Bug #7343

Changed t-p-s numeric UID breaks persistence.conf access rights check

Added by intrigeri over 5 years ago. Updated over 5 years ago.

Status: Resolved
Priority: Elevated
Assignee: -
Category: Persistence
Target version:
Start date: 05/30/2014
Due date:
% Done: 100%
Feature Branch: bugfix/7343-static-uids
Type of work: Code
Blueprint:
Starter: No
Affected tool:

Description

I installed Tails 1.0, set up persistence, put some files in there. Then upgraded to a build from current experimental, restarted. Then persistence.conf was disabled, as the ACL for that file gives access to the UID the t-p-s user had on Tails/Squeeze.

The fix seems easy: create this user with the expected, fixed UID at ISO build time.


Related issues

Blocks Tails - Bug #7338: NetworkManager persistence setting is not migrated Resolved 05/29/2014

Associated revisions

Revision 2f565f6b (diff)
Added by Tails developers over 5 years ago

Create the tails-persistence-setup user with the same UID/GID it had on Tails/Squeeze. (Closes: #7343)

Else, our various checks for safe access rights on persistence.conf fail,
as the ACL stores numerical UID values, and the saved UID does not match
the one tails-persistence-setup gets in Tails 1.1~beta1.

Also remove the --quiet flag: it makes adduser silently ignore failures in
case a user with the same UID already exists.

Also rename the hook to create the tails-persistence-setup user before others,
so that its UID is still free.

Note that we cannot use the mutually exclusive --gid and --group when calling
adduser. That's why we create the group first, with the desired GID.
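The failure described above can be checked for directly, because `getfacl --numeric` prints the raw UID stored in each ACL entry. The following is an added example, not code from the Tails repository or from this commit; the function names, the sample ACL text and the UIDs 111 and 115 are constructed for illustration.

```shell
#!/bin/sh
# Added example: the UID values and ACL text below are constructed, not taken from Tails.

# acl_uid_status EXPECTED_UID
# Reads `getfacl --numeric` output on stdin and prints:
#   ok            the only named-user entry is EXPECTED_UID
#   missing       there is no named-user entry at all
#   stale:U1,U2   named-user entries exist for other numeric UIDs
acl_uid_status() {
    awk -F: -v want="$1" '
        /^#/ || NF < 3 { next }            # skip header comments and blank lines
        $1 == "user" && $2 != "" {         # named-user entry: user:<uid>:<perms>
            if ($2 == want) found = 1
            else stale = stale (stale != "" ? "," : "") $2
        }
        END {
            if (stale != "") print "stale:" stale
            else if (found)  print "ok"
            else             print "missing"
        }'
}

# Constructed sample: ACL written while the account had UID 111.
SAMPLE_ACL='# file: persistence.conf
# owner: 111
# group: 111
user::rw-
user:111:rw-
group::rw-
mask::rw-
other::---'

# The same ACL seen from a system where the account now has UID 115 (stale),
# and from one where the UID was pinned to 111 at build time (ok).
status_after_uid_change() { printf '%s\n' "$SAMPLE_ACL" | acl_uid_status 115; }
status_with_pinned_uid()  { printf '%s\n' "$SAMPLE_ACL" | acl_uid_status 111; }

# On a live system, as root (directory path as given in comment #7):
#   getfacl --numeric /live/persistence/TailsData_unlocked/ \
#     | acl_uid_status "$(id -u tails-persistence-setup)"
```

A `stale:` result means the ACL still names the UID from the release that created the volume, which is the condition that makes the access rights check reject persistence.conf.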

History

#1 Updated by intrigeri over 5 years ago

  • Description updated (diff)

Exercise for the reader: why the heck didn't the automated test suite notice this? I should try and reproduce this with a real 1.1~beta1, first.

#2 Updated by intrigeri over 5 years ago

  • Status changed from Confirmed to In Progress
  • % Done changed from 0 to 10
  • Feature Branch set to bugfix/7343-static-uids

#3 Updated by intrigeri over 5 years ago

  • Assignee changed from intrigeri to anonym
  • % Done changed from 10 to 40
  • QA Check set to Ready for QA

#4 Updated by intrigeri over 5 years ago

  • Blocks Bug #7338: NetworkManager persistence setting is not migrated added

#5 Updated by anonym over 5 years ago

intrigeri wrote:

Exercise for the reader: why the heck didn't the automated test suite notice this? I should try and reproduce this with a real 1.1~beta1, first.

When I ran the automated test suite, I couldn't use Tails 1.0's image as --old-iso since essentially all images used by sikuli were updated for Wheezy. So I just used a week-old devel build.

#6 Updated by anonym over 5 years ago

  • Status changed from In Progress to 11
  • Assignee deleted (anonym)
  • % Done changed from 40 to 100
  • QA Check changed from Ready for QA to Pass

#7 Updated by alant over 5 years ago

To manually fix that under 1.1~beta1, in addition to copying the content of the .insecure-disabled files, one should also change the ACLs of /live/persistence/TailsData_unlocked/ to:

user::rwx
user:tails-persistence-setup:rwx
group::rwx
mask::rwx
other::r-x

That can be achieved with the following commands as root:

setfacl -x user:htp /live/persistence/TailsData_unlocked/
setfacl -m user:tails-persistence-setup:rwx /live/persistence/TailsData_unlocked/

#8 Updated by intrigeri over 5 years ago

To manually fix that under 1.1~beta1, in addition to copying the content of the
.insecure-disabled files, one should also change the ACLs of
/live/persistence/TailsData_unlocked/ to:

... and then you'll have to do the opposite change when upgrading to a newer beta, or to 1.1 final.

#9 Updated by BitingBird over 5 years ago

  • Status changed from 11 to Resolved
