[OpenWrt-Devel] Extra file permissions
David Madden
dhm at mersenne.com
Tue Nov 3 11:47:23 EST 2015
[Sorry for the delay---I missed your reply]
>>> On Tue Oct 27 09:15:53 CET 2015, Bastian Bittorf wrote:
> IMHO it is better to explicitely set 0700 for the SSH stuff?
> so the user can just copy the files without tweaking the bits.
That's sort of what used to happen -- the permission fix would exclude
files named "ssh_host*" and "shadow," and afterward it set /tmp to 1777.
The problem is that if you want specific permissions for a specific
extra file, you have to fiddle with .../include/image.mk before the
image is made so that the general permission fixing leaves those files
alone.
I think it's easier just to leave the user's extra-file permissions
alone. If there's nothing special on a file (i.e., -rw-rw-r--) then
it'll get copied in with reasonable values. But for some files, it's
really important NOT to add read or execute permissions. /etc/shadow is
an obvious one, but I also build images with HTTPS certificates and
keys. The machine.key file MUST be -r-------- or the key will be public.
Further, imagine that you build the image normally and the key file gets
installed as -rw-rw-r-- (on /rom). Then you go in and change the
permission, so the file gets copied to /overlay/upper/etc/httpd.key with
the desired permissions.
The key file is _still_ _accessible_ under /rom/etc/httpd.key with the
old permissions. So it doesn't even help to change the permission on
the target machine after installation.
If you want to have keys (and other security-sensitive items) built into
the sysimage, the permissions must be set the right way at build time.
Regards,
--
Mersenne Law LLP · www.mersenne.com · +1-503-679-1671
- Small Business, Startup and Intellectual Property Law -
9600 S.W. Oak Street · Suite 500 · Tigard, Oregon 97223
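As an added example (not part of this mail and not OpenWrt's own build code), the following POSIX shell script audits a root filesystem tree for secret-bearing files that are readable by group or other, and can strip those bits before the image is packed. It is meant to be pointed at the staged rootfs directory before the image is built, or at /rom on an installed device, since a chmod on the live root only writes a copy into the overlay and leaves the /rom copy untouched, as the mail describes. The list of file-name patterns, the script name `audit_perms.sh`, and the sample tree it constructs are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the mail or OpenWrt): audit a root filesystem tree
# for secret-bearing files that are readable by group or other, and strip
# those bits. Point it at the staged rootfs before the image is built, or at
# /rom on an installed device, since a chmod on the live root only writes a
# copy to the overlay and leaves the /rom copy with the old mode.

# find_leaky ROOT: print files that should be owner-only but have a group-read
# or other-read bit set. The name list is an assumption; extend it for your
# image. "-perm -040" / "-perm -004" are plain POSIX find (no GNU "/" syntax).
find_leaky() {
    find "$1" -type f \
        \( -name shadow -o -name '*.key' -o -name '*.pem' -o -name 'ssh_host_*' \) \
        \( -perm -040 -o -perm -004 \) -print
}

# check_rootfs ROOT: print "<mode> <path relative to ROOT>" for each offender.
# Returns 0 when the tree is clean, 1 when anything leaks.
check_rootfs() {
    root="$1"
    offenders=$(find_leaky "$root")
    [ -z "$offenders" ] && return 0
    printf '%s\n' "$offenders" | while IFS= read -r f; do
        printf '%s %s\n' "$(ls -ld "$f" | cut -c1-10)" "${f#"$root"}"
    done
    return 1
}

# harden_rootfs ROOT: remove group/other bits from every offender so the
# image is built with the right modes instead of relying on a later chmod.
harden_rootfs() {
    find_leaky "$1" | while IFS= read -r f; do
        chmod go-rwx "$f"
    done
}

# make_sample_rootfs: build a constructed tree that reproduces the mistake
# in the mail (an HTTPS key staged as -rw-rw-r--). Prints the directory path.
make_sample_rootfs() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/ssh"
    printf 'root:*:0:0:99999:7:::\n' > "$d/etc/shadow"
    printf 'constructed placeholder, not a real key\n' > "$d/etc/httpd.key"
    printf 'constructed placeholder, not a real key\n' > "$d/etc/ssh/ssh_host_rsa_key"
    printf 'constructed placeholder certificate\n' > "$d/etc/httpd.crt"
    chmod 0600 "$d/etc/shadow"                 # correct already
    chmod 0664 "$d/etc/httpd.key"              # the mistake: key readable by all
    chmod 0644 "$d/etc/ssh/ssh_host_rsa_key"   # also leaks
    chmod 0644 "$d/etc/httpd.crt"              # certificates are public; fine
    printf '%s\n' "$d"
}

# When run with a path argument, audit that tree and exit non-zero on leaks.
if [ "$#" -gt 0 ]; then
    check_rootfs "$1"
fi
```

Run it as `sh audit_perms.sh path/to/staged/rootfs` from the build host before the image is generated, and again as `sh audit_perms.sh /rom` on a flashed device to confirm the read-only copy is clean; a non-zero exit with a listing means a key or shadow file would ship world-readable.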