Demi Marie Obenour writes: > Enforce that anything under /var or /etc is 0755 for directories and > executable files and 0644 for anything else. Enforce that anything else > is 0555 for directories and executable files and 0444 for anything else. > This avoids depending on factors that may depend on the build > environment, such as the user's umask. > diff --git a/scripts/make-erofs.sh b/scripts/make-erofs.sh > index 66abd1f388524c19cd3a1113415892d0d72e3f82..d566a4ac7b30f55338fe9b8b6a94702686f6ddd1 100755 > --- a/scripts/make-erofs.sh > +++ b/scripts/make-erofs.sh > @@ -95,4 +95,25 @@ while read -r arg1; do > cp -RT -- "$arg1" "$root/$arg2" > done > > +# Ensure that the permissions in the image are independent > +# of those in the git repository or Nix store, except for > +# the executable bit. In particular, the mode of those > +# outside the Nix store might depend on the user's umask. > +# While the image itself is strictly read-only, it makes > +# sense to populate an overlayfs over /etc and /var, and > +# this overlayfs should be writable by root and readable > +# by all users. The remaining paths should not be writable > +# by anyone, but should be world-readable. So I get why, given the overlayfs idea, it's important for /etc and /var to not be user-writeable, but what I don't understand is: why aren't we checking permissions for other directories, like /bin or /lib? > +find "$root" \ > + -path "$root/nix/store" -prune -o \ > + -path "$root/etc" -prune -o \ > + -path "$root/var" -prune -o \ > + -type l -o \ > + -type d -a -perm 0555 -o \ > + -type f -a -perm 0444 -o \ > + -execdir chmod ugo-w,ugo+rX -- '{}' + > +find "$root/etc" "$root/var" ! -type l -execdir chmod u+w,go-w,ugo+rX -- '{}' + > +chmod 0755 "$root" > + > +# Make the erofs image. > mkfs.erofs -x-1 -b4096 --all-root "$@" "$root" > > -- > 2.51.0
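Review bot: The symbolic modes `ugo-w,ugo+rX` and `u+w,go-w,ugo+rX` leave setuid, setgid and sticky bits untouched, and the `-perm 0555` / `-perm 0444` tests only skip entries that already match exactly, so a file that is 4755 in the source tree ends up 4555 rather than the 0555 the commit message promises. Either strip those bits in the same pass (e.g. `chmod u-s,g-s,o-t,ugo-w,ugo+rX`, with the same prefix in the second `find`) or select absolute modes (`0555`/`0444`, `0755`/`0644`) by `-type d` and `-perm /111` branches. Two smaller points: `chmod 0755 "$root"` gives the image root a mode the commit message does not mention (it states everything outside /etc and /var is 0555), so document that exception; and `find "$root/etc" "$root/var"` errors out if either directory is absent from the tree, which aborts the build if the script runs with `set -e`, so test for their existence before the second `find`.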