Removing writable permissions in squashfs images vs overlayfs
Peter Naulls
peter at chocky.org
Thu Oct 20 09:59:21 PDT 2022
Yes, I know. Bear with me. Laugh if you must.
# ls -l /rom/
...
drwxr-xr-x 4 root root 98 Oct 20 13:53 www
I'd like to remove the writable bits from the squashfs image - /www is
particular concern because of security paranoia.
Now I realize that:
1. This is contrary to the design and operation of overlayfs - it doesn't
matter what you set the permissions to, overlayfs will make a copy and
let you "write" anyway (correct me if I'm wrong here) and besides there's only
root.
2. This is 100% security theater, but the optics have become important here.
I don't see that mksquashfs has any options for removing these attributes.
It is possible to set the permissions on files that end up in the rootfs
before the image generation, but then you tend to run into permissions
problems on the host build system when you do it again and it needs to clean
things out.
Open to suggestions.
More information about the openwrt-devel
mailing list