[Sorry for the delay---I missed your reply]

>>> On Tue Oct 27 09:15:53 CET 2015, Bastian Bittorf wrote:

> IMHO it is better to explicitly set 0700 for the SSH stuff?
> so the user can just copy the files without tweaking the bits.

That's sort of what used to happen -- the permission fix would exclude files named "ssh_host*" and "shadow," and afterward it set /tmp to 1777. The problem is that if you want specific permissions for a specific extra file, you have to fiddle with .../include/image.mk before the image is made so that the general permission fixing leaves those files alone.

I think it's easier just to leave the user's extra-file permissions alone. If there's nothing special on a file (i.e., -rw-rw-r--) then it'll get copied in with reasonable values. But for some files, it's really important NOT to add read or execute permissions. /etc/shadow is an obvious one, but I also build images with HTTPS certificates and keys. The machine.key file MUST be -r-------- or the key will be public.

Further, imagine that you build the image normally and the key file gets installed as -rw-rw-r-- (on /rom). Then you go in and change the permission, so the file gets copied to /overlay/upper/etc/httpd.key with the desired permissions. The key file is _still_ _accessible_ under /rom/etc/httpd.key with the old permissions.

So it doesn't even help to change the permission on the target machine after installation. If you want to have keys (and other security-sensitive items) built into the sysimage, the permissions must be set the right way at build time.

Regards,
--
Mersenne Law LLP · www.mersenne.com · +1-503-679-1671
- Small Business, Startup and Intellectual Property Law -
9600 S.W. Oak Street · Suite 500 · Tigard, Oregon 97223
_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
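
The /rom versus /overlay/upper situation described in the message can be audited on a device by comparing the two layers. The script below is an added example, not part of the original message or of OpenWrt's build system; the function names and the sample tree are constructed for illustration, and it assumes a stat(1) that supports `-c %a` (GNU coreutils or BusyBox).

```shell
#!/bin/sh
# Added example (not from the original message).
# Lists files whose copy in the read-only lower layer (e.g. /rom) still
# grants group/other permission bits that the overlay copy has dropped.
# Assumes a stat(1) that supports -c %a (GNU coreutils or BusyBox).

audit_lower_perms() {
    lower=${1%/}
    upper=${2%/}
    find "$upper" -type f | while IFS= read -r up; do
        rel=${up#"$upper"/}
        low=$lower/$rel
        # Only files that shadow a regular file in the lower layer matter.
        [ -f "$low" ] && [ ! -L "$low" ] || continue
        um=$(stat -c %a "$up")
        lm=$(stat -c %a "$low")
        # Group/other bits (mask 077) present below but removed above.
        extra=$(( (0$lm & 077) & ~(0$um & 077) ))
        if [ "$extra" -ne 0 ]; then
            printf '%s lower=%s upper=%s\n' "$rel" "$lm" "$um"
        fi
    done
}

# Constructed sample: a key installed as -rw-rw-r-- at build time, then
# tightened on the running system, plus an unchanged ordinary file.
build_constructed_sample() {
    base=$1
    mkdir -p "$base/rom/etc" "$base/upper/etc"
    echo "constructed key material" > "$base/rom/etc/httpd.key"
    cp "$base/rom/etc/httpd.key" "$base/upper/etc/httpd.key"
    chmod 664 "$base/rom/etc/httpd.key"
    chmod 400 "$base/upper/etc/httpd.key"
    echo "banner" > "$base/rom/etc/banner"
    cp "$base/rom/etc/banner" "$base/upper/etc/banner"
    chmod 644 "$base/rom/etc/banner" "$base/upper/etc/banner"
}

# On a device: audit_lower_perms /rom /overlay/upper
```

Any line it prints names a file whose image copy is looser than the overlay copy, which can only be corrected by rebuilding the image with the right mode.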