Bug#633582: initramfs-tools: All files in initrd owned by root

Mon, 11 Jul 2011 15:27:19 -0700 

tags 633582 +patch -moreinfo
stop

Converted patch to Git format; it is attached.

> what the hack is "mandos"?

Description: do unattended reboots with an encrypted root file system
<http://packages.debian.org/en/stable/mandos-client>

> care to give a short intro and usage purpose that it may break?

It is a network-using security-related program.  Best practices dictate
that it runs with lowest possible privileges at all times; i.e. not as
root.  It has some files which it needs to read, but which also must be
unreadable by any other non-root process.  These files are therefore
mode 0600 and owned by its own non-root user.  When mkinitramfs changes
the files to be owned by root, the unprivileged process can no longer
read the files.

> similar as dracut.

Does dracut also inhibit creation of non-root files in the initramfs?
Do you know the rationale for this?

/Teddy Hogeborn & Björn Påhlsson

-- 
The Mandos Project
http://www.fukt.bsnet.se/mandos

>From a926cb036f4430b64b4c565ac3bf13831eceed54 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B6rn=20P=C3=A5hlsson?= <bel...@recompile.se>
Date: Mon, 11 Jul 2011 23:53:46 +0200
Subject: [PATCH] =?UTF-8?q?Signed-off-by:=20Bj=C3=B6rn=20P=C3=A5hlsson=20<be?=
 =?UTF-8?q?l...@recompile.se>?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Don't force file ownership to root.

Signed-off-by: Björn Påhlsson <bel...@recompile.se>

diff --git a/mkinitramfs b/mkinitramfs
index de061d7..82c0a91 100755
--- a/mkinitramfs
+++ b/mkinitramfs
@@ -316,7 +316,7 @@ fi
 [ "${verbose}" = y ] && echo "Building cpio ${outfile} initramfs"
 (
 # work around lack of "set -o pipefail" for the following pipe:
-# cd "${DESTDIR}" && find . | cpio --quiet -R 0:0 -o -H newc | gzip >"${outfile}" || exit 1
+# cd "${DESTDIR}" && find . | cpio --quiet -o -H newc | gzip >"${outfile}" || exit 1
 exec 3>&1
 eval `
 	# http://cfaj.freeshell.org/shell/cus-faq-2.html
@@ -325,7 +325,7 @@ eval `
 	{
 		find . 4>&-; echo "ec1=$?;" >&4
 	} | {
-		cpio --quiet -R 0:0 -o -H newc 4>&-; echo "ec2=$?;" >&4
+		cpio --quiet -o -H newc 4>&-; echo "ec2=$?;" >&4
 	} | ${compress} >"${outfile}"
 	echo "ec3=$?;" >&4
 `
-- 
1.7.5.4

Reply via email to