summaryrefslogtreecommitdiff
path: root/parabolaiso
diff options
context:
space:
mode:
authorDavid P <megver83@parabola.nu>2020-12-02 16:33:08 -0300
committerDavid P <megver83@parabola.nu>2020-12-02 16:33:08 -0300
commitce23b5ac79cc6ff418eabe5303c8029e381b0a1c (patch)
tree57522d7be01f266dae658cf4b3ccdd15b0a2977a /parabolaiso
parent39f2387cbc51e6ba634984931ea2de160c3c350a (diff)
sync with archisov50
Imported from archiso v50.1 8ba2870 (HEAD -> master, tag: v50.1, origin/master, origin/HEAD) configs/releng/syslinux/archiso_pxe-linux.cfg: add missing /boot to initrd file path Imported from archiso 50 c10004d (tag: v50) Fix issues with file ownerships/modes 863247d Keep all SYSLINUX files in /syslinux 183ae52 Prevent path traversal outside of $airootfs_dir 42d9e4f Allow specifying ownership and mode of custom airootfs files and directories 2c99df5 Reset network interfaces at the end of the PXE boot to allow DHCP to run Signed-off-by: David P <megver83@parabola.nu>
Diffstat (limited to 'parabolaiso')
-rwxr-xr-xparabolaiso/mkparabolaiso132
1 files changed, 53 insertions, 79 deletions
diff --git a/parabolaiso/mkparabolaiso b/parabolaiso/mkparabolaiso
index b88ea34..97462ed 100755
--- a/parabolaiso/mkparabolaiso
+++ b/parabolaiso/mkparabolaiso
@@ -37,6 +37,7 @@ override_pacman_conf=""
bootmodes=()
airootfs_image_type="squashfs"
airootfs_image_tool_options=('-comp' 'xz')
+declare -A file_permissions=()
# Show an INFO message
@@ -279,30 +280,27 @@ _make_pacman_conf() {
# Prepare working directory and copy custom airootfs files (airootfs)
_make_custom_airootfs() {
local passwd=()
+ local filename permissions
install -d -m 0755 -o 0 -g 0 -- "${airootfs_dir}"
if [[ -d "${profile}/airootfs" ]]; then
- _msg_info "Copying custom airootfs files and setting up user home directories..."
- cp -af --no-preserve=ownership -- "${profile}/airootfs/." "${airootfs_dir}"
-
- [[ -e "${airootfs_dir}/etc/shadow" ]] && chmod -f 0400 -- "${airootfs_dir}/etc/shadow"
- [[ -e "${airootfs_dir}/etc/gshadow" ]] && chmod -f 0400 -- "${airootfs_dir}/etc/gshadow"
-
- # Set up user home directories and permissions
- if [[ -e "${airootfs_dir}/etc/passwd" ]]; then
- while IFS=':' read -a passwd -r; do
- [[ "${passwd[5]}" == '/' ]] && continue
- [[ -z "${passwd[5]}" ]] && continue
-
- if [[ -d "${airootfs_dir}${passwd[5]}" ]]; then
- chown -hR -- "${passwd[2]}:${passwd[3]}" "${airootfs_dir}${passwd[5]}"
- chmod -f 0750 -- "${airootfs_dir}${passwd[5]}"
- else
- install -d -m 0750 -o "${passwd[2]}" -g "${passwd[3]}" -- "${airootfs_dir}${passwd[5]}"
- fi
- done < "${airootfs_dir}/etc/passwd"
- fi
+ _msg_info "Copying custom airootfs files..."
+ cp -af --no-preserve=ownership,mode -- "${profile}/airootfs/." "${airootfs_dir}"
+ # Set ownership and mode for files and directories
+ for filename in "${!file_permissions[@]}"; do
+ IFS=':' read -ra permissions <<< "${file_permissions["${filename}"]}"
+ # Prevent file path traversal outside of $airootfs_dir
+ if [[ "$(realpath -q -- "${airootfs_dir}${filename}")" != "$(realpath -q -- "${airootfs_dir}")"* ]]; then
+ _msg_error "Failed to set permissions on '${airootfs_dir}${filename}'. Outside of valid path." 1
+ # Warn if the file does not exist
+ elif [[ ! -e "${airootfs_dir}${filename}" ]]; then
+ _msg_warning "Cannot change permissions of '${airootfs_dir}${filename}'. The file or directory does not exist."
+ else
+ chown -fh -- "${permissions[0]}:${permissions[1]}" "${airootfs_dir}${filename}"
+ chmod -f -- "${permissions[2]}" "${airootfs_dir}${filename}"
+ fi
+ done
_msg_info "Done!"
fi
}
@@ -340,13 +338,22 @@ _make_customize_airootfs() {
if [[ -e "${profile}/airootfs/etc/passwd" ]]; then
_msg_info "Copying /etc/skel/* to user homes..."
while IFS=':' read -a passwd -r; do
+ # Only operate on UIDs in range 1000–59999
(( passwd[2] >= 1000 && passwd[2] < 60000 )) || continue
+ # Skip invalid home directories
[[ "${passwd[5]}" == '/' ]] && continue
[[ -z "${passwd[5]}" ]] && continue
- cp -dnRT --preserve=mode,timestamps,links -- "${airootfs_dir}/etc/skel" "${airootfs_dir}${passwd[5]}"
- chmod -f 0750 -- "${airootfs_dir}${passwd[5]}"
- chown -hR -- "${passwd[2]}:${passwd[3]}" "${airootfs_dir}${passwd[5]}"
-
+ # Prevent path traversal outside of $airootfs_dir
+ if [[ "$(realpath -q -- "${airootfs_dir}${passwd[5]}")" == "${airootfs_dir}"* ]]; then
+ if [[ ! -d "${airootfs_dir}${passwd[5]}" ]]; then
+ install -d -m 0750 -o "${passwd[2]}" -g "${passwd[3]}" -- "${airootfs_dir}${passwd[5]}"
+ fi
+ cp -dnRT --preserve=mode,timestamps,links -- "${airootfs_dir}/etc/skel/." "${airootfs_dir}${passwd[5]}"
+ chmod -f 0750 -- "${airootfs_dir}${passwd[5]}"
+ chown -hR -- "${passwd[2]}:${passwd[3]}" "${airootfs_dir}${passwd[5]}"
+ else
+ _msg_error "Failed to set permissions on '${airootfs_dir}${passwd[5]}'. Outside of valid path." 1
+ fi
done < "${profile}/airootfs/etc/passwd"
_msg_info "Done!"
fi
@@ -354,6 +361,7 @@ _make_customize_airootfs() {
if [[ -e "${airootfs_dir}/root/customize_airootfs.sh" ]]; then
_msg_info "Running customize_airootfs.sh in '${airootfs_dir}' chroot..."
_msg_warning "customize_airootfs.sh is deprecated! Support for it will be removed in a future parabolaiso version."
+ chmod -f -- +x "${airootfs_dir}/root/customize_airootfs.sh"
eval -- arch-chroot "${airootfs_dir}" "/root/customize_airootfs.sh"
rm -- "${airootfs_dir}/root/customize_airootfs.sh"
_msg_info "Done! customize_airootfs.sh run successfully."
@@ -377,33 +385,33 @@ _make_boot_on_iso9660() {
_msg_info "Done!"
}
-# Prepare /${install_dir}/boot/syslinux
+# Prepare /syslinux
_make_bootmode_bios.syslinux.mbr() {
_msg_info "Setting up SYSLINUX for BIOS booting from a disk..."
- install -d -m 0755 -- "${isofs_dir}/${install_dir}/boot/syslinux"
+ install -d -m 0755 -- "${isofs_dir}/syslinux"
for _cfg in "${profile}/syslinux/"*.cfg; do
sed "s|%PARABOLAISO_LABEL%|${iso_label}|g;
s|%INSTALL_DIR%|${install_dir}|g;
s|%ARCH%|${arch}|g" \
- "${_cfg}" > "${isofs_dir}/${install_dir}/boot/syslinux/${_cfg##*/}"
+ "${_cfg}" > "${isofs_dir}/syslinux/${_cfg##*/}"
done
if [[ -e "${profile}/syslinux/splash.png" ]]; then
- install -m 0644 -- "${profile}/syslinux/splash.png" "${isofs_dir}/${install_dir}/boot/syslinux/"
+ install -m 0644 -- "${profile}/syslinux/splash.png" "${isofs_dir}/syslinux/"
fi
- install -m 0644 -- "${airootfs_dir}/usr/lib/syslinux/bios/"*.c32 "${isofs_dir}/${install_dir}/boot/syslinux/"
- install -m 0644 -- "${airootfs_dir}/usr/lib/syslinux/bios/lpxelinux.0" "${isofs_dir}/${install_dir}/boot/syslinux/"
- install -m 0644 -- "${airootfs_dir}/usr/lib/syslinux/bios/memdisk" "${isofs_dir}/${install_dir}/boot/syslinux/"
+ install -m 0644 -- "${airootfs_dir}/usr/lib/syslinux/bios/"*.c32 "${isofs_dir}/syslinux/"
+ install -m 0644 -- "${airootfs_dir}/usr/lib/syslinux/bios/lpxelinux.0" "${isofs_dir}/syslinux/"
+ install -m 0644 -- "${airootfs_dir}/usr/lib/syslinux/bios/memdisk" "${isofs_dir}/syslinux/"
_run_dual '_run_once _make_boot_on_iso9660'
- if [[ -e "${isofs_dir}/${install_dir}/boot/syslinux/hdt.c32" ]]; then
- install -d -m 0755 -- "${isofs_dir}/${install_dir}/boot/syslinux/hdt"
+ if [[ -e "${isofs_dir}/syslinux/hdt.c32" ]]; then
+ install -d -m 0755 -- "${isofs_dir}/syslinux/hdt"
if [[ -e "${airootfs_dir}/usr/share/hwdata/pci.ids" ]]; then
gzip -c -9 "${airootfs_dir}/usr/share/hwdata/pci.ids" > \
- "${isofs_dir}/${install_dir}/boot/syslinux/hdt/pciids.gz"
+ "${isofs_dir}/syslinux/hdt/pciids.gz"
fi
find "${airootfs_dir}/usr/lib/modules" -name 'modules.alias' -print -exec gzip -c -9 '{}' ';' -quit > \
- "${isofs_dir}/${install_dir}/boot/syslinux/hdt/modalias.gz"
+ "${isofs_dir}/syslinux/hdt/modalias.gz"
fi
# Add other aditional/extra files to ${install_dir}/boot/
@@ -417,21 +425,14 @@ _make_bootmode_bios.syslinux.mbr() {
_msg_info "Done! SYSLINUX set up for BIOS booting from a disk successfully."
}
-# Prepare /isolinux
+# Prepare /syslinux for El-Torito booting
_make_bootmode_bios.syslinux.eltorito() {
_msg_info "Setting up SYSLINUX for BIOS booting from an optical disc..."
- install -d -m 0755 -- "${isofs_dir}/isolinux"
- for _cfg in "${profile}/isolinux/"*".cfg"; do
- sed "s|%PARABOLAISO_LABEL%|${iso_label}|g;
- s|%INSTALL_DIR%|${install_dir}|g;
- s|%ARCH%|${arch}|g" \
- "${_cfg}" > "${isofs_dir}/isolinux/${_cfg##*/}"
- done
- install -m 0644 -- "${airootfs_dir}/usr/lib/syslinux/bios/isolinux.bin" "${isofs_dir}/isolinux/"
- install -m 0644 -- "${airootfs_dir}/usr/lib/syslinux/bios/isohdpfx.bin" "${isofs_dir}/isolinux/"
- install -m 0644 -- "${airootfs_dir}/usr/lib/syslinux/bios/ldlinux.c32" "${isofs_dir}/isolinux/"
+ install -d -m 0755 -- "${isofs_dir}/syslinux"
+ install -m 0644 -- "${airootfs_dir}/usr/lib/syslinux/bios/isolinux.bin" "${isofs_dir}/syslinux/"
+ install -m 0644 -- "${airootfs_dir}/usr/lib/syslinux/bios/isohdpfx.bin" "${isofs_dir}/syslinux/"
- # isolinux.cfg loads syslinux.cfg
+ # ISOLINUX and SYSLINUX installation is shared
_run_once _make_bootmode_bios.syslinux.mbr
_msg_info "Done! SYSLINUX set up for BIOS booting from an optical disc successfully."
@@ -640,34 +641,7 @@ _validate_requirements_bootmode_bios.syslinux.mbr() {
}
_validate_requirements_bootmode_bios.syslinux.eltorito() {
- # Check if the syslinux package is in the package list
- # shellcheck disable=SC2076
- if [[ ! " ${pkg_list[*]} " =~ ' syslinux ' ]]; then
- (( validation_error=validation_error+1 ))
- _msg_error "Validating '${bootmode}': The 'syslinux' package is missing from the package list!" 0
- fi
-
- # Check if isolinux configuration files exist
- if [[ ! -d "${profile}/isolinux" ]]; then
- (( validation_error=validation_error+1 ))
- _msg_error "Validating '${bootmode}': The '${profile}/isolinux' directory is missing!" 0
- else
- local cfgfile
- for cfgfile in "${profile}/isolinux/"*'.cfg'; do
- if [[ -e "${cfgfile}" ]]; then
- break
- else
- (( validation_error=validation_error+1 ))
- _msg_error "Validating '${bootmode}': No configuration file found in '${profile}/isolinux/'!" 0
- fi
- done
- fi
-
- # Check for optional packages
- # shellcheck disable=SC2076
- if [[ ! " ${pkg_list[*]} " =~ ' memtest86+ ' ]]; then
- _msg_info "Validating '${bootmode}': 'memtest86+' is not in the package list. Memory testing will not be available from syslinux."
- fi
+ _validate_requirements_bootmode_bios.syslinux.mbr
}
_validate_requirements_bootmode_uefi-x64.systemd-boot.esp() {
@@ -798,9 +772,9 @@ _validate_requirements_airootfs_image_type_ext4+squashfs() {
_add_xorrisofs_options_bios.syslinux.eltorito() {
xorrisofs_options+=(
# El Torito boot image for x86 BIOS
- '-eltorito-boot' 'isolinux/isolinux.bin'
+ '-eltorito-boot' 'syslinux/isolinux.bin'
# El Torito boot catalog file
- '-eltorito-catalog' 'isolinux/boot.cat'
+ '-eltorito-catalog' 'syslinux/boot.cat'
# Required options to boot with ISOLINUX
'-no-emul-boot' '-boot-load-size' '4' '-boot-info-table'
)
@@ -809,8 +783,8 @@ _add_xorrisofs_options_bios.syslinux.eltorito() {
# SYSLINUX MBR
_add_xorrisofs_options_bios.syslinux.mbr() {
xorrisofs_options+=(
- # SYSLINUX MBR bootstrap code; does not work without "-eltorito-boot isolinux/isolinux.bin"
- '-isohybrid-mbr' "${isofs_dir}/isolinux/isohdpfx.bin"
+ # SYSLINUX MBR bootstrap code; does not work without "-eltorito-boot syslinux/isolinux.bin"
+ '-isohybrid-mbr' "${isofs_dir}/syslinux/isohdpfx.bin"
# When GPT is used, create an additional partition in the MBR (besides 0xEE) for sectors 0–1 (MBR
# bootstrap code area) and mark it as bootable
# This violates the UEFI specification, but may allow booting on some systems