[OLPC Security] Activity home dirs (was Re: OLPC XO Opera browser as Sugar activity)
Bert Freudenberg
bert at freudenbergs.de
Thu Jun 26 02:53:47 EDT 2008
Am 26.06.2008 um 01:22 schrieb John Gilmore:
>> The activity start script should configure Opera to put its
>> configuration file in $SUGAR_ACTIVITY_ROOT/data instead of
>> $HOME/.opera. Also it should set umask to 0002 so the config file is
>> group-writable (otherwise the next activity instance cannot
>> overwrite).
>>
>> See http://wiki.laptop.org/go/Low-level_Activity_API#File_Access
>
>>> QSettings: error creating /home/olpc/isolation/1/uid_to_home_dir/
>>> 10000/.qt
>>> opera: Can not use personal directory: /home/olpc/isolation/1/
>>> uid_to_home_dir/10000/.opera
>
> This looks more like a bug in Rainbow than in Opera.
>
> Why would Sugar or Rainbow be setting $HOME to a rainbow-created
> directory that the activity can't make subdirectories in?
>
> (The universe of Unix programs isn't going to rewrite itself because
> OLPC decided that $SUGAR_ACTIVITY_ROOT is the right place to keep your
> files on Unix. $HOME has been that place for decades. Rainbow is
> already setting $HOME. It's just apparently setting it to something
> that doesn't work.)
>
>> Also it should set umask to 0002 so the config file is
>> group-writable (otherwise the next activity instance cannot
>> overwrite).
>
> If Rainbow runs the same activity as many different UIDs that share a
> single group ID, then yes, Rainbow should be setting the umask so that
> files are created group-writeable by default. There should be no need
> to modify ordinary Unix programs for this.
Agreed, but Peter's question was about build 708 so it might be fixed
in the mean time. Indeed I remember discussion about that, although I
can't find the Trac report. I recall that HOME is set to
$SUGAR_ACTIVITY_ROOT/instance now, which should work at least, but I
think is also wrong as it is not shared between activity instances.
The right place would be $SUGAR_ACTIVITY_ROOT/data. And I think umask
is set by Sugar nowadays.
But that won't help machines in the field now so I gave a recipe that
would work around that bug.
- Bert -
More information about the Security
mailing list