auc: preserve image's uci-defaults upon upgrade #22144
Conversation
There was a problem hiding this comment.
The concept itself is ok and I understand the use-case for it.
The implementation needs to be improved regarding the current use-after-free problem, in style (variable declarations in the middle of the function should go to the top -- or the whole thing into a function of its own) and proper error handling has to be added.
utils/auc/src/auc.c
Outdated
| if (addr == MAP_FAILED) | ||
| handle_error("mmap"); | ||
|
|
||
| blobmsg_add_string(&reqbuf, "defaults", addr); |
There was a problem hiding this comment.
You should use an allocated buffer (ie. grep for blobmsg_add_string_buffer to find example) because otherwise...
There was a problem hiding this comment.
I believe we don't need any additional buffer here.
Fixed.
utils/auc/src/auc.c
Outdated
|
|
||
| blobmsg_add_string(&reqbuf, "defaults", addr); | ||
|
|
||
| munmap(addr, sb.st_sizei + 1); |
There was a problem hiding this comment.
... all access after this would be use-after-free (and blobmsg_add_string above doesn't duplicate the string!).
There was a problem hiding this comment.
Moving the unmap further down may work, but the good solution would look more like this:
https://github.com/openwrt/netifd/blob/7a58b995fdbecd9beed57e4d66d42cb3cf66aee2/system-linux.c#L2614
There was a problem hiding this comment.
Oh, please let me don't do that - it was a whole idea of using mmap() instead of fread() - to not allocate buffers manually and let OS do work for us in a best way possible!
|
Thanks for review Daniel! |
bam80
force-pushed
the
uci-defaults
branch
3 times, most recently
from
6b32a4d to
318b5f6
Compare
bam80
force-pushed
the
uci-defaults
branch
2 times, most recently
from
6c92f50 to
18c9730
Compare
|
@dangowrt could we proceed please? |
|
Ping please? |
|
@dangowrt ping please? |
|
@efahl thank you for the review, could you merge it? |
|
Not me, I'm just another person who submits PRs like you, without commit privileges. |
There was a problem hiding this comment.
Please explain the use-case of this new feature. I can imagine it, but it should be written in the commit description which currently sounds almost like if you were fixing a bug:
Without this, we can get inaccessible device after upgrade.
Apart from that the code looks acceptable, given that all of auc is not exactly beautiful and should be re-written in ucode once we got libuclient bindings for ucode, I would merge this once the commit description gives some information about what is being done and why and how one can use that feature and what it is typically used for.
|
@bam80, maybe you can get some ideas here to rewrite the commit message: My use case is to define port mappings on my generic devices (x86), so I go to https://firmware-selector.openwrt.org/, add a script that does something like If I do auc, that gets wiped out on upgrade, so I have to manually run the selector, paste that in again, download and so on... Would be very much more convenient if I do see others using the defaults mechanism to do file system resizing using the expand root script, here's a recent example: https://forum.openwrt.org/t/resize-emmc-partition-and-attended-sysupgrade/181712/4 |
uci-defaults scripts are essential for accessing device after firmware reset.
The device or user-facing PC might have no (easy accessible) Ethernet ports,
or wired LAN might not be accessible for any other reason.
In this case, uci-defaults script can contain code to setup WiFi AP on
the very first boot, thus granting the access.
Such uci-defaults script should survive the firmware upgrade with AUC,
if it was in the firmware image initially.
Otherwise, access to the device can be lost next time user performs firmware Reset.
This patch fixes it by passing the file
/rom/etc/uci-defaults/99-asu-defaults (the path used by OpenWrt Firmware Selector)
for inclusion to a new firmware image using "defaults" BuildRequest member:
"defaults: string; Custom shell script embedded in firmware image
to be run on first boot."
https://sysupgrade.openwrt.org/ui/
Signed-off-by: Andrey Butirsky <[email protected]>
|
How about? Achieve feature parity with firmware selector, which allows inclusion of first boot uci-defaults files without rebuilding from scratch. And now that I'm really thinking about it, it would be even nicer to expose the filename in a command line option, so that users could add or modify the existing
|
|
I think my commit message is good enough, if @dangowrt doesn't think so - I can make further adjustments. Regarding the path, |
|
I agree your commit message is fine, our paths crossed, I didn't see your new commit until after I had posted. I think you misunderstand my But, yes, I agree, let's not complicate the issue now, leave things as-is and get the commit done then think about enhancements later. |
|
I'm still trying to get all the pieces into my head, as there are a lot of different moving parts here. The reason I keep thinking this is best solved at the And then there's the issue with ext4, since there's no And then there is the issue of carrying over other custom |
|
@efahl no need to put all the issues into the one bin, that would just make things more complicated. Let's please keep this discussion dedicated to the issue here. |
bam80
changed the title
bam80
changed the title
@rmilecki I see those commits were without PRs, does it mean you have the merge rights? |
@rmilecki I adopted your suggestion for the description, please let me know if you see it satisfiable, I'll transfer it to the commit message then. |
|
@efahl: quick summary:
@bam80: I mean to take care of this Pull Request, just give me few days to find time for it |
On the contrary, there really is only one issue, namely "how do we maintain custom uci-defaults across sysupgrades." If there is a general solution to this in the infrastructure layer (i.e., After looking into how all of sysupgrade, firmware selector, LuCI ASU, auc, ASU server and the downloads site interact, I don't think this very specific patch to auc is appropriate, I think it should be addressed where all current and future clients of sysupgrade will benefit. |
|
I can't imagine modifying squashfs of downloaded firmware to append Now I'm thinking about it there is probably another solution: preserving files during factory reset. The more I think of it the more sense it makes. It may be a bit counter-intuitive but I don't see why we couldn't keep a list of critical files and preserve them. |
Yes, this is the same route I've been thinking along. If there were an alternate mechanism that did something like 1) stashing these files somewhere rather than embedding the files in the .img; or 2) augmenting On obvious advantage is that for ext4, this PR simply doesn't work, so something else needs to be done. (Simple test case: use firmware selector to build an ext4 image with a custom uci-defaults file; install that, then run auc with this PR's patch, see that your custom uci-defaults are silently gone.) |
That would diminish all the purpose of the factory reset: The patch here provides clear, non obtrusive way to fix the problem: Other problems mentioned will be addressed in a separate PRs. |
Wouldn't this make persistent malware much easier? |
In other case, such uci-default script might contain malicious code, thus re-connect device to the botnet on the very first boot? Moreover I hope, that folks will enjoy this new feature and start uploading something really juicy, not just boring WiFi secrets :-) |
This is out of scope of this patch. What you have in the uci-default is solely up to you, only you control it and the ability to put random things in it is already given by the BuildRequest API and used by the OpenWrt Firmware Selector. |
|
Once again, there is no single point where the problem could be solved once and for all. We have two cases which need to be handled a bit differently:
For the ro image-based system, core principle to follow is: That is best solved with help of the ASU server, considering it has an API to embed the There are 3 known clients currently talking to the ASU server:
While the AUC and Atttended SysUpgrade clients use common The rw rootfs-based systems without stable image have it's own specific: One thing left to be care for the rw systems:
I don't actually see an issue here on this stage: nothing prevents you from using the same ASU server's established That concludes the all that have to be done here. So I'm asking let's please finish with this PR and move on to the others. |
I disagree. The feature could be implemented in @ynezz comment hits the point here:
Imho configuration (which usually includes some secret or confidential parts such as passwords or private keys) should always stay local. Uploading it and processing on a server isn't a responsible thing to do imho and we should try to avoid that. That being said, I'd rather like to see more ways to append such information to the image locally than having the server do that. |
Of course it should, it must!
This patch is about |
Imho this is problematic to begin with as people will happily submit their WiFi credentials, PPPoE passwords or even Wireguard private keys there, and that make the asu server an ever more lucrative target. The fact that people decided to have this in asu and the firmware selector gives my cold shivers and I really would not want to be quoted having said "ok" to this. |
|
@dangowrt I understand your concern but the point is the ASU server's Regarding the introduction of the API itself, I think it was maybe a reasonable tradeoff as otherwise how else would you get an access to a newly flashed device if there is no LAN? We also have to consider there is no alternative solution implemented at the moment, while the problem itself is quite significant. So could we come to a compromise maybe?
Would that work? |
What's the plan for the ext4-based file systems which do not have the Sorry I'm very late to the party, but it looks like an issue which is easily solved by making a custom upgrade image which has the necessary customizations (uci-defaults script) baked in, rather than creating a code which works differently for for different platforms, which tries to preserve an initial customization in the image flashed. IMHO if your customizations cannot be preserved thru "keep settings", you should really be making a new custom image when upgrading. Also, you're only considering the use-case where it's desirable that the changes from the previously created image persist. What about users who want a clean slate upon upgrade (or if the reset is required) and you're forcing them to carry some customizations into the new image? Sorry, I realize some work and testing went into this PR, however I'd NACK it for the reasons above and reasons @ynezz brought up. |
@stangri
The solution would allow to not even touch
Good catch, the patch doesn't take care about wiping the current If you nevertheless think it needs to be done to accept this patch, please let me know and I'll add the feature. |
|
Add an input box in ASU's advanced mode (similar to Firmware Selector Web). |
|
Add |
I don't see the point - this won't work for the reset case when all the configuration is wiped. And for the other cases, the config changes that have been made by |
The content in the input box is based on /etc/99-asu-defaults, which is the script executed during the initial boot and is sent to the server. It is definitely kept in ROM. When you upgrade again, you can modify the content in the input box to your preferred configuration and send it to the server again. However, you must keep "cp /etc/uci-defaults/99-asu-defaults /etc/99-asu-defaults" at the end of /etc/uci-defaults/99-asu-defaults to prepare for the next upgrade. |
You mean, make the input file name/content to send to the server configurable? I would suggest other scheme: Anyway, I think it's not necessary here as the patch includes bare minimum. |
|
This script is for upgrading OpenWrt firmware and supports preserving user configuration and installed packages after resetting the device: |
|
@CTCD I see you pass |
uci-defaults scripts are essential for accessing device after firmware reset.
The device or user-facing PC might have no (easy accessible) Ethernet ports,
or wired LAN might not be accessible for any other reason.
In this case, uci-defaults script can contain code to setup WiFi AP on
the very first boot, thus granting the access.
Such uci-defaults script should survive the firmware upgrade with AUC,
if it was in the firmware image initially.
Otherwise, access to the device can be lost next time user performs firmware Reset.
This patch fixes it by passing the file
/rom/etc/uci-defaults/99-asu-defaults (the path used by ASU server)
for inclusion to a new firmware image using BuildRequest API's "defaults" member which allows specifying a content of that uci-defaults script:
https://sysupgrade.openwrt.org/ui/
fixes openwrt/asu#575
@hauke @ynezz @aparcar