From: Demi Marie Obenour
Subject: [PATCH v7 1/2] img/app: Create needed directories in early boot
Date: Mon, 28 Jul 2025 02:01:39 -0400
To: Spectrum OS Development
Cc: Alyssa Ross
References: <263f81f2-9e86-4bb1-be80-41f7731a9a63@gmail.com>
In-Reply-To: <263f81f2-9e86-4bb1-be80-41f7731a9a63@gmail.com>

This moves various calls to mkdir(1) to very early boot, before any services are running. This has two advantages:

1. These directories are guaranteed to exist. Code can just assume that they are there without checking for them.
2. Malicious code running as an unprivileged user cannot create directories under /tmp before legitimate code has done so.

The following directories are created under /tmp:

- /tmp/.font-unix (used by obsolete X Font Server) is created with mode 0000.
- The directories used by X11 are created with 1700 permissions:
  - /tmp/.X11-unix (X server)
  - /tmp/.ICE-unix (Inter-Client Exchange)
  - /tmp/.XIM-unix (X Input Methods)
- $XDG_RUNTIME_DIR (/run/user/0) is created with 0700 permissions, as expected by the XDG specification.

The copyright notice for directory creation is not kept because making directories with well-known names and permissions is not copyrightable and the code has been rewritten.

Signed-off-by: Demi Marie Obenour
---
Changes since v6:

- Add missing S-o-b
- Add comments explaining why each directory needs to be created.
- Fix spelling errors in commit messages.

Changes since v5:

- Remove "directories" service in favor of creating the directories from rc.init.

--- img/app/etc/s6-linux-init/scripts/rc.init | 13 +++++++++++++ img/app/etc/s6-rc/wayland-proxy-virtwl/run | 10 ---------- 2 files changed, 13 insertions(+), 10 deletions(-) diff --git a/img/app/etc/s6-linux-init/scripts/rc.init b/img/app/etc/s6-linux-init/scripts/rc.init index c5a59245ff3761e94acb974edde967806fb3b234..7744286d0282bb8e0cc40973c6a6eae4c9401630 100755 --- a/img/app/etc/s6-linux-init/scripts/rc.init +++ b/img/app/etc/s6-linux-init/scripts/rc.init 
@@ -1,10 +1,23 @@ #!/bin/execlineb -P # SPDX-License-Identifier: EUPL-1.2+ # SPDX-FileCopyrightText: 2020-2022 Alyssa Ross +# SPDX-FileCopyrightText: 2025 Demi Marie Obenour if { s6-rc-init -c /etc/s6-rc /run/service } if { modprobe overlay } if { mount -a --mkdir } +# X Font Server is obsolete +if { mkdir -m 0000 /tmp/.font-unix } + +# /tmp/.X11-unix: X11 server +# /tmp/.ICE-unix: X11 Inter-Client Exchange +# /tmp/.XIM-unix: X11 input methods +# Some documentation states sticky bit is required. +if { mkdir -m 1700 /tmp/.X11-unix /tmp/.ICE-unix /tmp/.XIM-unix } + +# /run/user/0: "$XDG_RUNTIME_DIR" +if { mkdir -m 0700 /run/user/0 } + s6-rc change ok-all diff --git a/img/app/etc/s6-rc/wayland-proxy-virtwl/run b/img/app/etc/s6-rc/wayland-proxy-virtwl/run index 0715d912953c8a1d326059dfd37c29799fcbb053..c1e0e088c789ab8c5fde7e50c9f4b856fff0e477 100755 --- a/img/app/etc/s6-rc/wayland-proxy-virtwl/run +++ b/img/app/etc/s6-rc/wayland-proxy-virtwl/run @@ -1,16 +1,6 @@ #!/bin/execlineb -P # SPDX-License-Identifier: EUPL-1.2+ # SPDX-FileCopyrightText: 2023-2024 Alyssa Ross -# -# Directory creation (if it's copyrightable): -# SPDX-License-Identifier: MIT -# SPDX-FileCopyrightText: 2022 Unikie - -foreground { mkdir /tmp/.X11-unix } -foreground { - umask 077 - mkdir /run/user/0 -} s6-ipcserver-socketbinder -B /run/user/0/wayland-0 fdmove -c 3 0 base-commit: 560fd878ba1bbd8df0fe28488e72948f28940948 -- Sincerely, Demi Marie Obenour (she/her/hers)
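
Review bot: In the rc.init hunk, every new `mkdir` sits inside `if { ... }`, so any failure (the path already exists, or /run/user is absent because `mkdir -m 0700 /run/user/0` has no `-p`) stops the script before `s6-rc change ok-all` runs. Failing closed matches the stated goal of not trusting a pre-existing directory, but the script does not say so: please add a comment that the abort is intentional and note which earlier step guarantees /run/user exists. Two smaller points on the same hunk: the comment "Some documentation states sticky bit is required" should name the documentation, and since mode 1700 lets only the owner traverse these directories (the conventional mode for /tmp/.X11-unix is 1777), a short comment that all X11 clients here are expected to run as root would explain why the tighter mode is safe.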