Allow specifying ownership and mode of custom airootfs files and directories

profiledef.sh can now contain an associative array called file_permissions which can be used to set custom ownership and mode of custom airootfs files. The array's keys contain the path and the value is a colon separated list of owner UID, owner GID and access mode.
For example:

    file_permissions=(
      ["/etc/shadow"]="0:0:400"
    )

This means that mkarchiso now copies airootfs files (and directores) without permissions and anything that should be owned by a user other than root and/or if the mode should be something other than 644 for files and 755 for directories must to be listed in ${file_permission[@]} in profiledef.sh.

Fixes https://gitlab.archlinux.org/archlinux/archiso/-/issues/61 .
This commit is contained in:
nl6720 2020-11-14 11:43:13 +02:00
parent 2c99df5c9b
commit 42d9e4f983
No known key found for this signature in database
GPG Key ID: 5CE88535E188D369
4 changed files with 36 additions and 24 deletions

View File

@ -52,6 +52,9 @@ The image file is constructed from some of the variables in **profiledef.sh**: `
- `ext4+squashfs`: Create an ext4 partition, copy the airootfs work directory to it and create a squashfs image from it - `ext4+squashfs`: Create an ext4 partition, copy the airootfs work directory to it and create a squashfs image from it
* `airootfs_image_tool_options`: An array of options to pass to the tool to create the airootfs image. Currently only * `airootfs_image_tool_options`: An array of options to pass to the tool to create the airootfs image. Currently only
`mksquashfs` is supported - see `mksquashfs --help` for all possible options (defaults to `('-comp' 'xz')`). `mksquashfs` is supported - see `mksquashfs --help` for all possible options (defaults to `('-comp' 'xz')`).
- `file_permissions`: An associative array that lists files and/or directories who need specific ownership or
permissions. The array's keys contain the path and the value is a colon separated list of owner UID, owner GID and
access mode. E.g. `file_permissions=(["/etc/shadow"]="0:0:400")`.
packages.arch packages.arch
============= =============
@ -91,8 +94,9 @@ airootfs
This - optional - directory may contain files and directories that will be copied to the work directory of the resulting This - optional - directory may contain files and directories that will be copied to the work directory of the resulting
image's root filesystem. image's root filesystem.
The files are copied before packages are being installed to work directory location. The files are copied before packages are being installed to work directory location.
Ownership of files and directories from the profile's `airootfs` directory are not preserved (permissions are currently Ownership and permissions of files and directories from the profile's `airootfs` directory are not preserved. The mode
the same as in the profile's `airootfs` - see `#61 <https://gitlab.archlinux.org/archlinux/archiso/-/issues/73>`_). will be `644` for files and `755` for directories, all of them will be owned by root. To set custom ownership and/or
permissions, use `file_permissions` in **profiledef.sh**.
With this overlay structure it is possible to e.g. create users and set passwords for them, by providing With this overlay structure it is possible to e.g. create users and set passwords for them, by providing
`airootfs/etc/passwd`, `airootfs/etc/shadow`, `airootfs/etc/gshadow` (see `man 5 passwd`, `man 5 shadow` and `man 5 `airootfs/etc/passwd`, `airootfs/etc/shadow`, `airootfs/etc/gshadow` (see `man 5 passwd`, `man 5 shadow` and `man 5

View File

@ -37,6 +37,7 @@ override_pacman_conf=""
bootmodes=() bootmodes=()
airootfs_image_type="squashfs" airootfs_image_type="squashfs"
airootfs_image_tool_options=('-comp' 'xz') airootfs_image_tool_options=('-comp' 'xz')
declare -A file_permissions=()
# Show an INFO message # Show an INFO message
@ -257,30 +258,23 @@ _make_pacman_conf() {
# Prepare working directory and copy custom airootfs files (airootfs) # Prepare working directory and copy custom airootfs files (airootfs)
_make_custom_airootfs() { _make_custom_airootfs() {
local passwd=() local passwd=()
local filename permissions
install -d -m 0755 -o 0 -g 0 -- "${airootfs_dir}" install -d -m 0755 -o 0 -g 0 -- "${airootfs_dir}"
if [[ -d "${profile}/airootfs" ]]; then if [[ -d "${profile}/airootfs" ]]; then
_msg_info "Copying custom airootfs files and setting up user home directories..." _msg_info "Copying custom airootfs files..."
cp -af --no-preserve=ownership -- "${profile}/airootfs/." "${airootfs_dir}" cp -af --no-preserve=ownership,mode -- "${profile}/airootfs/." "${airootfs_dir}"
# Set ownership and mode for files and directories
[[ -e "${airootfs_dir}/etc/shadow" ]] && chmod -f 0400 -- "${airootfs_dir}/etc/shadow" for filename in "${!file_permissions[@]}"; do
[[ -e "${airootfs_dir}/etc/gshadow" ]] && chmod -f 0400 -- "${airootfs_dir}/etc/gshadow" IFS=':' read -ra permissions <<< "${file_permissions["${filename}"]}"
if [[ -e "${airootfs_dir}${filename}" ]]; then
# Set up user home directories and permissions chown -fh -- "${permissions[0]}:${permissions[1]}" "${airootfs_dir}${filename}"
if [[ -e "${airootfs_dir}/etc/passwd" ]]; then chmod -f -- "${permissions[2]}" "${airootfs_dir}${filename}"
while IFS=':' read -a passwd -r; do
[[ "${passwd[5]}" == '/' ]] && continue
[[ -z "${passwd[5]}" ]] && continue
if [[ -d "${airootfs_dir}${passwd[5]}" ]]; then
chown -hR -- "${passwd[2]}:${passwd[3]}" "${airootfs_dir}${passwd[5]}"
chmod -f 0750 -- "${airootfs_dir}${passwd[5]}"
else else
install -d -m 0750 -o "${passwd[2]}" -g "${passwd[3]}" -- "${airootfs_dir}${passwd[5]}" _msg_warning "Cannot change permissions of '${airootfs_dir}${filename}'. The file or directory does not exist."
fi
done < "${airootfs_dir}/etc/passwd"
fi fi
done
_msg_info "Done!" _msg_info "Done!"
fi fi
} }
@ -318,10 +312,12 @@ _make_customize_airootfs() {
(( passwd[2] >= 1000 && passwd[2] < 60000 )) || continue (( passwd[2] >= 1000 && passwd[2] < 60000 )) || continue
[[ "${passwd[5]}" == '/' ]] && continue [[ "${passwd[5]}" == '/' ]] && continue
[[ -z "${passwd[5]}" ]] && continue [[ -z "${passwd[5]}" ]] && continue
cp -dnRT --preserve=mode,timestamps,links -- "${airootfs_dir}/etc/skel" "${airootfs_dir}${passwd[5]}" if [[ ! -d "${airootfs_dir}${passwd[5]}" ]]; then
install -d -m 0750 -o "${passwd[2]}" -g "${passwd[3]}" -- "${airootfs_dir}${passwd[5]}"
fi
cp -dnRT --preserve=mode,timestamps,links -- "${airootfs_dir}/etc/skel/." "${airootfs_dir}${passwd[5]}"
chmod -f 0750 -- "${airootfs_dir}${passwd[5]}" chmod -f 0750 -- "${airootfs_dir}${passwd[5]}"
chown -hR -- "${passwd[2]}:${passwd[3]}" "${airootfs_dir}${passwd[5]}" chown -hR -- "${passwd[2]}:${passwd[3]}" "${airootfs_dir}${passwd[5]}"
done < "${profile}/airootfs/etc/passwd" done < "${profile}/airootfs/etc/passwd"
_msg_info "Done!" _msg_info "Done!"
fi fi
@ -329,6 +325,7 @@ _make_customize_airootfs() {
if [[ -e "${airootfs_dir}/root/customize_airootfs.sh" ]]; then if [[ -e "${airootfs_dir}/root/customize_airootfs.sh" ]]; then
_msg_info "Running customize_airootfs.sh in '${airootfs_dir}' chroot..." _msg_info "Running customize_airootfs.sh in '${airootfs_dir}' chroot..."
_msg_warning "customize_airootfs.sh is deprecated! Support for it will be removed in a future archiso version." _msg_warning "customize_airootfs.sh is deprecated! Support for it will be removed in a future archiso version."
chmod -f -- +x "${airootfs_dir}/root/customize_airootfs.sh"
eval -- arch-chroot "${airootfs_dir}" "/root/customize_airootfs.sh" eval -- arch-chroot "${airootfs_dir}" "/root/customize_airootfs.sh"
rm -- "${airootfs_dir}/root/customize_airootfs.sh" rm -- "${airootfs_dir}/root/customize_airootfs.sh"
_msg_info "Done! customize_airootfs.sh run successfully." _msg_info "Done! customize_airootfs.sh run successfully."

View File

@ -10,3 +10,6 @@ install_dir="arch"
bootmodes=('bios.syslinux.mbr' 'bios.syslinux.eltorito' 'uefi-x64.systemd-boot.esp' 'uefi-x64.systemd-boot.eltorito') bootmodes=('bios.syslinux.mbr' 'bios.syslinux.eltorito' 'uefi-x64.systemd-boot.esp' 'uefi-x64.systemd-boot.eltorito')
arch="x86_64" arch="x86_64"
pacman_conf="pacman.conf" pacman_conf="pacman.conf"
file_permissions=(
["/etc/shadow"]="0:0:400"
)

View File

@ -11,3 +11,11 @@ bootmodes=('bios.syslinux.mbr' 'bios.syslinux.eltorito' 'uefi-x64.systemd-boot.e
arch="x86_64" arch="x86_64"
pacman_conf="pacman.conf" pacman_conf="pacman.conf"
airootfs_image_tool_options=('-comp' 'xz' '-Xbcj' 'x86' '-b' '1M' '-Xdict-size' '1M') airootfs_image_tool_options=('-comp' 'xz' '-Xbcj' 'x86' '-b' '1M' '-Xdict-size' '1M')
file_permissions=(
["/etc/shadow"]="0:0:400"
["/root"]="0:0:750"
["/root/.automated_script.sh"]="0:0:750"
["/usr/local/bin/choose-mirror"]="0:0:755"
["/usr/local/bin/Installation_guide"]="0:0:755"
["/usr/local/bin/livecd-sound"]="0:0:755"
)