On 9/8/25 04:46, Alyssa Ross wrote:
Demi Marie Obenour <demiobenour@gmail.com> writes:
Enforce that anything under /var or /etc is 0755 for directories and executable files and 0644 for anything else. Enforce that anything else is 0555 for directories and executable files and 0444 for anything else. This avoids depending on factors that may depend on the build environment, such as the user's umask.
diff --git a/scripts/make-erofs.sh b/scripts/make-erofs.sh index 66abd1f388524c19cd3a1113415892d0d72e3f82..d566a4ac7b30f55338fe9b8b6a94702686f6ddd1 100755 --- a/scripts/make-erofs.sh +++ b/scripts/make-erofs.sh @@ -95,4 +95,25 @@ while read -r arg1; do cp -RT -- "$arg1" "$root/$arg2" done
+# Ensure that the permissions in the image are independent +# of those in the git repository or Nix store, except for +# the executable bit. In particular, the mode of those +# outside the Nix store might depend on the user's umask. +# While the image itself is strictly read-only, it makes +# sense to populate an overlayfs over /etc and /var, and +# this overlayfs should be writable by root and readable +# by all users. The remaining paths should not be writable +# by anyone, but should be world-readable.
So I get why, given the overlayfs idea, it's important for /etc and /var to not be user-writeable, but what I don't understand is: why aren't we checking permissions for other directories, like /bin or /lib?
Other way around: /etc, /var, and /nix/store are skipped (via -prune -o) and the rest are checked.
+find "$root" \ + -path "$root/nix/store" -prune -o \ + -path "$root/etc" -prune -o \ + -path "$root/var" -prune -o \ + -type l -o \ + -type d -a -perm 0555 -o \ + -type f -a -perm 0444 -o \ + -execdir chmod ugo-w,ugo+rX -- '{}' + +find "$root/etc" "$root/var" ! -type l -execdir chmod u+w,go-w,ugo+rX -- '{}' + +chmod 0755 "$root" + +# Make the erofs image. mkfs.erofs -x-1 -b4096 --all-root "$@" "$root"
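Review bot: neither `-execdir chmod` action clears the setuid, setgid or sticky bits, so the modes the commit message promises (0555/0444 outside /etc and /var, 0755/0644 inside) are not actually enforced for any input file that carries one of them: `chmod ugo-w,ugo+rX` turns a 04755 binary into 04555, not 0555, and the exact-match `-perm 0555` / `-perm 0444` tests only skip already-conforming entries, they do not catch this case. Consider appending `u-s,g-s,o-t` to both chmod mode strings (`chmod ugo-w,ugo+rX,u-s,g-s,o-t` and `chmod u+w,go-w,ugo+rX,u-s,g-s,o-t`), or replacing the symbolic modes with explicit numeric ones split by `-type d` and `-type f` plus an executable-bit test. The comment block could also state that symlinks (`-type l`) are skipped because their mode is meaningless here, which is not obvious from the expression alone.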
-- 2.51.0
-- Sincerely, Demi Marie Obenour (she/her/hers)