Comment 5 for bug 1235975

Barry Warsaw (barry) wrote :

I think I was a bit too aggressive in 1.9 in fixing this, especially in light of LP: #1233521

Here's the breakdown of directories and files, and what I think we should do for each:

[system]tempdir - by default /tmp
- This directory should already exist, and we don't own it, so do not chmod if it exists. If it doesn't exist, we'll create it with 02700
- random subdir is created using Python's tempfile.mkdtemp() method, which creates it securely <http://docs.python.org/3/library/tempfile.html#tempfile.mkdtemp>. We call this function with prefix='system-image-' and dir=<[system]tempdir> so you'll end up with directories like /tmp/system-image-0ft3jq mod 700 owned by uid:gid of the process.

Thus there should be nothing we need to do with tempdir above what Python already does, unless we have to create the directory.

[system]logfile - by default /var/log/system-image/client.log
We'll create the log file with 0600 and chmod it to that if it already exists, since we own it. If the parent directory already exists, we'll chmod it to 02700 since we should assume that we own it. If it doesn't exist, we'll create it with 02700.

Note that it's possible someone would change the client.ini file to put the log file in a location we *don't* own, e.g. /var/log/client.log. In that case /var/log could get chmod'd to an unexpected mode. It's not clear to me what we can do about that other than say "Don't Do That".

[updater]cache_partition - by default /android/cache/recovery
We don't own this so we should not chmod it. If it doesn't exist, we'll create it 02700 (but it should always exist except in the test suite).

[updater]data_partition - by default /var/lib/system-image
(This will contain subdirectories, such as `keyrings`)
Create this, and subdirs, with 02700. If this directory (and subdirs) exist, chmod them to 02700. Similar to the discussion above, if someone changes it to point to an existing directory we don't own (e.g. /var/lib itself), then we could end up chmoding it unexpectedly. "Don't Do That" also applies here.
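The policy laid out in the comment above, written out as an added Python example (it is not code from the comment or from the system-image project; the function names `ensure_dir`, `make_tempdir`, `ensure_logfile`, `ensure_data_partition` and `demo` are assumptions made here). It deliberately goes a little beyond the comment in two places, both flagged in the code: an existing directory is only chmod'ed when its owner is the process's own uid, which is one concrete answer to the /var/log "Don't Do That" case, and a symlink planted at the log path or at a directory path is refused rather than chmod'ed through. `demo()` exercises every rule against constructed stand-ins under a throwaway sandbox, never the real /tmp, /var/log or /android paths.

```python
import os
import stat
import tempfile

# Values taken from the comment: 02700 for directories we own, 0600 for the
# log file, and the prefix handed to tempfile.mkdtemp().
DIR_MODE = 0o2700
FILE_MODE = 0o600
TEMPDIR_PREFIX = 'system-image-'


def _mode(path):
    """Permission bits of path (setgid included), without following symlinks."""
    return stat.S_IMODE(os.lstat(path).st_mode)


def ensure_dir(path, owned):
    """Missing: create it (and missing parents) with DIR_MODE.  Present and
    owned: chmod to DIR_MODE.  Present and not owned (/tmp, the cache
    partition): leave it alone.  Added safeguards not in the comment: a
    symlink is never chmod'ed through, and a directory belonging to another
    uid is refused instead of chmod'ed (the /var/log case)."""
    if os.path.lexists(path):
        st = os.lstat(path)
        if not stat.S_ISDIR(st.st_mode):
            raise NotADirectoryError(path)     # symlinks land here too
        if owned:
            if st.st_uid != os.geteuid():
                raise PermissionError('refusing to chmod %s: not ours' % path)
            os.chmod(path, DIR_MODE)
        return path
    parent = os.path.dirname(path)
    if parent and not os.path.isdir(parent):
        ensure_dir(parent, owned=True)
    os.mkdir(path, DIR_MODE)
    os.chmod(path, DIR_MODE)   # mkdir() honours the umask; chmod() does not
    return path


def make_tempdir(base):
    """[system]tempdir: never chmod the base; mkdtemp() creates the random
    'system-image-XXXXXX' subdirectory itself with mode 0700."""
    ensure_dir(base, owned=False)
    return tempfile.mkdtemp(prefix=TEMPDIR_PREFIX, dir=base)


def ensure_logfile(path):
    """[system]logfile: parent directory 02700 (ours), file 0600 (ours)."""
    ensure_dir(os.path.dirname(os.path.abspath(path)), owned=True)
    if os.path.islink(path):
        raise OSError('refusing to open %s: symlink at log path' % path)
    # O_NOFOLLOW closes the race between the islink() check and the open.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND | os.O_NOFOLLOW,
                 FILE_MODE)
    try:
        os.fchmod(fd, FILE_MODE)   # also tightens a pre-existing, too-open file
    finally:
        os.close(fd)
    return path


def ensure_data_partition(path, subdirs=('keyrings',)):
    """[updater]data_partition: the directory and its subdirectories 02700."""
    ensure_dir(path, owned=True)
    for name in subdirs:
        ensure_dir(os.path.join(path, name), owned=True)
    return path


def demo():
    """Run every rule against constructed stand-ins inside a sandbox and
    return the resulting modes (keys are assumptions made for this demo)."""
    r = {}
    with tempfile.TemporaryDirectory() as box:
        # [system]tempdir: base exists and is not ours -> left at 01777
        tmp = os.path.join(box, 'tmp')
        os.mkdir(tmp)
        os.chmod(tmp, 0o1777)
        sub = make_tempdir(tmp)
        r['tmp_base'] = _mode(tmp)
        r['tmp_sub'] = _mode(sub)
        r['tmp_sub_prefixed'] = os.path.basename(sub).startswith(TEMPDIR_PREFIX)

        # [system]logfile: parents created 02700, file 0600; a loosened file
        # is tightened again on the next call
        log = os.path.join(box, 'var', 'log', 'system-image', 'client.log')
        ensure_logfile(log)
        os.chmod(log, 0o644)
        ensure_logfile(log)
        r['log_file'] = _mode(log)
        r['log_dir'] = _mode(os.path.dirname(log))

        # [updater]cache_partition: exists and is not ours -> untouched 0755
        cache = os.path.join(box, 'android', 'cache', 'recovery')
        os.makedirs(cache)
        os.chmod(cache, 0o755)
        ensure_dir(cache, owned=False)
        r['cache'] = _mode(cache)

        # [updater]data_partition: dir and an existing, too-open keyrings/
        # both end up 02700
        data = os.path.join(box, 'var', 'lib', 'system-image')
        os.makedirs(os.path.join(data, 'keyrings'))
        os.chmod(os.path.join(data, 'keyrings'), 0o755)
        ensure_data_partition(data)
        r['data'] = _mode(data)
        r['keyrings'] = _mode(os.path.join(data, 'keyrings'))

        # a symlink planted where the log should go is refused, not followed
        link = os.path.join(box, 'planted.log')
        os.symlink(os.path.join(box, 'elsewhere'), link)
        try:
            ensure_logfile(link)
            r['symlink_refused'] = False
        except OSError:
            r['symlink_refused'] = True
    return r


if __name__ == '__main__':
    for key, value in sorted(demo().items()):
        print(key, oct(value) if type(value) is int else value)
```

Note that mkdir() is always followed by an explicit chmod(): the mode passed to mkdir() is masked by the process umask, so a 022 umask would otherwise leave a directory at 0755 even though 02700 was requested. The uid check is what keeps a client.ini that points logfile at /var/log/client.log from silently chmod'ing /var/log; with the comment's policy alone the only protection is "Don't Do That".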