Re: [PATCH v6 4/5] img/app: Create needed directories in early boot

[Alyssa Ross <hi@alyssa.is>]

[-- Attachment #1: Type: text/plain, Size: 2234 bytes --]

Demi Marie Obenour <demiobenour@gmail.com> writes:

> This moves various calls to mkdir(1) to very early boot, before any
> services are running.  This has two advantages:
>
> 1. These directories are guaranteed to exist.  Code can just assume that
>    they are there without checking for them.
>
> 2. Malicious code running as an unprivileged user cannot create
>    directories under /tmp before legitimate code has done so.
>
> Also, it creates the various directories used by X11 with restrictive
> permissions to prevent untrusted code from writing to them, and sets up
> /run/user/0 to provide $XDG_RUNTIME_DIR.
>
> The copyright notice for directory creation is not kept because making
> four directories with well-known names and permissions is not
> copyrightable.

Missing S-o-b.

> ---
>  img/app/etc/s6-linux-init/scripts/rc.init  |  8 ++++++++
>  img/app/etc/s6-rc/wayland-proxy-virtwl/run | 10 ----------
>  2 files changed, 8 insertions(+), 10 deletions(-)
>
> diff --git a/img/app/etc/s6-linux-init/scripts/rc.init b/img/app/etc/s6-linux-init/scripts/rc.init
> index c5a59245ff3761e94acb974edde967806fb3b234..6f2db32935332793faf47e3c68e42b0afd537a2d 100755
> --- a/img/app/etc/s6-linux-init/scripts/rc.init
> +++ b/img/app/etc/s6-linux-init/scripts/rc.init
> @@ -7,4 +7,12 @@ if { s6-rc-init -c /etc/s6-rc /run/service }
>  if { modprobe overlay }
>  if { mount -a --mkdir }
>  
> +# /tmp/.*-unix are used by X11 and exist on my machine with 1777 permissions.
> +# Use mode 0755 because no other user needs access to them.

0755 gives read access to other things — that what we want?

> +# Also, I have seen some software use /tmp/user, so create it as well.
> +if { mkdir -m 0755 /tmp/user /tmp/.X11-unix /tmp/.ICE-unix /tmp/.XIM-unix /tmp/.font-unix }

In general I'd prefer to avoid having anything in the VMs where we don't
totally understand what it's for.  If we want to create these anyway
just to make sure something evil doesn't create them with the wrong
owner/permissions before we can, rather than because we know they do
something useful that we want, maybe we should create them 0000?  But
given that this is the guest, I'm not sure that's necessary…

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 227 bytes --]