From: Tobias Geerinckx-Rice via Bug reports for GNU Guix
Subject: bug#38422: .png files in /gnu/store with executable permissions (555)
Date: Fri, 29 Nov 2019 12:28:26 +0100
Message-ID: <87r21q9b1h.fsf@nckx>
References: <20191129075938.GA55971@PhantoNv4ArchGx.localdomain> <87r21r9fn1.fsf@elephly.net>
In-reply-to: <87r21r9fn1.fsf@elephly.net>
To: Bengt Richter, 38422@debbugs.gnu.org

Bengt, Ricardo,

I see similar results here with ‘guix install moka-icon-theme’, and I'm sure the rest of my (and everyone's) store is full of misperm'd files too. It's kind of generally known.
This seems to be particularly common in Meson packages: for some reason, Meson installs everything as executable by default.

Bengt Richter wrote:

> Is this zero-day stuff with a nasty somewhere, waiting for referencing
> by another nasty, or am I being paranoid?

What's the threat model there? Respectfully, I think you might be, but maybe I'm naive…

Otherwise I consider this a merely cosmetic issue, but we still welcome fixes for those!

Checking whether Meson behaves differently on other distributions would be a good start.

Ricardo Wurmus wrote:

> Bengt Richter writes:
>
>> $ find /gnu -type f -perm /111 -iname '*png'|xargs stat -c '%a %A %N'|cut -d '-' -f5,6,7,8|less|uniq -c|less
>> --8<---------------cut here---------------start------------->8---
>> 1 x '/gnu/store/.links/1s94fymqj8xba55rg8xbdni9a215kxsxkddyh2qyb7y6fl7srpng'
>> 1 x '/gnu/store/.links/05dsk06ffdwgjdqgsy03zhnsrcd44yyi8ylk9qyb1a3n89aplpng'
>> 97 x '/gnu/store/jf7i57glqykwgm1k7zb5k8x6f1yd47l8-faba-icon-theme
>> 1 x '/gnu/store/k83hj06qj142xv6rqpfh3mcdf3149q09-gd-2.2.5/bin/gdparttopng'
>> 1 x '/gnu/store/k83hj06qj142xv6rqpfh3mcdf3149q09-gd-2.2.5/bin/gdtopng'
>> 1 x '/gnu/store/k83hj06qj142xv6rqpfh3mcdf3149q09-gd-2.2.5/bin/webpng'
>> 1 x '/gnu/store/k83hj06qj142xv6rqpfh3mcdf3149q09-gd-2.2.5/bin/gd2topng'
>> 1 x '/gnu/store/x9c77i6r5fmarslij6ng81awgrxblplm-texlive-bin-20180414/bin/dvipng'
>> 34143 x '/gnu/store/yg6skr4v6vnj04rm5k9h3pa81mjivba7-moka-icon-theme
>> 1 x '/gnu/store/7mxkdn6cp7x8sac49p2g80qw5j1aavi3-texlive-20180414/bin/dvipng'
>> 62 x '/gnu/store/6d79d8za76pj5f2flhckpmdvdgqhqxaa-docbook-xsl-1.79.1/xml/xsl/docbook
>> 1 x '/gnu/store/azd3rg350gjkgzvzps3s4j3kpz5kxh57-texlive-bin-20180414/bin/dvipng'
>> 1 x '/gnu/store/9w1hi2hr4zczc5jd5r2xmff9zf4gwc1n-texlive-union-49435/bin/dvipng'
>> 1 x '/gnu/store/5hv33gy8w247v3dcf4dfa8p0ijkmiz5x-gd-2.2.5/bin/gdparttopng'
>> 1 x '/gnu/store/5hv33gy8w247v3dcf4dfa8p0ijkmiz5x-gd-2.2.5/bin/gdtopng'
>> 1 x '/gnu/store/5hv33gy8w247v3dcf4dfa8p0ijkmiz5x-gd-2.2.5/bin/webpng'
>> 1 x '/gnu/store/5hv33gy8w247v3dcf4dfa8p0ijkmiz5x-gd-2.2.5/bin/gd2topng'
>> 1 x '/gnu/store/9jgmsnx36wv8ymgalwd1zlmq3z34bqf0-gd-2.2.5/bin/gdparttopng'
>> 1 x '/gnu/store/9jgmsnx36wv8ymgalwd1zlmq3z34bqf0-gd-2.2.5/bin/gdtopng'
>> 1 x '/gnu/store/9jgmsnx36wv8ymgalwd1zlmq3z34bqf0-gd-2.2.5/bin/webpng'
>> 1 x '/gnu/store/9jgmsnx36wv8ymgalwd1zlmq3z34bqf0-gd-2.2.5/bin/gd2topng'
>>
>> --8<---------------cut here---------------end--------------->8---
>
> Maybe I’m missing something, but none of the above are PNGs.
> Most of them are executables, others are directories, so having them
> executable is expected.

Bengt's clever pipeline tallies the number of executable *png files in each top-level store directory. It does not include directories.

It's true that the '*png' above should be replaced with '*.png', but these /bin files are just the very noisy outliers. The meat is in:

> 34143 x '/gnu/store/yg6skr4v6vnj04rm5k9h3pa81mjivba7-moka-icon-theme

i.e. 34143 executable '*png' files in that directory alone.
Kind regards,

T G-R
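The tally described in the message above, as an added example that is not part of the thread and not code from Guix or Meson. It runs the same kind of find over a constructed sample tree (the directory names below are made up, not real store items), uses the corrected '*.png' glob so that tools such as gd's /bin/gdtopng are no longer counted, and groups the counts per top-level directory in awk instead of relying on the number of hyphens in each path. It also shows the only place such a fix can be applied: the build output of a package before it is copied into the store, since store items themselves are immutable; `strip_exec_bits` is an assumed helper name, not a Guix build phase.

```shell
#!/bin/sh
# Added example for the bug#38422 discussion; not from the thread or from Guix.
# Finds regular files matching a glob (default '*.png') that carry any execute
# bit and tallies them per top-level directory under ROOT.

# count_exec_by_topdir ROOT [GLOB]
#   Prints "<count> <top-level-dir>" for each top-level directory under ROOT
#   that contains matching regular files with an execute bit set, sorted by name.
count_exec_by_topdir() {
    root=${1%/}
    glob=$2; [ -n "$glob" ] || glob='*.png'
    find "$root" -type f -perm /111 -iname "$glob" |
    awk -v root="$root" '
        { rel = substr($0, length(root) + 2)   # path relative to ROOT
          split(rel, p, "/")                   # p[1] is the top-level directory
          n[p[1]]++ }
        END { for (d in n) printf "%d %s\n", n[d], d }' |
    sort -k2
}

# strip_exec_bits ROOT [GLOB]
#   Removes all execute bits from matching regular files.  Intended for a
#   package's build output before installation: /gnu/store items are immutable,
#   so this cannot be applied to the store after the fact.
strip_exec_bits() {
    root=${1%/}
    glob=$2; [ -n "$glob" ] || glob='*.png'
    find "$root" -type f -perm /111 -iname "$glob" -exec chmod a-x {} +
}

# make_sample_tree
#   Builds a constructed demo tree in a temporary directory and prints its
#   path.  Two PNGs are installed 555 (as Meson would), one is 444, and a
#   gd-style /bin/gdtopng is a legitimately executable tool.
make_sample_tree() {
    t=$(mktemp -d)
    icons="$t/aaa-moka-icon-theme/share/icons"
    mkdir -p "$icons" "$t/bbb-gd-2.2.5/bin"
    for f in a.png b.png; do
        : > "$icons/$f"; chmod 555 "$icons/$f"
    done
    : > "$icons/c.png"; chmod 444 "$icons/c.png"
    : > "$t/bbb-gd-2.2.5/bin/gdtopng"; chmod 555 "$t/bbb-gd-2.2.5/bin/gdtopng"
    printf '%s\n' "$t"
}

# Demo when run directly: audit, fix the build output, audit again.
demo=$(make_sample_tree)
echo "executable *png files (the original, over-broad glob):"
count_exec_by_topdir "$demo" '*png'
echo "executable *.png files before the fix:"
count_exec_by_topdir "$demo"
strip_exec_bits "$demo"
echo "executable *.png files after the fix:"
count_exec_by_topdir "$demo"
rm -rf "$demo"
```

With the original '*png' glob the sample tree reports both the icon theme and the gd tool; with '*.png' only the icon theme is reported, and after `strip_exec_bits` the report is empty while /bin/gdtopng keeps its execute bit.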