New fix for bugs/writable_system_disk:_belongs_to_floppy_group

3399907b · Tails developers · 4d6933b7 · 3399907b · 3399907b · 3399907b
Commit 3399907b authored Mar 19, 2013 by Tails developers
--- a/config/chroot_local-includes/etc/udev/rules.d/99-boot-dev-ownership.rules
+++ b/config/chroot_local-includes/etc/udev/rules.d/99-boot-dev-ownership.rules
+# Fix for Debian bug #645466.
+# Note: Must be applied after /lib/udev/rules.d/91-permissions.rules
+
+SUBSYSTEM=="block", SUBSYSTEMS=="usb", \
+	IMPORT{program}="/usr/local/sbin/udev-boot-dev-helper %k"
+SUBSYSTEM=="block", SUBSYSTEMS=="usb", ENV{IS_ON_BOOT_DEV}=="yes", GROUP="disk"
--- a/config/chroot_local-includes/lib/live/config/9980-permissions
+++ b/config/chroot_local-includes/lib/live/config/9980-permissions
 #!/bin/sh

-Fix_debian_bug_645466 ()
-{
-	# Fix bugs/writable_system_disk:_belongs_to_floppy_group (Debian
-	# bug #645466). Short story: udev sets a USB boot device's group
-	# ownership to 'floppy' making it writable by the live user. To
-	# prevent this we set it to 'disk'.
-
-	boot_dev_id=$(udevadm info --device-id-of-file=/lib/live/mount/medium)
-	boot_dev=$(readlink -f /dev/block/"${boot_dev_id}")
-	boot_dev_type=$(udevadm info --query=property --name="${boot_dev}" | \
-	                awk -F'=' '/ID_BUS/ { print $2 }')
-	if [ "${boot_dev_type}" != usb ]; then
-		return
-	fi
-	boot_dev_group=$(stat -c %G "${boot_dev}")
-	if [ "${boot_dev_group}" != disk ]; then
-		chgrp disk "${boot_dev}"
-		parent_path=$(udevadm info --query=property --name="${boot_dev}" | \
-		              awk -F'=' '/UDISKS_PARTITION_SLAVE/ { print $2 }')
-		if [ -n "${parent_path}" ]; then
-			parent_name=$(udevadm info --query=name --path="${parent_path}")
-			if [ -n "${parent_name}" ]; then
-				parent_dev=/dev/${parent_name}
-				chgrp disk "${parent_dev}"*
-			fi
-		fi
-	fi
-}
-
 Fix_permissions ()
 {
 	echo "- fixing permissions"
 	chown -R "${LIVE_USERNAME}":"${LIVE_USERNAME}" "/home/${LIVE_USERNAME}"
-	Fix_debian_bug_645466

 	# Creating state file
 	touch /var/lib/live/config/permissions

--- a/config/chroot_local-includes/usr/local/sbin/udev-boot-dev-helper
+++ b/config/chroot_local-includes/usr/local/sbin/udev-boot-dev-helper
+#!/bin/sh
+
+# Turns out we cannot use function using `udevadm` in this library for
+# this script since it's used in an udev rule; at that time the udev
+# database isn't finished and any queries in it cannot be trusted.
+. /usr/local/lib/tails-shell-library/boot.sh
+
+# XXX: This code is pretty crude thanks to not having udev to query
+# for the parent device. In Wheezy with its newer blkid we'll be able
+# to determine the parent device more reliably, if we care.
+boot_part_id=$(mountpoint -d "${BOOT_IMAGE}")
+boot_part=$(dev_id_to_block_dev "${boot_part_id}")
+boot_dev=$(echo ${boot_part} | sed 's/[0-9]*$//')
+if [ -b "${boot_dev}" ] && \
+    echo ${boot_dev} | grep -q "^/dev/sd[a-z]$" && \
+    echo /dev/$1 | grep -q "^${boot_dev}"; then
+        echo IS_ON_BOOT_DEV=yes
+fi