Removing writable permissions in squashfs images vs overlayfs
Phillip Lougher
phillip.lougher at gmail.com
Sun Oct 23 20:35:15 PDT 2022
On Thu, Oct 20, 2022 at 6:01 PM Peter Naulls <peter at chocky.org> wrote:
>
>
> Yes, I know. Bear with me. Laugh if you must.
>
> # ls -l /rom/
> ...
> drwxr-xr-x 4 root root 98 Oct 20 13:53 www
>
> I'd like to remove the writable bits from the squashfs image - /www is
> of particular concern because of security paranoia.
>
> Now I realize that:
>
> 1. This is contrary to the design and operation of overlayfs - it doesn't
> matter what you set the permissions to, overlayfs will make a copy and
> let you "write" anyway (correct me if I'm wrong here) and besides there's only
> root.
>
> 2. This is 100% security theater, but the optics have become important here.
>
> I don't see that mksquashfs has any options for removing these attributes.
> It is possible to set the permissions on files that end up in the rootfs
> before the image generation, but then you tend to run into permissions
> problems on the host build system when you do it again and it needs to clean
> things out.

On the contrary, this is fully supported by Mksquashfs using actions.

Actions are modelled on the find command, and allow one or more tests
to be performed on a file, and if the tests match, execute an action.

What you probably want is the following

% mksquashfs test test.sqsh -action "chmod(ugo-w)@perm(/ugo+w)"

"perm(/ugo+w)" is a test that matches on any file that has a writable
permission (either user, group or other).

"chmod(ugo-w)" is an action that removes the writable permission for
user, group and other.

So if any file has a writable permission it is removed before
generating the Squashfs filesystem.

Worked example

phillip@phoenix:/tmp$ ls -la test
total 12
drwxr-xr-x 3 phillip users 4096 Oct 24 03:37 .
drwxrwxrwt 11 root root 4096 Oct 24 04:17 ..
drwxrwxrwx 2 phillip users 4096 Oct 24 03:32 example_dir
-rw-rw-rw- 1 phillip users 0 Oct 24 03:32 example_file
-r--r--r-- 1 phillip users 0 Oct 24 03:37 not_writable

phillip@phoenix:/tmp$ mksquashfs test test.sqsh -action "chmod(ugo-w)@perm(/ugo+w)"

phillip@phoenix:/tmp$ unsquashfs -lls test.sqsh
dr-xr-xr-x phillip/users 74 2022-10-24 03:37 squashfs-root
dr-xr-xr-x phillip/users 3 2022-10-24 03:32 squashfs-root/example_dir
-r--r--r-- phillip/users 0 2022-10-24 03:32 squashfs-root/example_file
-r--r--r-- phillip/users 0 2022-10-24 03:37 squashfs-root/not_writable

If you only want the writable permission removed from directories, you
can test the file type in addition to the writable permissions, e.g.

% mksquashfs test test.sqsh -action "chmod(ugo-w)@perm(/ugo+w) && type(d)" -quiet -no-progress

Worked example

phillip@phoenix:/tmp$ ls -la test
total 12
drwxr-xr-x 3 phillip users 4096 Oct 24 03:37 .
drwxrwxrwt 11 root root 4096 Oct 24 04:22 ..
drwxrwxrwx 2 phillip users 4096 Oct 24 03:32 example_dir
-rw-rw-rw- 1 phillip users 0 Oct 24 03:32 example_file
-r--r--r-- 1 phillip users 0 Oct 24 03:37 not_writable

phillip@phoenix:/tmp$ mksquashfs test test.sqsh -action "chmod(ugo-w)@perm(/ugo+w) && type(d)" -quiet -no-progress

phillip@phoenix:/tmp$ unsquashfs -lls test.sqsh
dr-xr-xr-x phillip/users 74 2022-10-24 03:37 squashfs-root
dr-xr-xr-x phillip/users 3 2022-10-24 03:32 squashfs-root/example_dir
-rw-rw-rw- phillip/users 0 2022-10-24 03:32 squashfs-root/example_file
-r--r--r-- phillip/users 0 2022-10-24 03:37 squashfs-root/not_writable

More information on Mksquashfs actions is here

https://github.com/plougher/squashfs-tools/blob/master/ACTIONS-README

Please ask if you want more information.

Phillip
---
Squashfs author and maintainer.
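
A build-time check that the action had the intended effect, as an added example that is not part of the original message: it parses `unsquashfs -lls` output and fails if any entry still carries a write bit. The function names are hypothetical, and the two sample listings are the outputs shown in the worked examples above.

```shell
#!/bin/sh
# Added example (not from the thread): audit an `unsquashfs -lls` listing and
# report every entry that still has a write bit for user, group or other.

# Reads a listing on stdin, prints offending paths, returns 1 if any were found.
find_writable() {
    awk '
        # Listing lines start with a 10-character mode string. Symlinks ("l")
        # are skipped: their mode bits are not used for access checks on Linux.
        $1 !~ /^[-dbcps][-r][-w][-xsS][-r][-w][-xsS][-r][-w][-xtT]$/ { next }
        substr($1,3,1) == "w" || substr($1,6,1) == "w" || substr($1,9,1) == "w" {
            # The path is everything after the "YYYY-MM-DD HH:MM " timestamp.
            if (match($0, /[0-9]+-[0-9]+-[0-9]+ [0-9]+:[0-9]+ /))
                print substr($0, RSTART + RLENGTH)
            found = 1
        }
        END { exit (found ? 1 : 0) }
    '
}

# Hypothetical wrapper for a build script: audit a real image file.
audit_image() { unsquashfs -lls "$1" | find_writable; }

# Listing from the first worked example (write bits removed everywhere).
listing_all_stripped() {
    cat <<'EOF'
dr-xr-xr-x phillip/users 74 2022-10-24 03:37 squashfs-root
dr-xr-xr-x phillip/users 3 2022-10-24 03:32 squashfs-root/example_dir
-r--r--r-- phillip/users 0 2022-10-24 03:32 squashfs-root/example_file
-r--r--r-- phillip/users 0 2022-10-24 03:37 squashfs-root/not_writable
EOF
}

# Listing from the second worked example (type(d): regular files keep their bits).
listing_dirs_only() {
    cat <<'EOF'
dr-xr-xr-x phillip/users 74 2022-10-24 03:37 squashfs-root
dr-xr-xr-x phillip/users 3 2022-10-24 03:32 squashfs-root/example_dir
-rw-rw-rw- phillip/users 0 2022-10-24 03:32 squashfs-root/example_file
-r--r--r-- phillip/users 0 2022-10-24 03:37 squashfs-root/not_writable
EOF
}

# Demo over the embedded listings; offending paths are printed before the verdict.
for sample in listing_all_stripped listing_dirs_only; do
    if "$sample" | find_writable; then echo "$sample: clean"
    else echo "$sample: write bits remain"; fi
done
```

In a build script, `audit_image test.sqsh || exit 1` after the mksquashfs step stops the build when an entry slipped past the action.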