[OLPC Security] Activity home dirs (was Re: OLPC XO Opera browser as Sugar activity)

Michael Stone michael at laptop.org
Thu Jun 26 18:10:11 EDT 2008


On Thu, Jun 26, 2008 at 08:53:47AM +0200, Bert Freudenberg wrote:
> 
> Am 26.06.2008 um 01:22 schrieb John Gilmore:
> 
> >> The activity start script should configure Opera to put its
> >> configuration file in $SUGAR_ACTIVITY_ROOT/data instead of
> >> $HOME/.opera. Also it should set umask to 0002 so the config file is
> >> group-writable (otherwise the next activity instance cannot  
> >> overwrite).
> >>
> >> See http://wiki.laptop.org/go/Low-level_Activity_API#File_Access
> >
> >>> QSettings: error creating /home/olpc/isolation/1/uid_to_home_dir/
> >>> 10000/.qt
> >>> opera: Can not use personal directory: /home/olpc/isolation/1/
> >>> uid_to_home_dir/10000/.opera
> >
> > This looks more like a bug in Rainbow than in Opera.

It was considered to be a feature at the time it was introduced.

> > Why would Sugar or Rainbow be setting $HOME to a rainbow-created
> > directory that the activity can't make subdirectories in?

Because the spec it was built to said that activities should be
permitted to write to precisely three directories named 'tmp', 'data',
and 'instance'. Furthermore, it was entirely unclear at the time which
one $HOME should point to.

> > (The universe of Unix programs isn't going to rewrite itself because
> > OLPC decided that $SUGAR_ACTIVITY_ROOT is the right place to keep your
> > files on Unix.  $HOME has been that place for decades.  Rainbow is
> > already setting $HOME.  It's just apparently setting it to something
> > that doesn't work.)
> >
> >> Also it should set umask to 0002 so the config file is
> >> group-writable (otherwise the next activity instance cannot  
> >> overwrite).

rainbow >= 0.7.4 (available since Nov. 10, 2007) sets umask(0) before
running the activity. However, we found that several important library
calls like mkstemp, mkdtemp, and the equivalent file creation code used
by xulrunner hardcode the use of modes like 0700 and 0600 for
directories and files that they create. It would not surprise me if
Opera behaved similarly. 

> > If Rainbow runs the same activity as many different UIDs that share a
> > single group ID, then yes, Rainbow should be setting the umask so that
> > files are created group-writeable by default.  There should be no need
> > to modify ordinary Unix programs for this.
> 
> Agreed, but Peter's question was about build 708 so it might be fixed
> in the mean time.

rainbow >= 0.7.12 causes $HOME to be writable. This change has been
available since April 10, 2008 in joyride and is expected to be included in
our next major release.

> $SUGAR_ACTIVITY_ROOT/instance now, which should work at least, but I
> think is also wrong as it is not shared between activity instances.

As a result of the fact that xulrunner hardcodes the use of modes like
0700 and 0600 in its file creation code, I decided that we should set
$HOME == $SAR/instance by default so that programs would be less likely
to encounter files they couldn't write. Activities which dislike this
default are fully capable of changing themselves when they are executed.

That being said, I'm open to arguments about what the default should be.
Have you got some mechanism for setting $HOME to $SAR/data which would
be safe in the face of programs like xulrunner?

(For what it's worth, I happen to think that the real defect is that uids
and instance dirs are deleted on reboot and recreated on activity resume
rather than being persistent and reused at activity resume.
Unfortunately, though I intend to address this issue as soon as my other
responsibilities permit, it will probably be a while before that
happens. Interested onlookers should definitely take initiative here and
then submit their results for discussion and possible merging.)

> But that won't help machines in the field now so I gave a recipe that
> would work around that bug.

Thanks!

Michael
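The point Michael makes about umask(0) is easy to verify: a umask can only clear permission bits, never add them, so a library call that passes 0600 or 0700 to open()/mkdir() itself (mkstemp, mkdtemp, and the xulrunner code he mentions) produces owner-only files no matter what the launcher's umask is. The program below is an added illustration written for this page, not code from Rainbow, Sugar or Opera. It creates files under /tmp (a constructed template, not an OLPC path) with a chosen umask and reports the resulting permission bits, and ends with the fchmod() an activity would have to do itself if it wants a file it created with mkstemp to be writable by the next instance running under a different uid in the same group.

```c
#define _XOPEN_SOURCE 700
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Permission bits (low 9 bits of st_mode) of a path, or -1 on error. */
static int perm_bits(const char *path) {
    struct stat st;
    if (stat(path, &st) < 0) return -1;
    return (int)(st.st_mode & 0777);
}

/* A file created by mkstemp() under the given umask.
 * mkstemp passes 0600 to open() itself, so no umask can widen it. */
int mkstemp_mode(mode_t mask) {
    char path[] = "/tmp/umask-demo-XXXXXX";   /* constructed template */
    mode_t old = umask(mask);
    int fd = mkstemp(path);
    umask(old);
    if (fd < 0) return -1;
    int bits = perm_bits(path);
    close(fd);
    unlink(path);
    return bits;
}

/* A directory created by mkdtemp(): hardcoded 0700 in the same way. */
int mkdtemp_mode(mode_t mask) {
    char path[] = "/tmp/umask-demo-XXXXXX";   /* constructed template */
    mode_t old = umask(mask);
    char *d = mkdtemp(path);
    umask(old);
    if (!d) return -1;
    int bits = perm_bits(path);
    rmdir(path);
    return bits;
}

/* A file created with open(..., 0666): here the umask does decide,
 * which is what a launcher calling umask(0) is relying on. */
int open_mode(mode_t mask) {
    char dir[] = "/tmp/umask-demo-XXXXXX";    /* scratch dir, owner-only */
    if (!mkdtemp(dir)) return -1;
    char path[sizeof dir + 8];
    snprintf(path, sizeof path, "%s/config", dir);
    mode_t old = umask(mask);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0666);
    umask(old);
    int bits = -1;
    if (fd >= 0) { bits = perm_bits(path); close(fd); unlink(path); }
    rmdir(dir);
    return bits;
}

/* What a program must do itself if a mkstemp'd file should be shared
 * with another uid in the same group: explicitly chmod after creation. */
int mkstemp_then_group_write_mode(void) {
    char path[] = "/tmp/umask-demo-XXXXXX";   /* constructed template */
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    int bits = -1;
    if (fchmod(fd, 0660) == 0) bits = perm_bits(path);
    close(fd);
    unlink(path);
    return bits;
}

int main(void) {
    printf("mkstemp, umask 0:       %04o\n", mkstemp_mode(0));
    printf("mkstemp, umask 022:     %04o\n", mkstemp_mode(022));
    printf("mkdtemp, umask 0:       %04o\n", mkdtemp_mode(0));
    printf("open 0666, umask 0:     %04o\n", open_mode(0));
    printf("open 0666, umask 022:   %04o\n", open_mode(022));
    printf("mkstemp + fchmod 0660:  %04o\n", mkstemp_then_group_write_mode());
    return 0;
}
```

The first three lines of output stay at 0600/0700 whatever umask is in force, while the open(0666) line follows the umask; that asymmetry is why a launcher-side umask(0) is not enough on its own, and why a per-instance $HOME that the activity's own uid owns avoids the "Can not use personal directory" failure even though it sacrifices sharing between instances.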
