request to adjust distribution tarball permissions
Brought to you by:
ptmcg
In pkgsrc, we encounter the fact that the .egg-info files in the tarball have inappropriate
permissions to install as is.
richard@omnis:/home/richard$ tar tpvfa /export/pub/src/distfiles/pyparsing-2.0.6.tar.gz |grep egg-info
-rwxrwxrwx 0/0 0 nov. 14 04:29 2015 pyparsing-2.0.6/pyparsing.egg-info/
-rw-rw-rw- 0/0 1 nov. 14 04:29 2015 pyparsing-2.0.6/pyparsing.egg-info/dependency_links.txt
-rw-rw-rw- 0/0 943 nov. 14 04:29 2015 pyparsing-2.0.6/pyparsing.egg-info/PKG-INFO
-rw-rw-rw- 0/0 4945 nov. 14 04:29 2015 pyparsing-2.0.6/pyparsing.egg-info/SOURCES.txt
-rw-rw-rw- 0/0 10 nov. 14 04:29 2015 pyparsing-2.0.6/pyparsing.egg-info/top_level.txt
This means that we have to fix these up manually in the pkgsrc install script to avoid group/world write.
Please generate the tarball with these permissions already set to non-writeable for group/world.
cheers
Richard -
Got your note, not sure how I will accomplish this, as I do pretty much all
development for pyparsing on Windows, and simply take the defaults in
setuptools when building my releases. That is, I don't create the tarballs
by hand. In fact, these particular files aren't even in my source tree, I
simply use the "setup dist" command which builds these files automatically.
Is there another Python package that you can point me to that distributes
these files with the desired permissions? I'll contact that package's
maintainers to get help on how to configure these files appropriately.
Conversely, can you fill me in on the risk posed by leaving these
permissions as-is?
Cheers,
-- Paul
From: Richard PALO [mailto:rpalo@users.sf.net]
Sent: Sunday, January 10, 2016 10:38 AM
To: Ticket 87 87@bugs.pyparsing.p.re.sf.net
Subject: [pyparsing:bugs] #87 request to adjust distribution tarball
permissions
[bugs:#87] http://sourceforge.net/p/pyparsing/bugs/87/ request to adjust
distribution tarball permissions
Status: open
Group: v1.0 (example)
Created: Sun Jan 10, 2016 04:37 PM UTC by Richard PALO
Last Updated: Sun Jan 10, 2016 04:37 PM UTC
Owner: nobody
Hi, in this case, you should be able to simply set the correct file protections initially
and commit them to your source code management system.
In theory that is all.
I did a quick test here (on UNIX, though) and python setup.py sdist --formats=gztar
did the "right" thing.
I just realised you mentioned that you don't manage these files in your SCM.
In that case, you will need to make sure your default file creation mode mask
(on 'nix UMASK) is set to 0022 which means don't change anything for the special protection bits or for the owner, but avoid group/world write.
What would the Windows equivalent of UMASK be?
And can you remind me of the security issue that we are addressing with this
change? None of these files is used at runtime.
-- Paul
From: Richard PALO [mailto:rpalo@users.sf.net]
Sent: Sunday, January 10, 2016 11:42 AM
To: [pyparsing:bugs] 87@bugs.pyparsing.p.re.sf.net
Subject: [pyparsing:bugs] #87 request to adjust distribution tarball
permissions
You may perhaps get a more reasonable answer from the python setuptools forum if need be, I'm afraid I cannot steer you.
As far as security goes, I suggest you search system file and directory protection policies in general. I believe it goes without saying that not every Tom, Dick, or Harry should be able to modify any files in system directories without elevated privilege.
cheers
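
Added example, not part of the thread and not pyparsing, setuptools or pkgsrc code: a platform-independent way to list group/world-writable members of an sdist tarball and to rewrite it with those bits cleared, which has the same effect on the archive as building under a umask of 0022. The function names are hypothetical and the sample archive is constructed to mimic the listing in the ticket.

```python
import io
import tarfile

GROUP_WORLD_WRITE = 0o022  # the bits a umask of 0022 would clear


def writable_members(tar_bytes):
    """Return (name, mode) for every member that is group- or world-writable."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        return [(m.name, m.mode) for m in tar if m.mode & GROUP_WORLD_WRITE]


def normalize_modes(tar_bytes):
    """Copy a tarball to .tar.gz, clearing group/world write in every header."""
    out = io.BytesIO()
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as src, \
         tarfile.open(fileobj=out, mode="w:gz") as dst:
        for member in src:
            member.mode &= ~GROUP_WORLD_WRITE
            # Only regular files carry a data stream; directories do not.
            data = src.extractfile(member) if member.isreg() else None
            dst.addfile(member, data)
    return out.getvalue()


def build_sample():
    """Constructed sample: a 0777 directory and 0666 files, as in the ticket."""
    base = "pyparsing-2.0.6/pyparsing.egg-info"
    files = (("PKG-INFO", b"Metadata-Version: 1.1\n"),
             ("top_level.txt", b"pyparsing\n"))
    out = io.BytesIO()
    with tarfile.open(fileobj=out, mode="w:gz") as tar:
        d = tarfile.TarInfo(base)
        d.type, d.mode = tarfile.DIRTYPE, 0o777
        tar.addfile(d)
        for name, body in files:
            f = tarfile.TarInfo(base + "/" + name)
            f.mode, f.size = 0o666, len(body)
            tar.addfile(f, io.BytesIO(body))
    return out.getvalue()


if __name__ == "__main__":
    sample = build_sample()
    for name, mode in writable_members(sample):
        print("%04o %s" % (mode, name))
    print("after normalize:", writable_members(normalize_modes(sample)))
```

Because the modes are edited in the tar headers rather than on disk, the same check and rewrite can run as a release step on Windows, where there is no umask to set.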