From ce23b5ac79cc6ff418eabe5303c8029e381b0a1c Mon Sep 17 00:00:00 2001
From: David P <megver83@parabola.nu>
Date: Wed, 2 Dec 2020 16:33:08 -0300
Subject: sync with archiso

Imported from archiso v50.1
8ba2870 (HEAD -> master, tag: v50.1, origin/master, origin/HEAD) configs/releng/syslinux/archiso_pxe-linux.cfg: add missing /boot to initrd file path

Imported from archiso 50
c10004d (tag: v50) Fix issues with file ownerships/modes
863247d Keep all SYSLINUX files in /syslinux
183ae52 Prevent path traversal outside of $airootfs_dir
42d9e4f Allow specifying ownership and mode of custom airootfs files and directories
2c99df5 Reset network interfaces at the end of the PXE boot to allow DHCP to run

Signed-off-by: David P <megver83@parabola.nu>
---
 parabolaiso/mkparabolaiso | 132 +++++++++++++++++++---------------------------
 1 file changed, 53 insertions(+), 79 deletions(-)

(limited to 'parabolaiso/mkparabolaiso')

diff --git a/parabolaiso/mkparabolaiso b/parabolaiso/mkparabolaiso
index b88ea34..97462ed 100755
--- a/parabolaiso/mkparabolaiso
+++ b/parabolaiso/mkparabolaiso
@@ -37,6 +37,7 @@ override_pacman_conf=""
 bootmodes=()
 airootfs_image_type="squashfs"
 airootfs_image_tool_options=('-comp' 'xz')
+declare -A file_permissions=()
 
 
 # Show an INFO message
@@ -279,30 +280,27 @@ _make_pacman_conf() {
 # Prepare working directory and copy custom airootfs files (airootfs)
 _make_custom_airootfs() {
     local passwd=()
+    local filename permissions
 
     install -d -m 0755 -o 0 -g 0 -- "${airootfs_dir}"
 
     if [[ -d "${profile}/airootfs" ]]; then
-        _msg_info "Copying custom airootfs files and setting up user home directories..."
-        cp -af --no-preserve=ownership -- "${profile}/airootfs/." "${airootfs_dir}"
-
-        [[ -e "${airootfs_dir}/etc/shadow" ]] && chmod -f 0400 -- "${airootfs_dir}/etc/shadow"
-        [[ -e "${airootfs_dir}/etc/gshadow" ]] && chmod -f 0400 -- "${airootfs_dir}/etc/gshadow"
-
-        # Set up user home directories and permissions
-        if [[ -e "${airootfs_dir}/etc/passwd" ]]; then
-            while IFS=':' read -a passwd -r; do
-                [[ "${passwd[5]}" == '/' ]] && continue
-                [[ -z "${passwd[5]}" ]] && continue
-
-                if [[ -d "${airootfs_dir}${passwd[5]}" ]]; then
-                    chown -hR -- "${passwd[2]}:${passwd[3]}" "${airootfs_dir}${passwd[5]}"
-                    chmod -f 0750 -- "${airootfs_dir}${passwd[5]}"
-                else
-                    install -d -m 0750 -o "${passwd[2]}" -g "${passwd[3]}" -- "${airootfs_dir}${passwd[5]}"
-                fi
-             done < "${airootfs_dir}/etc/passwd"
-        fi
+        _msg_info "Copying custom airootfs files..."
+        cp -af --no-preserve=ownership,mode -- "${profile}/airootfs/." "${airootfs_dir}"
+        # Set ownership and mode for files and directories
+        for filename in "${!file_permissions[@]}"; do
+            IFS=':' read -ra permissions <<< "${file_permissions["${filename}"]}"
+            # Prevent file path traversal outside of $airootfs_dir
+            if [[ "$(realpath -q -- "${airootfs_dir}${filename}")" != "$(realpath -q -- "${airootfs_dir}")"* ]]; then
+                _msg_error "Failed to set permissions on '${airootfs_dir}${filename}'. Outside of valid path." 1
+            # Warn if the file does not exist
+            elif [[ ! -e "${airootfs_dir}${filename}" ]]; then
+                _msg_warning "Cannot change permissions of '${airootfs_dir}${filename}'. The file or directory does not exist."
+            else
+                chown -fh -- "${permissions[0]}:${permissions[1]}" "${airootfs_dir}${filename}"
+                chmod -f -- "${permissions[2]}" "${airootfs_dir}${filename}"
+            fi
+        done
         _msg_info "Done!"
     fi
 }
@@ -340,13 +338,22 @@ _make_customize_airootfs() {
     if [[ -e "${profile}/airootfs/etc/passwd" ]]; then
         _msg_info "Copying /etc/skel/* to user homes..."
         while IFS=':' read -a passwd -r; do
+            # Only operate on UIDs in range 1000–59999
             (( passwd[2] >= 1000 && passwd[2] < 60000 )) || continue
+            # Skip invalid home directories
             [[ "${passwd[5]}" == '/' ]] && continue
             [[ -z "${passwd[5]}" ]] && continue
-            cp -dnRT --preserve=mode,timestamps,links -- "${airootfs_dir}/etc/skel" "${airootfs_dir}${passwd[5]}"
-            chmod -f 0750 -- "${airootfs_dir}${passwd[5]}"
-            chown -hR -- "${passwd[2]}:${passwd[3]}" "${airootfs_dir}${passwd[5]}"
-
+            # Prevent path traversal outside of $airootfs_dir
+            if [[ "$(realpath -q -- "${airootfs_dir}${passwd[5]}")" == "${airootfs_dir}"* ]]; then
+                if [[ ! -d "${airootfs_dir}${passwd[5]}" ]]; then
+                    install -d -m 0750 -o "${passwd[2]}" -g "${passwd[3]}" -- "${airootfs_dir}${passwd[5]}"
+                fi
+                cp -dnRT --preserve=mode,timestamps,links -- "${airootfs_dir}/etc/skel/." "${airootfs_dir}${passwd[5]}"
+                chmod -f 0750 -- "${airootfs_dir}${passwd[5]}"
+                chown -hR -- "${passwd[2]}:${passwd[3]}" "${airootfs_dir}${passwd[5]}"
+            else
+                _msg_error "Failed to set permissions on '${airootfs_dir}${passwd[5]}'. Outside of valid path." 1
+            fi
         done < "${profile}/airootfs/etc/passwd"
         _msg_info "Done!"
     fi
@@ -354,6 +361,7 @@ _make_customize_airootfs() {
     if [[ -e "${airootfs_dir}/root/customize_airootfs.sh" ]]; then
         _msg_info "Running customize_airootfs.sh in '${airootfs_dir}' chroot..."
         _msg_warning "customize_airootfs.sh is deprecated! Support for it will be removed in a future parabolaiso version."
+        chmod -f -- +x "${airootfs_dir}/root/customize_airootfs.sh"
         eval -- arch-chroot "${airootfs_dir}" "/root/customize_airootfs.sh"
         rm -- "${airootfs_dir}/root/customize_airootfs.sh"
         _msg_info "Done! customize_airootfs.sh run successfully."
@@ -377,33 +385,33 @@ _make_boot_on_iso9660() {
     _msg_info "Done!"
 }
 
-# Prepare /${install_dir}/boot/syslinux
+# Prepare /syslinux
 _make_bootmode_bios.syslinux.mbr() {
     _msg_info "Setting up SYSLINUX for BIOS booting from a disk..."
-    install -d -m 0755 -- "${isofs_dir}/${install_dir}/boot/syslinux"
+    install -d -m 0755 -- "${isofs_dir}/syslinux"
     for _cfg in "${profile}/syslinux/"*.cfg; do
         sed "s|%PARABOLAISO_LABEL%|${iso_label}|g;
              s|%INSTALL_DIR%|${install_dir}|g;
              s|%ARCH%|${arch}|g" \
-             "${_cfg}" > "${isofs_dir}/${install_dir}/boot/syslinux/${_cfg##*/}"
+             "${_cfg}" > "${isofs_dir}/syslinux/${_cfg##*/}"
     done
     if [[ -e "${profile}/syslinux/splash.png" ]]; then
-        install -m 0644 -- "${profile}/syslinux/splash.png" "${isofs_dir}/${install_dir}/boot/syslinux/"
+        install -m 0644 -- "${profile}/syslinux/splash.png" "${isofs_dir}/syslinux/"
     fi
-    install -m 0644 -- "${airootfs_dir}/usr/lib/syslinux/bios/"*.c32 "${isofs_dir}/${install_dir}/boot/syslinux/"
-    install -m 0644 -- "${airootfs_dir}/usr/lib/syslinux/bios/lpxelinux.0" "${isofs_dir}/${install_dir}/boot/syslinux/"
-    install -m 0644 -- "${airootfs_dir}/usr/lib/syslinux/bios/memdisk" "${isofs_dir}/${install_dir}/boot/syslinux/"
+    install -m 0644 -- "${airootfs_dir}/usr/lib/syslinux/bios/"*.c32 "${isofs_dir}/syslinux/"
+    install -m 0644 -- "${airootfs_dir}/usr/lib/syslinux/bios/lpxelinux.0" "${isofs_dir}/syslinux/"
+    install -m 0644 -- "${airootfs_dir}/usr/lib/syslinux/bios/memdisk" "${isofs_dir}/syslinux/"
 
     _run_dual '_run_once _make_boot_on_iso9660'
 
-    if [[ -e "${isofs_dir}/${install_dir}/boot/syslinux/hdt.c32" ]]; then
-        install -d -m 0755 -- "${isofs_dir}/${install_dir}/boot/syslinux/hdt"
+    if [[ -e "${isofs_dir}/syslinux/hdt.c32" ]]; then
+        install -d -m 0755 -- "${isofs_dir}/syslinux/hdt"
         if [[ -e "${airootfs_dir}/usr/share/hwdata/pci.ids" ]]; then
             gzip -c -9 "${airootfs_dir}/usr/share/hwdata/pci.ids" > \
-                "${isofs_dir}/${install_dir}/boot/syslinux/hdt/pciids.gz"
+                "${isofs_dir}/syslinux/hdt/pciids.gz"
         fi
         find "${airootfs_dir}/usr/lib/modules" -name 'modules.alias' -print -exec gzip -c -9 '{}' ';' -quit > \
-            "${isofs_dir}/${install_dir}/boot/syslinux/hdt/modalias.gz"
+            "${isofs_dir}/syslinux/hdt/modalias.gz"
     fi
 
     # Add other aditional/extra files to ${install_dir}/boot/
@@ -417,21 +425,14 @@ _make_bootmode_bios.syslinux.mbr() {
     _msg_info "Done! SYSLINUX set up for BIOS booting from a disk successfully."
 }
 
-# Prepare /isolinux
+# Prepare /syslinux for El-Torito booting
 _make_bootmode_bios.syslinux.eltorito() {
     _msg_info "Setting up SYSLINUX for BIOS booting from an optical disc..."
-    install -d -m 0755 -- "${isofs_dir}/isolinux"
-    for _cfg in "${profile}/isolinux/"*".cfg"; do
-        sed "s|%PARABOLAISO_LABEL%|${iso_label}|g;
-             s|%INSTALL_DIR%|${install_dir}|g;
-             s|%ARCH%|${arch}|g" \
-             "${_cfg}" > "${isofs_dir}/isolinux/${_cfg##*/}"
-    done
-    install -m 0644 -- "${airootfs_dir}/usr/lib/syslinux/bios/isolinux.bin" "${isofs_dir}/isolinux/"
-    install -m 0644 -- "${airootfs_dir}/usr/lib/syslinux/bios/isohdpfx.bin" "${isofs_dir}/isolinux/"
-    install -m 0644 -- "${airootfs_dir}/usr/lib/syslinux/bios/ldlinux.c32" "${isofs_dir}/isolinux/"
+    install -d -m 0755 -- "${isofs_dir}/syslinux"
+    install -m 0644 -- "${airootfs_dir}/usr/lib/syslinux/bios/isolinux.bin" "${isofs_dir}/syslinux/"
+    install -m 0644 -- "${airootfs_dir}/usr/lib/syslinux/bios/isohdpfx.bin" "${isofs_dir}/syslinux/"
 
-    # isolinux.cfg loads syslinux.cfg
+    # ISOLINUX and SYSLINUX installation is shared
     _run_once _make_bootmode_bios.syslinux.mbr
 
     _msg_info "Done! SYSLINUX set up for BIOS booting from an optical disc successfully."
@@ -640,34 +641,7 @@ _validate_requirements_bootmode_bios.syslinux.mbr() {
 }
 
 _validate_requirements_bootmode_bios.syslinux.eltorito() {
-    # Check if the syslinux package is in the package list
-    # shellcheck disable=SC2076
-    if [[ ! " ${pkg_list[*]} " =~ ' syslinux ' ]]; then
-        (( validation_error=validation_error+1 ))
-        _msg_error "Validating '${bootmode}': The 'syslinux' package is missing from the package list!" 0
-    fi
-
-    # Check if isolinux configuration files exist
-    if [[ ! -d "${profile}/isolinux" ]]; then
-        (( validation_error=validation_error+1 ))
-        _msg_error "Validating '${bootmode}': The '${profile}/isolinux' directory is missing!" 0
-    else
-        local cfgfile
-        for cfgfile in "${profile}/isolinux/"*'.cfg'; do
-            if [[ -e "${cfgfile}" ]]; then
-                break
-            else
-                (( validation_error=validation_error+1 ))
-                _msg_error "Validating '${bootmode}': No configuration file found in '${profile}/isolinux/'!" 0
-            fi
-        done
-    fi
-
-    # Check for optional packages
-    # shellcheck disable=SC2076
-    if [[ ! " ${pkg_list[*]} " =~ ' memtest86+ ' ]]; then
-        _msg_info "Validating '${bootmode}': 'memtest86+' is not in the package list. Memory testing will not be available from syslinux."
-    fi
+    _validate_requirements_bootmode_bios.syslinux.mbr
 }
 
 _validate_requirements_bootmode_uefi-x64.systemd-boot.esp() {
@@ -798,9 +772,9 @@ _validate_requirements_airootfs_image_type_ext4+squashfs() {
 _add_xorrisofs_options_bios.syslinux.eltorito() {
     xorrisofs_options+=(
         # El Torito boot image for x86 BIOS
-        '-eltorito-boot' 'isolinux/isolinux.bin'
+        '-eltorito-boot' 'syslinux/isolinux.bin'
         # El Torito boot catalog file
-        '-eltorito-catalog' 'isolinux/boot.cat'
+        '-eltorito-catalog' 'syslinux/boot.cat'
         # Required options to boot with ISOLINUX
         '-no-emul-boot' '-boot-load-size' '4' '-boot-info-table'
     )
@@ -809,8 +783,8 @@ _add_xorrisofs_options_bios.syslinux.eltorito() {
 # SYSLINUX MBR
 _add_xorrisofs_options_bios.syslinux.mbr() {
     xorrisofs_options+=(
-        # SYSLINUX MBR bootstrap code; does not work without "-eltorito-boot isolinux/isolinux.bin"
-        '-isohybrid-mbr' "${isofs_dir}/isolinux/isohdpfx.bin"
+        # SYSLINUX MBR bootstrap code; does not work without "-eltorito-boot syslinux/isolinux.bin"
+        '-isohybrid-mbr' "${isofs_dir}/syslinux/isohdpfx.bin"
         # When GPT is used, create an additional partition in the MBR (besides 0xEE) for sectors 0–1 (MBR
         # bootstrap code area) and mark it as bootable
         # This violates the UEFI specification, but may allow booting on some systems
-- 
cgit v1.2.2