keremet/rpm-ostree
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

passwd: Make default perms 0644

Browse Source 
This matches the default from the RPM, and we don't want
the file to be writable if an admin adds a user to the `root`
group.  (Which IMO is just a bad idea, but
for historical reasons OpenShift suggests this for
images
https://docs.openshift.com/container-platform/4.7/openshift_images/create-images.html#images-create-guide-openshift_create-images
for example)
This commit is contained in:
Colin Walters 2021-05-12 08:36:24 -04:00
parent 58684c43f1
commit a6da3c08d4
2 changed files with 38 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

56
rust/src/passwd.rs
View File

@ -19,6 +19,7 @@ use std::os::unix::io::AsRawFd;
use std::path::PathBuf;
use std::pin::Pin;
const DEFAULT_MODE: u32 = 0o644;
static PWGRP_SHADOW_FILES: &[&str] = &["shadow", "gshadow", "subuid", "subgid"];
static USRLIB_PWGRP_FILES: &[&str] = &["passwd", "group"];
@ -104,7 +105,7 @@ pub fn migrate_passwd_except_root(rootfs_dfd: i32) -> CxxResult<()> {
{
let mut usrdest_stream = rootfs
.append_file(USRDEST_PATH, 0o664)
.append_file(USRDEST_PATH, DEFAULT_MODE)
.map(BufWriter::new)?;
for entry in &others {
@ -114,12 +115,16 @@ pub fn migrate_passwd_except_root(rootfs_dfd: i32) -> CxxResult<()> {
usrdest_stream.flush()?;
}
rootfs.write_file_with_sync(ETCSRC_PATH, 0o664, |mut etcdest_stream| -> Result<()> {
for entry in &roots {
entry.to_writer(&mut etcdest_stream)?;
}
Ok(())
})?;
rootfs.write_file_with_sync(
ETCSRC_PATH,
DEFAULT_MODE,
|mut etcdest_stream| -> Result<()> {
for entry in &roots {
entry.to_writer(&mut etcdest_stream)?;
}
Ok(())
},
)?;
Ok(())
}
@ -143,7 +148,7 @@ pub fn migrate_group_except_root(rootfs_dfd: i32, preserved_groups: &Vec<String>
{
let mut usrdest_stream = rootfs
.append_file(USRDEST_PATH, 0o664)
.append_file(USRDEST_PATH, DEFAULT_MODE)
.map(BufWriter::new)?;
for entry in &others {
@ -159,12 +164,16 @@ pub fn migrate_group_except_root(rootfs_dfd: i32, preserved_groups: &Vec<String>
usrdest_stream.flush()?;
}
rootfs.write_file_with_sync(ETCSRC_PATH, 0o664, |mut etcdest_stream| -> Result<()> {
for entry in &roots_preserved {
entry.to_writer(&mut etcdest_stream)?;
}
Ok(())
})?;
rootfs.write_file_with_sync(
ETCSRC_PATH,
DEFAULT_MODE,
|mut etcdest_stream| -> Result<()> {
for entry in &roots_preserved {
entry.to_writer(&mut etcdest_stream)?;
}
Ok(())
},
)?;
Ok(())
}
@ -346,12 +355,17 @@ fn data_from_json(
let mut seen_names = HashSet::new();
rootfs
.write_file_with_sync(&target_etc_filename, 0o664, |dest_bufwr| -> Result<()> {
let mut buf_rd = BufReader::new(&mut src_file);
append_unique_entries(&mut buf_rd, &mut seen_names, dest_bufwr)
.with_context(|| format!("failed to process '{}' content from JSON", &target))?;
Ok(())
})
.write_file_with_sync(
&target_etc_filename,
DEFAULT_MODE,
|dest_bufwr| -> Result<()> {
let mut buf_rd = BufReader::new(&mut src_file);
append_unique_entries(&mut buf_rd, &mut seen_names, dest_bufwr).with_context(
|| format!("failed to process '{}' content from JSON", &target),
)?;
Ok(())
},
)
.with_context(|| format!("failed to write /{}", &target_etc_filename))?;
Ok(true)
@ -398,7 +412,7 @@ fn concat_files(rootfs: &openat::Dir, prev_root: &gio::File, target: &str) -> Re
let etc_target = format!("etc/{}", target);
rootfs
.write_file_with_sync(&etc_target, 0o664, |dest_bufwr| -> Result<()> {
.write_file_with_sync(&etc_target, DEFAULT_MODE, |dest_bufwr| -> Result<()> {
let mut seen_names = HashSet::new();
if let Some(ref src_file) = orig_usretc_content {
let src_stream = src_file.read(gio::NONE_CANCELLABLE)?.into_read();

3
tests/compose/libbasic-test.sh
View File

@ -19,6 +19,9 @@ validate_passwd() {
validate_passwd passwd
validate_passwd group
ostree --repo=${repo} ls ${treeref} /usr/etc/passwd > passwd.txt
assert_file_has_content_literal passwd.txt '00644 '
ostree --repo=${repo} cat ${treeref} /usr/etc/default/useradd > useradd.txt
assert_file_has_content_literal useradd.txt HOME=/var/home