[OLPC Security] Activity home dirs (was Re: OLPC XO Opera browser as Sugar activity)
Bert Freudenberg
2008-06-26 06:53:47 UTC
The activity start script should configure Opera to put its
configuration file in $SUGAR_ACTIVITY_ROOT/data instead of
$HOME/.opera. Also it should set umask to 0002 so the config file is
group-writable (otherwise the next activity instance cannot
overwrite).
See http://wiki.laptop.org/go/Low-level_Activity_API#File_Access
QSettings: error creating /home/olpc/isolation/1/uid_to_home_dir/10000/.qt
opera: Can not use personal directory: /home/olpc/isolation/1/uid_to_home_dir/10000/.opera
This looks more like a bug in Rainbow than in Opera.
Why would Sugar or Rainbow be setting $HOME to a rainbow-created
directory that the activity can't make subdirectories in?
(The universe of Unix programs isn't going to rewrite itself because
OLPC decided that $SUGAR_ACTIVITY_ROOT is the right place to keep your
files on Unix. $HOME has been that place for decades. Rainbow is
already setting $HOME. It's just apparently setting it to something
that doesn't work.)
Also it should set umask to 0002 so the config file is
group-writable (otherwise the next activity instance cannot
overwrite).
If Rainbow runs the same activity as many different UIDs that share a
single group ID, then yes, Rainbow should be setting the umask so that
files are created group-writeable by default. There should be no need
to modify ordinary Unix programs for this.
Agreed, but Peter's question was about build 708 so it might be fixed
in the meantime. Indeed I remember discussion about that, although I
can't find the Trac report. I recall that HOME is set to
$SUGAR_ACTIVITY_ROOT/instance now, which should work at least, but I
think is also wrong as it is not shared between activity instances.
The right place would be $SUGAR_ACTIVITY_ROOT/data. And I think umask
is set by Sugar nowadays.

But that won't help machines in the field now so I gave a recipe that
would work around that bug.

- Bert -
Michael Stone
2008-06-26 22:10:11 UTC
Post by Bert Freudenberg
The activity start script should configure Opera to put its
configuration file in $SUGAR_ACTIVITY_ROOT/data instead of
$HOME/.opera. Also it should set umask to 0002 so the config file is
group-writable (otherwise the next activity instance cannot
overwrite).
See http://wiki.laptop.org/go/Low-level_Activity_API#File_Access
QSettings: error creating /home/olpc/isolation/1/uid_to_home_dir/10000/.qt
opera: Can not use personal directory: /home/olpc/isolation/1/uid_to_home_dir/10000/.opera
This looks more like a bug in Rainbow than in Opera.
It was considered to be a feature at the time it was introduced.
Post by Bert Freudenberg
Why would Sugar or Rainbow be setting $HOME to a rainbow-created
directory that the activity can't make subdirectories in?
Because the spec it was built to said that activities should be
permitted to write to precisely three directories named 'tmp', 'data',
and 'instance'. Furthermore, it was entirely unclear at the time which
one $HOME should point to.
Post by Bert Freudenberg
(The universe of Unix programs isn't going to rewrite itself because
OLPC decided that $SUGAR_ACTIVITY_ROOT is the right place to keep your
files on Unix. $HOME has been that place for decades. Rainbow is
already setting $HOME. It's just apparently setting it to something
that doesn't work.)
Also it should set umask to 0002 so the config file is
group-writable (otherwise the next activity instance cannot
overwrite).
rainbow >= 0.7.4 (available since Nov. 10, 2007) sets umask(0) before
running the activity. However, we found that several important library
calls like mkstemp, mkdtemp, and the equivalent file creation code used
by xulrunner hardcode the use of modes like 0700 and 0600 for
directories and files that they create. It would not surprise me if
Opera behaved similarly.
Post by Bert Freudenberg
If Rainbow runs the same activity as many different UIDs that share a
single group ID, then yes, Rainbow should be setting the umask so that
files are created group-writeable by default. There should be no need
to modify ordinary Unix programs for this.
Agreed, but Peter's question was about build 708 so it might be fixed
in the meantime.
rainbow >= 0.7.12 causes $HOME to be writable. This change has been
available since April 10, 2008 in joyride and is expected to be included in
our next major release.
Post by Bert Freudenberg
$SUGAR_ACTIVITY_ROOT/instance now, which should work at least, but I
think is also wrong as it is not shared between activity instances.
As a result of the fact that xulrunner hardcodes the use of modes like
0700 and 0600 in its file creation code, I decided that we should set
$HOME == $SAR/instance by default so that programs would be less likely
to encounter files they couldn't write. Activities which dislike this
default are fully capable of changing themselves when they are executed.

That being said, I'm open to arguments about what the default should be.
Have you got some mechanism for setting $HOME to $SAR/data which would
be safe in the face of programs like xulrunner?

(For what it's worth, I happen to think that the real defect is that uids
and instance dirs are deleted on reboot and recreated on activity resume
rather than being persistent and reused at activity resume.
Unfortunately, though I intend to address this issue as soon as my other
responsibilities permit, it will probably be a while before that
happens. Interested onlookers should definitely take initiative here and
then submit their results for discussion and possible merging.)
Post by Bert Freudenberg
But that won't help machines in the field now so I gave a recipe that
would work around that bug.
Thanks!

Michael
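
As an added example that is not part of this thread or of Rainbow, the following C code demonstrates the point Michael makes about mkstemp and umask: the 0600 mode is hardcoded in the call and umask can only clear permission bits, so a launcher that runs each instance as a different UID in a shared group has to widen the mode itself. The /tmp paths and function names are assumptions for the demo.

```c
/* Added example (not from the thread or Rainbow): umask can only clear
 * permission bits, so umask(0) does not make mkstemp()'s hardcoded 0600
 * files group-writable; a launcher sharing files between UIDs of one
 * group has to widen the mode itself. Assumes /tmp is writable. */
#define _DEFAULT_SOURCE 1
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Permission bits of fd, or -1 on error. */
static int mode_of(int fd)
{
    struct stat st;
    return fstat(fd, &st) == 0 ? (int)(st.st_mode & 07777) : -1;
}

/* Mode of a file created by mkstemp() while the given umask is set.
 * With widen != 0 the file is fchmod()ed to 0660 afterwards, which is
 * what a UID-per-instance launcher must do for the next instance
 * (different UID, same group) to be able to overwrite it. */
int mkstemp_mode(mode_t mask, int widen)
{
    char path[] = "/tmp/umask-demo-XXXXXX";
    mode_t old = umask(mask);
    int fd = mkstemp(path);
    umask(old);
    if (fd < 0) return -1;
    int mode = (widen && fchmod(fd, 0660) != 0) ? -1 : mode_of(fd);
    unlink(path);
    close(fd);
    return mode;
}

/* Contrast: plain open(O_CREAT, 0666) does honour umask (0666 & ~mask).
 * Fixed path, unlinked first: fine for a demo, not for production. */
int open_mode(mode_t mask)
{
    const char *path = "/tmp/umask-demo-open";
    unlink(path);
    mode_t old = umask(mask);
    int fd = open(path, O_CREAT | O_EXCL | O_WRONLY, 0666);
    umask(old);
    if (fd < 0) return -1;
    int mode = mode_of(fd);
    unlink(path);
    close(fd);
    return mode;
}
```

The same applies to mkdtemp(), which hardcodes 0700 for the directory it creates.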
