From 8c720efa053f81dc8d2bb604cdbdb25de9a6efab Mon Sep 17 00:00:00 2001
From: Mark Hatle
Date: Mon, 20 Jun 2011 10:57:49 -0500
Subject: classes/package.bbclass: Add fixup_perms

Add a new function that is responsible for fixing directory and file permissions, owners and groups during the packaging process. This will fix various issues where two packages may create the same directory and end up with different permissions, owner and/or group.

The issue being resolved is that if two packages conflict in their ownership of a directory, the first installed into the rootfs sets the permissions. This leads to at least potentially non-deterministic filesystems, at worst security defects.

The user can specify their own settings via the configuration files specified in FILESYSTEM_PERMS_TABLES. If this is not defined, it will fall back to loading files/fs-perms.txt from BBPATH. The format of this file is documented within the file.

By default all of the system directories, specified in bitbake.conf, will be fixed to be 0755, root, root.

The fs-perms.txt contains a few default entries to correct documentation, locale, headers and debug sources. It was discovered these are often incorrect due to being directly copied from the build user environment.

The entries needed to match the base-files package have also been added.

Also tweak a couple of warnings to provide more diagnostic information.

Signed-off-by: Mark Hatle
---
 meta/files/fs-perms.txt | 69 +++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 69 insertions(+)
 create mode 100644 meta/files/fs-perms.txt

(limited to 'meta/files')

diff --git a/meta/files/fs-perms.txt b/meta/files/fs-perms.txt
new file mode 100644
index 000000000..f5a2b696e
--- /dev/null
+++ b/meta/files/fs-perms.txt
@@ -0,0 +1,69 @@ +# This file contains a list of files and directories with known permissions. +# It is used by the packaging class to ensure that the permissions, owners and +# group of listed files and directories are in sync across the system. +# +# The format of this file +# +# +# +# or +# +# link +# +# : directory path +# : mode for directory +# : uid for directory +# : gid for directory +# : recursively walk the directory? true or false +# : if walking, new mode for files +# : if walking, new uid for files +# : if walking, new gid for files +# : turn the directory into a symlink point to target +# +# in mode, uid or gid, a "-" means don't change any existing values +# +# /usr/src 0755 root root false - - - +# /usr/share/man 0755 root root true 0644 root root + +# Note: all standard config directories are automatically assigned "0755 root root false - - -" + +# Documentation should always be corrected +${mandir} 0755 root root true 0644 root root +${infodir} 0755 root root true 0644 root root +${docdir} 0755 root root true 0644 root root +${datadir}/gtk-doc 0755 root root true 0644 root root + +# Fixup locales +${datadir}/locale 0755 root root true 0644 root root + +# Cleanup headers +${includedir} 0755 root root true 0644 root root +${oldincludedir} 0755 root root true 0644 root root + +# Cleanup debug src +/usr/src/debug 0755 root root true 0644 root root + +# Items from base-files +# Links +${localstatedir}/cache link volatile/cache +${localstatedir}/run link volatile/run +${localstatedir}/log link volatile/log +${localstatedir}/lock link volatile/lock +${localstatedir}/tmp link volatile/tmp + +# Special permissions from base-files +# Set 1777 +/tmp 01777 root root false - - - +${localstatedir}/volatile/lock 01777 root root false - - - +${localstatedir}/volatile/tmp 01777 root root false - - - + +# Set 2775 +/home 02755 root root false - - - +${prefix}/src 02755 root root false - - - +${localstatedir}/local 02755 root root false - - - + +# Set 3755 +/srv 
0755 root root false - - - + +# Set 4775 +/var/mail 02755 root root false - - - -- cgit v1.2.3
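
Review bot: In the "Special permissions from base-files" block the comment headings do not match the modes on the entries beneath them: "# Set 2775" is followed by 02755 for /home, ${prefix}/src and ${localstatedir}/local, "# Set 3755" is followed by /srv at plain 0755, and "# Set 4775" is followed by /var/mail at 02755. Because this table decides the final mode when two packages disagree, a reader cannot tell whether the heading or the value is the intended one; for the setgid directories the difference is whether the group gets write access (2775) or not (2755), and a literal 4775 would be setuid rather than setgid. Please make each heading state the mode that is actually applied, or correct the values if base-files expects something else. Separately, the recursive entries such as "${docdir} 0755 root root true 0644 root root" force every file under the tree to 0644, which clears the execute bit on anything executable shipped there; a sentence in the header comment saying that this is intended would help.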