[systemd-devel] [PATCH 1/2] kernel-install: avoid using 'cp --preserve'

Sébastien Luttringer seblu at seblu.net
Wed Sep 25 17:50:16 PDT 2013


On Thu, Sep 26, 2013 at 1:45 AM, Kay Sievers <kay at vrfy.org> wrote:
> On Thu, Sep 26, 2013 at 1:13 AM, Sébastien Luttringer <seblu at seblu.net> wrote:
>> On Thu, Sep 26, 2013 at 12:56 AM, Kay Sievers <kay at vrfy.org> wrote:
>>> On Thu, Sep 26, 2013 at 12:38 AM, Tom Gundersen <teg at jklm.no> wrote:
>>>> Force 0600 and root:root instead, to avoid problems with fat filesystems.
>>>
>>> Sounds fine to me, to enforce root permissions.
>>
>> Boot kernel was world readable, and it makes sense. Why is making them
>> root-only readable a good idea?
>
> Sure, 0644 sounds fine too.
>
>> If your /boot is a FAT filesystem, the world readable rights are
>> handled by your mount options.
>> On non UEFI systems, world readable rights set by kernel-install matter.
>
> Why would that matter?
On non-UEFI systems your boot partition (when there is one) is almost
_never_ FAT. It's a "decent" FS like ext{2,3,4} or anything that
handles group and other permissions.
With these FS, you cannot globally override the permissions set by
kernel-install with a mount option to have these files world
readable, like with FAT:

# mount -t vfat
 /dev/sda1 on /boot type vfat (rw,...,fmask=0133,dmask=0022,...)

>
>>> If people want special permissions, they can always drop-in their own
>>> install.d/ callout to mangle them.
>> This means maintaining its own generator,
>
> It's not a generator, they are different things in systemd. It would
> just be a /usr/lib/kernel/install.d/*.install snippet.
Yes it's a mistake, I realized too late, sorry.
But the meaning is the same: copying
/usr/lib/kernel/install.d/90-loaderentry.install into /etc and keeping
track of upgrades of the original file only to edit perms is a waste of
time.
If a drop-in.d mechanism (for these scripts) is available... it's like
killing a fly with a tank.

>
>> it's a bit boring for just
>> being able to check the size of your installed kernel.
>
> Check the size and file permissions? You don't need access to check
> its size, do you?
True. And I don't remember ever opening these kernel files.
What bugs me is the message: Enforce root read only for /boot.
To be coherent, this should also apply to directories and files in /boot.
Thus, other *.install files will be inspired by what the default
systemd scripts do.
As a consequence, initrd hooks will make my initrd not readable. We
can avoid that with a sane default here.

>> The opposite logic seems more appropriate.
>
> 0644 sounds good to me too, sure, as long as we have a defined default.
Sounds good!

-- 
Sébastien "Seblu" Luttringer
https://www.seblu.net
GPG: 0x2072D77A
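
The point the thread converges on (a defined default mode instead of whatever 'cp --preserve' carries over) can be illustrated with the sketch below. It is an added example, not part of the original message and not code from kernel-install; the names DEFAULT_MODE, copy_with_default_mode and audit_modes are hypothetical, and GNU coreutils (install, stat -c) and find are assumed.

```shell
#!/bin/sh
# Added example: hypothetical helpers, not taken from kernel-install.
DEFAULT_MODE=0644   # the default mode the thread settles on

# Copy SRC to DST with a fixed mode, independent of SRC's own mode and of
# the caller's umask. Ownership is forced to root:root only when running
# as root, since an unprivileged user cannot chown to root.
copy_with_default_mode() {
    src=$1 dst=$2 mode=${3:-$DEFAULT_MODE}
    if [ "$(id -u)" -eq 0 ]; then
        install -m "$mode" -o root -g root "$src" "$dst"
    else
        install -m "$mode" "$src" "$dst"
    fi
}

# Print "MODE PATH" for every regular file under DIR whose permission bits
# differ from the expected default. Prints nothing when all files match.
audit_modes() {
    dir=$1 want=${2:-$DEFAULT_MODE}
    find "$dir" -type f ! -perm "$want" -exec stat -c '%a %n' {} +
}

# Demo on constructed files in a temporary directory (run with --demo).
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    mkdir "$tmp/boot"
    ( umask 077; printf 'constructed image\n' > "$tmp/vmlinuz" )
    copy_with_default_mode "$tmp/vmlinuz" "$tmp/boot/linux"    # ends up 0644
    cp --preserve "$tmp/vmlinuz" "$tmp/boot/initrd"            # stays 0600
    audit_modes "$tmp/boot"                                    # lists initrd only
    rm -rf "$tmp"
fi
```

On a filesystem with real permission bits (ext2/3/4), the audit lists only the file copied with 'cp --preserve'; on a vfat mount the reported modes come from fmask/dmask instead.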