -- Sincerely, Demi Marie Obenour (she/her/hers)
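Review bot: the `-path "$root/nix/store" -prune -o` branch in the first find makes `-prune` succeed for the store directory, so the whole `-o` chain is true for it and `chmod` never runs on `$root/nix/store` itself (its parent `$root/nix` is normalised, its contents are skipped by design); the store directory's mode therefore still comes from whatever created it in the build environment, which is exactly what the commit message sets out to avoid. Add an explicit `chmod 0555 "$root/nix/store"` beside the trailing `chmod 0755 "$root"`, or prune on the store's children rather than on the directory. Two smaller points in the same hunk: symbolic modes such as `ugo-w,ugo+rX` and `u+w,go-w,ugo+rX` do not clear setuid, setgid or sticky bits, so a file that arrives as 4755 leaves as 4555 rather than the 0555 the commit message promises (and, failing the exact `-perm 0555` test, is re-chmodded on every run); either append `u-s,g-s,o-t` or use absolute modes if the exact modes are the contract. And the comment's "independent of those in the git repository or Nix store" reads oddly next to a find that prunes `/nix/store`; it would be clearer to say that store paths are copied as-is and only paths outside the store are normalised.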
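The two find passes quoted above, as an added example that is not part of the patch or of the project's scripts: it wraps the normalisation in a function, runs it over a constructed scratch tree whose modes were set deliberately wrong, and checks each class of path the `-o` chain distinguishes, including that the pruned `/nix/store` directory itself and everything under it are left exactly as found. It assumes a POSIX shell with `find -exec ... {} +`, `find -maxdepth`, and `mktemp -d`, and uses `-exec` in place of the patch's `-execdir`, which does not change which paths get touched here.

```shell
#!/bin/sh
# Added example, not the project's code: exercise the patch's two find/chmod
# passes on a scratch tree and verify the resulting modes. Uses -exec rather
# than -execdir (same set of paths is touched) and never looks at a real image.
set -eu

# The normalisation from the patch, parameterised on the tree root.
normalize_modes() {
    root=$1
    find "$root" \
        -path "$root/nix/store" -prune -o \
        -path "$root/etc" -prune -o \
        -path "$root/var" -prune -o \
        -type l -o \
        -type d -a -perm 0555 -o \
        -type f -a -perm 0444 -o \
        -exec chmod ugo-w,ugo+rX -- '{}' +
    find "$root/etc" "$root/var" ! -type l -exec chmod u+w,go-w,ugo+rX -- '{}' +
    chmod 0755 "$root"
}

# True if $1 has exactly the octal mode $2 (find -perm without +/- is exact).
has_mode() {
    find "$1" -maxdepth 0 -perm "$2" -print | grep -q .
}

# Constructed tree: every mode is set explicitly so the starting point does
# not depend on the caller's umask; each entry exercises one find branch.
make_tree() {
    root=$1
    mkdir -p "$root/bin" "$root/etc/ssl" "$root/var/lib" "$root/nix/store/abc" "$root/usr/lib"
    printf '#!/bin/sh\n' >"$root/bin/tool";  chmod 0777 "$root/bin/tool"          # executable, world-writable
    printf 'x' >"$root/usr/lib/data";         chmod 0666 "$root/usr/lib/data"      # plain file, world-writable
    chmod 0700 "$root/usr/lib"                                                      # directory as left by umask 077
    printf 'x' >"$root/etc/ssl/conf";         chmod 0600 "$root/etc/ssl/conf"      # /etc file unreadable by users
    chmod 0777 "$root/var/lib"                                                      # world-writable /var directory
    printf 'x' >"$root/nix/store/abc/keep";   chmod 0666 "$root/nix/store/abc/keep" # inside the pruned store
    chmod 0777 "$root/nix/store"                                                    # the pruned directory itself
    ln -s /nonexistent "$root/bin/link"                                             # dangling symlink, must be skipped
}

# Build, normalise, check. Returns 0 when every expectation holds, 1 otherwise.
check_normalization() {
    tmp=$(mktemp -d)
    root=$tmp/root
    make_tree "$root"
    normalize_modes "$root"
    ok=0
    has_mode "$root"                    0755 || ok=1   # image root set explicitly
    has_mode "$root/bin/tool"           0555 || ok=1   # executable outside /etc,/var: r-x only
    has_mode "$root/usr/lib/data"       0444 || ok=1   # plain file: read-only for everyone
    has_mode "$root/usr/lib"            0555 || ok=1   # directory: X adds search, -w removes write
    has_mode "$root/etc/ssl/conf"       0644 || ok=1   # /etc: root-writable, world-readable
    has_mode "$root/var/lib"            0755 || ok=1   # /var directory: root-writable only
    has_mode "$root/nix/store/abc/keep" 0666 || ok=1   # store contents untouched (pruned)
    has_mode "$root/nix/store"          0777 || ok=1   # store directory itself untouched (pruned)
    [ -L "$root/bin/link" ]                  || ok=1   # symlink skipped by -type l, still present
    rm -rf "$tmp"
    return $ok
}

if check_normalization; then
    echo "normalisation behaves as expected"
else
    echo "mode mismatch"
fi
```

The last two checks are the ones worth staring at: the exact `-perm` tests and the `-prune` short-circuit mean nothing inside or at `/nix/store` is ever rewritten, so that subtree's modes are whatever the build produced.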