From ef8ebf3ed1c29e42808eedc0f9e801033e04abe3 Mon Sep 17 00:00:00 2001
From: Jens Maus <mail@jens-maus.de>
Date: Mon, 25 Sep 2023 16:09:37 +0200
Subject: [PATCH] integrated modifications so that hss_led can be run in
 non-priviledged mode under a dedicated hssled user context rather than root.
 This required not only introduction of a user and group but also incorporates
 a udev rule which will make sure the /sys/class/leds nodes have the right
 permissions. Furthermore, hss_led also needs to create
 /var/status/hasInternet and thus we had to modify global umask and directory
 permissions for that part as well (this refs #599).

---
 buildroot-external/overlay/base-raspmatic/etc/monitrc  |  2 +-
 .../overlay/base-raspmatic_oci/etc/init.d/rcS          |  3 +++
 .../overlay/base-raspmatic_oci/etc/monitrc             |  2 +-
 .../etc/network/if-up.d/eQ3StartNetwork                |  3 +++
 .../overlay/base/etc/init.d/S06InitSystem              | 10 +++++-----
 .../overlay/base/etc/init.d/S47InitRFHardware          |  2 +-
 buildroot-external/overlay/base/etc/init.d/rcS         |  3 +++
 .../overlay/base/etc/network/if-up.d/eQ3StartNetwork   |  3 +++
 buildroot-external/overlay/base/etc/profile.d/umask.sh |  1 +
 .../overlay/base/lib/udev/rules.d/82-hss_led.rules     |  4 ++++
 buildroot-external/overlay/base/root/.bash_profile     |  3 ---
 buildroot-external/package/occu/occu.mk                |  7 +++++++
 .../external/overlay/base/etc/init.d/rcS               |  3 +++
 .../external/overlay/base/etc/profile.d/umask.sh       |  1 +
 14 files changed, 36 insertions(+), 11 deletions(-)
 create mode 100644 buildroot-external/overlay/base/etc/profile.d/umask.sh
 create mode 100644 buildroot-external/overlay/base/lib/udev/rules.d/82-hss_led.rules
 create mode 100644 buildroot-external/package/recovery-system/external/overlay/base/etc/profile.d/umask.sh

diff --git a/buildroot-external/overlay/base-raspmatic/etc/monitrc b/buildroot-external/overlay/base-raspmatic/etc/monitrc
index 7e90b926da..de39f16b2f 100644
--- a/buildroot-external/overlay/base-raspmatic/etc/monitrc
+++ b/buildroot-external/overlay/base-raspmatic/etc/monitrc
@@ -26,7 +26,7 @@ check program hw-watchdogEnabled with path "/usr/bin/test -c /dev/watchdog"
 # hss_led service monitoring
 check process hss_led with pidfile /var/run/hss_led.pid
     group homematic
-    start = "/sbin/start-stop-daemon -S -q -b -m -p /var/run/hss_led.pid --exec /bin/hss_led -- -l 6"
+    start = "/sbin/start-stop-daemon -S -q -b -m -c hssled:hssled -p /var/run/hss_led.pid --exec /bin/hss_led -- -l 6"
     stop = "/sbin/start-stop-daemon -K -q -p /var/run/hss_led.pid"
     #if failed port 8182 type udp for 5 cycles then restart
     if not exist for 1 cycles then restart
diff --git a/buildroot-external/overlay/base-raspmatic_oci/etc/init.d/rcS b/buildroot-external/overlay/base-raspmatic_oci/etc/init.d/rcS
index ed436e71d4..e1c30efdf7 100755
--- a/buildroot-external/overlay/base-raspmatic_oci/etc/init.d/rcS
+++ b/buildroot-external/overlay/base-raspmatic_oci/etc/init.d/rcS
@@ -4,6 +4,9 @@
 # Start all init scripts in /etc/init.d
 # executing them in numerical order.
 
+# make sure we have a secure umask
+umask 0002
+
 # mount all filesystems
 /bin/mount -a
 
diff --git a/buildroot-external/overlay/base-raspmatic_oci/etc/monitrc b/buildroot-external/overlay/base-raspmatic_oci/etc/monitrc
index 769f9cc3d1..41b3cbbfac 100644
--- a/buildroot-external/overlay/base-raspmatic_oci/etc/monitrc
+++ b/buildroot-external/overlay/base-raspmatic_oci/etc/monitrc
@@ -10,7 +10,7 @@ set httpd unixsocket /var/run/monit.sock
 # hss_led service monitoring
 check process hss_led with pidfile /var/run/hss_led.pid
     group homematic
-    start = "/sbin/start-stop-daemon -S -q -b -m -p /var/run/hss_led.pid --exec /bin/hss_led -- -l 6"
+    start = "/sbin/start-stop-daemon -S -q -b -m -c hssled:hssled -p /var/run/hss_led.pid --exec /bin/hss_led -- -l 6"
     stop = "/sbin/start-stop-daemon -K -q -p /var/run/hss_led.pid"
     #if failed port 8182 type udp for 5 cycles then restart
     if not exist for 1 cycles then restart
diff --git a/buildroot-external/overlay/base-raspmatic_oci/etc/network/if-up.d/eQ3StartNetwork b/buildroot-external/overlay/base-raspmatic_oci/etc/network/if-up.d/eQ3StartNetwork
index f130a9ca2c..e7f7188d39 100755
--- a/buildroot-external/overlay/base-raspmatic_oci/etc/network/if-up.d/eQ3StartNetwork
+++ b/buildroot-external/overlay/base-raspmatic_oci/etc/network/if-up.d/eQ3StartNetwork
@@ -1,6 +1,9 @@
 #!/bin/sh
 # shellcheck shell=dash disable=SC2169 source=/dev/null
 
+# make sure we have a secure umask
+umask 0002
+
 # source all data from /var/hm_mode
 [[ -r /var/hm_mode ]] && . /var/hm_mode
 
diff --git a/buildroot-external/overlay/base/etc/init.d/S06InitSystem b/buildroot-external/overlay/base/etc/init.d/S06InitSystem
index bbac0e6fe6..92a8b7c246 100755
--- a/buildroot-external/overlay/base/etc/init.d/S06InitSystem
+++ b/buildroot-external/overlay/base/etc/init.d/S06InitSystem
@@ -13,9 +13,6 @@ init_system() {
     HM_MODE="HM-LGW"
   fi
 
-  # general umask so that we will have rwrw--
-  umask 0002
-
   # ensure some pathes are there and have
   # correct permissions
   mkdir -p /var/log
@@ -31,6 +28,8 @@ init_system() {
   mkdir -p /var/empty
   mkdir -p /var/etc
   mkdir -p /var/status
+  chmod g+s /var/status
+  chgrp status /var/status
   mkdir -p /var/empty
   chmod 0700 /var/empty
 
@@ -95,10 +94,11 @@ init_system() {
   fi
 
   # if no shadow file with password information is in place we have to
-  # put the template file there.
+  # put the template file there and ensure proper permissions
   if [[ ! -s /etc/config/shadow ]] ; then
     cp -a ${CFG_TEMPLATE_DIR}/shadow /etc/config/
   fi
+  chmod 0640 /etc/config/shadow
 
   # load bcm2835 watchdog kernel module if this is
   # a raspberrypi
@@ -125,7 +125,7 @@ start() {
 
   # start hss_led if it exists and we are not in HMLGW mode
   if [[ "${HM_MODE}" != "HM-LGW" ]] && [[ -x /bin/hss_led ]]; then
-    start-stop-daemon -S -q -b -m -p /var/run/hss_led.pid --exec /bin/hss_led -- -l 6
+    start-stop-daemon -S -q -b -m -c hssled:hssled -p /var/run/hss_led.pid --exec /bin/hss_led -- -l 6
   fi
 
   # call rc.postinit after init of system is finished
diff --git a/buildroot-external/overlay/base/etc/init.d/S47InitRFHardware b/buildroot-external/overlay/base/etc/init.d/S47InitRFHardware
index a8d7475608..ce8f162788 100755
--- a/buildroot-external/overlay/base/etc/init.d/S47InitRFHardware
+++ b/buildroot-external/overlay/base/etc/init.d/S47InitRFHardware
@@ -319,7 +319,7 @@ query_rf_parameters() {
       start-stop-daemon -K -q -p /var/run/hss_led.pid
       if [[ -x /bin/hss_led ]]; then
         sleep 2
-        start-stop-daemon -S -q -b -m -p /var/run/hss_led.pid --exec /bin/hss_led -- -l 6
+        start-stop-daemon -S -q -b -m -c hssled:hssled -p /var/run/hss_led.pid --exec /bin/hss_led -- -l 6
       fi
     fi
   fi
diff --git a/buildroot-external/overlay/base/etc/init.d/rcS b/buildroot-external/overlay/base/etc/init.d/rcS
index d9017c836e..860f4d8ee4 100755
--- a/buildroot-external/overlay/base/etc/init.d/rcS
+++ b/buildroot-external/overlay/base/etc/init.d/rcS
@@ -4,6 +4,9 @@
 # Start all init scripts in /etc/init.d
 # executing them in numerical order.
 
+# make sure we have a secure umask
+umask 0002
+
 # perform systemwide fsck
 /sbin/fsck -A -R -p
 
diff --git a/buildroot-external/overlay/base/etc/network/if-up.d/eQ3StartNetwork b/buildroot-external/overlay/base/etc/network/if-up.d/eQ3StartNetwork
index 27ef53a992..7225013a71 100755
--- a/buildroot-external/overlay/base/etc/network/if-up.d/eQ3StartNetwork
+++ b/buildroot-external/overlay/base/etc/network/if-up.d/eQ3StartNetwork
@@ -1,6 +1,9 @@
 #!/bin/sh
 # shellcheck shell=dash disable=SC2169 source=/dev/null
 
+# make sure we have a secure umask
+umask 0002
+
 # source all data from /var/hm_mode
 [[ -r /var/hm_mode ]] && . /var/hm_mode
 
diff --git a/buildroot-external/overlay/base/etc/profile.d/umask.sh b/buildroot-external/overlay/base/etc/profile.d/umask.sh
new file mode 100644
index 0000000000..032f1e5b89
--- /dev/null
+++ b/buildroot-external/overlay/base/etc/profile.d/umask.sh
@@ -0,0 +1 @@
+umask 0002
diff --git a/buildroot-external/overlay/base/lib/udev/rules.d/82-hss_led.rules b/buildroot-external/overlay/base/lib/udev/rules.d/82-hss_led.rules
new file mode 100644
index 0000000000..0867529ba2
--- /dev/null
+++ b/buildroot-external/overlay/base/lib/udev/rules.d/82-hss_led.rules
@@ -0,0 +1,4 @@
+# make sure all led nodes in /sys are generated with group permissions that hss_led
+# can access them accordingly
+SUBSYSTEM=="leds", ACTION=="add", RUN+="/bin/chgrp -R hssled /sys%p", RUN+="/bin/chmod -R g=u /sys%p"
+SUBSYSTEM=="leds", ACTION=="change", ENV{TRIGGER}!="none", RUN+="/bin/chgrp -R hssled /sys%p", RUN+="/bin/chmod -R g=u /sys%p"
diff --git a/buildroot-external/overlay/base/root/.bash_profile b/buildroot-external/overlay/base/root/.bash_profile
index d67f03deb5..d67ab81175 100644
--- a/buildroot-external/overlay/base/root/.bash_profile
+++ b/buildroot-external/overlay/base/root/.bash_profile
@@ -1,9 +1,6 @@
 #!/bin/sh
 # shellcheck shell=dash source=/dev/null
 # .bash_profile
-
-umask 022
-
 if [ -f ~/.bashrc ]; then
     . ~/.bashrc
 fi
diff --git a/buildroot-external/package/occu/occu.mk b/buildroot-external/package/occu/occu.mk
index 5eedc88d89..04d8cb9b41 100644
--- a/buildroot-external/package/occu/occu.mk
+++ b/buildroot-external/package/occu/occu.mk
@@ -24,6 +24,7 @@ ifeq ($(BR2_PACKAGE_OCCU),y)
 
 		# shadow file setup
 		touch $(TARGET_DIR)/usr/local/etc/config/shadow
+		chmod 0640 $(TARGET_DIR)/usr/local/etc/config/shadow
 		rm -f $(TARGET_DIR)/etc/shadow
 		ln -snf config/shadow $(TARGET_DIR)/etc/
 
@@ -132,4 +133,10 @@ define OCCU_WRAP_WEBUI_JS
 endef
 OCCU_POST_PATCH_HOOKS += OCCU_WRAP_WEBUI_JS
 
+define OCCU_USERS
+	-      -1 hm     -1 * - - -      homematic access group
+	-      -1 status -1 * - - -      status access group
+	hssled -1 hssled -1 * - - status hss_led user
+endef
+
 $(eval $(generic-package))
diff --git a/buildroot-external/package/recovery-system/external/overlay/base/etc/init.d/rcS b/buildroot-external/package/recovery-system/external/overlay/base/etc/init.d/rcS
index 77ec2d1489..ae519214c2 100755
--- a/buildroot-external/package/recovery-system/external/overlay/base/etc/init.d/rcS
+++ b/buildroot-external/package/recovery-system/external/overlay/base/etc/init.d/rcS
@@ -4,6 +4,9 @@
 # Start all init scripts in /etc/init.d
 # executing them in numerical order.
 
+# make sure we have a secure umask
+umask 0002
+
 # Parameters (default values)
 RECOVERY_SPLASHSCREEN_TITLE="CCU Recovery"
 
diff --git a/buildroot-external/package/recovery-system/external/overlay/base/etc/profile.d/umask.sh b/buildroot-external/package/recovery-system/external/overlay/base/etc/profile.d/umask.sh
new file mode 100644
index 0000000000..032f1e5b89
--- /dev/null
+++ b/buildroot-external/package/recovery-system/external/overlay/base/etc/profile.d/umask.sh
@@ -0,0 +1 @@
+umask 0002