Removing writable permissions in squashfs images vs overlayfs

Phillip Lougher phillip.lougher at gmail.com
Sun Oct 23 20:35:15 PDT 2022


On Thu, Oct 20, 2022 at 6:01 PM Peter Naulls <peter at chocky.org> wrote:
>
>
> Yes, I know. Bear with me. Laugh if you must.
>
> # ls -l /rom/
> ...
> drwxr-xr-x    4 root     root            98 Oct 20 13:53 www
>
> I'd like to remove the writable bits from the squashfs image - /www is a
> particular concern because of security paranoia.
>
> Now I realize that:
>
> 1. This is contrary to the design and operation of overlayfs - it doesn't
> matter what you set the permissions to, overlayfs will make a copy and
> let you "write" anyway (correct me if I'm wrong here) and besides there's only
> root.
>
> 2. This is 100% security theater, but the optics have become important here.
>
> I don't see that mksquashfs has any options for removing these attributes.
> It is possible to set the permissions on files that end up in the rootfs
> before the image generation, but then you tend to run into permissions
> problems on the host build system when you do it again and it needs to clean
> things out.

On the contrary, this is fully supported by Mksquashfs using actions.
Actions are modelled on the find command, and allow one or more tests
to be performed on a file, and if the tests match, execute an action.

What you probably want is the following

% mksquashfs test test.sqsh -action "chmod(ugo-w)@perm(/ugo+w)"

"perm(/ugo+w)" is a test that matches on any file that has a writable
permission (either user, group or other).

"chmod(ugo-w)" is an action that removes the writable permission for
user, group and other.

So if any file has a writable permission it is removed before
generating the Squashfs filesystem.

Worked example

phillip@phoenix:/tmp$ ls -la test
total 12
drwxr-xr-x  3 phillip users 4096 Oct 24 03:37 .
drwxrwxrwt 11 root    root  4096 Oct 24 04:17 ..
drwxrwxrwx  2 phillip users 4096 Oct 24 03:32 example_dir
-rw-rw-rw-  1 phillip users    0 Oct 24 03:32 example_file
-r--r--r--  1 phillip users    0 Oct 24 03:37 not_writable
phillip@phoenix:/tmp$ mksquashfs test test.sqsh -action "chmod(ugo-w)@perm(/ugo+w)"
phillip@phoenix:/tmp$ unsquashfs -lls test.sqsh
dr-xr-xr-x phillip/users            74 2022-10-24 03:37 squashfs-root
dr-xr-xr-x phillip/users             3 2022-10-24 03:32 squashfs-root/example_dir
-r--r--r-- phillip/users             0 2022-10-24 03:32 squashfs-root/example_file
-r--r--r-- phillip/users             0 2022-10-24 03:37 squashfs-root/not_writable

If you only want the writable permission removed from directories, you
can test the file type in addition to the writable permissions, e.g.

% mksquashfs test test.sqsh -action "chmod(ugo-w)@perm(/ugo+w) && type(d)" -quiet -no-progress

Worked example

phillip@phoenix:/tmp$ ls -la test
total 12
drwxr-xr-x  3 phillip users 4096 Oct 24 03:37 .
drwxrwxrwt 11 root    root  4096 Oct 24 04:22 ..
drwxrwxrwx  2 phillip users 4096 Oct 24 03:32 example_dir
-rw-rw-rw-  1 phillip users    0 Oct 24 03:32 example_file
-r--r--r--  1 phillip users    0 Oct 24 03:37 not_writable
phillip@phoenix:/tmp$ mksquashfs test test.sqsh -action "chmod(ugo-w)@perm(/ugo+w) && type(d)" -quiet -no-progress
phillip@phoenix:/tmp$ unsquashfs -lls test.sqsh
dr-xr-xr-x phillip/users            74 2022-10-24 03:37 squashfs-root
dr-xr-xr-x phillip/users             3 2022-10-24 03:32 squashfs-root/example_dir
-rw-rw-rw- phillip/users             0 2022-10-24 03:32 squashfs-root/example_file
-r--r--r-- phillip/users             0 2022-10-24 03:37 squashfs-root/not_writable

More information on Mksquashfs actions is here

https://github.com/plougher/squashfs-tools/blob/master/ACTIONS-README

Please ask if you want more information.

Phillip
---
Squashfs author and maintainer.
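
Added example, not part of the original post and not squashfs-tools code: a build-time check that reads an "unsquashfs -lls" listing in the format shown in the thread and fails if any entry still carries a write bit. The function names and the sample_listing helper are assumptions made for this illustration; the sample data is the second worked example's listing from the thread.

```shell
#!/bin/sh
# Added example: audit an `unsquashfs -lls` listing for leftover write bits.
# Line format as shown in the thread:
#   <mode> <owner/group> <size> <date> <time> <path>

# Print the path of every entry whose mode still has a write bit for user,
# group or other. Symlinks are skipped: Linux does not enforce their mode bits.
writable_entries() {
    awk '
        length($1) == 10 && $1 ~ /^[-dbcps]/ {
            m = $1
            if (substr(m, 3, 1) != "w" && substr(m, 6, 1) != "w" && substr(m, 9, 1) != "w") next
            # Locate the date field instead of counting columns, so a size
            # column printed as "major, minor" (assumed for device nodes)
            # does not shift the path.
            d = 0
            for (i = 3; i <= NF; i++) if ($i ~ /^[0-9]+-[0-9]+-[0-9]+$/) { d = i; break }
            if (!d) next
            # Path follows the time field (runs of spaces in a name collapse to one).
            path = $(d + 2)
            for (i = d + 3; i <= NF; i++) path = path " " $i
            print path
        }'
}

# Exit status 0 when the listing has no writable entries, 1 otherwise.
audit_listing() {
    offenders=$(writable_entries)
    [ -z "$offenders" ] && return 0
    printf 'writable entries remain:\n%s\n' "$offenders" >&2
    return 1
}

# Sample input: listing from the second worked example in the thread
# (directories only), with the mail line wrapping undone.
sample_listing() {
    cat <<'EOF'
dr-xr-xr-x phillip/users            74 2022-10-24 03:37 squashfs-root
dr-xr-xr-x phillip/users             3 2022-10-24 03:32 squashfs-root/example_dir
-rw-rw-rw- phillip/users             0 2022-10-24 03:32 squashfs-root/example_file
-r--r--r-- phillip/users             0 2022-10-24 03:37 squashfs-root/not_writable
EOF
}

# Real use would be: unsquashfs -lls test.sqsh | audit_listing
sample_listing | audit_listing || echo "audit failed: image is not fully read-only"
```

On the sample it reports squashfs-root/example_file, the entry the directories-only action leaves writable.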



More information about the openwrt-devel mailing list