userid in NiChrome does not match with userid of the build machine, leading to permission denied error

[thienhoang23]

Commit id: 511cf6fc999ba6e8f9982103864430b9d56c4baf

Build Machine Configurations:

• go toolchain version: go1.9.3 linux/amd64
• umask: 0022
• Perimission bits of ./usr/lib, ./usr/lib/[any_binary], ./lib, ./lib/[any_binary] in the NiChrome directory: 755

Steps for reproduction:

1. Plug in the usb stick into build machine and find out what device it is (in this case, it was /dev/sda)
2. From the project root directory, go to the usb subdirectory and build the usb command in this directory

   $ cd usb && go build .

3. Install the u-root's command gpt. Change back to the root directory. Run the usb command.

   $ go install github.com/u-root/u-root/cmds/gpt
   $ cd ..
   $ ./usb/usb -fetch=true -dev=/the/name/of/device

4. Unplug the usb stick from build machine and plug it into a Chromebook
5. Turn on a Chromebook. When the dev-mode screen appears, press Ctrl-U
6. After boot, observe that Chrome browser and user terminal do not start.
7. Ctrl-Alt-backspace to exit X11
8. Notice the following error message about permission denied error: X11 user startup: fork/exec /bbin/uinit: permission denied

The following are results of some further investigation after the above reproduction steps:

1. ls -a -l / in the test Chromebook show that /, /go, /lib, /tcz, /usr owned by the user who built the usb stick on the build machine (in this case, userid: 533858, groupid: 5762). Furthermore, the permission on / is 700

2. When I did chmod 755 / as a root and ran uinit -login, I got the following output:

   Welcome to NiChrome!
   Welcome to NiChrome!
   Starting up user mode processes
   Run wingo
   Run flwm
   Run AppChrome
   Run chrome
   aterm: can't open display :0
   x11 user failed: X11 start /usr/local/bin/aterm []: exit startus 1
   X11 user startup: exit status 1
   wait: exit status 1
   installcommand: trying to build {cmdName: wingo, Path [$PATH], err exit status 1, out can't load package: package github.com/u-root/wingo: open /src/github.com/u-root/wingo/cmd_hacks.go: permission denied } 

3. Upon entering ls -a -l /src/github.com/u-root/wingo, I found cmd_hacks.go and a lot other .go files all have permission 640

4. Upon changing the permissions in all the files in the /src/github.com/u-root/wingo directory tree to 755, running uinit -login again generated the following message:

   
   Welcome to NiChrome!
   Welcome to NiChrome!
   Starting up user mode processes
   Run wingo
   Run flwm
   Run AppChrome
   Run chrome
   aterm: can't open display :0
   x11 user failed: X11 start /usr/local/bin/aterm []: exit startus 1
   X11 user startup: exit status 1
   wait: exit status 1

Cannot mount AppImage, please check your FUSE setup. You might still be able to extract the contents of this AppImage If you it with the --appimage-extract option. See https://github.com/AppImage/AppImageKit/wiki/FUSE for more information Failed to open libnotify

open dir error: No such file or directory installcommand: trying to build {cmdName: wingo, Path [$PATH], err exit status 1, out go install github.com/u-root/wingo/vendeor/github.com/BurntSushi/xgbutil/xrect: mkdir /pkg/linux_amd64/github.com/u-root/wingo: permission denied go install go/token: mkdir go/pkg/linux_amd64/go/: permission denied go install go install github.com/u-root/wingo/vendeor/github.com/BurntSushi/xgbutil/xrect: mkdir go/pkg/linux_amd64/go/: permission denied [more go install permission denied error] }

5. Upon making everything in the /go and /pkg directory tree 777, run `uinit -login` again, generate the following message:

Welcome to NiChrome! Welcome to NiChrome! Starting up user mode processes Run wingo Run flwm Run AppChrome Run chrome aterm: can't open display :0 x11 user failed: X11 start /usr/local/bin/aterm []: exit startus 1 X11 user startup: exit status 1 wait: exit status 1

installcommand: trying to build {cmdName: wingo, Path [$PATH], err exit status 1, out go install github.com/u-root/wingo: open /ubin/wingo: permission denied

6. Upon going into /ubin, there was no binary called wingo. However typing wingo onto the terminal would generate a response and wingo appears in /ubin. Now running the `uinit -login` will not generate the installcommand error anymore.

[rminnich]

Root should definitely not be 700! I wonder why that happened ... can you cpio -ivt < initramfs.linux_amd64.cpio and see what it shows there?

[thienhoang23]

It shows root as 700

[rminnich]

My / is 0700 in the repo.

I think you need to work your way back to why the original uinit dologin() function is failing. That's the key to this whole mess.

[rminnich]

So do this: change cmds/uinit.go to NOT run the dologin command. The run it by hand and it should fail. The ls -l / and see what the mode on bbin is chmod 755 /bbin and try again. Then if that fails, check / and try again.

[thienhoang23]

I changed cmds/uinit.go to not run the dologin command.

• After boost, / is owned by the build userid and has 700 permission, /bbin is owned by root and has 755 permission
• After run dologin command and have it fail, nothing changes
• After making root has permission 755, uinit fails on installcommand: trying to build {cmdName: wingo, Path [$PATH], err exit status 1, out can't load package: package github.com/u-root/wingo: open /src/github.com/u-root/wingo/cmd_hacks.go: permission denied }

[rminnich]

well this is a good first step. The permissions on / are wrong and we need to know why. So let's focus on that.