integrated modifications so that hss_led can be run in non-priviledged

mode under a dedicated hssled user context rather than root. This required not only introduction of a user and group but also incorporates a udev rule which will make sure the /sys/class/leds nodes have the right permissions. Furthermore, hss_led also needs to create /var/status/hasInternet and thus we had to modify global umask and directory permissions for that part as well (this refs #599).
jens-maus · Sep 25, 2023 · ef8ebf3 · ef8ebf3
1 parent d58190b
commit ef8ebf3
Show file tree

Hide file tree

Showing 14 changed files with 36 additions and 11 deletions.
diff --git a/buildroot-external/overlay/base-raspmatic/etc/monitrc b/buildroot-external/overlay/base-raspmatic/etc/monitrc
@@ -26,7 +26,7 @@ check program hw-watchdogEnabled with path "/usr/bin/test -c /dev/watchdog"
 # hss_led service monitoring
 check process hss_led with pidfile /var/run/hss_led.pid
     group homematic
-    start = "/sbin/start-stop-daemon -S -q -b -m -p /var/run/hss_led.pid --exec /bin/hss_led -- -l 6"
+    start = "/sbin/start-stop-daemon -S -q -b -m -c hssled:hssled -p /var/run/hss_led.pid --exec /bin/hss_led -- -l 6"
     stop = "/sbin/start-stop-daemon -K -q -p /var/run/hss_led.pid"
     #if failed port 8182 type udp for 5 cycles then restart
     if not exist for 1 cycles then restart

diff --git a/buildroot-external/overlay/base-raspmatic_oci/etc/init.d/rcS b/buildroot-external/overlay/base-raspmatic_oci/etc/init.d/rcS
@@ -4,6 +4,9 @@
 # Start all init scripts in /etc/init.d
 # executing them in numerical order.
 
+# make sure we have a secure umask
+umask 0002
+
 # mount all filesystems
 /bin/mount -a
 

diff --git a/buildroot-external/overlay/base-raspmatic_oci/etc/monitrc b/buildroot-external/overlay/base-raspmatic_oci/etc/monitrc
@@ -10,7 +10,7 @@ set httpd unixsocket /var/run/monit.sock
 # hss_led service monitoring
 check process hss_led with pidfile /var/run/hss_led.pid
     group homematic
-    start = "/sbin/start-stop-daemon -S -q -b -m -p /var/run/hss_led.pid --exec /bin/hss_led -- -l 6"
+    start = "/sbin/start-stop-daemon -S -q -b -m -c hssled:hssled -p /var/run/hss_led.pid --exec /bin/hss_led -- -l 6"
     stop = "/sbin/start-stop-daemon -K -q -p /var/run/hss_led.pid"
     #if failed port 8182 type udp for 5 cycles then restart
     if not exist for 1 cycles then restart

diff --git a/buildroot-external/overlay/base-raspmatic_oci/etc/network/if-up.d/eQ3StartNetwork b/buildroot-external/overlay/base-raspmatic_oci/etc/network/if-up.d/eQ3StartNetwork
@@ -1,6 +1,9 @@
 #!/bin/sh
 # shellcheck shell=dash disable=SC2169 source=/dev/null
 
+# make sure we have a secure umask
+umask 0002
+
 # source all data from /var/hm_mode
 [[ -r /var/hm_mode ]] && . /var/hm_mode
 

diff --git a/buildroot-external/overlay/base/etc/init.d/S06InitSystem b/buildroot-external/overlay/base/etc/init.d/S06InitSystem
@@ -13,9 +13,6 @@ init_system() {
     HM_MODE="HM-LGW"
   fi
 
-  # general umask so that we will have rwrw--
-  umask 0002
-
   # ensure some pathes are there and have
   # correct permissions
   mkdir -p /var/log
@@ -31,6 +28,8 @@ init_system() {
   mkdir -p /var/empty
   mkdir -p /var/etc
   mkdir -p /var/status
+  chmod g+s /var/status
+  chgrp status /var/status
   mkdir -p /var/empty
   chmod 0700 /var/empty
 
@@ -95,10 +94,11 @@ init_system() {
   fi
 
   # if no shadow file with password information is in place we have to
-  # put the template file there.
+  # put the template file there and ensure proper permissions
   if [[ ! -s /etc/config/shadow ]] ; then
     cp -a ${CFG_TEMPLATE_DIR}/shadow /etc/config/
   fi
+  chmod 0640 /etc/config/shadow
 
   # load bcm2835 watchdog kernel module if this is
   # a raspberrypi
@@ -125,7 +125,7 @@ start() {
 
   # start hss_led if it exists and we are not in HMLGW mode
   if [[ "${HM_MODE}" != "HM-LGW" ]] && [[ -x /bin/hss_led ]]; then
-    start-stop-daemon -S -q -b -m -p /var/run/hss_led.pid --exec /bin/hss_led -- -l 6
+    start-stop-daemon -S -q -b -m -c hssled:hssled -p /var/run/hss_led.pid --exec /bin/hss_led -- -l 6
   fi
 
   # call rc.postinit after init of system is finished

diff --git a/buildroot-external/overlay/base/etc/init.d/S47InitRFHardware b/buildroot-external/overlay/base/etc/init.d/S47InitRFHardware
@@ -319,7 +319,7 @@ query_rf_parameters() {
       start-stop-daemon -K -q -p /var/run/hss_led.pid
       if [[ -x /bin/hss_led ]]; then
         sleep 2
-        start-stop-daemon -S -q -b -m -p /var/run/hss_led.pid --exec /bin/hss_led -- -l 6
+        start-stop-daemon -S -q -b -m -c hssled:hssled -p /var/run/hss_led.pid --exec /bin/hss_led -- -l 6
       fi
     fi
   fi

diff --git a/buildroot-external/overlay/base/etc/init.d/rcS b/buildroot-external/overlay/base/etc/init.d/rcS
@@ -4,6 +4,9 @@
 # Start all init scripts in /etc/init.d
 # executing them in numerical order.
 
+# make sure we have a secure umask
+umask 0002
+
 # perform systemwide fsck
 /sbin/fsck -A -R -p
 

diff --git a/buildroot-external/overlay/base/etc/network/if-up.d/eQ3StartNetwork b/buildroot-external/overlay/base/etc/network/if-up.d/eQ3StartNetwork
@@ -1,6 +1,9 @@
 #!/bin/sh
 # shellcheck shell=dash disable=SC2169 source=/dev/null
 
+# make sure we have a secure umask
+umask 0002
+
 # source all data from /var/hm_mode
 [[ -r /var/hm_mode ]] && . /var/hm_mode
 

diff --git a/buildroot-external/overlay/base/etc/profile.d/umask.sh b/buildroot-external/overlay/base/etc/profile.d/umask.sh
@@ -0,0 +1 @@
+umask 0002
diff --git a/buildroot-external/overlay/base/lib/udev/rules.d/82-hss_led.rules b/buildroot-external/overlay/base/lib/udev/rules.d/82-hss_led.rules
@@ -0,0 +1,4 @@
+# make sure all led nodes in /sys are generated with group permissions that hss_led
+# can access them accordingly
+SUBSYSTEM=="leds", ACTION=="add", RUN+="/bin/chgrp -R hssled /sys%p", RUN+="/bin/chmod -R g=u /sys%p"
+SUBSYSTEM=="leds", ACTION=="change", ENV{TRIGGER}!="none", RUN+="/bin/chgrp -R hssled /sys%p", RUN+="/bin/chmod -R g=u /sys%p"
diff --git a/buildroot-external/overlay/base/root/.bash_profile b/buildroot-external/overlay/base/root/.bash_profile
@@ -1,9 +1,6 @@
 #!/bin/sh
 # shellcheck shell=dash source=/dev/null
 # .bash_profile
-
-umask 022
-
 if [ -f ~/.bashrc ]; then
     . ~/.bashrc
 fi
diff --git a/buildroot-external/package/occu/occu.mk b/buildroot-external/package/occu/occu.mk
@@ -24,6 +24,7 @@ ifeq ($(BR2_PACKAGE_OCCU),y)
 
 		# shadow file setup
 		touch $(TARGET_DIR)/usr/local/etc/config/shadow
+		chmod 0640 $(TARGET_DIR)/usr/local/etc/config/shadow
 		rm -f $(TARGET_DIR)/etc/shadow
 		ln -snf config/shadow $(TARGET_DIR)/etc/
 
@@ -132,4 +133,10 @@ define OCCU_WRAP_WEBUI_JS
 endef
 OCCU_POST_PATCH_HOOKS += OCCU_WRAP_WEBUI_JS
 
+define OCCU_USERS
+	-      -1 hm     -1 * - - -      homematic access group
+	-      -1 status -1 * - - -      status access group
+	hssled -1 hssled -1 * - - status hss_led user
+endef
+
 $(eval $(generic-package))
diff --git a/buildroot-external/package/recovery-system/external/overlay/base/etc/init.d/rcS b/buildroot-external/package/recovery-system/external/overlay/base/etc/init.d/rcS
@@ -4,6 +4,9 @@
 # Start all init scripts in /etc/init.d
 # executing them in numerical order.
 
+# make sure we have a secure umask
+umask 0002
+
 # Parameters (default values)
 RECOVERY_SPLASHSCREEN_TITLE="CCU Recovery"
 

diff --git a/buildroot-external/package/recovery-system/external/overlay/base/etc/profile.d/umask.sh b/buildroot-external/package/recovery-system/external/overlay/base/etc/profile.d/umask.sh
@@ -0,0 +1 @@
+umask 0002