From: Mark H Weaver
Subject: bug#38422: .png files in /gnu/store with executable permissions (555)
Date: Fri, 29 Nov 2019 07:20:41 -0500
Message-ID: <878sny6fgr.fsf@netris.org>
In-Reply-To: <20191129075938.GA55971@PhantoNv4ArchGx.localdomain>
List-Id: Bug reports for GNU Guix
To: Bengt Richter
Cc: 38422@debbugs.gnu.org

Hi Bengt,

Bengt Richter wrote:
> I was wanting to check on some executable files in the store,
> and happened to see some executable .png files ;-/
>
> I suspect they came in when I was playing with icecat
> and let it load a "theme", but I am not sure some didn't
> also happen trying to get firefox radio buttons to work ;-/

Certainly not.  Unless you ran icecat as root, it would not have
sufficient permissions to modify /gnu/store.  Installing a theme or
addon in IceCat, or changing its configuration, modifies files in your
~/.mozilla, not /gnu/store.

> Anyway, does anyone else get 555 permissions on files like these?
> These are all *.png files with 555 permissions, but I trimmed back to see common prefixes.
> Obviously the moka-con-theme was most of it, but also faba and docbook look iffy.

I looked at docbook-xsl-1.79.1, since I happen to have it installed on
my system.  Some of the *.png files are incorrectly given executable
permissions within the upstream source tarball itself.  I guess it's
probably the same issue with moka-icon-theme and faba-icon-theme, since
I don't see anything in our package code that would have done it.

Most of the entries in your list that end with "png" but not ".png" are
actually programs whose name ends with "png", so they *should* be
executable.  The files in /gnu/store/.links that end with "png" are
just random chance, because the file names themselves are hashes.

> Is this zero-day stuff with a nasty somewhere, waiting for referencing
> by another nasty, or am I being paranoid?

I think you're being paranoid in this case.  I don't see anything here
to be concerned about, just some minor sloppiness by 3 upstreams.

> What is the safe way to detoxify this mess?

The proper solution is to send bug reports to the upstream developers
of docbook-xsl, faba-icon-theme, and moka-icon-theme, asking them to
fix the permissions of the *.png files in their source tarballs.

> I know I shouldn't directly chmod anything in store, right?

Right, *never* modify files in /gnu/store directly.

> The icecat discussion got moved to mozilla,

Which discussion are you referring to?

     Thanks,
       Mark
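The reply sorts Bengt's list into three kinds of entries: PNG images that an upstream tarball shipped with mode 555, real programs whose names merely end in "png", and hash-named entries under /gnu/store/.links. A name-based grep cannot tell these apart, but file contents can. The script below is an added example, not part of this bug thread and not Guix code: it lists executable regular files whose first eight bytes are the PNG signature, so programs such as the "...png" converters are never flagged, and it runs against a constructed sample tree (the directory layout and file names are made up for the demonstration) so it can be tried outside a store. It assumes a POSIX find with -perm -100, plus head, od and mktemp, all of which the coreutils in a Guix profile provide.

```shell
#!/bin/sh
# Added example (not from the bug report or from Guix): report files that
# carry an executable bit but whose contents begin with the PNG signature.
# Checking magic bytes instead of the file name avoids flagging real
# programs whose names end in "png" and the hash-named files under .links.

set -eu

PNG_MAGIC='89504e470d0a1a0a'   # the 8-byte PNG signature, hex-encoded

# Print, one per line, every regular file under $1 that has the owner
# execute bit (-perm -100 is POSIX) and starts with the PNG signature.
# Read-only: nothing under the scanned tree is modified.
find_exec_pngs() {
    find "$1" -type f -perm -100 -print | while IFS= read -r f; do
        # first 8 bytes as lowercase hex; od keeps this portable (no xxd)
        sig=$(head -c 8 "$f" | od -An -tx1 | tr -d ' \n')
        if [ "$sig" = "$PNG_MAGIC" ]; then
            printf '%s\n' "$f"
        fi
    done
    return 0
}

# Number of executable PNGs under $1 (handy for a "should be zero" check).
count_exec_pngs() {
    find_exec_pngs "$1" | wc -l | tr -d ' '
}

# Build a constructed sample tree (invented paths, not store contents):
# one icon shipped with mode 555, one with ordinary 444 permissions, and
# a shell script whose name ends in "png" like a real converter program.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/share/icons" "$dir/bin"
    printf '\211PNG\r\n\032\n' > "$dir/share/icons/exec-icon.png"
    chmod 555 "$dir/share/icons/exec-icon.png"
    printf '\211PNG\r\n\032\n' > "$dir/share/icons/normal-icon.png"
    chmod 444 "$dir/share/icons/normal-icon.png"
    printf '#!/bin/sh\necho converting\n' > "$dir/bin/topng"
    chmod 755 "$dir/bin/topng"
    printf '%s\n' "$dir"
}

# Stand-alone use: scan the directory given as $1 (for instance a store
# path), or, with no argument, the constructed sample tree.
if [ "$#" -gt 0 ]; then
    find_exec_pngs "$1"
else
    sample=$(make_sample_tree)
    find_exec_pngs "$sample"     # prints only .../share/icons/exec-icon.png
    rm -rf "$sample"
fi
```

On the sample tree only exec-icon.png is reported: normal-icon.png lacks the execute bit and bin/topng is a script, not an image. Pointed at a store path the output is the list of candidates to mention in an upstream report, which, as the reply says, is the place to fix them rather than chmod inside /gnu/store.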