Changed t-p-s numeric UID breaks persistence.conf access rights check
I installed Tails 1.0, set up persistence, put some files in there. Then upgraded to a build from current experimental, restarted. Then
persistence.conf was disabled, as the ACL for that file gives access to the UID the t-p-s user had on Tails/Squeeze.
The fix seems easy: create this user with the expected, fixed UID at ISO build time.
Create the tails-persistence-setup user with the same UID/GID it had on Tails/Squeeze. (Closes: #7343)
Else, our various checks for safe access rights on persistence.conf fail,
as the ACL stores numerical UID values, and the saved UID does not match
the one tails-persistence-setup gets in Tails 1.1~beta1.
Also remove the --quiet flag: it makes adduser silently ignore failures in
case a user with the same UID already exists.
Also rename the hook to create the tails-persistence-setup user before others,
so that its UID is still free.
Note that we cannot use the mutually exclusive --gid and --group when calling
adduser. That's why we create the group first, with the desired GID.
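The mismatch described in this commit message can be seen by comparing the numeric user entries in an ACL with the account's current UID. The script below is an added example, not code from Tails: the function names, the sample ACL dump and the UIDs 115 and 118 are constructed for illustration, and the dump is in the format printed by `getfacl --numeric`.

```shell
#!/bin/sh
# Added example: flag named-user ACL entries whose numeric UID no longer
# belongs to the expected account (all names below are hypothetical).

# Read `getfacl --numeric` output on stdin; print the UID of every named-user
# entry ("user:<uid>:<perms>"). The owner entry "user::" is skipped.
acl_named_uids() {
    awk -F: '$1 == "user" && $2 ~ /^[0-9]+$/ { print $2 }'
}

# Print the UID of account $1 as recorded in passwd-format file $2.
uid_of() {
    awk -F: -v name="$1" '$1 == name { print $3; exit }' "$2"
}

# stale_acl_uids ACL_DUMP PASSWD USER: print each ACL UID that is not USER's
# current UID. Returns 0 if none, 1 if any is stale, 2 if USER is unknown.
stale_acl_uids() {
    want=$(uid_of "$3" "$2")
    [ -n "$want" ] || return 2
    stale=$(acl_named_uids < "$1" | awk -v want="$want" '$1 != want')
    [ -z "$stale" ] && return 0
    printf '%s\n' "$stale"
    return 1
}

# Constructed sample data: the ACL was saved while the account had UID 115.
demo_dir=$(mktemp -d)
cat > "$demo_dir/acl.txt" <<'EOF'
# file: persistence.conf
# owner: 115
# group: 122
user::rw-
user:115:rw-
group::rw-
mask::rw-
other::---
EOF
printf 'tails-persistence-setup:x:115:122::/nonexistent:/bin/false\n' > "$demo_dir/passwd.old"
printf 'tails-persistence-setup:x:118:125::/nonexistent:/bin/false\n' > "$demo_dir/passwd.new"

for p in old new; do
    if out=$(stale_acl_uids "$demo_dir/acl.txt" "$demo_dir/passwd.$p" tails-persistence-setup); then
        echo "passwd.$p: ACL entries match the account's UID"
    else
        echo "passwd.$p: stale ACL UID(s): $out"
    fi
done
```

With the old passwd file the ACL entry still resolves to the account; with the new one the entry for UID 115 refers to no one the access rights check expects, which is why a fixed UID at build time keeps saved ACLs valid across upgrades.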
#5 Updated by anonym about 5 years ago
Exercise for the reader: why the heck didn't the automated test suite notice this? I should try and reproduce this with a real 1.1~beta1, first.
When I ran the automated test suite, I couldn't use Tails 1.0's image as
--old-iso since essentially all images used by sikuli were updated for Wheezy. So I just used a week-old devel build.
#7 Updated by alant about 5 years ago
To manually fix that under 1.1~beta1, in addition to copying the content of the .insecure-disabled files, one should also change the ACLs of /live/persistence/TailsData_unlocked/ to:
    user::rwx
    user:tails-persistence-setup:rwx
    group::rwx
    mask::rwx
    other::r-x
That can be achieved with the following commands as root:
    setfacl -x user:htp /live/persistence/TailsData_unlocked/
    setfacl -m user:tails-persistence-setup:rwx /live/persistence/TailsData_unlocked/
#8 Updated by intrigeri about 5 years ago
To manually fix that under 1.1~beta1, in addition to copying the content of the
.insecure-disabled files, one should also change the ACLs of
... and then you'll have to do the opposite change when upgrading to a newer beta, or to 1.1 final.