projg2 / installkernel-gentoo

Gentoo fork of installkernel from debianutils
GNU General Public License v2.0

/etc/os-release #31

Closed Biosias closed 4 months ago

Biosias commented 4 months ago

Hello again,

I was just thinking about sourcing information from /etc/os-release and I don't think doing it like this is a good idea:

if [ -f /etc/os-release ]; then
    # shellcheck source=/dev/null
    . /etc/os-release
elif [ -f /usr/lib/os-release ]; then
    # shellcheck source=/dev/null
    . /usr/lib/os-release
fi

If someone got a way to append some command to it, installkernel and also uefi-mkconfig would run it as root.

example:

# cat /etc/os-release 
NAME="Gentoo"
ID=gentoo

echo "I just run command as $(whoami)"
# emerge --config =sys-kernel/gentoo-kernel-bin-6.9.10                        

Configuring pkg...

 * Your /boot partition was detected as being mounted.
 * Files will be installed there for gentoo-kernel-bin to function correctly.
 * Assuming you do not have a separate /efi partition.
 * Assuming you do not have a separate /boot/efi partition.
 * Assuming you do not have a separate /boot/EFI partition.
 * Installing the kernel via installkernel ...
Reading /usr/lib/kernel/install.conf...
/usr/lib/kernel/install.conf configures layout=efistub
/usr/lib/kernel/install.conf configures initrd_generator=dracut
/usr/lib/kernel/install.conf configures uki_generator=none
I just run command as root
Found vendor directory on ESP

Running /usr/lib/kernel/preinst.d/35-amd-microcode.install 6.9.10-gentoo-dist /usr/src/linux-6.9.10-gentoo-dist/arch/x86/boot/bzImage...

Nowa-Ammerlaan commented 4 months ago

Sourcing is what we also do for install.conf, this is copied from systemd's kernel-install[1]. As I understand it, this file is meant to be sourced, like other environment files.

os-release is a file installed by sys-apps/baselayout, it is owned by root and only writeable by root. If you can write something malicious to it, then you are already in a situation where you can write something malicious to the hooks or even /sbin/installkernel directly. So I don't think sourcing is a security risk.

[1] https://github.com/systemd/systemd/commit/42551ea7e923bac5df12b20e3e735a487d38dcd5#diff-4458868cf2352dde45db167301235ad7e22f3508ae16f5389e5cf12899fecbb2L192

Biosias commented 4 months ago

Yeah, you are right. In that case, thanks!
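
For a script that wants values such as ID or NAME without executing the file, an alternative to the `. /etc/os-release` pattern quoted in the first comment is to parse the KEY=VALUE lines as data. The following is an added example, not code from installkernel, uefi-mkconfig or systemd; the helper names `os_release_get` and `write_sample` are hypothetical, and the parser only strips one pair of outer quotes without processing shell escapes.

```shell
#!/bin/sh
# Added example: read KEY=VALUE data from an os-release style file
# without sourcing it, so nothing in the file is executed.

# os_release_get FILE KEY  (hypothetical helper name)
# Prints the value of KEY; returns 1 if KEY is not assigned in FILE.
# As with sourcing, the last assignment wins. Any line that is not
# "KEY=..." for the requested key is ignored, never evaluated.
os_release_get() {
    _file=$1 _want=$2 _found=1 _val=
    while IFS= read -r _line || [ -n "$_line" ]; do
        case $_line in
            "$_want="*) _val=${_line#*=}; _found=0 ;;
        esac
    done < "$_file"
    [ "$_found" -eq 0 ] || return 1
    # Strip one pair of matching outer quotes. Assumption: backslash
    # escapes inside the value are left as-is, and $(...) stays literal.
    case $_val in
        \"*\") _val=${_val#\"}; _val=${_val%\"} ;;
        \'*\') _val=${_val#\'}; _val=${_val%\'} ;;
    esac
    printf '%s\n' "$_val"
}

# Constructed sample: the os-release content shown in the report above,
# including the appended command line.
write_sample() {
    cat > "$1" <<'EOF'
NAME="Gentoo"
ID=gentoo

echo "I just run command as $(whoami)"
EOF
}

sample=$(mktemp)
write_sample "$sample"
printf 'NAME=%s ID=%s\n' \
    "$(os_release_get "$sample" NAME)" "$(os_release_get "$sample" ID)"
rm -f "$sample"
```

With the sample file the appended `echo` line is skipped, so the only output is the two parsed values.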