Opened 7 years ago

Closed 7 years ago

#5626 closed defect (fixed)

Permissions on ~olpc/Activities are too restrictive.

Reported by: cscott
Owned by: mstone
Priority: blocker
Milestone: Update.1
Component: distro
Version:
Keywords: update.1?
Cc: mstone, marco
Blocked By:
Blocking: #5320, #5851
Deployments affected:
Action Needed:
Verified: no

Description

On upgrade, olpc-configure resets permissions in /home/olpc to 770; the contents of ~olpc/Activities need to be 755 or 775 instead (installing new Activities sets their permissions to 755).

This is a blocker for update.1, since otherwise pre-installed activities are unusable after upgrade.

Change History (13)

comment:1 Changed 7 years ago by cscott

  • Keywords update.1? added
  • Priority changed from normal to blocker

comment:2 Changed 7 years ago by jg

  • Milestone changed from Never Assigned to Update.1

comment:3 Changed 7 years ago by bernie

  • Status changed from new to assigned

Michael, should I set permissions of /home/olpc and all its descendant directories to 775?

We need at least the x bit for "others" on /home/olpc if we want to make /home/olpc/Activities accessible.

comment:4 Changed 7 years ago by mstone

As we learned in #5320, this issue is a bit subtle.

Currently (i.e. while Rainbow runs as root and while the Datastore runs as uid 500), the important things are that:

  • /home/olpc/.sugar should be rwx by uid 500 and --- by anyone else.
  • /home/olpc and /home/olpc/Activities should be rwx by uid 500 and r-x by anyone else.
  • /home/olpc should contain _no_ world-writable files in directories that are world-traversable.

Any assignment of permissions to files in /home/olpc that is consistent with these principles is fine by me, though we should probably be careful to keep SSH happy by locking down .ssh and to keep a tight lid on other sensitive files.
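
The three rules in comment:4 can be checked mechanically. The following is an added example, not part of the ticket or of olpc-utils: a Python audit that walks a home directory and reports violations. The function name audit_home, the constructed test tree, and the reading of "anyone else" as the "other" permission class are assumptions.

```python
import os
import stat
import tempfile

def audit_home(home, owner_uid=500):
    """Return (path, problem) pairs that violate the three rules in comment:4."""
    findings = []

    def check_dir(path, want_other):
        st = os.lstat(path)
        mode = stat.S_IMODE(st.st_mode)
        if st.st_uid != owner_uid or (mode & 0o700) != 0o700:
            findings.append((path, "not rwx for owner uid %d" % owner_uid))
        if (mode & 0o007) != want_other:
            findings.append((path, "other bits are %o, want %o" % (mode & 0o007, want_other)))

    # Rules 1 and 2. Assumption: "anyone else" means the "other" class;
    # group bits are not judged, since the ticket accepts both 755 and 775.
    check_dir(home, 0o5)
    for name, want_other in ((".sugar", 0o0), ("Activities", 0o5)):
        path = os.path.join(home, name)
        if os.path.isdir(path):
            check_dir(path, want_other)

    # Rule 3: nothing world-writable inside a directory others can traverse.
    for root, dirs, files in os.walk(home):
        if not os.lstat(root).st_mode & stat.S_IXOTH:
            dirs[:] = []  # others cannot enter here, so nothing below is exposed
            continue
        for name in dirs + files:
            path = os.path.join(root, name)
            st = os.lstat(path)
            if not stat.S_ISLNK(st.st_mode) and st.st_mode & stat.S_IWOTH:
                findings.append((path, "world-writable in a world-traversable directory"))
    return findings

if __name__ == "__main__":
    # Constructed tree imitating the post-upgrade state from the description (770).
    home = tempfile.mkdtemp()
    for name in (".sugar", "Activities"):
        os.mkdir(os.path.join(home, name))
        os.chmod(os.path.join(home, name), 0o770)
    os.chmod(home, 0o770)
    for path, problem in audit_home(home, owner_uid=os.getuid()):
        print(path, "->", problem)
```

Run against the constructed 770 tree, it flags both the home directory and Activities for missing r-x for others, which is the state the description reports after an upgrade.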

comment:5 Changed 7 years ago by bernie

  • Owner changed from bernie to dgilmore
  • Status changed from assigned to new

Please let the dust settle for a couple of days, then tag:

olpc-utils-0.63-1.olpc2

for update1

comment:6 Changed 7 years ago by dgilmore

  • Owner changed from dgilmore to bernie

bernie, you need to get approval for update before it goes in. I can't give you that. Please follow the procedure at http://wiki.laptop.org/go/Update.1_process

comment:7 Changed 7 years ago by mstone

  • Owner changed from bernie to ApprovalForUpdate

comment:8 Changed 7 years ago by mstone

  • Blocking 5320 added

comment:9 Changed 7 years ago by mstone

  • Blocking 5851 added

(In #5851) Should be fixed in joyride-1508 and later.

comment:10 Changed 7 years ago by jg

  • Owner changed from ApprovalForUpdate to dgilmore

Approved.

comment:11 Changed 7 years ago by dgilmore

  • Owner changed from dgilmore to cscott

Please test update.1 build 684

comment:12 Changed 7 years ago by cscott

  • Owner changed from cscott to mstone

Michael, can you confirm that permissions are reasonable when upgrading to the latest update.1 build, and when it is installed cleanly?

comment:13 Changed 7 years ago by mstone

  • Resolution set to fixed
  • Status changed from new to closed