From 318cd1f0969c07ab225754ebe2b687654c417dbf Mon Sep 17 00:00:00 2001
From: Zach van Rijn <me@zv.io>
Date: Thu, 16 Nov 2023 23:18:19 +0000
Subject: adelie-build-txz: improve permissions alignment w/ 'hscript-image'

As used by 'automedia', directory permissions for '/root' were too
permissive. A change to this script and separately to 'automedia'
are required in order to have '/root' be 0700. To facilitate the
bind mounts for installing QEMU emulators for media creation, this
directory was inadvertently created with the wrong umask.

The '/usr', '/usr/sbin', and '/etc' directories were found to be
inconsistent with the output of 'hscript-image' for rootfs tarball
media, so the appropriate umask is now set.

A full audit for permissions should be performed.
---
 adelie-build-txz | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/adelie-build-txz b/adelie-build-txz
index 71b2d1b..a41ddf2 100755
--- a/adelie-build-txz
+++ b/adelie-build-txz
@@ -133,15 +133,28 @@ install_pkgs() {
 		readonly ARCH_PKGS="$(cat packages/arch/$ARCH 2>/dev/null | tr '\n' ' ' || echo '')"
 	fi
 
-	mkdir -p rootfs-$ARCH/etc/apk
+	(
+		umask 022
+		mkdir -p rootfs-$ARCH/etc/apk
+	)
 	cp -r /etc/apk/keys rootfs-$ARCH/etc/apk/
+
 	# Disable grub trigger.
 	mkdir -p rootfs-$ARCH/etc/default
 	printf "ADELIE_MANUAL_CONFIG=1\n" >> rootfs-$ARCH/etc/default/grub
+
 	mkdir -p rootfs-$ARCH/dev
 	mknod rootfs-$ARCH/dev/urandom c 1 9
-	mkdir -p rootfs-$ARCH/usr/sbin
-	mkdir -p rootfs-$ARCH/root
+
+	(
+		umask 022
+		mkdir -p rootfs-$ARCH/usr/sbin
+	)
+
+	(
+		umask 077
+		mkdir -p rootfs-$ARCH/root
+	)
 	cp -r bin rootfs-$ARCH/root/bin
 	apk --arch $ARCH \
 		${CACHE:+--cache-dir "${CACHE}"} \
-- 
cgit v1.2.3-60-g2f50