Tiny Core Linux

Tiny Core Extensions => TCE News => Topic started by: Kingdomcome on October 15, 2009, 11:52:19 AM

Title: /usr/local/tce.* ownership and perms
Post by: Kingdomcome on October 15, 2009, 11:52:19 AM
What are the proper Owner, Group, and Perms for the /usr/local/tce.* dirs and contents?  I was under the impression that the dirs should be 775 1001:50, menu and icon items should be 644 1001:50 and post-install scripts would be 755 1001:50.  But I see in TC booted base norestore that the dirs are 775 0:50.  Since these settings have become more critical in 2.4, I would like to have a definitive answer on this.  TIA  ;D
Title: Re: /usr/local/tce.* ownership and perms
Post by: Jason W on October 15, 2009, 02:57:31 PM
In the unzipped tinycore.gz I see directories that are 755 and 775.  Both should be fine.

As for /usr/local/tce.menu,tce.icons,tce.installed the ownership should be tc:staff with 775 or 755 perms.  The audit script checks for ownership of those dirs.  Tce.installed is naturally the most critical.

775 may be more ideal since TC is multiuser, correct me if I am wrong.
Title: Re: /usr/local/tce.* ownership and perms
Post by: Jason W on October 15, 2009, 09:12:41 PM
Confirmed.   Please make /usr/local/tce.installed with tc:staff ownership and 775 permissions.
Title: Re: /usr/local/tce.* ownership and perms
Post by: Jason W on October 16, 2009, 04:01:25 AM
Actually, the original permissions of those directories is root:staff ownership and 775 perms.

So I will update the extension audit script, and please make the /usr/local/tce.* directories root:staff, 775.
Title: Re: /usr/local/tce.* ownership and perms
Post by: Juanito on October 16, 2009, 04:11:11 AM
..but doesn't tce.installed need to be tc:staff, i.e.

tce.icons - root:staff
tce.installed - tc:staff
tce.menu - root:staff
Title: Re: /usr/local/tce.* ownership and perms
Post by: Jason W on October 16, 2009, 05:12:55 AM
As set up by tc-config, all 3 of them are root:staff 775.   The staff group and the rwx perms for group make them accessible by all of group staff.
Title: Re: /usr/local/tce.* ownership and perms
Post by: mikshaw on October 16, 2009, 05:15:00 AM
775 on a directory owned by 0:50 is essentially no different for user tc:staff than 755 on a dir owned by 1001:50.  The only different thing I can see is that user tc can't remove the directory if he doesn't own it, which shouldn't be an issue considering that particular directory shouldn't be removed.
Title: Re: /usr/local/tce.* ownership and perms
Post by: Jason W on October 16, 2009, 05:45:09 AM
In and of itself, "tc:staff 755" owner/perms of tce.installed would be fine.  But for our present extension loading to work properly, the tce.installed directory needs to be group staff with 775 perms.  Owner can be either root or tc.  Using 755 perms with ownership tc:staff in extensions for tce.installed will cause problems once extensions containing that directory are loaded.  

EDIT:  The plan is then to preserve the original owner/perms of the /usr/local/tce.* directories (root:staff with 775 perms).
Title: Re: /usr/local/tce.* ownership and perms
Post by: Kingdomcome on October 16, 2009, 07:14:02 AM
I understand that a different combination of permissions will achieve basically the same goal. The purpose of this question was to get a definitive answer that could be mentioned in the extension creating thread and wiki.
Although tc-config sets up the /usr/local/tce.* dirs as 775 0:50, looking in /usr/bin/tce-setup, it appears that IF tce-setup is used (which it is during boot time loading of extensions if the bootcode base is not used) that ownership of /usr/local/tce.installed is given to $USER:staff before extensions are loaded. If tce-load is called separately (as it is during run time) the ownership will not be changed. This appears to be a possible inconsistency in the base.
Some clarification on the ownership and permissions of the files that could be placed in each of the /usr/local/tce.* dirs would be welcome as well.
Thanks for your input so far and I hope we can get this figured out soon. :)
Title: Re: /usr/local/tce.* ownership and perms
Post by: Jason W on October 16, 2009, 07:59:44 AM
tc:staff is fine for /usr/local/tce.installed in extensions, as long as perms are set at 775.  I will audit extensions to either be tc:staff or root:staff with 775 perms on the /usr/local/tce.* directories.  Those ownership/perms will work across all TC versions all of the time. 

Mkdir by default sets perms to 755, so 775 has to be set after the /usr/local/tce.* directories are created.
Title: Re: /usr/local/tce.* ownership and perms
Post by: Jason W on October 16, 2009, 09:26:20 AM
I have been informed /usr/local/tce.* was set to root:staff with 775 perms in base for a reason, so that is the accepted permission for those directories.

I will update the audit script to reflect that.

Do not worry about extensions that already exist in the repo or have just been submitted.  I will deal with those.
Title: Re: /usr/local/tce.* ownership and perms
Post by: Kingdomcome on October 16, 2009, 11:45:12 AM
And for the files inside those dirs? I assume:
755 root:staff /usr/local/tce.installed/appname
644 root:staff /usr/local/tce.icons/*
644 root:staff /usr/local/tce.menu/appname
Title: Re: /usr/local/tce.* ownership and perms
Post by: Jason W on October 16, 2009, 11:56:42 AM
Yeah, that should be good.  775 for the startup scripts preferably, and 644 for the other regular files, root:staff owned.
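The rules settled on in the thread (tce.* directories group staff, mode 775, owner root or tc; tce.installed scripts 775; tce.menu and tce.icons files 644) can be checked against an unpacked extension tree with a small POSIX shell function. This is an added example, not Jason W's audit script from the repo; it assumes the extension has already been extracted (e.g. with unsquashfs) under a root you point it at, and that GNU stat is available.

```shell
#!/bin/sh
# audit_tce_dirs <extracted_root> [group] [allowed_owners]
# Checks the /usr/local/tce.* directories of an extracted extension tree
# against the ownership and permission rules from this thread:
#   directories: mode 775, group "staff", owner root or tc
#   tce.installed files (startup scripts): mode 775
#   tce.menu and tce.icons files: mode 644
# Prints one line per problem found; returns 0 if clean, 1 otherwise.
# The group and owner lists are parameters so the check can run on a
# build host where "staff"/"tc" do not exist (assumption, not TC's tooling).
audit_tce_dirs() {
    root=$1
    group=${2:-staff}
    owners=${3:-"root tc"}
    problems=0
    for d in tce.installed tce.menu tce.icons; do
        dir="$root/usr/local/$d"
        [ -d "$dir" ] || continue          # an extension may ship only some of them
        if [ "$d" = tce.installed ]; then fmode=775; else fmode=644; fi
        # The directory itself, then every regular file below it
        # (tce.* entries are plain names, so word splitting is safe here)
        for p in "$dir" $(find "$dir" -type f); do
            set -- $(stat -c '%a %U %G' "$p")  # octal mode, owner, group
            mode=$1 owner=$2 grp=$3
            if [ -d "$p" ]; then want=775; else want=$fmode; fi
            [ "$mode" = "$want" ] ||
                { echo "$p: mode $mode, want $want"; problems=$((problems+1)); }
            [ "$grp" = "$group" ] ||
                { echo "$p: group $grp, want $group"; problems=$((problems+1)); }
            case " $owners " in
                *" $owner "*) ;;
                *) echo "$p: owner $owner, want one of: $owners"
                   problems=$((problems+1)) ;;
            esac
        done
    done
    [ "$problems" -eq 0 ]
}
```

Run it as `audit_tce_dirs /tmp/ext` after extracting a .tcz there; a directory created with plain `mkdir` (755) shows up as a mode problem, which is exactly the case the audit is meant to catch.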
Title: Re: /usr/local/tce.* ownership and perms
Post by: Kingdomcome on October 17, 2009, 05:48:10 AM
775 for scripts, roger.  Thanks for getting this sorted out; standardizing these settings will hopefully avoid any problems and possible changes to extension loading in the base.  I will take a look at updating the extension creation wiki in the next couple of days.
Title: Re: /usr/local/tce.* ownership and perms
Post by: mikshaw on October 17, 2009, 07:02:38 AM
Quote
Mkdir by default sets perms to 755, so 775 has to be set after the /usr/local/tce.* directories are created.
Unless you do mkdir -m 775
Title: Re: /usr/local/tce.* ownership and perms
Post by: Jason W on October 17, 2009, 01:08:51 PM
All existing extensions that have a tce.installed directory have had their permissions set to root:staff/775 for those that did not have that perm already.  I checked for tce.installed, but those that were fixed had their tce.menu and tce.icons directory set though they are not as critical.

Title: Re: /usr/local/tce.* ownership and perms
Post by: jpeters on October 17, 2009, 06:19:52 PM
Quote
All existing extensions that have a tce.installed directory have had their permissions set to root:staff/775 for those that did not have that perm already.  I checked for tce.installed, but those that were fixed had their tce.menu and tce.icons directory set though they are not as critical.

Just noticed the permission change for /tce.installed; used to need tc:staff, I think.
Title: Re: /usr/local/tce.* ownership and perms
Post by: Jason W on October 17, 2009, 06:41:14 PM
Yeah, tc:staff was widely used and in and of itself would not cause a problem though root:staff is what has been settled on.  Group staff and 775 perms are the critical details.
Title: Re: /usr/local/tce.* ownership and perms
Post by: jpeters on October 17, 2009, 10:14:45 PM
Looks like the issue of extensions changing tce.installed to root:root has been resolved ??
Title: Re: /usr/local/tce.* ownership and perms
Post by: Jason W on October 18, 2009, 03:05:54 AM
Yes, with the above permissions set on all existing extensions' tce.installed directory there should be no more permissions issue with any version of TC 2.x.  If extensions in anyone's existing tce directory are causing issue, redownload and all should be well.  There should be no extensions now that will cause a root:root tce.installed, but of course if there are any they can be mentioned here.  But I think I got them all, 102 were fixed.

Title: Re: /usr/local/tce.* ownership and perms
Post by: jpeters on October 18, 2009, 07:10:18 AM
Quote
Yes, with the above permissions set on all existing extensions' tce.installed directory there should be no more permissions issue with any version of TC 2.x.  If extensions in anyone's existing tce directory are causing issue, redownload and all should be well.  There should be no extensions now that will cause a root:root tce.installed, but of course if there are any they can be mentioned here.  But I think I got them all, 102 were fixed.


Looks like the vulnerability was fixed as well. I created xonclock-test while in root, and loaded -i -r (I think that changed /tce.installed to root:root previously). Despite the error message, permissions remain, xonclock is in /tce.installed,  and xonclock works.

Code:
tc@box:~$ ls -ld /usr/local/tce.installed/
drwxr-xr-x    2 root     staff         960 Oct 18 07:00 /usr/local/tce.installed//
tc@box:~$ tce-load -i -r /tmp/xonclock-test.tcz 
xonclock-test.tcz
touch: /usr/local/tce.installed/xonclock-test: Permission denied
tc@box:~$ ls -ld /usr/local/tce.installed/
drwxr-xr-x    2 root     staff         980 Oct 18 07:01 /usr/local/tce.installed//
tc@box:~$ find /usr/local/tce.installed/xonclock
/usr/local/tce.installed/xonclock
tc@box:~$

Title: Re: /usr/local/tce.* ownership and perms
Post by: jpeters on October 18, 2009, 10:37:13 AM
Something's still weird. Sometimes command line installs aren't getting into /tce.installed, other times they are.  This example shows the files installed, the extension loaded to my tce dir, but no listing in
/tce.installed.  I tried the same with xonclock, and it was fine. Last time I tried with actkbd, it wasn't in my tce directory either, although the files were present.  
 
Code:
tc@box:~$ tce-load -i -w actkbd.tcz
actkbd.tcz: OK
touch: /usr/local/tce.installed/actkbd: Permission denied
tc@box:~$ find /usr/local/tce.installed/actkbd
find: /usr/local/tce.installed/actkbd: No such file or directory
tc@box:~$ find /usr/local/sbin/actkbd
/usr/local/sbin/actkbd
tc@box:~$ find /mnt/hda1/tcZ2/actkbd.tcz
/mnt/hda1/tcZ2/actkbd.tcz
Title: Re: /usr/local/tce.* ownership and perms
Post by: Jason W on October 18, 2009, 10:46:35 AM
jpeters - is that using either an empty tce directory or a fresh boot with "base norestore"?
Title: Re: /usr/local/tce.* ownership and perms
Post by: jpeters on October 18, 2009, 10:57:12 AM
Quote
jpeters - is that using either an empty tce directory or a fresh boot with "base norestore"?

neither
Title: Re: /usr/local/tce.* ownership and perms
Post by: Jason W on October 18, 2009, 11:04:53 AM
Ok, that means that there are some extensions in your tce directory that have not been fixed. 

Running the extension audit script on your tce directory will tell you which are the offending extensions
Title: Re: /usr/local/tce.* ownership and perms
Post by: jpeters on October 18, 2009, 11:18:57 AM
Quote
Ok, that means that there are some extensions in your tce directory that have not been fixed.

Running the extension audit script on your tce directory will tell you which are the offending extensions

That will affect a new install ??  
Title: Re: /usr/local/tce.* ownership and perms
Post by: Jason W on October 18, 2009, 11:34:55 AM
The script will simply point out any extensions with bad perms on tce.installed. 

Are the extensions in your tce directory installed in the last 12 hours or so? 
Title: Re: /usr/local/tce.* ownership and perms
Post by: jpeters on October 18, 2009, 11:49:00 AM
Quote
The script will simply point out any extensions with bad perms on tce.installed.

Are the extensions in your tce directory installed in the last 12 hours or so?

Check the example posted.

Note: I'll try the audit script again with a full base boot... it doesn't work with the group presently loaded.
Title: Re: /usr/local/tce.* ownership and perms
Post by: jpeters on October 18, 2009, 12:23:15 PM
Okay, it's installing now. Script works fine with full base.   
Title: Re: /usr/local/tce.* ownership and perms
Post by: Jason W on October 18, 2009, 12:31:32 PM
I will adjust the audit script to not exit but just echo an error message so it will display all extension issues in one run.  That would help for things like this.

EDIT: script fixed.
Title: Re: /usr/local/tce.* ownership and perms
Post by: jpeters on October 18, 2009, 02:23:28 PM
Quote
I will adjust the audit script to not exit but just echo an error message so it will display all extension issues in one run.  That would help for things like this.

EDIT: script fixed.

For new installs, of course, the user relies on the repos being correct.  MPlayer-svn-gtk2.tcz is set for tc:staff, and changes the permissions for /tce.installed.  Looks like the only way to fix the vulnerability is an automatic screening of all submitted extensions (since not everyone will audit).

You might list required deps to run audit.  Nice script!  (Why not include the fix in the script?)


edit: Here's a few more:

xpdf-3.02pl2.tcz
xmms-1.2.11.tczl
gnumeric.tcz
geany.tcz
Title: Re: /usr/local/tce.* ownership and perms
Post by: Jason W on October 18, 2009, 03:11:14 PM
I did update the script shortly after I fixed it.

I used a different script to check the repo that only looked at tce.installed.  So the extensions you mention are due to tce.menu and tce.icon perms different than ideal.  Those are not as critical as ones with tce.installed being of different perms.  I did adjust the perms of those directories of the ones whose tce.installed I fixed though.  But since the script will echo an error on those that have tce.menu and tce.icons perms different, I will adjust them too so it will all look good according to the audit script.

Mplayer svn gtk2 only has a tce.menu entry, not tce.installed.  But nevertheless I will fix it in time.
Title: Re: /usr/local/tce.* ownership and perms
Post by: jpeters on October 18, 2009, 03:41:32 PM
Quote
I did update the script shortly after I fixed it.

I used a different script to check the repo that only looked at tce.installed.  So the extensions you mention are due to tce.menu and tce.icon perms different than ideal.  Those are not as critical as ones with tce.installed being of different perms.  I did adjust the perms of those directories of the ones whose tce.installed I fixed though.  But since the script will echo an error on those that have tce.menu and tce.icons perms different, I will adjust them too so it will all look good according to the audit script.

Mplayer svn gtk2 only has a tce.menu entry, not tce.installed.  But nevertheless I will fix it in time.

It changes perms for tce.installed, which is only important if you had some reason for it being root:staff.
As long as it installs (actkbd wasn't).  All these changes must keep you real busy!  :)

The "fix" I was referring to was the perm changes that affect /tce.installed
Code:
tc@box:~$ ls -ld /usr/local/tce.installed
drwxrwxr-x 2 tc staff 2120 Oct 18 14:53 /usr/local/tce.installed/

Title: Re: /usr/local/tce.* ownership and perms
Post by: Jason W on October 18, 2009, 03:56:22 PM
Tce-setup changes it to "USER":staff; Mplayer couldn't have if it didn't have a tce.installed directory in the extension.  "USER" being normally tc, unless another user is specified.

The extension should be root:staff/775 for tce.installed as if tce.installed gets its attributes overwritten by the extension, "USER" may be a different user than tc.  And if the perms are tc:staff/755 or root:staff/755, another user cannot write to tce.installed.  Tce-setup changing the owner to "USER":staff is ok and normal.

Title: Re: /usr/local/tce.* ownership and perms
Post by: jpeters on October 18, 2009, 07:27:38 PM
That might be it, as I'm running groups with "base" option.