make-initrd-ng: fix file permissions (#405190)

ElvishJerricco · web-flow · commit cf1934c1a50c · 2025-05-08T10:26:02.000-04:00
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
@@ -1296,7 +1296,7 @@ in
   systemd-initrd-luks-unl0kr = handleTest ./systemd-initrd-luks-unl0kr.nix { };
   systemd-initrd-modprobe = handleTest ./systemd-initrd-modprobe.nix { };
   systemd-initrd-shutdown = handleTest ./systemd-shutdown.nix { systemdStage1 = true; };
-  systemd-initrd-simple = handleTest ./systemd-initrd-simple.nix { };
+  systemd-initrd-simple = runTest ./systemd-initrd-simple.nix;
   systemd-initrd-swraid = handleTest ./systemd-initrd-swraid.nix { };
   systemd-initrd-vconsole = handleTest ./systemd-initrd-vconsole.nix { };
   systemd-initrd-networkd = handleTest ./systemd-initrd-networkd.nix { };
diff --git a/nixos/tests/systemd-initrd-simple.nix b/nixos/tests/systemd-initrd-simple.nix
@@ -1,17 +1,17 @@
-import ./make-test-python.nix (
-  { lib, pkgs, ... }:
-  {
-    name = "systemd-initrd-simple";
-
-    nodes.machine =
-      { pkgs, ... }:
-      {
-        testing.initrdBackdoor = true;
-        boot.initrd.systemd.enable = true;
-        virtualisation.fileSystems."/".autoResize = true;
-      };
-
-    testScript = ''
+{
+  name = "systemd-initrd-simple";
+
+  nodes.machine =
+    { pkgs, ... }:
+    {
+      testing.initrdBackdoor = true;
+      boot.initrd.systemd.enable = true;
+      virtualisation.fileSystems."/".autoResize = true;
+    };
+
+  testScript =
+    # python
+    ''
       import subprocess
 
       with subtest("testing initrd backdoor"):
@@ -50,6 +50,8 @@ import ./make-test-python.nix (
           newAvail = machine.succeed("df --output=avail / | sed 1d")
 
           assert int(oldAvail) < int(newAvail), "File system did not grow"
+
+      with subtest("no warnings from systemd about write permissions"):
+          machine.fail("journalctl -b 0 | grep 'is marked world-writable, which is a security risk as it is executed with privileges'")
     '';
-  }
-)
+}
diff --git a/pkgs/build-support/kernel/make-initrd-ng/src/main.rs b/pkgs/build-support/kernel/make-initrd-ng/src/main.rs
@@ -212,7 +212,7 @@ fn copy_file<
         }
 
         // Remove writable permissions
-        permissions.set_mode(permissions.mode() ^ 0o222);
+        permissions.set_mode(permissions.mode() & 0o555);
         fs::set_permissions(&target, permissions)
             .wrap_err_with(|| format!("failed to remove writable permissions for {:?}", target))?;
     };

Original file line number	Diff line number	Diff line change
`@@ -212,7 +212,7 @@ fn copy_file<`
`212`	`212`	`}`
`213`	`213`
`214`	`214`	`// Remove writable permissions`
`215`		`- permissions.set_mode(permissions.mode() ^ 0o222);`
	`215`	`+ permissions.set_mode(permissions.mode() & 0o555);`
`216`	`216`	`fs::set_permissions(&target, permissions)`
`217`	`217`	`.wrap_err_with(\|\| format!("failed to remove writable permissions for {:?}", target))?;`
`218`	`218`	`};`