From: Demi Marie Obenour <demiobenour@gmail.com>
To: Spectrum OS Development <devel@spectrum-os.org>
Cc: Alyssa Ross <hi@alyssa.is>
Subject: [PATCH v7 1/2] img/app: Create needed directories in early boot
Date: Mon, 28 Jul 2025 02:01:39 -0400 [thread overview]
Message-ID: <b4af3cde-6977-414c-894f-f74787f1ce00@gmail.com> (raw)
In-Reply-To: <263f81f2-9e86-4bb1-be80-41f7731a9a63@gmail.com>
This moves various calls to mkdir(1) to very early boot, before any
services are running. This has two advantages:
1. These directories are guaranteed to exist. Code can just assume that
they are there without checking for them.
2. Malicious code running as an unprivileged user cannot create
directories under /tmp before legitimate code has done so.
The following directories are created under /tmp:
- /tmp/.font-unix (used by obsolete X Font Server) is created with mode
0000.
- The directories used by X11 are created with 1700 permissions:
- /tmp/.X11-unix (X server)
- /tmp/.ICE-unix (Inter-Client Exchange)
- /tmp/.XIM-unix (X Input Methods)
- $XDG_RUNTIME_DIR (/run/user/0) is created with 0700 permissions, as
expected by the XDG specification.
The copyright notice for directory creation is not kept because making
one directories with well-known names and permissions is not
copyrightable and the code has been rewritten.
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
---
Changes since v6:
- Add missing S-o-b
- Add comments explaining why each directory needs to be created.
- Fix spelling errors in commit messages.
Changes since v5:
- Remove "directories" service in favor of creating the directories from
rc.init.
---
img/app/etc/s6-linux-init/scripts/rc.init | 13 +++++++++++++
img/app/etc/s6-rc/wayland-proxy-virtwl/run | 10 ----------
2 files changed, 13 insertions(+), 10 deletions(-)
diff --git a/img/app/etc/s6-linux-init/scripts/rc.init b/img/app/etc/s6-linux-init/scripts/rc.init
index c5a59245ff3761e94acb974edde967806fb3b234..7744286d0282bb8e0cc40973c6a6eae4c9401630 100755
--- a/img/app/etc/s6-linux-init/scripts/rc.init
+++ b/img/app/etc/s6-linux-init/scripts/rc.init
@@ -1,10 +1,23 @@
#!/bin/execlineb -P
# SPDX-License-Identifier: EUPL-1.2+
# SPDX-FileCopyrightText: 2020-2022 Alyssa Ross <hi@alyssa.is>
+# SPDX-FileCopyrightText: 2025 Demi Marie Obenour <demiobenour@gmail.com>
if { s6-rc-init -c /etc/s6-rc /run/service }
if { modprobe overlay }
if { mount -a --mkdir }
+# X Font Server is obsolete
+if { mkdir -m 0000 /tmp/.font-unix }
+
+# /tmp/.X11-unix: X11 server
+# /tmp/.ICE-unix: X11 Inter-Client Exchange
+# /tmp/.XIM-unix: X11 input methods
+# Some documentation states sticky bit is required.
+if { mkdir -m 1700 /tmp/.X11-unix /tmp/.ICE-unix /tmp/.XIM-unix }
+
+# /run/user/0: "$XDG_RUNTIME_DIR"
+if { mkdir -m 0700 /run/user/0 }
+
s6-rc change ok-all
diff --git a/img/app/etc/s6-rc/wayland-proxy-virtwl/run b/img/app/etc/s6-rc/wayland-proxy-virtwl/run
index 0715d912953c8a1d326059dfd37c29799fcbb053..c1e0e088c789ab8c5fde7e50c9f4b856fff0e477 100755
--- a/img/app/etc/s6-rc/wayland-proxy-virtwl/run
+++ b/img/app/etc/s6-rc/wayland-proxy-virtwl/run
@@ -1,16 +1,6 @@
#!/bin/execlineb -P
# SPDX-License-Identifier: EUPL-1.2+
# SPDX-FileCopyrightText: 2023-2024 Alyssa Ross <hi@alyssa.is>
-#
-# Directory creation (if it's copyrightable):
-# SPDX-License-Identifier: MIT
-# SPDX-FileCopyrightText: 2022 Unikie
-
-foreground { mkdir /tmp/.X11-unix }
-foreground {
- umask 077
- mkdir /run/user/0
-}
s6-ipcserver-socketbinder -B /run/user/0/wayland-0
fdmove -c 3 0
base-commit: 560fd878ba1bbd8df0fe28488e72948f28940948
--
Sincerely,
Demi Marie Obenour (she/her/hers)
next prev parent reply other threads:[~2025-07-28 6:01 UTC|newest]
Thread overview: 81+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-07-11 2:44 [PATCH v3] Run PipeWire and WirePlumber in the VMs Demi Marie Obenour
2025-07-14 14:54 ` Alyssa Ross
2025-07-15 20:22 ` Demi Marie Obenour
2025-07-16 10:26 ` Alyssa Ross
2025-07-16 21:16 ` Demi Marie Obenour
2025-07-16 21:27 ` Demi Marie Obenour
2025-07-18 12:16 ` Alyssa Ross
2025-07-17 5:53 ` Demi Marie Obenour
2025-07-18 10:02 ` Alyssa Ross
2025-07-18 10:19 ` Alyssa Ross
2025-07-18 2:07 ` [PATCH v4 0/3] Sound support in Spectrum VMs Demi Marie Obenour
2025-07-18 2:13 ` [PATCH v4 1/3] Rebuild the root filesystem when the makefile changes Demi Marie Obenour
2025-07-18 11:14 ` Alyssa Ross
2025-07-18 2:13 ` [PATCH v4 2/3] Fix permissions on /tmp Demi Marie Obenour
2025-07-18 11:51 ` Alyssa Ross
2025-07-18 11:51 ` Alyssa Ross
2025-07-18 11:53 ` Alyssa Ross
2025-07-18 2:14 ` [PATCH v4 3/3] Run PipeWire and WirePlumber in the VMs Demi Marie Obenour
2025-07-18 11:27 ` Alyssa Ross
2025-07-18 17:59 ` Demi Marie Obenour
2025-07-19 9:22 ` Alyssa Ross
2025-07-19 20:05 ` Demi Marie Obenour
2025-07-19 8:06 ` Alyssa Ross
2025-07-19 20:03 ` Demi Marie Obenour
2025-07-19 20:07 ` Demi Marie Obenour
2025-07-20 7:50 ` Alyssa Ross
2025-07-20 17:58 ` [PATCH v5 0/8] Sound support in Spectrum VMs Demi Marie Obenour
2025-07-20 18:02 ` [PATCH v5 1/8] Revert "img/app: fix permissions on /tmp" Demi Marie Obenour
2025-07-21 9:34 ` Alyssa Ross
2025-07-20 18:03 ` [PATCH v5 2/8] img/app: Use separate service to create directories Demi Marie Obenour
2025-07-21 9:21 ` Alyssa Ross
2025-07-22 23:48 ` Demi Marie Obenour
2025-07-20 18:04 ` [PATCH v5 3/8] img/app: Fix permissions of /tmp/.X11-unix Demi Marie Obenour
2025-07-20 18:05 ` [PATCH v5 4/8] img/app: Create other X11 directories Demi Marie Obenour
2025-07-21 9:23 ` Alyssa Ross
2025-07-21 19:03 ` Demi Marie Obenour
2025-07-20 18:06 ` [PATCH v5 5/8] img/app: Be explicit about directory modes Demi Marie Obenour
2025-07-20 18:08 ` [PATCH v5 6/8] img/app: create /run/user and /run/wait very early in boot Demi Marie Obenour
2025-07-21 9:23 ` Alyssa Ross
2025-07-20 18:10 ` [PATCH v5 7/8] host/rootfs: " Demi Marie Obenour
2025-07-20 18:11 ` [PATCH v5 8/8] img/app: Run PipeWire and WirePlumber in the VMs Demi Marie Obenour
2025-07-21 9:42 ` Alyssa Ross
2025-07-21 19:09 ` Demi Marie Obenour
2025-07-26 10:11 ` Alyssa Ross
2025-07-21 19:10 ` Demi Marie Obenour
2025-07-24 22:15 ` [PATCH v6 0/5] Sound support in Spectrum VMs Demi Marie Obenour
2025-07-24 22:30 ` [PATCH v6 1/5] host/rootfs: Create /run/user and /run/wait via run-image Demi Marie Obenour
2025-07-26 10:46 ` Alyssa Ross
2025-07-24 22:32 ` [PATCH v6 2/5] img/app: " Demi Marie Obenour
2025-07-24 22:33 ` [PATCH v6 3/5] img/app: tell mount(8) to create directories Demi Marie Obenour
2025-07-26 11:20 ` Alyssa Ross
2025-07-26 11:26 ` Alyssa Ross
2025-07-24 22:35 ` [PATCH v6 4/5] img/app: Create needed directories in early boot Demi Marie Obenour
2025-07-26 10:24 ` Alyssa Ross
2025-07-27 20:13 ` Demi Marie Obenour
2025-07-24 22:36 ` [PATCH v6 5/5] img/app: Run PipeWire and WirePlumber in the VMs Demi Marie Obenour
2025-07-26 11:29 ` Alyssa Ross
2025-07-26 10:57 ` [PATCH v6 0/5] Sound support in Spectrum VMs Alyssa Ross
2025-07-28 5:57 ` [PATCH v7 0/2] " Demi Marie Obenour
2025-07-28 6:01 ` Demi Marie Obenour [this message]
2025-07-28 6:03 ` [PATCH v7 2/2] img/app: Run PipeWire and WirePlumber in the VMs Demi Marie Obenour
2025-07-28 6:18 ` Demi Marie Obenour
2025-07-28 23:13 ` [PATCH v8 0/2] Sound support in Spectrum VMs Demi Marie Obenour
2025-07-29 0:32 ` [PATCH v9 " Demi Marie Obenour
2025-07-29 0:33 ` [PATCH v9 1/2] img/app: Create needed directories in early boot Demi Marie Obenour
2025-07-29 12:44 ` Alyssa Ross
2025-07-29 0:33 ` [PATCH v9 2/2] img/app: Run PipeWire and WirePlumber in the VMs Demi Marie Obenour
2025-07-29 13:08 ` Alyssa Ross
2025-07-29 21:17 ` Demi Marie Obenour
2025-07-30 8:10 ` Alyssa Ross
2025-07-30 9:59 ` [PATCH v10] " Demi Marie Obenour
2025-07-31 9:12 ` Alyssa Ross
2025-07-31 9:40 ` Alyssa Ross
2025-07-31 17:06 ` [PATCH v11] " Demi Marie Obenour
2025-08-01 17:53 ` Alyssa Ross
2025-08-02 7:54 ` Alyssa Ross
2025-07-28 23:13 ` [PATCH v8 1/2] img/app: Create needed directories in early boot Demi Marie Obenour
2025-07-28 23:19 ` Demi Marie Obenour
2025-07-28 23:13 ` [PATCH v8 2/2] img/app: Run PipeWire and WirePlumber in the VMs Demi Marie Obenour
2025-07-29 12:41 ` [PATCH v7 0/2] Sound support in Spectrum VMs Alyssa Ross
2025-07-24 22:23 ` [PATCH v6 1/5] host/rootfs: Create /run/user and /run/wait via run-image Demi Marie Obenour
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=b4af3cde-6977-414c-894f-f74787f1ce00@gmail.com \
--to=demiobenour@gmail.com \
--cc=devel@spectrum-os.org \
--cc=hi@alyssa.is \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://spectrum-os.org/git/crosvm
https://spectrum-os.org/git/doc
https://spectrum-os.org/git/mktuntap
https://spectrum-os.org/git/nixpkgs
https://spectrum-os.org/git/spectrum
https://spectrum-os.org/git/ucspi-vsock
https://spectrum-os.org/git/www
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).