userid in NiChrome does not match with userid of the build machine, leading to permission denied error

[thienhoang23]

Commit id: 511cf6f

Build Machine Configurations:

• go toolchain version: go1.9.3 linux/amd64
• umask: 0022
• Perimission bits of ./usr/lib, ./usr/lib/[any_binary], ./lib, ./lib/[any_binary] in the NiChrome directory: 755

Steps for reproduction:

1. Plug in the usb stick into build machine and find out what device it is (in this case, it was /dev/sda)
2. From the project root directory, go to the usb subdirectory and build the usb command in this directory

$ cd usb && go build .

3. Install the u-root's command gpt. Change back to the root directory. Run the usb command.

$ go install github.com/u-root/u-root/cmds/gpt
$ cd ..
$ ./usb/usb -fetch=true -dev=/the/name/of/device

4. Unplug the usb stick from build machine and plug it into a Chromebook
5. Turn on a Chromebook. When the dev-mode screen appears, press Ctrl-U
6. After boot, observe that Chrome browser and user terminal do not start.
7. Ctrl-Alt-backspace to exit X11
8. Notice the following error message about permission denied error:
   X11 user startup: fork/exec /bbin/uinit: permission denied

The following are results of some further investigation after the above reproduction steps:

1. ls -a -l / in the test Chromebook show that /, /go, /lib, /tcz, /usr owned by the user who built the usb stick on the build machine (in this case, userid: 533858, groupid: 5762). Furthermore, the permission on / is 700

2. When I did chmod 755 / as a root and ran uinit -login, I got the following output:

Welcome to NiChrome!
Welcome to NiChrome!
Starting up user mode processes
Run wingo
Run flwm
Run AppChrome
Run chrome
aterm: can't open display :0
x11 user failed: X11 start /usr/local/bin/aterm []: exit startus 1
X11 user startup: exit status 1
wait: exit status 1
installcommand: trying to build {cmdName: wingo, Path [$PATH], err exit status 1, out can't load package: package github.com/u-root/wingo: open /src/github.com/u-root/wingo/cmd_hacks.go: permission denied } 

3. Upon entering ls -a -l /src/github.com/u-root/wingo, I found cmd_hacks.go and a lot other .go files all have permission 640

4. Upon changing the permissions in all the files in the /src/github.com/u-root/wingo directory tree to 755, running uinit -login again generated the following message:

Welcome to NiChrome!
Welcome to NiChrome!
Starting up user mode processes
Run wingo
Run flwm
Run AppChrome
Run chrome
aterm: can't open display :0
x11 user failed: X11 start /usr/local/bin/aterm []: exit startus 1
X11 user startup: exit status 1
wait: exit status 1

Cannot mount AppImage, please check your FUSE setup.
You might still be able to extract the contents of this AppImage
If you it with the --appimage-extract option.
See https://github.com/AppImage/AppImageKit/wiki/FUSE
for more information
Failed to open libnotify

open dir error: No such file or directory
installcommand: trying to build {cmdName: wingo, Path [$PATH], err exit status 1, out go install github.com/u-root/wingo/vendeor/github.com/BurntSushi/xgbutil/xrect: mkdir /pkg/linux_amd64/github.com/u-root/wingo: permission denied 
go install go/token: mkdir go/pkg/linux_amd64/go/: permission denied
go install go install github.com/u-root/wingo/vendeor/github.com/BurntSushi/xgbutil/xrect: mkdir go/pkg/linux_amd64/go/: permission denied
[more go install permission denied error]
}

5. Upon making everything in the /go and /pkg directory tree 777, run uinit -login again, generate the following message:

Welcome to NiChrome!
Welcome to NiChrome!
Starting up user mode processes
Run wingo
Run flwm
Run AppChrome
Run chrome
aterm: can't open display :0
x11 user failed: X11 start /usr/local/bin/aterm []: exit startus 1
X11 user startup: exit status 1
wait: exit status 1

installcommand: trying to build {cmdName: wingo, Path [$PATH], err exit status 1, out go install github.com/u-root/wingo: open /ubin/wingo: permission denied

6. Upon going into /ubin, there was no binary called wingo. However typing wingo onto the terminal would generate a response and wingo appears in /ubin. Now running the uinit -login will not generate the installcommand error anymore.

[rminnich]

Root should definitely not be 700! I wonder why that happened ...
can you cpio -ivt < initramfs.linux_amd64.cpio and see what it shows there?

[thienhoang23]

It shows root as 700

[rminnich]

My / is 0700 in the repo.

I think you need to work your way back to why the original uinit dologin() function is failing.
That's the key to this whole mess.

[rminnich]

So do this:
change cmds/uinit.go to NOT run the dologin command.
The run it by hand and it should fail.
The ls -l / and see what the mode on bbin is
chmod 755 /bbin and try again.
Then if that fails, check /
and try again.

[thienhoang23]

I changed cmds/uinit.go to not run the dologin command.

• After boost, / is owned by the build userid and has 700 permission, /bbin is owned by root and has 755 permission
• After run dologin command and have it fail, nothing changes
• After making root has permission 755, uinit fails on
  installcommand: trying to build {cmdName: wingo, Path [$PATH], err exit status 1, out can't load package: package github.com/u-root/wingo: open /src/github.com/u-root/wingo/cmd_hacks.go: permission denied }

[rminnich]

well this is a good first step. The permissions on / are wrong and we need to know why. So let's focus on that.