From 8d6fa7eb07b597ab030a3353bf3b17843a46d134 Mon Sep 17 00:00:00 2001 From: Christian Stadelmann Date: Sat, 5 Nov 2016 13:32:53 +0100 Subject: [PATCH] Makefile: fix filesystem permissions This change fixes filesystem permissions: * set right permissions even if build machine has umask 0077 * /etc/passwd must not be readable by user * make sure filesystem gets unmounted if build fails * include directories for setting permissions * exclude others from /home/user and /root directories * set executable bit in /bin/ even if build machine umask tries to prevent that --- Makefile | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/Makefile b/Makefile
index b678bd6..8030885 100644
--- a/Makefile
+++ b/Makefile
@@ -55,6 +55,7 @@ clean:
 cargo clean --manifest-path schemes/redoxfs/Cargo.toml
 cargo clean --manifest-path schemes/tcpd/Cargo.toml
 cargo clean --manifest-path schemes/udpd/Cargo.toml
+ -$(FUMOUNT) $(BUILD)/filesystem/
 rm -rf initfs/bin
 rm -rf filesystem/bin
 rm -rf build
@@ -434,6 +435,7 @@ $(BUILD)/filesystem.bin: \
 filesystem/bin/sh \
 filesystem/bin/smith \
 filesystem/bin/tar
+ -$(FUMOUNT) $(BUILD)/filesystem/
 rm -rf $@ $(BUILD)/filesystem/
 echo exit | cargo run --manifest-path schemes/redoxfs/Cargo.toml --bin redoxfs-utility $@ 256
 mkdir -p $(BUILD)/filesystem/
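Review bot: The `-` prefix on the added `-$(FUMOUNT) $(BUILD)/filesystem/` line ignores every unmount failure, not only the expected "nothing is mounted" case, and in both places it is followed directly by an `rm -rf` (`rm -rf build` in `clean`, `rm -rf $@ $(BUILD)/filesystem/` in the `$(BUILD)/filesystem.bin` hunk). If the unmount fails because the mount is busy, that `rm -rf` runs against a still-mounted image directory, assuming `build` contains `$(BUILD)`. A comment above each line, for example `# best effort: fails when nothing is mounted; a busy mount is not detected`, would record why the error is ignored. A stricter variant would ignore only the not-mounted case and stop on any other failure. Both recipes begin and end outside their hunks.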
@@ -442,14 +444,19 @@ $(BUILD)/filesystem.bin: \
 sleep 2
 pgrep redoxfs-fuse
 cp -RL filesystem/* $(BUILD)/filesystem/
- chown -R 0:0 $(BUILD)/filesystem/
- chown -R 1000:1000 $(BUILD)/filesystem/home/user/
- chmod 700 $(BUILD)/filesystem/root/
- chmod 700 $(BUILD)/filesystem/home/user/
+ chmod -R uog+rX $(BUILD)/filesystem
+ chmod -R uog-w $(BUILD)/filesystem
+ chmod -R 555 $(BUILD)/filesystem/bin/
+ chmod -R u+rwX $(BUILD)/filesystem/root
+ chmod -R og-rwx $(BUILD)/filesystem/root
+ chmod -R u+rwX $(BUILD)/filesystem/home/user
+ chmod -R og-rwx $(BUILD)/filesystem/home/user
 chmod +s $(BUILD)/filesystem/bin/su
 chmod +s $(BUILD)/filesystem/bin/sudo
 mkdir $(BUILD)/filesystem/tmp
 chmod 1777 $(BUILD)/filesystem/tmp
+ chown -R 0:0 $(BUILD)/filesystem
+ chown -R 1000:1000 $(BUILD)/filesystem/home/user
 sync
 -$(FUMOUNT) $(BUILD)/filesystem/
 rm -rf $(BUILD)/filesystem/
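Review bot: The two `chown -R` lines now run after `chmod +s $(BUILD)/filesystem/bin/su` and `chmod +s $(BUILD)/filesystem/bin/sudo`, and changing a file's owner commonly clears its set-user-ID and set-group-ID bits. The image may therefore end up with `su` and `sudo` owned by root but no longer setuid; whether the FUSE mount preserves the bits is not visible here. Moving the two `chmod +s` lines below the `chown -R` lines still lets the late chown cover `tmp` and makes the result independent of that behaviour. Separately, `chmod -R uog+rX $(BUILD)/filesystem` leaves every file outside `root` and `home/user` world-readable, which does not match the description's "/etc/passwd must not be readable by user"; a comment above the chmod block stating the intended mode per directory would settle which one is meant. The `$(BUILD)/filesystem.bin` recipe begins outside this hunk and may continue past it.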