From: ng0
To: Alex Vong
Cc: guix-devel@gnu.org
Subject: Re: Using ``chmod'' in build phases
Date: Tue, 2 Jan 2018 16:28:02 +0000
Message-ID: <20180102162802.5kgpmhboqewhptjx@abyayala>
In-Reply-To: <87h8s42uqs.fsf@gmail.com>

Alex Vong transcribed 12K bytes:
> Hello,
>
> Running ``LC_ALL=C grep -r chmod'' on ``guix/gnu/packages'', gives the
> following result. As you can see, various modes are used, such as 644,
> 755, 555, 666, 777, 664.

> Do we have a guide on which mode should be
> preferred?

As far as I know we don't have such a guide. If someone would write
one, it should go into the Contributing chapter imo.

> I personally always used 644 for non-executable files, and 755
> for directories and executable files. Any idea?
>
>
> networking.scm: (chmod "." #o755)
> commencement.scm: (chmod program #o555))
> Binary file admin.go matches
> Binary file fpga.go matches
> mail.scm: (chmod "mb2md" #o555))
> Binary file ssh.go matches
> Binary file package-management.go matches
> irc.scm: (("/bin/chmod") "chmod")
> irc.scm: ;; Furthermore bsdinstalls has a reference to /etc/chmod here, which
> irc.scm: (("/bin/chmod") "chmod")
> patches/libbase-use-own-logging.patch: // We do an explicit fchmod here because we assume that the caller really
> patches/libbase-use-own-logging.patch: if (fchmod(fd, mode) == -1) {
> patches/libbase-use-own-logging.patch:- ALOGE("android::WriteStringToFile fchmod failed: %s", strerror(errno));
> patches/libbase-use-own-logging.patch:+ PLOG(ERROR) << "android::WriteStringToFile fchmod failed";
> patches/findutils-localstatedir.patch: chmod +x $@
> patches/nss-pkgconfig.patch:+ chmod 0644 nss.pc
> patches/nss-pkgconfig.patch:+ chmod 0755 nss-config
> patches/4store-fix-buildsystem.patch:! chmod 1777 $(DESTDIR)@FS_STORE_ROOT@
> patches/cdrtools-3.01-mkisofs-isoinfo.patch:- fchmodat(AT_FDCWD, fname, fstat_buf.st_mode, AT_SYMLINK_NOFOLLOW);
> patches/cdrtools-3.01-mkisofs-isoinfo.patch:+ fchmodat(AT_FDCWD, fname, fstat_buf.st_mode, AT_SYMLINK_NOFOLLOW);
> patches/tcsh-fix-autotest.patch: chmod a+x args.sh
> patches/tcsh-fix-autotest.patch:-chmod a+x script.sh subdir/script.sh
> patches/tcsh-fix-autotest.patch:+#chmod a+x script.sh subdir/script.sh
> patches/perl-file-path-CVE-2017-6512.patch:https://anonscm.debian.org/cgit/perl/perl.git/diff/debian/patches/fixes/file_path_chmod_race.diff?id=e7b50f8fb6413f8ddfbbfda2d531615fb029e2d3
> patches/perl-file-path-CVE-2017-6512.patch:Subject: Prevent directory chmod race attack.
> patches/perl-file-path-CVE-2017-6512.patch:CVE-2017-6512 is a race condition attack where the chmod() of directories
> patches/perl-file-path-CVE-2017-6512.patch:the directory-permission loosening logic to systems where fchmod() is
> patches/perl-file-path-CVE-2017-6512.patch:Patch-Name: fixes/file_path_chmod_race.diff
> patches/perl-file-path-CVE-2017-6512.patch:- or chmod( $nperm, $root )
> patches/perl-file-path-CVE-2017-6512.patch:+ # This uses fchmod to avoid traversing outside of the proper
> patches/perl-file-path-CVE-2017-6512.patch:+ or eval { chmod( $nperm, $root_fh ) }
> patches/perl-file-path-CVE-2017-6512.patch:+my $fchmod_supported = 0;
> patches/perl-file-path-CVE-2017-6512.patch:+ eval { $fchmod_supported = chmod( $perm, $fh); };
> patches/perl-file-path-CVE-2017-6512.patch:+ skip "fchmod of directories not supported on this platform", 3 unless $fchmod_supported;
> patches/perl-file-path-CVE-2017-6512.patch: # http://perldoc.perl.org/perlport.html#chmod
> patches/perl-file-path-CVE-2017-6512.patch: skip "Windows chmod test skipped", $skip_count
> patches/perl-file-path-CVE-2017-6512.patch:+ skip "fchmod() on directories is not supported on this platform", $skip_count
> patches/perl-file-path-CVE-2017-6512.patch:+ unless $fchmod_supported;
> patches/perl-file-path-CVE-2017-6512.patch:- $dir = catdir($tmp_base, 'chmod_test');
> patches/perl-file-path-CVE-2017-6512.patch:+ $dir = catdir($tmp_base, sprintf("chmod_test%04o", $input));
> patches/portmidi-modular-build.patch:- COMMAND chmod +x pmdefaults/pmdefaults
> patches/byobu-writable-status.patch:+ chmod +w "$BYOBU_CONFIG_DIR/$f"
> patches/proot-test-fhs.patch:@@ -34,7 +34,7 @@ chmod +x ${ROOTFS}/${TMP_ABS}
> patches/rsync-CVE-2017-17434-pt2.patch: extern struct chmod_mode_struct *daemon_chmod_modes;
> Binary file tex.go matches
> Binary file networking.go matches
> virtualization.scm: (chmod "samba-wrapper" #o755)
> Binary file graphviz.go matches
> tex.scm: "batchmode; "
> tex.scm: "batchmode; "
> tex.scm: "batchmode; "
> tex.scm: (and (zero? (system* "luatex" "-ini" "-interaction=batchmode"
> tex.scm: (zero? (system* "tex" "-ini" "-interaction=batchmode"
> tex.scm: (zero? (system* "latex" "-ini" "-interaction=batchmode"
> tex.scm: (zero? (system* format "-ini" "-interaction=batchmode"
> tex.scm: (zero? (system* "luatex" "-ini" "-interaction=batchmode"
> tex.scm: "batchmode; "
> tex.scm: "batchmode; "
> Binary file autotools.go matches
> ssh.scm: (chmod (string-append (assoc-ref outputs "out")
> Binary file python.go matches
> Binary file maths.go matches
> cups.scm: (for-each (lambda (file) (chmod file #o644))
> cups.scm: (for-each (lambda (file) (chmod file #o644))
> axoloti.scm: (chmod target #o555))
> python.scm: (chmod file #o755))
> python.scm: (chmod new #o755)
> Binary file wget.go matches
> Binary file bioinformatics.go matches
> kodi.scm: (("autoreconf -vif") "chmod -R u+w ."))
> Binary file perl.go matches
> c.scm: (chmod port #o777)))
> Binary file axoloti.go matches
> Binary file ocaml.go matches
> ocaml.scm: (chmod "src/strings.ml" #o600)
> conkeror.scm: (chmod launcher #o555)))))))
> Binary file java.go matches
> Binary file emacs.go matches
> text-editors.scm: (zero? (system* "chmod" "-R" "u+w" "../test")))))))
> nvi.scm: (chmod "configure" #o0755)))))
> disk.scm: (chmod exe #o555)
> Binary file backup.go matches
> Binary file music.go matches
> audio.scm: (chmod file #o644))
> music.scm: (chmod (string-append out "/share/Aria/Documentation") #o555)
> music.scm: (chmod (string-append out "/share/Aria/score") #o555)
> music.scm: (chmod (string-append bin "/tuxguitar") #o555)
> music.scm: (for-each (cut chmod <> #o644)
> Binary file zile.go matches
> emacs.scm: (chmod exwm-executable #o555)
> emacs.scm: (chmod exwm-executable #o555)
> perl.scm: (chmod dso #o755))
> perl.scm: (chmod "blib/arch/auto/Digest/MD5/MD5.so" #o755))))))
> Binary file bootstrap.go matches
> tls.scm: (chmod file #o644))
> certs.scm: (chmod "certdata2pem.py" #o555)
> java.scm: (chmod target #o755)
> java.scm: (chmod (string-append bin tool) #o755))
> java.scm: (chmod target #o755)
> java.scm: (string-append line "; chmod -R u+w $(BOOT_DIR)")))
> java.scm: (zero? (system* "chmod" "-R" "u+w" "openjdk"))
> java.scm: (("/bin/chmod") (which "chmod")))
> java.scm: ;; The cacerts files we are going to overwrite are chmod'ed as
> java.scm: (chmod (string-append (assoc-ref outputs "out")
> java.scm: (chmod (string-append (assoc-ref outputs "jdk")
> java.scm: (chmod (string-append bin "/antlr3") #o755))))
> java.scm: (chmod (string-append bin "/antlr3") #o755)
> java.scm: (chmod (string-append bin "/antlr3") #o755))))
> java.scm: (chmod (string-append bin "/mvel2") #o755))
> backup.scm: (chmod target-file-location #o755)
> Binary file c.go matches
> linux.scm: (chmod ".config" #o666))
> linux.scm: (chmod file #o666))
> linux.scm: (chmod "e2fsck" #o555))))))
> linux.scm: (chmod "zerofree" #o555)
> linux.scm: (chmod file #o755))
> linux.scm: (chmod target #o555)))))
> Binary file kodi.go matches
> Binary file monitoring.go matches
> Binary file virtualization.go matches
> Binary file audio.go matches
> Binary file certs.go matches
> fpga.scm: (zero? (system* "chmod" "+w" "abc/abc")))))
> Binary file tls.go matches
> package-management.scm: (chmod po #o666))
> Binary file text-editors.go matches
> Binary file commencement.go matches
> uml.scm: (chmod wrapper #o555))
> Binary file disk.go matches
> Binary file graphics.go matches
> graphviz.scm: (chmod "test/boolean/test.sh" #o777))
> web.scm: (chmod "woof" #o555))
> Binary file netpbm.go matches
> bootloaders.scm: (zero? (system* "chmod" "a+w" "utils/isohybrid.in"))))
> Binary file uml.go matches
> bootstrap.scm: (chmod bin-dir #o755)
> bootstrap.scm: (chmod guile #o555)
> bootstrap.scm: (chmod bin-dir #o555))))))
> bootstrap.scm: (chmod "bin" #o755)
> bootstrap.scm: (chmod "bin" #o555)
> bootstrap.scm: (chmod "lib" #o755)
> bootstrap.scm: (chmod "." #o755)
> bootstrap.scm: (chmod "gcc" #o555))))))
> engineering.scm: (chmod (string-append out "/bin/" script) #o555)))
> Binary file conkeror.go matches
> Binary file bootstrap/x86_64-linux/mkdir matches
> Binary file bootstrap/armhf-linux/mkdir matches
> Binary file bootstrap/i686-linux/mkdir matches
> Binary file bootstrap/mips64el-linux/mkdir matches
> Binary file bootstrap/aarch64-linux/mkdir matches
> Binary file readline.go matches
> Binary file games.go matches
> Binary file irc.go matches
> readline.scm: (for-each (lambda (f) (chmod f #o755))
> readline.scm: (for-each (lambda (f) (chmod f #o644))
> wget.scm: (chmod file #o755))
> games.scm: (chmod (string-append bin "/roguebox-adventures") #o555)
> games.scm: (chmod port #o777)))))
> games.scm: (chmod "redeclipse_linux" #o555)
> games.scm: (chmod "redeclipse_server_linux" #o555)))
> games.scm: (chmod higan #o555)
> games.scm: (chmod prog #o755)
> games.scm: (chmod wrapper #o555)
> zile.scm: (chmod file #o755))
> lisp.scm: (chmod wrapper #o755))
> lisp.scm: (chmod script #o755)
> Binary file base.go matches
> Binary file cups.go matches
> bioinformatics.scm: (chmod wrapper #o555)))))))
> bioinformatics.scm: (chmod (string-append target "GESS.py") #o555)
> bioinformatics.scm: (chmod "_pytadbit/_version.py" #o664)
> bioinformatics.scm: (chmod "README.rst" #o664)
> autotools.scm: (chmod (string-append bin "/autoconf") #o555)))))))
> Binary file nvi.go matches
> monitoring.scm: (("chmod g\\+s.*" all)
> Binary file web.go matches
> version-control.scm: (chmod new #o555))
> admin.scm: (chmod "bind/bind.tar.gz" #o644)
> Binary file linux.go matches
> graphics.scm: (chmod "brdf" #o555))))))))
> Binary file bootloaders.go matches
> Binary file version-control.go matches
> base.scm: (chmod ld #o555)
> Binary file mail.go matches
> netpbm.scm: (chmod "config.mk" #o664)
> simulation.scm: ;; 'chmod' step is needed before running the applications. For
> simulation.scm: ;; $ chmod -R u+w .
> Binary file lisp.go matches
> maths.scm: (chmod "src/maxima" #o555)
> maths.scm: (chmod wrapper #o555))))
> Binary file engineering.go matches
>
>
> Cheers,
> Alex

-- 
GnuPG: A88C8ADD129828D7EAC02E52E22F9BBFEE348588
GnuPG: https://c.n0.is/ng0_pubkeys/tree/keys
WWW: https://n0.is