Permission problem with luci-base.json when build-system uses "umask 0022" #1521

torte71 · 2018-01-10T14:32:53Z

Targets: System independent (seen on raspberry pi3, gl-ar150 and wr842)
Version: git-head (probably in earlier versions as well)
Module: luci-base

See also here: freifunk-berlin/firmware#431

When building luci-base on a system with a default umask 0022, luci will not be usable for non-root users in the resulting image (non-root access is enabled e.g. in the freifunk package).
For non-root users, it will just display a "500 internal server error", because ubusd requires the file "/usr/share/acl.d/luci-base.json"[1] to be not group-readable[2]. As a result, access to ubus/system/board will not be allowed, leading to a NIL value for the boardinfo object in "/usr/lib/lua/luci/view/themes/bootstrap/header.htm"[3], what causes a crash, when trying to access its "hostname"[4] property.

The reason is, that the "install" section in "luci.mk"[5] does not set the required permission - it just copies the directories, retaining the permissions, that the files have from "git clone". If you are lucky to be compiling on a host with a "umask 0002" setting, the luci-base.json will have rw-r--r-- permission and everything works fine. On a system with "umask 0022" (this is nothing unusual), it will have rw-rw-r-- permissions after the checkout, resulting in a non-usable luci in the final image.

As a workaround, one can issue "umask 0002" before "git clone"ing. To really solve it, luci.mk may use "chmod" or "$(INSTALL_DATA)" on this file to ensure, the file gets installed with the correct permissions.

How to reproduce:

Build lede/openwrt with these steps:
- a) With error: "umask 0022 ; git clone https://git.lede-project.org/source.git lede"
- b) Without error: "umask 0002 ; git clone https://git.lede-project.org/source.git lede"
- ./scripts/feeds update -a
- ./scripts/feeds install -a
- make menuconfig
- select LuCI/Collections/luci
- select LuCI/Modules/luci-mod-freifunk - to see luci break - without it, only the ubusd output will show the permission issue
- make
Install the image
With luci-mod-freifunk: Open http://192.168.1.1 to see the 500-internal-server error (and via logread: "Tue Jan 9 23:48:09 2018 daemon.err uhttpd[1009]: A runtime error occured: [string "/usr/lib/lua/luci/view/themes/bootstrap/hea..."]:150: attempt to index local 'boardinfo' (a nil value)")
Without luci-mod-freifunk: Login via ssh. When running "killall ubusd" on the routers console, you will see following output from "logread -f": "Wed Jan 10 00:13:04 2018 daemon.err ubusd[1644]: /usr/share/acl.d/luci-base.json has wrong permissions"

(Please note, that the Freifunk-module is only used to easily demonstrate the consequences of this issue. The output from restarting ubusd shows, that the permission problem already exists in a vanilla luci-base installation).

[1] affected file "/usr/share/acl.d/luci-base.json"
https://github.com/openwrt/luci/tree/master/modules/luci-base/root/usr/share/acl.d

[2] permission check in ubusd
https://git.lede-project.org/?p=project/ubus.git;a=blob;f=ubusd_acl.c;h=4b72663d25aa983cb65b10fae8ba029b099c7c45;hb=HEAD#l406

[3] NIL value for boardinfo = util.ubus("system", "board")
https://github.com/openwrt/luci/blob/master/themes/luci-theme-bootstrap/luasrc/view/themes/bootstrap/header.htm#L14

[4] crash accessing boardinfo.hostname
https://github.com/openwrt/luci/blob/master/themes/luci-theme-bootstrap/luasrc/view/themes/bootstrap/header.htm#L162

[5] "install" section from luci.mk
https://github.com/openwrt/luci/blob/master/luci.mk#L169

jow- · 2018-01-10T16:03:28Z

I am unable to verify this problem here.
Compiled this test program:

#include <stdio.h>
#include <sys/stat.h>
#include <fcntl.h>

int main(int argc, char *argv[])
{
	struct stat st;

	if (stat("/usr/share/acl.d/luci-base.json", &st)) {
		printf("stat failed\n");
		return 1;
	}

	if (st.st_uid || st.st_gid) {
		printf("wrong owner\n");
		return 1;
	}

	if (st.st_mode & (S_IWOTH | S_IWGRP | S_IXOTH)) {
		printf("has wrong permissions\n");
		return 1;
	}

	printf("permissions okay\n");
	return 0;
}

Ran it on a target device:

root@jj:~# ls -lh /usr/share/acl.d/luci-base.json
-rw-r--r--    1 root     root          91 Jul  2  2017 /usr/share/acl.d/luci-base.json
root@jj:~# /tmp/test 
permissions okay
root@jj:~#

jow- · 2018-01-10T16:08:36Z

You probably swapped your with/without error cases. Builds with umask != 022 are known to be broken, OpenWrt added a prereq check due to this, see https://github.com/openwrt/openwrt/blob/master/include/prereq-build.mk#L25

The problem you raise here is not specific to LuCI and will affect a lot of other packages as well so I am not sure if it makes sense to add workarounds or checks to address this specific arbitrary case.

torte71 · 2018-01-10T16:36:57Z

Oops, indeed I swapped those values.
But looking at the grep from the prereq test: This would return true for 0022 and 0002 (and some more).
That explains, why I never encountered that message.

For now we only want to ensure that the group permission mask is permissive enough to not clobber required permissions on the rootfs, so allow less strict masks as well. Signed-off-by: Jo-Philipp Wich <jo@mein.io>

The openwrt files fetched via "git" already need the correct permissions. openwrt/luci#1521 freifunk-berlin#431

If the openwrt files are fetched using "git" on systems with "umask 002", they get checked out with group-writable permission. This finally leads to a "500 internal server error" when accessing luci pages, because of wrong permissions of /usr/share/acl.d/luci-base.json. See OpenWrt: "Builds with umask != 022 are known to be broken": openwrt/luci#1521 (comment) Bugreport and details, how these wrong permissions end up in the image: freifunk-berlin#431

jow- · 2018-06-25T09:46:19Z

This needs to be solved in OpenWrt buildroot and/or the host system.

If the openwrt files are fetched using "git" on systems with "umask 002", they get checked out with group-writable permission. This finally leads to a "500 internal server error" when accessing luci pages, because of wrong permissions of /usr/share/acl.d/luci-base.json. See OpenWrt: "Builds with umask != 022 are known to be broken": openwrt/luci#1521 (comment) Bugreport and details, how these wrong permissions end up in the image: #431

If the openwrt files are fetched using "git" on systems with "umask 002", they get checked out with group-writable permission. This finally leads to a "500 internal server error" when accessing luci pages, because of wrong permissions of /usr/share/acl.d/luci-base.json. See OpenWrt: "Builds with umask != 022 are known to be broken": openwrt/luci#1521 (comment) Bugreport and details, how these wrong permissions end up in the image: #431 cherry-pick from master (47eedf5)

torte71 mentioned this issue Jan 21, 2018

Lede Build: The OLSR services are not being listed on the router's webpage freifunk-berlin/firmware#445

Closed

torte71 added a commit to torte71/firmware that referenced this issue Mar 10, 2018

Set "umask 022" for "git clone" and "feed update"

b5f3740

The openwrt files fetched via "git" already need the correct permissions. openwrt/luci#1521 freifunk-berlin#431

torte71 mentioned this issue Mar 10, 2018

Set "umask 022" for "git clone" and "feed update" freifunk-berlin/firmware#530

Merged

jow- closed this as completed Jun 25, 2018

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Permission problem with luci-base.json when build-system uses "umask 0022" #1521

Permission problem with luci-base.json when build-system uses "umask 0022" #1521

torte71 commented Jan 10, 2018

jow- commented Jan 10, 2018

jow- commented Jan 10, 2018

torte71 commented Jan 10, 2018

jow- commented Jun 25, 2018

Permission problem with luci-base.json when build-system uses "umask 0022" #1521

Permission problem with luci-base.json when build-system uses "umask 0022" #1521

Comments

torte71 commented Jan 10, 2018

jow- commented Jan 10, 2018

jow- commented Jan 10, 2018

torte71 commented Jan 10, 2018

jow- commented Jun 25, 2018