From 8465f00590220c2f117a01df364760eb77914303 Mon Sep 17 00:00:00 2001
From: Jan De Landtsheer <jan@delandtsheer.eu>
Date: Tue, 9 Sep 2025 11:32:08 +0200
Subject: [PATCH] initramfs: fix rootless perms for etc/zinit and add
 diagnostics
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

• Ensure host/rootless traversal for zinit configs: make etc/zinit and etc/zinit/init 755 prior to recursive normalization; then set dirs=755, files=644, and mark *.sh executable in [bash.initramfs_setup_zinit()](scripts/lib/initramfs.sh:12)

• Add pre-CPIO sanity logs to catch empty/mis-scoped archives: top-level ls, file count, and essential presence checks in [bash.initramfs_create_cpio()](scripts/lib/initramfs.sh:658)

• Add validation-time sanity snapshot of top-level and entry count in [bash.initramfs_validate()](scripts/lib/initramfs.sh:754)
---
 initramfs/etc/issue       |  4 ++--
 initramfs/etc/motd        | 10 ++++++----
 initramfs/etc/passwd      |  2 +-
 initramfs/etc/resolv.conf |  1 +
 scripts/lib/initramfs.sh  | 29 ++++++++++++++++++++++++++++-
 5 files changed, 38 insertions(+), 8 deletions(-)

diff --git a/initramfs/etc/issue b/initramfs/etc/issue
index 6365385..87ab9b4 100644
--- a/initramfs/etc/issue
+++ b/initramfs/etc/issue
@@ -1,3 +1,3 @@
-Zero-OS \r \m
-Built on \l
+Welcome to Alpine Linux 3.22
+Kernel \r on \m (\l)
 
diff --git a/initramfs/etc/motd b/initramfs/etc/motd
index a2cf942..06dbae4 100644
--- a/initramfs/etc/motd
+++ b/initramfs/etc/motd
@@ -1,8 +1,10 @@
+Welcome to Alpine!
 
-Welcome to Zero-OS!
+The Alpine Wiki contains a large amount of how-to guides and general
+information about administrating Alpine systems.
+See <https://wiki.alpinelinux.org/>.
 
-This is a minimal operating system designed for decentralized infrastructure.
-Built on Alpine Linux with ThreeFold components.
+You can setup the system with the command: setup-alpine
 
-For more information: https://github.com/threefoldtech/zos
+You may change this message by editing /etc/motd.
 
diff --git a/initramfs/etc/passwd b/initramfs/etc/passwd
index 9bd427c..1130fa0 100644
--- a/initramfs/etc/passwd
+++ b/initramfs/etc/passwd
@@ -1,4 +1,4 @@
-root::0:0:root:/root:/bin/sh
+root:x:0:0:root:/root:/bin/sh
 bin:x:1:1:bin:/bin:/sbin/nologin
 daemon:x:2:2:daemon:/sbin:/sbin/nologin
 lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
diff --git a/initramfs/etc/resolv.conf b/initramfs/etc/resolv.conf
index 02a3e3f..434ed59 100644
--- a/initramfs/etc/resolv.conf
+++ b/initramfs/etc/resolv.conf
@@ -1 +1,2 @@
+nameserver 169.254.1.1
 nameserver 192.168.64.254
diff --git a/scripts/lib/initramfs.sh b/scripts/lib/initramfs.sh
index bc6f785..787926f 100644
--- a/scripts/lib/initramfs.sh
+++ b/scripts/lib/initramfs.sh
@@ -38,7 +38,12 @@ function initramfs_setup_zinit() {
     
     # Ensure proper permissions
     safe_execute chmod 755 "${initramfs_dir}/sbin/zinit"
-    safe_execute chmod -R 644 "${initramfs_dir}/etc/zinit"
+    # Make top-level zinit config dirs traversable before recursive fixes (rootless host visibility)
+    safe_execute chmod 755 "${initramfs_dir}/etc/zinit"
+    safe_execute chmod 755 "${initramfs_dir}/etc/zinit/init" 2>/dev/null || true
+    # Directories must be executable; set dirs 755 and files 644, then re-mark scripts executable
+    safe_execute find "${initramfs_dir}/etc/zinit" -type d -exec chmod 755 {} \;
+    safe_execute find "${initramfs_dir}/etc/zinit" -type f -exec chmod 644 {} \;
     safe_execute find "${initramfs_dir}/etc/zinit" -name "*.sh" -exec chmod 755 {} \;
     
     # Create zinit working directories
@@ -707,6 +712,21 @@ function initramfs_create_cpio() {
         log_warn "Customization check: /var/lib/ntp missing"
     fi
 
+    # Pre-CPIO sanity diagnostics
+    log_info "Pre-CPIO sanity: listing top-level entries in ${initramfs_dir}"
+    safe_execute ls -la "${initramfs_dir}"
+    local pre_cpio_file_count
+    pre_cpio_file_count=$(find "${initramfs_dir}" -mindepth 1 | wc -l || echo "0")
+    log_info "Pre-CPIO sanity: ${pre_cpio_file_count} files under ${initramfs_dir}"
+    local _essential_items=("init" "sbin/zinit" "bin/busybox" "etc/zinit" "lib" "usr/bin" "var" "tmp" "proc" "sys" "dev")
+    for _item in "${_essential_items[@]}"; do
+        if [[ -e "${initramfs_dir}/${_item}" ]]; then
+            log_debug "pre-cpio OK: ${_item}"
+        else
+            log_error "pre-cpio missing: ${_item}"
+        fi
+    done
+
     # Change to initramfs directory for relative paths
     safe_execute cd "$initramfs_dir"
     
@@ -757,6 +777,13 @@ function initramfs_validate() {
     section_header "Validating initramfs contents"
     
     local errors=0
+
+    # Sanity snapshot to aid debugging when validation fails
+    log_info "Validation sanity: top-level of ${initramfs_dir}:"
+    safe_execute ls -la "${initramfs_dir}" || true
+    local _count_sanity
+    _count_sanity=$(find "${initramfs_dir}" -mindepth 1 | wc -l || echo "0")
+    log_info "Validation sanity: ${_count_sanity} total entries under ${initramfs_dir}"
     
     # Check essential files and directories
     local essential_items=(