
Bug#633582: initramfs-tools: All files in initrd owned by root



tags 633582 +patch -moreinfo
stop

Converted patch to Git format; it is attached.

> what the hack is "mandos"?

Description: do unattended reboots with an encrypted root file system
<http://packages.debian.org/en/stable/mandos-client>

> care to give a short intro and usage purpose that it may break?

It is a network-using security-related program.  Best practices dictate
that it runs with lowest possible privileges at all times; i.e. not as
root.  It has some files which it needs to read, but which also must be
unreadable by any other non-root process.  These files are therefore
mode 0600 and owned by its own non-root user.  When mkinitramfs changes
the files to be owned by root, the unprivileged process can no longer
read the files.

> similar as dracut.

Does dracut also inhibit creation of non-root files in the initramfs?
Do you know the rationale for this?

/Teddy Hogeborn & Björn Påhlsson

-- 
The Mandos Project
http://www.fukt.bsnet.se/mandos
From a926cb036f4430b64b4c565ac3bf13831eceed54 Mon Sep 17 00:00:00 2001
From: Björn Påhlsson <belorn@recompile.se>
Date: Mon, 11 Jul 2011 23:53:46 +0200
Subject: [PATCH] Signed-off-by: Björn Påhlsson <belorn@recompile.se>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Don't force file ownership to root.

Signed-off-by: Björn Påhlsson <belorn@recompile.se>

diff --git a/mkinitramfs b/mkinitramfs
index de061d7..82c0a91 100755
--- a/mkinitramfs
+++ b/mkinitramfs
@@ -316,7 +316,7 @@ fi
 [ "${verbose}" = y ] && echo "Building cpio ${outfile} initramfs"
 (
 # work around lack of "set -o pipefail" for the following pipe:
-# cd "${DESTDIR}" && find . | cpio --quiet -R 0:0 -o -H newc | gzip >"${outfile}" || exit 1
+# cd "${DESTDIR}" && find . | cpio --quiet -o -H newc | gzip >"${outfile}" || exit 1
 exec 3>&1
 eval `
 	# http://cfaj.freeshell.org/shell/cus-faq-2.html
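Review bot: The commented-out reference pipeline is kept in sync with the real one, but nothing here records why `-R 0:0` is absent, so a later cleanup could put it back. A one-line comment beside the reference pipeline stating that ownership under `${DESTDIR}` is deliberately preserved, so that hooks can ship files owned by a non-root user, would protect the change; the behaviour change also deserves a mention in the manual page.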
@@ -325,7 +325,7 @@ eval `
 	{
 		find . 4>&-; echo "ec1=$?;" >&4
 	} | {
-		cpio --quiet -R 0:0 -o -H newc 4>&-; echo "ec2=$?;" >&4
+		cpio --quiet -o -H newc 4>&-; echo "ec2=$?;" >&4
 	} | ${compress} >"${outfile}"
 	echo "ec3=$?;" >&4
 `
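Review bot: Removing `-R 0:0` from the live `cpio --quiet -o -H newc` call changes ownership for every file in the image, not only for hooks that ask for it: the archive now records whatever numeric uid/gid each entry has under `${DESTDIR}`, and if mkinitramfs is run by an unprivileged user every entry ends up owned by that user. Consider keeping root ownership as the default and letting hooks opt in for specific paths, or at least reporting non-root entries when `${verbose}` is `y`, so that an unintended owner on a file used during boot is noticed.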
-- 
1.7.5.4
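
An added example, not code from initramfs-tools or the Mandos project: a small reader for the `newc` cpio format used above that lists non-root entries and shows why a mode 0600 file forced to 0:0 becomes unreadable to its unprivileged owner. The file names and the uid/gid 108/115 are constructed; a real initramfs must be decompressed first (for example with `gzip.decompress`).

```python
MAGIC, HDR_LEN = b"070701", 110
FIELDS = ("ino", "mode", "uid", "gid", "nlink", "mtime", "filesize",
          "devmajor", "devminor", "rdevmajor", "rdevminor", "namesize", "check")

def pad4(n):
    return (n + 3) & ~3  # newc aligns names and data to 4 bytes

def parse_newc(buf):
    """Yield (name, permission bits, uid, gid) for each entry of a newc archive."""
    off = 0
    while off + HDR_LEN <= len(buf):
        if buf[off:off + 6] != MAGIC:
            raise ValueError(f"bad newc magic at offset {off}")
        # 13 header fields, each 8 ASCII hex digits, follow the 6-byte magic
        h = dict(zip(FIELDS, (int(buf[off + 6 + 8 * i:off + 14 + 8 * i], 16)
                              for i in range(13))))
        start = off + HDR_LEN
        name = buf[start:start + h["namesize"] - 1].decode()  # drop trailing NUL
        if name == "TRAILER!!!":
            return
        yield name, h["mode"] & 0o7777, h["uid"], h["gid"]
        off = pad4(pad4(start + h["namesize"]) + h["filesize"])

def non_root_entries(buf):
    """Entries whose recorded owner or group is not 0."""
    return [e for e in parse_newc(buf) if e[2] != 0 or e[3] != 0]

def readable_by(entry, uid, gid):
    """Standard Unix read check for a process with the given uid/gid."""
    _, mode, fuid, fgid = entry
    if uid == 0:
        return True
    if uid == fuid:
        return bool(mode & 0o400)
    if gid == fgid:
        return bool(mode & 0o040)
    return bool(mode & 0o004)

def make_entry(name, mode, uid, gid, data=b""):
    """Build one newc record; used only to construct the sample below."""
    n = name.encode() + b"\0"
    vals = (0, mode, uid, gid, 1, 0, len(data), 0, 0, 0, 0, len(n), 0)
    rec = MAGIC + b"".join(b"%08X" % v for v in vals) + n
    rec += b"\0" * (pad4(len(rec)) - len(rec)) + data
    return rec + b"\0" * (pad4(len(rec)) - len(rec))

# Constructed sample archive: one root-owned file, one 0600 file owned by 108:115
SAMPLE = (make_entry("bin/sh", 0o100755, 0, 0, b"#!")
          + make_entry("conf/example-seckey", 0o100600, 108, 115, b"secret")
          + make_entry("TRAILER!!!", 0, 0, 0))
```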

