Ticket #5626 (closed defect: fixed)

Opened 7 years ago

Last modified 7 years ago

Permissions on ~olpc/Activities are too restrictive.

Reported by: cscott
Owned by: mstone
Priority: blocker
Milestone: Update.1
Component: distro
Version:
Keywords: update.1?
Cc: mstone, marco
Action Needed:
Verified: no
Deployments affected:
Blocked By:
Blocking:

Description

On upgrade, olpc-configure resets permissions in /home/olpc to 770; the contents of ~olpc/Activities need to be 755 or 775 instead (installing new Activities sets their permissions to 755).

This is a blocker for update.1, since otherwise pre-installed activities are unusable after upgrade.

Change History

Changed 7 years ago by cscott

  • keywords update.1? added
  • priority changed from normal to blocker

Changed 7 years ago by jg

  • milestone changed from Never Assigned to Update.1

Changed 7 years ago by bernie

  • status changed from new to assigned

Michael, should I set permissions of /home/olpc and all its descendant directories to 775?

We need at least the x bit for "others" on /home/olpc if we want to make /home/olpc/Activities accessible.

Changed 7 years ago by mstone

As we learned in #5320, this issue is a bit subtle.

Currently, (i.e. while Rainbow runs as root and while the Datastore runs as uid 500), the important things are that

  • /home/olpc/.sugar should be rwx by uid 500 and --- by anyone else.
  • /home/olpc and /home/olpc/Activities should be rwx by uid 500 and r-x by anyone else.
  • /home/olpc should contain _no_ world-writable files in directories that are world-traversable.

Any assignment of permissions to files in /home/olpc that is consistent with these principles is fine by me, though we should probably be careful to keep SSH happy by locking down .ssh and to keep a tight lid on other sensitive files.
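
The three rules in the comment above can be checked mechanically against a home directory tree. The following is an added example, not code from this ticket or from olpc-utils; the function name `audit_home`, the `owner_uid` parameter, and the reading of "anyone else" as the "other" permission class (group bits are not checked) are assumptions.

```python
import os
import stat

def audit_home(home, owner_uid=500):
    """Return sorted (relative_path, problem) pairs that break the three rules."""
    findings = []

    def check_dir(rel, want_other):
        # Rules 1 and 2: owner has rwx, "other" bits match exactly.
        path = os.path.join(home, rel) if rel else home
        if not os.path.isdir(path):
            return  # a missing directory is not reported here
        st = os.lstat(path)
        mode = stat.S_IMODE(st.st_mode)
        if st.st_uid != owner_uid or mode & 0o700 != 0o700:
            findings.append((rel or ".", "owner uid %d must have rwx" % owner_uid))
        if mode & 0o007 != want_other:
            findings.append((rel or ".", "other bits are %o, want %o"
                             % (mode & 0o007, want_other)))

    check_dir("", 0o5)            # /home/olpc: r-x for others
    check_dir("Activities", 0o5)  # ~/Activities: r-x for others
    check_dir(".sugar", 0o0)      # ~/.sugar: --- for others

    def walk(path, rel):
        # Rule 3: only reached for directories "other" can traverse from
        # home downwards. Directories count as files for this check.
        for entry in os.scandir(path):
            if entry.is_symlink():
                continue  # a symlink's own mode bits carry no meaning
            child_rel = os.path.join(rel, entry.name)
            mode = stat.S_IMODE(entry.stat(follow_symlinks=False).st_mode)
            if mode & 0o002:
                findings.append((child_rel,
                                 "world-writable inside world-traversable directory"))
            if entry.is_dir(follow_symlinks=False) and mode & 0o001:
                walk(entry.path, child_rel)

    if stat.S_IMODE(os.lstat(home).st_mode) & 0o001:
        walk(home, "")
    return sorted(findings)

if __name__ == "__main__":
    for rel, problem in audit_home("/home/olpc"):
        print("%s: %s" % (rel, problem))
```

With /home/olpc and Activities at 770, as described in this ticket, the audit reports both directories; a world-writable file under a 700 `.sugar` is not reported because others cannot reach it.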

Changed 7 years ago by bernie

  • status changed from assigned to new
  • owner changed from bernie to dgilmore

Please let the dust settle for a couple of days, then tag:

olpc-utils-0.63-1.olpc2

for update1

Changed 7 years ago by dgilmore

  • owner changed from dgilmore to bernie

Bernie, you need to get approval for update before it goes in. I can't give you that. Please follow the procedure at http://wiki.laptop.org/go/Update.1_process

Changed 7 years ago by mstone

  • owner changed from bernie to ApprovalForUpdate

Changed 7 years ago by mstone

  • blocking 5320 added

Changed 7 years ago by mstone

  • blocking 5851 added

(In #5851) Should be fixed in joyride-1508 and later.

Changed 7 years ago by jg

  • owner changed from ApprovalForUpdate to dgilmore

Approved.

Changed 7 years ago by dgilmore

  • owner changed from dgilmore to cscott

Please test update.1 build 684

Changed 7 years ago by cscott

  • owner changed from cscott to mstone

Michael, can you confirm that permissions are reasonable when upgrading to the latest update.1 build, and when it is installed cleanly?

Changed 7 years ago by mstone

  • status changed from new to closed
  • resolution set to fixed