[OpenWrt-Devel] Extra file permissions

David Madden dhm at mersenne.com
Tue Nov 3 11:47:23 EST 2015


[Sorry for the delay---I missed your reply]

>>> On Tue Oct 27 09:15:53 CET 2015, Bastian Bittorf wrote:
> IMHO it is better to explicitely set 0700 for the SSH stuff?
> so the user can just copy the files without tweaking the bits.

That's sort of what used to happen -- the permission fix would exclude
files named "ssh_host*" and "shadow," and afterward it set /tmp to 1777.

The problem is that if you want specific permissions for a specific
extra file, you have to fiddle with .../include/image.mk before the
image is made so that the general permission fixing leaves those files
alone.

I think it's easier just to leave the user's extra-file permissions
alone.  If there's nothing special on a file (i.e., -rw-rw-r--) then
it'll get copied in with reasonable values.  But for some files, it's
really important NOT to add read or execute permissions.  /etc/shadow is
an obvious one, but I also build images with HTTPS certificates and
keys.  The machine.key file MUST be -r-------- or the key will be public.

Further, imagine that you build the image normally and the key file gets
installed as -rw-rw-r-- (on /rom).  Then you go in and change the
permission, so the file gets copied to /overlay/upper/etc/httpd.key with
the desired permissions.

The key file is _still_ _accessible_ under /rom/etc/httpd.key with the
old permissions.  So it doesn't even help to change the permission on
the target machine after installation.

If you want to have keys (and other security-sensitive items) built into
the sysimage, the permissions must be set the right way at build time.

Regards,
-- 
Mersenne Law LLP  ·  www.mersenne.com  ·  +1-503-679-1671
- Small Business, Startup and Intellectual Property Law -
9600 S.W. Oak Street · Suite 500 · Tigard, Oregon  97223
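The point made in this message, that a chmod done on the running router only lands in the overlay while the original copy stays readable in the squashfs /rom, is easy to verify on a staged tree before the image is built. The script below is an added example, not code from the OpenWrt build system or from the author of the message. It assumes a GNU or busybox `stat -c %a`, whitespace-free paths, and a fixture layout (`rom/` and `overlay/upper/`) that is constructed here to mimic the two views of the root filesystem; the set of filename patterns treated as secrets (`shadow`, `ssh_host*_key`, `*.key`, `*.pem`) is an assumption, not an OpenWrt convention. `check_sensitive_perms` is the build-time audit; `fix_sensitive_perms` is one possible remediation (0600) for a build where the extra files were staged with loose permissions.

```shell
#!/bin/sh
# Added example: audit a staged root filesystem for secrets that would ship
# group- or world-readable in the read-only /rom of a sysupgrade image.
# Assumptions: GNU/busybox 'stat -c %a', paths without whitespace.

# Files treated as secrets (assumed patterns, not an OpenWrt convention).
find_secrets() {
    find "$1" -type f \( -name shadow -o -name 'ssh_host*_key' \
                         -o -name '*.key' -o -name '*.pem' \)
}

# Print "<mode> <path>" for every secret whose group/other bits are not all
# clear. Returns 1 if any such file exists, 0 otherwise.
check_sensitive_perms() {
    root=$1
    found=0
    for f in $(find_secrets "$root"); do
        mode=$(stat -c '%a' "$f")
        case "$mode" in
            0|*00) ;;                              # e.g. 400, 600, 700: fine
            *) printf '%s %s\n' "$mode" "${f#"$root"}"; found=1 ;;
        esac
    done
    return $found
}

# Remediation for a staging tree: force 0600 on every matched secret.
fix_sensitive_perms() {
    for f in $(find_secrets "$1"); do
        chmod 600 "$f"
    done
}

# Constructed fixture mimicking the two views of the root filesystem:
#   rom/           what the image build wrote (loose 0644 permissions)
#   overlay/upper/ the copy created by a chmod done on the running system
# The key material is placeholder text, not a real key.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/rom/etc/config" "$d/overlay/upper/etc"
    printf 'root:*:0:0:99999:7:::\n' > "$d/rom/etc/shadow"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'constructed placeholder' \
                  '-----END PRIVATE KEY-----' > "$d/rom/etc/httpd.key"
    printf 'config interface lan\n' > "$d/rom/etc/config/network"
    chmod 644 "$d/rom/etc/shadow" "$d/rom/etc/httpd.key" "$d/rom/etc/config/network"
    # Post-install chmod: only the overlay copy gets the tightened mode.
    cp "$d/rom/etc/httpd.key" "$d/overlay/upper/etc/httpd.key"
    chmod 600 "$d/overlay/upper/etc/httpd.key"
    echo "$d"
}

# usage: sh audit_secret_perms.sh <staging-root>    (audit a real tree)
#        sh audit_secret_perms.sh --demo             (run against the fixture)
case "${1-}" in
    --demo)
        d=$(make_fixture)
        echo "== rom (as built)";       check_sensitive_perms "$d/rom" || true
        echo "== overlay (after chmod)"; check_sensitive_perms "$d/overlay/upper" && echo "clean"
        rm -rf "$d" ;;
    "") ;;                      # no argument: define functions only
    *)  check_sensitive_perms "$1" ;;
esac
```

Run with `--demo` to see the report: the overlay copy passes, while `/rom/etc/shadow` and `/rom/etc/httpd.key` are still listed as 644. The audit is the control to wire into the build; whether you then tighten the bits with `fix_sensitive_perms` or, as the message argues, simply stage the extra files with the right mode in the first place, the check has to run before the squashfs is generated, because nothing done on the target can change what is in /rom.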
