From 8d4ce2d1b7132dbe00486134e60e0e13f715b8d4 Mon Sep 17 00:00:00 2001 From: John Van de Meulebrouck Brendgard Date: Fri, 17 Nov 2023 15:03:47 +0100 Subject: [PATCH] Make sure that COSMOS_BASE is only readable by root since it's possible that the directory can contain files that after applying the overlay to / only should be read or writable by root. --- global/post-tasks.d/014set-cosmos-permissions | 24 +++++++++++++++++++ global/pre-tasks.d/014set-cosmos-permissions | 24 +++++++++++++++++++ 2 files changed, 48 insertions(+) create mode 100755 global/post-tasks.d/014set-cosmos-permissions create mode 100755 global/pre-tasks.d/014set-cosmos-permissions diff --git a/global/post-tasks.d/014set-cosmos-permissions b/global/post-tasks.d/014set-cosmos-permissions new file mode 100755 index 0000000..08992b5 --- /dev/null +++ b/global/post-tasks.d/014set-cosmos-permissions @@ -0,0 +1,24 @@ +#!/bin/sh +# +# Set Cosmos directory permissions so that +# the files cannot be read by anyone but root, +# since it's possible that the directory +# can contain files that after applying the +# overlay to / only should be read or writable +# by root. + +set -e +self=$(basename "$0") + +if ! test -d "$COSMOS_BASE"; then + test -z "$COSMOS_VERBOSE" || echo "$self: COSMOS_BASE was not found. Aborting change of permissions." + exit 0 +fi + +args="" +if [ "x$COSMOS_VERBOSE" = "xy" ]; then + args="-v" +fi + +chown ${args} root:root "$COSMOS_BASE" +chmod ${args} 750 "$COSMOS_BASE" diff --git a/global/pre-tasks.d/014set-cosmos-permissions b/global/pre-tasks.d/014set-cosmos-permissions new file mode 100755 index 0000000..08992b5 --- /dev/null +++ b/global/pre-tasks.d/014set-cosmos-permissions @@ -0,0 +1,24 @@ +#!/bin/sh +# +# Set Cosmos directory permissions so that +# the files cannot be read by anyone but root, +# since it's possible that the directory +# can contain files that after applying the +# overlay to / only should be read or writable +# by root. + +set -e +self=$(basename "$0") + +if ! test -d "$COSMOS_BASE"; then + test -z "$COSMOS_VERBOSE" || echo "$self: COSMOS_BASE was not found. Aborting change of permissions." + exit 0 +fi + +args="" +if [ "x$COSMOS_VERBOSE" = "xy" ]; then + args="-v" +fi + +chown ${args} root:root "$COSMOS_BASE" +chmod ${args} 750 "$COSMOS_BASE"