* [PATCH] builddeb: fix file permissions before packaging
@ 2016-07-07 14:50 Henning Schild
2016-07-07 14:56 ` Henning Schild
2016-07-22 12:15 ` Michal Marek
0 siblings, 2 replies; 6+ messages in thread
From: Henning Schild @ 2016-07-07 14:50 UTC (permalink / raw)
To: linux-kernel, linux-kbuild, Michal Marek; +Cc: Henning Schild
Builddep is not very explicit about file permissions. Actually the file
permissions in the package are largely influenced by the umask of the
user cloning the git and building the package. If that umask does not
set go+r the resulting linux-headers package will prevent non-root users
from building out-of-tree modules. And that is probably just one
unexpected effect.
Being a packaging/install tool builddep should make sure the file
permissions are set correctly and not just derived from a value that is
never checked.
This patch derives the "r" and "x" bits for all files from the file
owner, all directories in the package will be 755.
Signed-off-by: Henning Schild <henning.schild@siemens.com>
---
scripts/package/builddeb | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/scripts/package/builddeb b/scripts/package/builddeb
index 86e56fe..615e0ed 100755
--- a/scripts/package/builddeb
+++ b/scripts/package/builddeb
@@ -26,6 +26,11 @@ create_package() {
# Fix ownership and permissions
chown -R root:root "$pdir"
chmod -R go-w "$pdir"
+ # in case we are in a restrictive umask environment like 0077
+ # set permissions for dirs and derive "go"-"rx" permissions from "u"
+ find $pdir -type d -exec chmod 0755 {} +
+ find $pdir -type f -perm -u+r -exec chmod go+r {} +
+ find $pdir -type f -perm -u+x -exec chmod go+x {} +
# Create the package
dpkg-gencontrol $forcearch -Vkernel:debarch="${debarch}" -p$pname -P"$pdir"
--
2.7.3
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH] builddeb: fix file permissions before packaging
2016-07-07 14:50 [PATCH] builddeb: fix file permissions before packaging Henning Schild
@ 2016-07-07 14:56 ` Henning Schild
2016-07-22 12:15 ` Michal Marek
1 sibling, 0 replies; 6+ messages in thread
From: Henning Schild @ 2016-07-07 14:56 UTC (permalink / raw)
To: Michal Marek; +Cc: linux-kernel, linux-kbuild
On Thu, 7 Jul 2016 16:50:37 +0200
Henning Schild <henning.schild@siemens.com> wrote:
> Builddep is not very explicit about file permissions. Actually the
> file permissions in the package are largely influenced by the umask
> of the user cloning the git and building the package. If that umask
> does not set go+r the resulting linux-headers package will prevent
> non-root users from building out-of-tree modules. And that is
> probably just one unexpected effect.
This problem was found in a CI-system (buildbot) running with a 0077
umask and building packages. These packages contained headers with 600
instead of 644 and users could not build there modules anymore.
Reproduce with "umask 0077", "git clone ..", ... "make deb-pkg"
> Being a packaging/install tool builddep should make sure the file
> permissions are set correctly and not just derived from a value that
> is never checked.
If that patch is not accepted i strongly suggest at least asserting
that the headers in linux-headers.deb have 644. I am not sure which is
the better solution, but builddeb should not produce such broken
packages.
> This patch derives the "r" and "x" bits for all files from the file
> owner, all directories in the package will be 755.
>
> Signed-off-by: Henning Schild <henning.schild@siemens.com>
> ---
> scripts/package/builddeb | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/scripts/package/builddeb b/scripts/package/builddeb
> index 86e56fe..615e0ed 100755
> --- a/scripts/package/builddeb
> +++ b/scripts/package/builddeb
> @@ -26,6 +26,11 @@ create_package() {
> # Fix ownership and permissions
> chown -R root:root "$pdir"
> chmod -R go-w "$pdir"
> + # in case we are in a restrictive umask environment like 0077
> + # set permissions for dirs and derive "go"-"rx" permissions
> from "u"
> + find $pdir -type d -exec chmod 0755 {} +
> + find $pdir -type f -perm -u+r -exec chmod go+r {} +
> + find $pdir -type f -perm -u+x -exec chmod go+x {} +
>
> # Create the package
> dpkg-gencontrol $forcearch -Vkernel:debarch="${debarch}"
> -p$pname -P"$pdir"
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] builddeb: fix file permissions before packaging
2016-07-07 14:50 [PATCH] builddeb: fix file permissions before packaging Henning Schild
2016-07-07 14:56 ` Henning Schild
@ 2016-07-22 12:15 ` Michal Marek
2016-07-22 12:46 ` [PATCHv2] " Henning Schild
2016-07-22 12:48 ` [PATCH] " Henning Schild
1 sibling, 2 replies; 6+ messages in thread
From: Michal Marek @ 2016-07-22 12:15 UTC (permalink / raw)
To: Henning Schild; +Cc: linux-kernel, linux-kbuild
On 2016-07-07 16:50, Henning Schild wrote:
> Builddep is not very explicit about file permissions. Actually the file
> permissions in the package are largely influenced by the umask of the
> user cloning the git and building the package. If that umask does not
> set go+r the resulting linux-headers package will prevent non-root users
> from building out-of-tree modules. And that is probably just one
> unexpected effect.
> Being a packaging/install tool builddep should make sure the file
> permissions are set correctly and not just derived from a value that is
> never checked.
>
> This patch derives the "r" and "x" bits for all files from the file
> owner, all directories in the package will be 755.
>
> Signed-off-by: Henning Schild <henning.schild@siemens.com>
> ---
> scripts/package/builddeb | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/scripts/package/builddeb b/scripts/package/builddeb
> index 86e56fe..615e0ed 100755
> --- a/scripts/package/builddeb
> +++ b/scripts/package/builddeb
> @@ -26,6 +26,11 @@ create_package() {
> # Fix ownership and permissions
> chown -R root:root "$pdir"
> chmod -R go-w "$pdir"
> + # in case we are in a restrictive umask environment like 0077
> + # set permissions for dirs and derive "go"-"rx" permissions from "u"
> + find $pdir -type d -exec chmod 0755 {} +
> + find $pdir -type f -perm -u+r -exec chmod go+r {} +
> + find $pdir -type f -perm -u+x -exec chmod go+x {} +
This can be simplified as
chmod -R a+rX "$pdir"
Michal
^ permalink raw reply [flat|nested] 6+ messages in thread
* [PATCHv2] builddeb: fix file permissions before packaging
2016-07-22 12:15 ` Michal Marek
@ 2016-07-22 12:46 ` Henning Schild
2016-07-26 20:27 ` Michal Marek
2016-07-22 12:48 ` [PATCH] " Henning Schild
1 sibling, 1 reply; 6+ messages in thread
From: Henning Schild @ 2016-07-22 12:46 UTC (permalink / raw)
To: Michal Marek; +Cc: Henning Schild, linux-kernel, linux-kbuild
Builddep is not very explicit about file permissions. Actually the file
permissions in the package are largely influenced by the umask of the
user cloning the git and building the package. If that umask does not
set go+r the resulting linux-headers package will prevent non-root users
from building out-of-tree modules. And that is probably just one
unexpected effect.
Being a packaging/install tool builddep should make sure the file
permissions are set correctly and not just derived from a value that is
never checked.
This patch sets ugo read permissions for all packaged files and derives
the executable bit for directories and executables from the file-owner.
Signed-off-by: Henning Schild <henning.schild@siemens.com>
---
scripts/package/builddeb | 2 ++
1 file changed, 2 insertions(+)
diff --git a/scripts/package/builddeb b/scripts/package/builddeb
index 86e56fe..f72ba49 100755
--- a/scripts/package/builddeb
+++ b/scripts/package/builddeb
@@ -26,6 +26,8 @@ create_package() {
# Fix ownership and permissions
chown -R root:root "$pdir"
chmod -R go-w "$pdir"
+ # in case we are in a restrictive umask environment like 0077
+ chmod -R a+rX "$pdir"
# Create the package
dpkg-gencontrol $forcearch -Vkernel:debarch="${debarch}" -p$pname -P"$pdir"
--
2.7.3
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH] builddeb: fix file permissions before packaging
2016-07-22 12:15 ` Michal Marek
2016-07-22 12:46 ` [PATCHv2] " Henning Schild
@ 2016-07-22 12:48 ` Henning Schild
1 sibling, 0 replies; 6+ messages in thread
From: Henning Schild @ 2016-07-22 12:48 UTC (permalink / raw)
To: Michal Marek; +Cc: linux-kernel, linux-kbuild
Am Fri, 22 Jul 2016 14:15:32 +0200
schrieb Michal Marek <mmarek@suse.com>:
> On 2016-07-07 16:50, Henning Schild wrote:
> > Builddep is not very explicit about file permissions. Actually the
> > file permissions in the package are largely influenced by the umask
> > of the user cloning the git and building the package. If that umask
> > does not set go+r the resulting linux-headers package will prevent
> > non-root users from building out-of-tree modules. And that is
> > probably just one unexpected effect.
> > Being a packaging/install tool builddep should make sure the file
> > permissions are set correctly and not just derived from a value
> > that is never checked.
> >
> > This patch derives the "r" and "x" bits for all files from the file
> > owner, all directories in the package will be 755.
> >
> > Signed-off-by: Henning Schild <henning.schild@siemens.com>
> > ---
> > scripts/package/builddeb | 5 +++++
> > 1 file changed, 5 insertions(+)
> >
> > diff --git a/scripts/package/builddeb b/scripts/package/builddeb
> > index 86e56fe..615e0ed 100755
> > --- a/scripts/package/builddeb
> > +++ b/scripts/package/builddeb
> > @@ -26,6 +26,11 @@ create_package() {
> > # Fix ownership and permissions
> > chown -R root:root "$pdir"
> > chmod -R go-w "$pdir"
> > + # in case we are in a restrictive umask environment like
> > 0077
> > + # set permissions for dirs and derive "go"-"rx"
> > permissions from "u"
> > + find $pdir -type d -exec chmod 0755 {} +
> > + find $pdir -type f -perm -u+r -exec chmod go+r {} +
> > + find $pdir -type f -perm -u+x -exec chmod go+x {} +
>
> This can be simplified as
>
> chmod -R a+rX "$pdir"
That 'X' is much nicer than the finds, learned something new today,
Thanks!
Henning
> Michal
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCHv2] builddeb: fix file permissions before packaging
2016-07-22 12:46 ` [PATCHv2] " Henning Schild
@ 2016-07-26 20:27 ` Michal Marek
0 siblings, 0 replies; 6+ messages in thread
From: Michal Marek @ 2016-07-26 20:27 UTC (permalink / raw)
To: Henning Schild; +Cc: linux-kernel, linux-kbuild
Dne 22.7.2016 v 14:46 Henning Schild napsal(a):
> Builddep is not very explicit about file permissions. Actually the file
> permissions in the package are largely influenced by the umask of the
> user cloning the git and building the package. If that umask does not
> set go+r the resulting linux-headers package will prevent non-root users
> from building out-of-tree modules. And that is probably just one
> unexpected effect.
> Being a packaging/install tool builddep should make sure the file
> permissions are set correctly and not just derived from a value that is
> never checked.
>
> This patch sets ugo read permissions for all packaged files and derives
> the executable bit for directories and executables from the file-owner.
>
> Signed-off-by: Henning Schild <henning.schild@siemens.com>
> ---
> scripts/package/builddeb | 2 ++
> 1 file changed, 2 insertions(+)
Applied to kbuild.git#misc, thanks.
Michal
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2016-07-26 20:27 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-07-07 14:50 [PATCH] builddeb: fix file permissions before packaging Henning Schild
2016-07-07 14:56 ` Henning Schild
2016-07-22 12:15 ` Michal Marek
2016-07-22 12:46 ` [PATCHv2] " Henning Schild
2016-07-26 20:27 ` Michal Marek
2016-07-22 12:48 ` [PATCH] " Henning Schild
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).