From 9d9c024ba9de04965aff3e0e2e8caa2abb80ab7c Mon Sep 17 00:00:00 2001
From: José Bollo
Date: Tue, 11 Jun 2019 12:17:04 +0200
Subject: Enforce separation of users using UMASK
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Users should not be able to read other user content. Use Umask to enforce that.
Bug-AGL: SPEC-1016
Change-Id: Ibb61b7a6a7617117a499650c5bd70bdd5af3c328
Signed-off-by: José Bollo
---
 meta-app-framework/recipes-core/base-files/base-files_%.bbappend | 6 ++++--
 meta-app-framework/recipes-core/shadow/shadow_%.bbappend | 6 ++++++
 2 files changed, 10 insertions(+), 2 deletions(-)
 create mode 100644 meta-app-framework/recipes-core/shadow/shadow_%.bbappend
(limited to 'meta-app-framework')
diff --git a/meta-app-framework/recipes-core/base-files/base-files_%.bbappend b/meta-app-framework/recipes-core/base-files/base-files_%.bbappend
index 536ce8075..1dddcd6f2 100644
--- a/meta-app-framework/recipes-core/base-files/base-files_%.bbappend
+++ b/meta-app-framework/recipes-core/base-files/base-files_%.bbappend
@@ -2,8 +2,10 @@ RDEPENDS_${PN}_append_with-lsm-smack = " smack"
 PACKAGE_WRITE_DEPS_append_with-lsm-smack = " smack-native"
 do_install_append() {
- install -d ${D}/${sysconfdir}/skel/app-data
- install -d ${D}/${sysconfdir}/skel/.config
+ install -m 0700 -d ${D}/${sysconfdir}/skel
+ chmod -R 0700 ${D}/${sysconfdir}/skel
+ install -m 0700 -d ${D}/${sysconfdir}/skel/app-data
+ install -m 0700 -d ${D}/${sysconfdir}/skel/.config
 install -m 0755 -d ${D}/var
 if [ -d ${D}/usr/local ]; then
 mv ${D}/usr/local ${D}/var
diff --git a/meta-app-framework/recipes-core/shadow/shadow_%.bbappend b/meta-app-framework/recipes-core/shadow/shadow_%.bbappend
new file mode 100644
index 000000000..4f594d47c
--- /dev/null
+++ b/meta-app-framework/recipes-core/shadow/shadow_%.bbappend
@@ -0,0 +1,6 @@
+
+do_install_append() {
+ sed -i '/^UMASK/s:^.*$:UMASK 077:' ${D}${sysconfdir}/login.defs
+}
+
+
--
cgit 1.2.3-korg
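Review bot: `chmod -R 0700 ${D}/${sysconfdir}/skel` in the base-files hunk sets the execute bit on every regular file already installed under skel, not only on directories, so any dotfiles shipped there end up executable in each new home. A symbolic mode removes group/other access without that side effect: `chmod -R u=rwX,go= ${D}/${sysconfdir}/skel`. The skel modes only take effect if whatever populates a new home directory preserves them, and homes that already exist on a deployed system are not changed by this recipe; a one-line comment above the chmod stating that would help the next maintainer. The body of do_install_append continues past the end of the hunk.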
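Review bot: The `sed` in the new shadow do_install_append only rewrites a line that already begins with `UMASK`; if the packaged login.defs ships the setting commented out or drops it, nothing matches, sed still exits 0, and the image is built with the previous default. Failing the build when the value is absent closes that gap, e.g. `grep -q '^UMASK[[:space:]]*077' ${D}${sysconfdir}/login.defs || bbfatal "UMASK 077 not applied to login.defs"`. It is also worth a comment that when USERGROUPS_ENAB is enabled in the same file the group bits are relaxed for users whose primary group matches their name (077 becomes 007). Processes that are not started through a login path may not read login.defs at all, so this setting alone may not cover every way user code is launched.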