From: Karl Denninger
To: FreeBSD-STABLE Mailing List
Subject: Interesting permissions difference on NanoBSD build
Date: Fri, 16 Jun 2017 07:25:31 -0500

I've recently started playing with the "base" NanoBSD scripts and have run into an interesting issue.

Specifically, this is what winds up in the "_.w" (world) directory base when the build completes:

root@NewFS:/pics/Crochet-work-AMD/obj/_.w # ls -al
total 112
drwxr-x---  18 root  wheel    24 Jun 15 17:10 .
drwxr-xr-x   5 root  wheel    24 Jun 15 17:11 ..
-rw-r--r--   2 root  wheel   955 Jun 15 17:09 .cshrc
-rw-r--r--   2 root  wheel   247 Jun 15 17:09 .profile
-r--r--r--   1 root  wheel  6197 Jun 15 17:09 COPYRIGHT
drwxr-xr-x   2 root  wheel    47 Jun 15 17:08 bin
drwxr-xr-x   8 root  wheel    51 Jun 15 17:09 boot
-rw-r--r--   1 root  wheel    12 Jun 15 17:09 boot.config
drwxr-xr-x   2 root  wheel     2 Jun 15 17:09 cfg
drwxr-xr-x   4 root  wheel     4 Jun 15 17:10 conf
dr-xr-xr-x   2 root  wheel     3 Jun 15 17:09 dev
drwxr-x--x  28 root  wheel   110 Jun 15 17:10 etc
drwxr-xr-x   4 root  wheel    56 Jun 15 17:08 lib
drwxr-xr-x   3 root  wheel     5 Jun 15 17:09 libexec
drwxr-xr-x   2 root  wheel     2 Jun 15 17:07 media
drwxr-xr-x   2 root  wheel     2 Jun 15 17:07 mnt
dr-xr-xr-x   2 root  wheel     2 Jun 15 17:07 proc
drwxr-xr-x   2 root  wheel   146 Jun 15 17:08 rescue
drwxr-xr-x   2 root  wheel    12 Jun 15 17:10 root
drwxr-xr-x   2 root  wheel   137 Jun 15 17:08 sbin
lrwxr-xr-x   1 root  wheel    11 Jun 15 17:07 sys -> usr/src/sys
lrwxr-xr-x   1 root  wheel     7 Jun 15 17:10 tmp -> var/tmp
drwxr-x--x  12 root  wheel    12 Jun 15 17:10 usr
drwxr-xr-x  25 root  wheel    25 Jun 15 17:10 var
root@NewFS:/pics/Crochet-work-AMD/obj/_.w #

Note the missing "r" bit for "other" in usr and etc directories -- and the missing "x" bit (at minimum) for the root!

The same is carried down to "local" under usr:

root@NewFS:/pics/Crochet-work-AMD/obj/_.w # ls -al usr
total 134
drwxr-x--x  12 root  wheel   12 Jun 15 17:10 .
drwxr-x---  18 root  wheel   24 Jun 15 17:10 ..
drwxr-xr-x   2 root  wheel  497 Jun 15 17:09 bin
drwxr-xr-x  52 root  wheel  327 Jun 15 17:10 include
drwxr-xr-x   8 root  wheel  655 Jun 15 17:10 lib
drwxr-xr-x   4 root  wheel  670 Jun 15 17:09 lib32
drwxr-xr-x   5 root  wheel    5 Jun 15 17:10 libdata
drwxr-xr-x   7 root  wheel   70 Jun 15 17:10 libexec
drwxr-x--x  10 root  wheel   11 Jun 15 17:10 local
drwxr-xr-x   2 root  wheel  294 Jun 15 17:08 sbin
drwxr-xr-x  31 root  wheel   31 Jun 15 17:10 share
drwxr-xr-x  14 root  wheel   17 Jun 15 17:10 tests
root@NewFS:/pics/Crochet-work-AMD/obj/_.w #

I do not know if this is intentional, but it certainly was not expected. It does carry through to the disk image that is created as well and then there's this, which if you mount the image leads me to wonder what's going on:

root@NewFS:/pics/Crochet-work-AMD/obj # mount -o ro /dev/md0s1a /mnt
root@NewFS:/pics/Crochet-work-AMD/obj # cd /mnt
root@NewFS:/mnt # ls -al
total 34
drwxr-x---  19 root  wheel      512 Jun 15 17:10 .
drwxr-xr-x  45 root  wheel       55 Jun  1 10:58 ..
-rw-r--r--   2 root  wheel      955 Jun 15 17:09 .cshrc
-rw-r--r--   2 root  wheel      247 Jun 15 17:09 .profile
drwxrwxr-x   2 root  operator   512 Jun 15 17:10 .snap
-r--r--r--   1 root  wheel     6197 Jun 15 17:09 COPYRIGHT
drwxr-xr-x   2 root  wheel     1024 Jun 15 17:08 bin
drwxr-xr-x   8 root  wheel     1024 Jun 15 17:09 boot
-rw-r--r--   1 root  wheel       12 Jun 15 17:09 boot.config
drwxr-xr-x   2 root  wheel      512 Jun 15 17:09 cfg
drwxr-xr-x   4 root  wheel      512 Jun 15 17:10 conf
dr-xr-xr-x   2 root  wheel      512 Jun 15 17:09 dev
drwxr-x--x  28 root  wheel     2048 Jun 15 17:10 etc
drwxr-xr-x   4 root  wheel     1536 Jun 15 17:08 lib
drwxr-xr-x   3 root  wheel      512 Jun 15 17:09 libexec
drwxr-xr-x   2 root  wheel      512 Jun 15 17:07 media
drwxr-xr-x   2 root  wheel      512 Jun 15 17:07 mnt
dr-xr-xr-x   2 root  wheel      512 Jun 15 17:07 proc
drwxr-xr-x   2 root  wheel     2560 Jun 15 17:08 rescue
drwxr-xr-x   2 root  wheel      512 Jun 15 17:10 root
drwxr-xr-x   2 root  wheel     2560 Jun 15 17:08 sbin
lrwxr-xr-x   1 root  wheel       11 Jun 15 17:07 sys -> usr/src/sys
lrwxr-xr-x   1 root  wheel        7 Jun 15 17:10 tmp -> var/tmp
drwxr-x--x  12 root  wheel      512 Jun 15 17:10 usr
drwxr-xr-x  25 root  wheel      512 Jun 15 17:10 var

Note the permissions at the root -- that denies *search* for others.... it is an exact copy of the "_.w" permission list of course, but if you create a non-root user as a part of the NanoBSD build you wind up with some "interesting" behavior when that user logs in!

I'm assuming this is unintentional but wondering where it comes from (and whether it needs / should be fixed); it's easy to fix it, of course, once the embedded system boots but you need to (obviously) mount read/write long enough to update it....

-- 
Karl Denninger
karl@denninger.net
/The Market Ticker/
/[S/MIME encrypted email preferred]/
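
Added example, not part of the original message and not NanoBSD code: a check that can be run against the staged "_.w" tree before the image is written, listing directories that "other" cannot both read and search. The function names audit_world and make_sample_world and the default depth of 2 are assumptions made here, and the sample tree is constructed from the modes shown in the listings above.

```shell
#!/bin/sh
# Added example (not NanoBSD code): list directories in a staged world tree
# that "other" cannot both read and search, i.e. mode lacks o+rx (-perm -005).

# audit_world DIR [DEPTH]: print "<mode> <path>" for each offending directory
# down to DEPTH levels (default 2, an assumption; enough to reach usr/local).
audit_world() {
    (
        cd "$1" || exit 2
        find . -maxdepth "${2:-2}" -type d ! -perm -005 -print |
            LC_ALL=C sort |
            while IFS= read -r dir; do
                # First 10 characters of ls -ld are the type and mode bits.
                printf '%s %s\n' "$(ls -ld "$dir" | cut -c1-10)" "$dir"
            done
    )
}

# make_sample_world DIR: constructed tree using the modes from the listings
# above (root 750; etc, usr, usr/local 751; dev 555; the rest 755).
make_sample_world() {
    mkdir -p "$1/bin" "$1/dev" "$1/etc" "$1/usr/bin" "$1/usr/local" "$1/var"
    chmod 755 "$1/bin" "$1/usr/bin" "$1/var"
    chmod 555 "$1/dev"
    chmod 751 "$1/etc" "$1/usr" "$1/usr/local"
    chmod 750 "$1"
}

# Demo on the constructed tree; on a real build pass the _.w path instead.
demo=$(mktemp -d) && make_sample_world "$demo/_.w"
audit_world "$demo/_.w"
rm -rf "$demo"
```

The depth limit keeps the report to the top of the hierarchy, since deeper directories in a real world tree can be restricted on purpose.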