...

  • In buildroot1 in git, create a minimal Makefile
  • We need a high-level make that builds three buildroot images: LinuxRT 2019 64-bit and 32-bit and LinuxRT 2016 64-bit
    • Fetch 2019 buildroot tarball and get it to actually build (did this for 64-bit, need to build 32-bit and try it)
    • Fetch 2016 buildroot tarball and get it to actually build (and try it)
  • We need to get Eric Gumtow's changes (i.e., encourage Eric to check the changes he made in)
    • Incorporate/use Eric's changes to confirm that it works in the same way the RC3s he did worked (bug-per-bug)
  • Figure out what broke between RC1 and RC3 (with respect to chrt)
  • Add unit tests for all of the new ("security patch") functionality:
    • root has a password and it's the common one
    • all of the images now have the following user accounts and IDs:
      • acctf/acctest -> 11846/2459
      • flaci/facet -> 11121/2376
      • laci/lcls -> 8412/2211
      • spear/qb -> 7753/1080
    • /etc/SLACproperties exists and its contents are HAVE_ROOT_PASSWORD=1 (note: there's a /etc/site directory where these kinds of files were originally put – perhaps SLACproperties should be moved there?)
    • telnet is refused
    • chrt can be run on processes owned by root from the $IOC_USER account

From Marcio's e-mail:

* Make chrt work passwordless for laci, flaci, acctf, and spear users in LinuxRT 2019.08, 2016.11.1 (14h)
* Add sudo to CentOS 7 Lite and make "sudo chrt" work passwordless for laci, flaci, acctf, and spear users (2h)
* "iocConsole -t" must work passwordless in: LinuxRT 2019.08, 2016.11.1, CentOS (11h)
* "systemctl reboot" must operate passwordless for laci, flaci, acctf, and spear users in CentOS 7 Lite (2h)
* Add the configuration files for Buildroot in a Git repo (9h)
* Study a way to operate chrt using the same command for both LinuxRT and CentOS so we could use the same bash script for both (8h)
* Automated testing script (9h)

...

  • Questions/Notes from 2019-08:
    • Some of the same issues for what I built after applying Eric's buildroot-site changes that I found with 2016-11.1 apply to 2019-08, namely:
      • The telnet service was still running.
      • And, of course, chrt didn't work.
    • But, by exploring Eric's 2016-11-2 non-site directories, we found out why telnet wasn't working (that the root password came out correctly would indicate that maybe Eric used .config info from 2019-08 to fix it in his 2016-11 build?).
    • Since Eric did have chrt working at one point, I'm exploring his other 2019-08 directories to see if I can glean anything from those:
      • Just using the images from Eric's directory named "buildroot-2019.08-2-bad-uids", I found that chrt worked!
      • After comparing my directory with Eric's where chrt worked, I found that the busybox config where it worked had the SUID features set and enabled (where it didn't work, they were neither enabled nor set).


Summary

  • In order to get all three LinuxRT variants to have ALL of the features functional the following needs to be done:
    • Ensure that BusyBox is configured such that telnet is disabled entirely (neither set nor enabled)
    • Ensure that BusyBox is configured such that SUID is enabled (set and enabled)
    • The starting point of the BusyBox config file comes from site/config/bb-1.25.x.config, which you need to copy from the .config you construct by running make busybox-menuconfig. For 2019-08 it's site/config/bb-1.29.x.config. This file is set in BR2_PACKAGE_BUSYBOX_CONFIG, which is in the br-2016.11.1-common.config file (for 2019-08, it's in site/br2-external/configs/br-common.config).
    • Ensure that BuildRoot is configured such that the password method is sha-256 instead of md5:
      • The way you do this is via make menuconfig. It's part of the "System Configuration" changes – you choose either MD5 or SHA-256 via the menu it provides.
      • Once that is complete, the top-level .config file is changed with that change. You can then diff this with .config.old.
      • Once you know the specific differences, you add those changes to the bottom of the common.config file – in 2016-11.1, this is in the site/config directory; in 2019-08, this is in the site/br2-external/configs directory.
  • Although Eric didn't check them in yet, the rest of the changes in his site directory (which are essentially all of the changes that go into the RFS itself) work as expected (these are the changes for all of the user/groups and the /etc/SLACproperties file).
  • Note: I checked in changes to both the br-2019-08-dev and br-2016-11-dev buildroot-site branches that contain the base changes for an RC4 build.
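
The static part of the unit tests listed above (accounts, root password hash type, /etc/SLACproperties, BusyBox SUID/telnetd settings, Buildroot password method) can be checked against a build tree before an image is ever booted. The script below is an added example, not code from the buildroot-site repository. It assumes the account list reads as user/group -> UID/GID, checks only the telnetd service option, and its function names and the make_fixture sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: static checks on a Buildroot output tree (not project code).
# Entries are user:group:uid:gid, read from the account list on this page.
ACCOUNTS="acctf:acctest:11846:2459 flaci:facet:11121:2376 laci:lcls:8412:2211 spear:qb:7753:1080"

# BusyBox .config: SUID support on, telnetd not built.
check_busybox() {
    grep -q '^CONFIG_FEATURE_SUID=y$' "$1" || { echo "FAIL: SUID off"; return 1; }
    if grep -q '^CONFIG_TELNETD=y$' "$1"; then echo "FAIL: telnetd on"; return 1; fi
}

# Buildroot .config: password encoding is SHA-256, not MD5.
check_passwd_method() {
    grep -q '^BR2_TARGET_GENERIC_PASSWD_SHA256=y$' "$1" || { echo "FAIL: not SHA-256"; return 1; }
}

# Root filesystem: accounts, root hash type ($5$ = SHA-256 crypt), properties file.
check_rootfs() {
    root=$1; rc=0
    for e in $ACCOUNTS; do
        user=${e%%:*}; e=${e#*:}; group=${e%%:*}; e=${e#*:}; uid=${e%%:*}; gid=${e#*:}
        grep -q "^$user:[^:]*:$uid:$gid:" "$root/etc/passwd" || { echo "FAIL: user $user"; rc=1; }
        grep -q "^$group:[^:]*:$gid:" "$root/etc/group" || { echo "FAIL: group $group"; rc=1; }
    done
    grep -q '^root:\$5\$' "$root/etc/shadow" || { echo "FAIL: root hash is not SHA-256"; rc=1; }
    grep -qx 'HAVE_ROOT_PASSWORD=1' "$root/etc/SLACproperties" 2>/dev/null || { echo "FAIL: SLACproperties"; rc=1; }
    return $rc
}

# Constructed sample tree (not real build output) so the checks can be tried offline.
make_fixture() {
    mkdir -p "$1/etc"
    for e in $ACCOUNTS; do
        user=${e%%:*}; e=${e#*:}; group=${e%%:*}; e=${e#*:}; uid=${e%%:*}; gid=${e#*:}
        echo "$user:x:$uid:$gid::/home/$user:/bin/sh" >> "$1/etc/passwd"
        echo "$group:x:$gid:" >> "$1/etc/group"
    done
    echo 'root:$5$constructedsalt$constructedhash:::::::' > "$1/etc/shadow"
    echo 'HAVE_ROOT_PASSWORD=1' > "$1/etc/SLACproperties"
    printf 'CONFIG_FEATURE_SUID=y\n# CONFIG_TELNETD is not set\n' > "$1/busybox.config"
    echo 'BR2_TARGET_GENERIC_PASSWD_SHA256=y' > "$1/buildroot.config"
}

# Usage: script ROOTFS_DIR BUSYBOX_CONFIG BUILDROOT_CONFIG
if [ "$#" -eq 3 ]; then
    check_rootfs "$1" && check_busybox "$2" && check_passwd_method "$3" && echo "PASS"
fi
```

The runtime items (telnet refused, chrt from the $IOC_USER account) still need a booted image and are not covered by these checks.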

To test the chrt changes, you can do something along the lines of this:

Code Block
[ laci@cpu-b34-sp07]$ chrt -p 6971
pid 6971's current scheduling policy: SCHED_FIFO
pid 6971's current scheduling priority: 50
[ laci@cpu-b34-sp07]$ chrt -pf 85 6971
pid 6971's current scheduling policy: SCHED_FIFO
pid 6971's current scheduling priority: 50
pid 6971's new scheduling policy: SCHED_FIFO
pid 6971's new scheduling priority: 85
[ laci@cpu-b34-sp07]$ chrt -p 6971
pid 6971's current scheduling policy: SCHED_FIFO
pid 6971's current scheduling priority: 85