Bug #7343

Changed t-p-s numeric UID breaks persistence.conf access rights check

Added by intrigeri 2014-05-30 07:56:12 . Updated 2014-07-22 22:55:35 .

Status:
Resolved
Priority:
Elevated
Assignee:
Category:
Persistence
Target version:
Start date:
2014-05-30
Due date:
% Done:

100%

Feature Branch:
bugfix/7343-static-uids
Type of work:
Code
Blueprint:

Starter:
0
Affected tool:
Deliverable for:

Description

I installed Tails 1.0, setup persistence, put some files in there. Then upgraded to a build from current experimental, restarted. Then persistence.conf was disabled, as the ACL for that file gives access to the UID the t-p-s user had on Tails/Squeeze.

The fix seems easy: create this user with the expected, fixed UID at ISO build time.


Subtasks


Related issues

Blocks Tails - Bug #7338: NetworkManager persistence setting is not migrated Resolved 2014-05-29

History

#1 Updated by intrigeri 2014-05-30 08:01:30

  • Description updated

Exercise for the reader: why the heck didn’t the automated test suite notice this? I should try and reproduce this with a read 1.1~beta1, first.

#2 Updated by intrigeri 2014-05-30 09:09:48

  • Status changed from Confirmed to In Progress
  • % Done changed from 0 to 10
  • Feature Branch set to bugfix/7343-static-uids

#3 Updated by intrigeri 2014-05-30 13:30:48

  • Assignee changed from intrigeri to anonym
  • % Done changed from 10 to 40
  • QA Check set to Ready for QA

#4 Updated by intrigeri 2014-05-30 13:33:32

  • blocks Bug #7338: NetworkManager persistence setting is not migrated added

#5 Updated by anonym 2014-06-08 16:48:24

intrigeri wrote:
> Exercise for the reader: why the heck didn’t the automated test suite notice this? I should try and reproduce this with a read 1.1~beta1, first.

When I ran the automated test suite, I couldn’t use Tails 1.0’s image as --old-iso since essentially all images used by sikuli were updated for Wheezy So I just used a week old devel build.

#6 Updated by anonym 2014-06-12 14:39:45

  • Status changed from In Progress to Fix committed
  • Assignee deleted (anonym)
  • % Done changed from 40 to 100
  • QA Check changed from Ready for QA to Pass

#7 Updated by alant 2014-06-21 12:55:57

To manually fix that under 1.1~beta1, in addition to copying the content of the .insecure-disabled files, one shoud also change the ACLs of /live/persistence/TailsData_unlocked/ to:

user::rwx
user:tails-persistence-setup:rwx
group::rwx
mask::rwx
other::r-x

That can be achieved with the following commands as root:

setfacl -x user:htp
setfacl -m user:tails-persistence-setup:rwx

#8 Updated by intrigeri 2014-06-21 15:34:31

> To manually fix that under 1.1~beta1, in addition to copying the content of the
> .insecure-disabled files, one shoud also change the ACLs of
> /live/persistence/TailsData_unlocked/ to:

… and then you’ll have to do the opposite change when upgrading to a newer beta, or to 1.1 final.

#9 Updated by BitingBird 2014-07-22 22:55:35

  • Status changed from Fix committed to Resolved