root free chap6

Robert Connolly cendres at videotron.ca
Thu Jan 22 03:54:39 PST 2004


This builds and boots. I think a few extra things could be done to minimize 
root in chap6.

Chap5
After coreutils make install, cp src/su /tools/bin/su
Don't make it suid or anything.

Chap6

cat > /etc/passwd << "EOF"
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/:
EOF

Makedev...

Leave the gid 0. Leave /usr itself owned by root, so user bin can't
create new top directories.
Binutils likes to rm /tools/bin/ld?

chown -R bin /usr/*
chown -R bin /opt
chown -R bin /bin
chown -R bin /tools
chown bin /lib
chown bin /sbin
chown bin /etc
chown bin /boot
chown -R bin /var

This is for psmisc creating /dev/initctl
chown bin /dev

chown -R bin:root /sources

/root, /home, /tmp, /lost+found, /proc remain owned by root.
/etc/{group,mtab,passwd} are still owned by root too.

Before Linux Kernel Header Chap6

su - bin

HOME=/
TERM=$TERM PS1='\u:\w\$ '
PATH=/bin:/usr/bin:/sbin:/usr/sbin:/tools/bin
export HOME TERM PATH

Coreutils
If you want to run the check-root tests you'll need to logout to root,
cd to the source... and su back to finish.

Findutils
Use --localstatedir=/var/lib/misc

Kbd
sed -e 's at -o root@ @g' -i src/Makefile

ProcPS
sed -e 's at --owner 0 --group 0 at --owner 1 --group 1 at g' -i Makefile

Shadow
Run these after chap6.
/usr/sbin/pwconv
/usr/sbin/grpconv
passwd root

Sysklogd
make MAN_OWNER=bin install

Sysvinit
make BIN_OWNER=bin BIN_GROUP=bin -C src install

Util-Linux
sed -e 's at -o root@ @g' -i MCONFIG
./configure
make HAVE_KILL=yes HAVE_SLN=yes USE_TTY_GROUP=no
make HAVE_KILL=yes HAVE_SLN=yes USE_TTY_GROUP=no install

Revised chroot.

chmod -s /bin/su /bin/mount /bin/umount
chmod -s /usr/bin/passwd /usr/bin/chage /usr/bin/chfn \
 /usr/bin/chsh /usr/bin/expiry /usr/bin/gpasswd /usr/bin/newgrp

chown 0:0 /dev
chown 0:0 /dev/initctl
chown -R 0:0 /boot
chown -R 0 /bin
chown -R 0 /lib
chown -R 0 /sbin
chown -R 0:0 /etc
chown -R 0:0 /var
chown 0 /opt
chown -R 0 /tools

chgrp tty /usr/bin/write

Don't let 'other' have read/execute permission on suid bins.

chmod 4710 /bin/su
chmod 4750 /usr/bin/passwd
groupadd locals
chown root:locals /bin/su /usr/bin/passwd

Su back to bin before building the kernel.

And before rebooting:

/usr/sbin/pwconv
/usr/sbin/grpconv
passwd root




More information about the hlfs-dev mailing list