This moves various calls to mkdir(1) to very early boot, before any services are running. This has two advantages: 1. These directories are guaranteed to exist. Code can just assume that they are there without checking for them. 2. Malicious code running as an unprivileged user cannot create directories under /tmp before legitimate code has done so. Also, it creates the various directories used by X11 with restrictive permissions to prevent untrusted code from writing to them, and sets up /run/user/0 to provide $XDG_RUNTIME_DIR. The copyright notice for directory creation is not kept because making four directories with well-known names and permissions is not copyrightable. --- img/app/etc/s6-linux-init/scripts/rc.init | 8 ++++++++ img/app/etc/s6-rc/wayland-proxy-virtwl/run | 10 ---------- 2 files changed, 8 insertions(+), 10 deletions(-) diff --git a/img/app/etc/s6-linux-init/scripts/rc.init b/img/app/etc/s6-linux-init/scripts/rc.init index c5a59245ff3761e94acb974edde967806fb3b234..6f2db32935332793faf47e3c68e42b0afd537a2d 100755 --- a/img/app/etc/s6-linux-init/scripts/rc.init +++ b/img/app/etc/s6-linux-init/scripts/rc.init @@ -7,4 +7,12 @@ if { s6-rc-init -c /etc/s6-rc /run/service } if { modprobe overlay } if { mount -a --mkdir } +# /tmp/.*-unix are used by X11 and exist on my machine with 1777 permissions. +# Use mode 0755 because no other user needs access to them. +# Also, I have seen some software use /tmp/user, so create it as well. +if { mkdir -m 0755 /tmp/user /tmp/.X11-unix /tmp/.ICE-unix /tmp/.XIM-unix /tmp/.font-unix } + +# Create $XDG_RUNTIME_DIR +if { mkdir -m 0700 /run/user/0 } + s6-rc change ok-all diff --git a/img/app/etc/s6-rc/wayland-proxy-virtwl/run b/img/app/etc/s6-rc/wayland-proxy-virtwl/run index 0715d912953c8a1d326059dfd37c29799fcbb053..c1e0e088c789ab8c5fde7e50c9f4b856fff0e477 100755 --- a/img/app/etc/s6-rc/wayland-proxy-virtwl/run +++ b/img/app/etc/s6-rc/wayland-proxy-virtwl/run 
@@ -1,16 +1,6 @@ #!/bin/execlineb -P # SPDX-License-Identifier: EUPL-1.2+ # SPDX-FileCopyrightText: 2023-2024 Alyssa Ross <hi@alyssa.is> -# -# Directory creation (if it's copyrightable): -# SPDX-License-Identifier: MIT -# SPDX-FileCopyrightText: 2022 Unikie - -foreground { mkdir /tmp/.X11-unix } -foreground { - umask 077 - mkdir /run/user/0 -} s6-ipcserver-socketbinder -B /run/user/0/wayland-0 fdmove -c 3 0 -- Sincerely, Demi Marie Obenour (she/her/hers)
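Review bot: in the rc.init hunk, `if { mkdir -m 0755 /tmp/user /tmp/.X11-unix /tmp/.ICE-unix /tmp/.XIM-unix /tmp/.font-unix }` aborts rc.init before `s6-rc change ok-all` runs if any one of those five directories already exists, so the "guaranteed to exist" property in the commit message only holds when /tmp (and /run/user) is empty at every boot; the preceding `if { mount -a --mkdir }` does not show whether /tmp is a fresh tmpfs. Please state that assumption in the comment block above the mkdir line (for example "assumes /tmp is a fresh tmpfs mounted by the line above"), and if /tmp can persist, handle the exists case explicitly rather than switching to `mkdir -p`, since `-p` would silently accept a pre-existing directory with the wrong owner or mode and defeat the second goal in the commit message. The same consideration applies to `if { mkdir -m 0700 /run/user/0 }`. Separately, the comment "exist on my machine with 1777 permissions" reads as an anecdote; stating the rationale directly ("X11 conventionally creates these 1777; 0755 suffices here because only root runs graphical clients in this image") would age better.

Review bot: in the wayland-proxy-virtwl/run hunk, the removed `foreground { mkdir /tmp/.X11-unix }` created the socket directory with the process umask and ignored failure, while the replacement in rc.init uses an explicit mode under `if { }`, which fails closed; the behaviour change is an improvement and the removal itself is fine. One documentation point: after this change the run script depends on rc.init having already created /run/user/0 before `s6-ipcserver-socketbinder -B /run/user/0/wayland-0` binds the socket, and nothing in this file records that. A one-line comment above the `s6-ipcserver-socketbinder` line naming rc.init as the creator of /run/user/0 would save the next reader a search and make the early-boot ordering requirement explicit if this service is ever reused outside this image.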