authorTails developers <amnesia@boum.org>2013-03-19 16:16:39 +0100
committerTails developers <amnesia@boum.org>2013-03-19 16:16:39 +0100
commit3399907b0ff5112edf8c70a2f2d3f14881eb1be5 (patch)
treefb4cf4fe9b748fa6fbcf253abfb6441b0b03500e
parent4d6933b79d62cd426af7dce71dad60d4221e3dee (diff)
New fix for bugs/writable_system_disk:_belongs_to_floppy_groupbugfix/writable_boot_media
-rw-r--r--config/chroot_local-includes/etc/udev/rules.d/99-boot-dev-ownership.rules6
-rwxr-xr-xconfig/chroot_local-includes/lib/live/config/9980-permissions30
-rwxr-xr-xconfig/chroot_local-includes/usr/local/sbin/udev-boot-dev-helper18
3 files changed, 24 insertions, 30 deletions
diff --git a/config/chroot_local-includes/etc/udev/rules.d/99-boot-dev-ownership.rules b/config/chroot_local-includes/etc/udev/rules.d/99-boot-dev-ownership.rules
new file mode 100644
index 0000000..0073bae
--- /dev/null
+++ b/config/chroot_local-includes/etc/udev/rules.d/99-boot-dev-ownership.rules
@@ -0,0 +1,6 @@
+# Fix for Debian bug #645466.
+# Note: Must be applied after /lib/udev/rules.d/91-permissions.rules
+
+SUBSYSTEM=="block", SUBSYSTEMS=="usb", \
+ IMPORT{program}="/usr/local/sbin/udev-boot-dev-helper %k"
+SUBSYSTEM=="block", SUBSYSTEMS=="usb", ENV{IS_ON_BOOT_DEV}=="yes", GROUP="disk"
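Review bot: Neither rule carries an ACTION match, so the IMPORT{program} on the first rule runs the helper for every uevent of every USB block device, including "remove" events where there is no device node left to classify and the mountpoint/readlink work in the helper is wasted. Prefixing both rules with `ACTION=="add|change", ` limits the helper (which forks mountpoint, sed and grep per event) to the events where the GROUP assignment can actually take effect. The comment on the second line should also say what the rule is for, e.g. `# Keep the boot medium out of the 'floppy' group so the live user cannot write to it.`, since the Debian bug number alone does not tell a reader why GROUP="disk" matters here.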
diff --git a/config/chroot_local-includes/lib/live/config/9980-permissions b/config/chroot_local-includes/lib/live/config/9980-permissions
index d446bf8..2205be2 100755
--- a/config/chroot_local-includes/lib/live/config/9980-permissions
+++ b/config/chroot_local-includes/lib/live/config/9980-permissions
@@ -1,39 +1,9 @@
#!/bin/sh
-Fix_debian_bug_645466 ()
-{
- # Fix bugs/writable_system_disk:_belongs_to_floppy_group (Debian
- # bug #645466). Short story: udev sets a USB boot device's group
- # ownership to 'floppy' making it writable by the live user. To
- # prevent this we set it to 'disk'.
-
- boot_dev_id=$(udevadm info --device-id-of-file=/lib/live/mount/medium)
- boot_dev=$(readlink -f /dev/block/"${boot_dev_id}")
- boot_dev_type=$(udevadm info --query=property --name="${boot_dev}" | \
- awk -F'=' '/ID_BUS/ { print $2 }')
- if [ "${boot_dev_type}" != usb ]; then
- return
- fi
- boot_dev_group=$(stat -c %G "${boot_dev}")
- if [ "${boot_dev_group}" != disk ]; then
- chgrp disk "${boot_dev}"
- parent_path=$(udevadm info --query=property --name="${boot_dev}" | \
- awk -F'=' '/UDISKS_PARTITION_SLAVE/ { print $2 }')
- if [ -n "${parent_path}" ]; then
- parent_name=$(udevadm info --query=name --path="${parent_path}")
- if [ -n "${parent_name}" ]; then
- parent_dev=/dev/${parent_name}
- chgrp disk "${parent_dev}"*
- fi
- fi
- fi
-}
-
Fix_permissions ()
{
echo "- fixing permissions"
chown -R "${LIVE_USERNAME}":"${LIVE_USERNAME}" "/home/${LIVE_USERNAME}"
- Fix_debian_bug_645466
# Creating state file
touch /var/lib/live/config/permissions
diff --git a/config/chroot_local-includes/usr/local/sbin/udev-boot-dev-helper b/config/chroot_local-includes/usr/local/sbin/udev-boot-dev-helper
new file mode 100755
index 0000000..4347601
--- /dev/null
+++ b/config/chroot_local-includes/usr/local/sbin/udev-boot-dev-helper
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+# Turns out we cannot use function using `udevadm` in this library for
+# this script since it's used in an udev rule; at that time the udev
+# database isn't finished and any queries in it cannot be trusted.
+. /usr/local/lib/tails-shell-library/boot.sh
+
+# XXX: This code is pretty crude thanks to not having udev to query
+# for the parent device. In Wheezy with its newer blkid we'll be able
+# to determine the parent device more reliably, if we care.
+boot_part_id=$(mountpoint -d "${BOOT_IMAGE}")
+boot_part=$(dev_id_to_block_dev "${boot_part_id}")
+boot_dev=$(echo ${boot_part} | sed 's/[0-9]*$//')
+if [ -b "${boot_dev}" ] && \
+ echo ${boot_dev} | grep -q "^/dev/sd[a-z]$" && \
+ echo /dev/$1 | grep -q "^${boot_dev}"; then
+ echo IS_ON_BOOT_DEV=yes
+fi
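Review bot: The final test `echo /dev/$1 | grep -q "^${boot_dev}"` is an unanchored prefix match, so with boot_dev=/dev/sda a kernel name such as sdab (or any future sda-prefixed node) is also reported as being on the boot device; anchor it to the partition-number suffix, `echo "/dev/$1" | grep -q "^${boot_dev}[0-9]*$"`, and quote `$1` and `${boot_part}` on that line and on the `sed` line so an unexpected name cannot word-split. The script also fails open with respect to the bug it fixes: if `mountpoint -d` or dev_id_to_block_dev yields nothing (BOOT_IMAGE presumably comes from the sourced boot.sh — not visible here), boot_dev is empty, `[ -b "" ]` is false and the helper silently prints nothing, leaving the medium in group floppy and therefore writable by the live user. A diagnostic on that path, e.g. `[ -b "${boot_dev}" ] || echo "udev-boot-dev-helper: cannot identify boot device for $1" >&2`, would at least make the regression visible in the udev log. Since the rule passes `%k` and the script assumes it is non-empty, a `[ -n "$1" ] || exit 0` guard at the top would also document that contract.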