#87 request to adjust distribution tarball permissions

Group: v1.0 (example)
Status: open
Owner: nobody
Labels: None
Priority: 5
Updated: 2016-01-10
Created: 2016-01-10
Private: No

In pkgsrc, we encounter the fact that the .egg-info files in the tarball have inappropriate
permissions to install as is.

richard@omnis:/home/richard$ tar tpvfa /export/pub/src/distfiles/pyparsing-2.0.6.tar.gz |grep egg-info
-rwxrwxrwx   0/0        0 nov. 14 04:29 2015 pyparsing-2.0.6/pyparsing.egg-info/
-rw-rw-rw-   0/0        1 nov. 14 04:29 2015 pyparsing-2.0.6/pyparsing.egg-info/dependency_links.txt
-rw-rw-rw-   0/0      943 nov. 14 04:29 2015 pyparsing-2.0.6/pyparsing.egg-info/PKG-INFO
-rw-rw-rw-   0/0     4945 nov. 14 04:29 2015 pyparsing-2.0.6/pyparsing.egg-info/SOURCES.txt
-rw-rw-rw-   0/0       10 nov. 14 04:29 2015 pyparsing-2.0.6/pyparsing.egg-info/top_level.txt

This means that we have to fix these up manually in the pkgsrc install script to avoid group/world write.

Please generate the tarball with these permissions already set to non-writeable for group/world.

cheers
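The check that pkgsrc effectively has to perform on every distfile, as an added example (not from the ticket, and not pyparsing's or pkgsrc's own code): a Python script that builds a constructed gzip tarball mirroring the listing above, then scans every member for group- or world-writable mode bits and reports them in the same form `tar tv` prints. The function names are this example's own and the archive contents are constructed sample data, not the real pyparsing-2.0.6 distfile.

```python
import io
import stat
import tarfile

# Bits a packager does not want on anything shipped in an sdist:
# group write (0o020) and other/world write (0o002).
UNSAFE_BITS = stat.S_IWGRP | stat.S_IWOTH


def build_sample_tarball() -> bytes:
    """Construct, in memory, a gzip tarball that mirrors the listing in the
    report: an egg-info directory at 0o777 and its metadata files at 0o666,
    plus one correctly permissioned file. Constructed sample data, not the
    real pyparsing-2.0.6 distfile."""
    entries = [
        ("pyparsing-2.0.6/pyparsing.egg-info", 0o777, None),
        ("pyparsing-2.0.6/pyparsing.egg-info/dependency_links.txt", 0o666, b"\n"),
        ("pyparsing-2.0.6/pyparsing.egg-info/top_level.txt", 0o666, b"pyparsing\n"),
        ("pyparsing-2.0.6/setup.py", 0o644, b"# constructed stand-in for setup.py\n"),
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, mode, data in entries:
            info = tarfile.TarInfo(name)
            info.mode = mode
            if data is None:
                # A directory member: tarfile appends the trailing slash on write
                # and strips it again on read, so names compare without it.
                info.type = tarfile.DIRTYPE
                tar.addfile(info)
            else:
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def find_writable_members(tar_bytes: bytes) -> list:
    """Scan every member of a tarball and return (name, mode string) for each
    one that is group- or world-writable, in archive order. The mode string
    is rendered the way `tar tv` shows it so it can be compared with the
    report's listing."""
    flagged = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.mode & UNSAFE_BITS:
                type_bits = stat.S_IFDIR if member.isdir() else stat.S_IFREG
                flagged.append((member.name, stat.filemode(type_bits | member.mode)))
    return flagged


if __name__ == "__main__":
    for name, mode in find_writable_members(build_sample_tarball()):
        print(f"{mode} {name}")
```

Run against a real distfile by replacing `build_sample_tarball()` with the bytes of the downloaded archive; an empty result means the install script needs no permission fix-ups. The scan reads the archive members' mode fields directly and never extracts anything, so it is safe to run on untrusted tarballs.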

Related

Bugs: #87

Discussion

  • Paul McGuire

    Paul McGuire - 2016-01-10

    Richard -

    Got your note, not sure how I will accomplish this, as I do pretty much all
    development for pyparsing on Windows, and simply take the defaults in
    setuptools when building my releases. That is, I don't create the tarballs
    by hand. In fact, these particular files aren't even in my source tree, I
    simply use the "setup dist" command which builds these files automatically.

    Is there another Python package that you can point me to that distributes
    these files with the desired permissions? I'll contact that package's
    maintainers to get help on how to configure these files appropriately.

    Conversely, can you fill me in on the risk posed by leaving these
    permissions as-is?

    Cheers,

    -- Paul

    From: Richard PALO [mailto:rpalo@users.sf.net]
    Sent: Sunday, January 10, 2016 10:38 AM
    To: Ticket 87 87@bugs.pyparsing.p.re.sf.net
    Subject: [pyparsing:bugs] #87 request to adjust distribution tarball
    permissions


    [bugs:#87] http://sourceforge.net/p/pyparsing/bugs/87/ request to adjust
    distribution tarball permissions

    Status: open
    Group: v1.0 (example)
    Created: Sun Jan 10, 2016 04:37 PM UTC by Richard PALO
    Last Updated: Sun Jan 10, 2016 04:37 PM UTC
    Owner: nobody

    In pkgsrc, we encounter the fact that the .egg-info files in the tarball
    have inappropriate permissions to install as is.

    richard@omnis:/home/richard$ tar tpvfa /export/pub/src/distfiles/pyparsing-2.0.6.tar.gz |grep egg-info
    -rwxrwxrwx   0/0        0 nov. 14 04:29 2015 pyparsing-2.0.6/pyparsing.egg-info/
    -rw-rw-rw-   0/0        1 nov. 14 04:29 2015 pyparsing-2.0.6/pyparsing.egg-info/dependency_links.txt
    -rw-rw-rw-   0/0      943 nov. 14 04:29 2015 pyparsing-2.0.6/pyparsing.egg-info/PKG-INFO
    -rw-rw-rw-   0/0     4945 nov. 14 04:29 2015 pyparsing-2.0.6/pyparsing.egg-info/SOURCES.txt
    -rw-rw-rw-   0/0       10 nov. 14 04:29 2015 pyparsing-2.0.6/pyparsing.egg-info/top_level.txt

    This means that we have to fix these up manually in the pkgsrc install
    script to avoid group/world write.

    Please generate the tarball with these permissions already set to
    non-writeable for group/world.

    cheers



  • Richard PALO

    Richard PALO - 2016-01-10

    Hi, in this case, you should be able to simply set the correct file protections initially
    and commit them to your source code management system.

    In theory that is all.

    I did a quick test here (on UNIX, though) and python setup.py sdist --formats=gztar
    did the "right" thing.

  • Richard PALO

    Richard PALO - 2016-01-10

    I just realised you mentioned that you don't manage these files in your SCM.
    In that case, you will need to make sure your default file creation mode mask
    (on 'nix UMASK) is set to 0022 which means don't change anything for the special protection bits or for the owner, but avoid group/world write.
    • Paul McGuire

      Paul McGuire - 2016-01-10

      What would the Windows equivalent of UMASK be?

      And can you remind me of the security issue that we are addressing with this
      change? None of these files is used at runtime.

      -- Paul

      From: Richard PALO [mailto:rpalo@users.sf.net]
      Sent: Sunday, January 10, 2016 11:42 AM
      To: [pyparsing:bugs] 87@bugs.pyparsing.p.re.sf.net
      Subject: [pyparsing:bugs] #87 request to adjust distribution tarball
      permissions

      I just realised you mentioned that you don't manage these files in your SCM.
      In that case, you will need to make sure your default file creation mode
      mask
      (on 'nix UMASK) is set to 0022 which means don't change anything for the
      special protection bits


      This email has been checked for viruses by Avast antivirus software.
      https://www.avast.com/antivirus

       
  • Richard PALO

    Richard PALO - 2016-01-10

    You may perhaps get a more reasonable answer from the python setuptools forum if need be, I'm afraid I cannot steer you.

    As far as security goes, I suggest you search system file and directory protection policies in general. I believe it goes without saying that not every Tom, Dick, or Harry should be able to modify any files in system directories without elevated privilege.

    cheers