Demi Marie Obenour writes: > Enforce that anything under /var or /etc is 0755 for directories and > executable files and 0644 for anything else. Enforce that anything else > is 0555 for directories and executable files and 0444 for anything else. > This avoids depending on factors that may depend on the build > environment, such as the user's umask. > > This requires that /var always exist, so add it to img/app/Makefile. > > Signed-off-by: Demi Marie Obenour > --- > host/rootfs/Makefile | 3 ++- > img/app/Makefile | 2 +- > scripts/make-erofs.sh | 21 +++++++++++++++++++++ > 3 files changed, 24 insertions(+), 2 deletions(-) This doesn't seem to have addressed the review comments from last time[1] — the special handling for directories that might want to use overlayfs in future is still there even though it's uncertain we'll ever do that, and so is -execdir. To save us both time, I've just gone ahead and made the changes, and pushed a simplified version of this. Thanks for fixing it — I'm glad I didn't have to work out that find command myself, and now we can move forward with running things as non-root. [1]: https://spectrum-os.org/lists/archives/spectrum-devel/877bxs570x.fsf@alyssa.is > diff --git a/host/rootfs/Makefile b/host/rootfs/Makefile > index aa45ca1d5c18d0dfb78d19267f263cc4222e8e84..ba1beddabb46afa6b20e66177107fbe6b6f42bd2 100644 > --- a/host/rootfs/Makefile > +++ b/host/rootfs/Makefile > @@ -40,7 +40,8 @@ DIRS = \ > ext \ > proc \ > run \ > - sys > + sys \ > + var > > FIFOS = etc/s6-linux-init/run-image/service/s6-svscan-log/fifo > > diff --git a/img/app/Makefile b/img/app/Makefile > index 981889ebe55d9ba03228977f3dc0ea3f26d5c4fb..2540075fbb2cdcbcde29853cb0ffe676de0b9063 100644 > --- a/img/app/Makefile > +++ b/img/app/Makefile > @@ -30,7 +30,7 @@ $(imgdir)/appvm/blk/root.img: ../../scripts/make-gpt.sh ../../scripts/sfdisk-fie > build/rootfs.erofs:root:5460386f-2203-4911-8694-91400125c604:root > mv $@.tmp $@ > > -DIRS = dev run proc sys tmp \ > +DIRS = dev run proc sys tmp var \ > etc/s6-linux-init/run-image/service \ > etc/s6-linux-init/run-image/user \ > etc/s6-linux-init/run-image/wait > diff --git a/scripts/make-erofs.sh b/scripts/make-erofs.sh > index ad04844387c880047a79f2f05e1e985d8bd4229c..5e283a380dbdae3dbfb83d43915e5015a2ae6f04 100755 > --- a/scripts/make-erofs.sh > +++ b/scripts/make-erofs.sh > @@ -68,4 +68,25 @@ while read -r arg1; do > cp -RT -- "$arg1" "$root/$arg2" > done > > +# Ensure that the permissions in the image are independent > +# of those in the git repository or Nix store, except for > +# the executable bit. In particular, the mode of those > +# outside the Nix store might depend on the user's umask. > +# While the image itself is strictly read-only, it makes > +# sense to populate an overlayfs over /etc and /var, and > +# this overlayfs should be writable by root and readable > +# by all users. The remaining paths should not be writable > +# by anyone, but should be world-readable. > +find "$root" \ > + -path "$root/nix/store" -prune -o \ > + -path "$root/etc" -prune -o \ > + -path "$root/var" -prune -o \ > + -type l -o \ > + -type d -a -perm 0555 -o \ > + -type f -a -perm 0444 -o \ > + -execdir chmod ugo-w,ugo+rX -- '{}' + > +find "$root/etc" "$root/var" ! -type l -execdir chmod u+w,go-w,ugo+rX -- '{}' + > +chmod 0755 "$root" > + > +# Make the erofs image. > mkfs.erofs -x-1 -b4096 --all-root "$@" "$root" > > --- > base-commit: c5d5786d3dc938af0b279c542d1e43bce381b4b9 > change-id: 20251021-fix-permissions-4549d0653368 > > -- > Sincerely, > Demi Marie Obenour (she/her/hers)