Re: git: a6ed8c959303 - main - Fix /root permissions after 'make installworld'

In reply to: Mateusz Guzik : "Re: git: a6ed8c959303 - main - Fix /root permissions after 'make installworld'"
Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: Gordon Bergling <gbe_at_freebsd.org>
Date: Sun, 26 Nov 2023 18:26:33 UTC

Hi Mateusz,

On Thu, Nov 16, 2023 at 02:21:53PM +0100, Mateusz Guzik wrote:
> On 11/16/23, Gordon Bergling <gbe@freebsd.org> wrote:
> > The branch main has been updated by gbe:
> >
> > URL:
> > https://cgit.FreeBSD.org/src/commit/?id=a6ed8c9593031abf6fa73661be55c226caa362d6
> >
> > commit a6ed8c9593031abf6fa73661be55c226caa362d6
> > Author:     Thomas Eberhardt <sneakywumpus@gmail.com>
> > AuthorDate: 2023-11-16 09:59:38 +0000
> > Commit:     Gordon Bergling <gbe@FreeBSD.org>
> > CommitDate: 2023-11-16 09:59:38 +0000
> >
> >     Fix /root permissions after 'make installworld'
> >
> >     According to /etc/mtree/BSD.root.dist /root should have
> >     0750 permissions, but the build target 'make installworld'
> >     changes these to 0755.
> >
> >     This is caused by the installation of the configuration
> >     files of sh(1) and csh(1).
> >
> >     Correct this by specifying the correct default /root permissions.
> >
> >     PR:     273342
> >     Reviewed by:    jilles
> >     Approved by:    jilles
> >     MFC after:      2 weeks
> >     Differential Revision:https://reviews.freebsd.org/D42395
> > ---
> >  bin/csh/Makefile | 1 +
> >  bin/sh/Makefile  | 1 +
> >  2 files changed, 2 insertions(+)
> >
> > diff --git a/bin/csh/Makefile b/bin/csh/Makefile
> > index 1f996df3999b..94e1ba763d6e 100644
> > --- a/bin/csh/Makefile
> > +++ b/bin/csh/Makefile
> > @@ -15,6 +15,7 @@ ROOTPACKAGE=	csh
> >  ETC=	csh.cshrc csh.login csh.logout
> >  ROOT=	dot.cshrc dot.login
> >  ROOTDIR=	/root
> > +ROOTDIR_MODE=	0750
> 
> This is at best a total workaround, the real bug is that root dir gets
> modified to begin with and there will be other cases prone to cause
> the same problem.
> 
> More importantly, is not this a regression from security pov?

I am unsure if this is a regression, but it fixed the problem about overriden
permissions from 'make installworld'. I keep an eye on the PR and when I have
time I'll try to come up with a better solution, but I am far from beeing an
expert in the build framework.

--Gordon