bug#38422: .png files in /gnu/store with executable permissions (555)

[Tobias Geerinckx-Rice via Bug reports for GNU Guix <bug-guix@gnu.org>]

[-- Attachment #1: Type: text/plain, Size: 3731 bytes --]

Bengt, Ricardo,

I see similar results here with ‘guix install moka-icon-theme’, 
and I'm sure the rest of my (and everyone's) store is full of 
misperm'd files too.  It's kind of generally known.

This seems to be particularly common in Meson packages: for some 
reason, Meson installs everything as executable by default.

Bengt Richter 写道：
> Is this zero-day stuff with a nasty somewhere, waiting for 
> referencing
> by another nasty, or am I being paranoid?

What's the threat model there?  Respectfully, I think you might 
be, but maybe I'm naive…

Otherwise I consider this a merely cosmetic issue, but we still 
welcome fixes for those!

Checking whether Meson behaves differently on other distributions 
would be a good start.

Ricardo Wurmus 写道：
> Bengt Richter <bokr@bokr.com> writes:
>
>> $ find /gnu -type f -perm /111 -iname '*png'|xargs stat -c '%a 
>> %A %N'|cut -d '-' -f5,6,7,8|less|uniq -c|less
>> --8<---------------cut 
>> here---------------start------------->8---
>>       1 x 
>>       '/gnu/store/.links/1s94fymqj8xba55rg8xbdni9a215kxsxkddyh2qyb7y6fl7srpng'
>>       1 x 
>>       '/gnu/store/.links/05dsk06ffdwgjdqgsy03zhnsrcd44yyi8ylk9qyb1a3n89aplpng'
>>      97 x 
>>      '/gnu/store/jf7i57glqykwgm1k7zb5k8x6f1yd47l8-faba-icon-theme
>>       1 x 
>>       '/gnu/store/k83hj06qj142xv6rqpfh3mcdf3149q09-gd-2.2.5/bin/gdparttopng'
>>       1 x 
>>       '/gnu/store/k83hj06qj142xv6rqpfh3mcdf3149q09-gd-2.2.5/bin/gdtopng'
>>       1 x 
>>       '/gnu/store/k83hj06qj142xv6rqpfh3mcdf3149q09-gd-2.2.5/bin/webpng'
>>       1 x 
>>       '/gnu/store/k83hj06qj142xv6rqpfh3mcdf3149q09-gd-2.2.5/bin/gd2topng'
>>       1 x 
>>       '/gnu/store/x9c77i6r5fmarslij6ng81awgrxblplm-texlive-bin-20180414/bin/dvipng'
>>   34143 x 
>>   '/gnu/store/yg6skr4v6vnj04rm5k9h3pa81mjivba7-moka-icon-theme
>>       1 x 
>>       '/gnu/store/7mxkdn6cp7x8sac49p2g80qw5j1aavi3-texlive-20180414/bin/dvipng'
>>      62 x 
>>      '/gnu/store/6d79d8za76pj5f2flhckpmdvdgqhqxaa-docbook-xsl-1.79.1/xml/xsl/docbook
>>       1 x 
>>       '/gnu/store/azd3rg350gjkgzvzps3s4j3kpz5kxh57-texlive-bin-20180414/bin/dvipng'
>>       1 x 
>>       '/gnu/store/9w1hi2hr4zczc5jd5r2xmff9zf4gwc1n-texlive-union-49435/bin/dvipng'
>>       1 x 
>>       '/gnu/store/5hv33gy8w247v3dcf4dfa8p0ijkmiz5x-gd-2.2.5/bin/gdparttopng'
>>       1 x 
>>       '/gnu/store/5hv33gy8w247v3dcf4dfa8p0ijkmiz5x-gd-2.2.5/bin/gdtopng'
>>       1 x 
>>       '/gnu/store/5hv33gy8w247v3dcf4dfa8p0ijkmiz5x-gd-2.2.5/bin/webpng'
>>       1 x 
>>       '/gnu/store/5hv33gy8w247v3dcf4dfa8p0ijkmiz5x-gd-2.2.5/bin/gd2topng'
>>       1 x 
>>       '/gnu/store/9jgmsnx36wv8ymgalwd1zlmq3z34bqf0-gd-2.2.5/bin/gdparttopng'
>>       1 x 
>>       '/gnu/store/9jgmsnx36wv8ymgalwd1zlmq3z34bqf0-gd-2.2.5/bin/gdtopng'
>>       1 x 
>>       '/gnu/store/9jgmsnx36wv8ymgalwd1zlmq3z34bqf0-gd-2.2.5/bin/webpng'
>>       1 x 
>>       '/gnu/store/9jgmsnx36wv8ymgalwd1zlmq3z34bqf0-gd-2.2.5/bin/gd2topng'
>>
>> --8<---------------cut 
>> here---------------end--------------->8---
>
> Maybe I’m missing something, but none of the above are PNGs.
> Most of them are executables, others are directories, so having 
> them
> executable is expected.

Bengt's clever pipeline tallies the number of executable *png 
files in each top-level store directory.  It does not include 
directories.

It's true that the '*png' above should be replaced with '*.png', 
but these /bin files are just the very noisy outliers.

The meat is in:

> 34143 x 
> '/gnu/store/yg6skr4v6vnj04rm5k9h3pa81mjivba7-moka-icon-theme

i.e. 34143 executable '*png' files in that directory alone.

Kind regards,

T G-R

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]