[pacman-dev] [PATCH] pacman-db-upgrade: set umask 022
This prevents the database from becoming inaccessible for non-root users when the script was executed with a umask of 027. Signed-off-by: Peter Wu <peter@lekensteyn.nl> --- Hi, It would probably be a good idea to set umask 022 for /var/cache/pacman/archives/ as well, but that is not as severe as this issue. If there are people who actually use 'umask 027' to make their packages unreadable, what about a global Umask setting in pacman.conf (defaulting to 022?). Kind regards, Peter --- scripts/pacman-db-upgrade.sh.in | 3 +++ 1 file changed, 3 insertions(+) diff --git a/scripts/pacman-db-upgrade.sh.in b/scripts/pacman-db-upgrade.sh.in index 7bb277b..e2bb290 100644 --- a/scripts/pacman-db-upgrade.sh.in +++ b/scripts/pacman-db-upgrade.sh.in @@ -19,6 +19,9 @@ # along with this program. If not, see <http://www.gnu.org/licenses/>. # +# Avoid creating world-unreadable files +umask 022 + # gettext initialization export TEXTDOMAIN='pacman-scripts' export TEXTDOMAINDIR='@localedir@' -- 2.2.1
On 20/12/14 20:58, Peter Wu wrote:
It would probably be a good idea to set umask 022 for /var/cache/pacman/archives/ as well
What is that directory?
On Saturday 20 December 2014 21:00:57 Allan McRae wrote:
On 20/12/14 20:58, Peter Wu wrote:
It would probably be a good idea to set umask 022 for /var/cache/pacman/archives/ as well
What is that directory?
Typo: s/archives/pkg/ -- Kind regards, Peter https://lekensteyn.nl
On 20/12/14 20:58, Peter Wu wrote:
This prevents the database from becoming inaccessible for non-root users when the script was executed with a umask of 027.
Signed-off-by: Peter Wu <peter@lekensteyn.nl> ---
Applied.
Hi,
It would probably be a good idea to set umask 022 for /var/cache/pacman/archives/ as well, but that is not as severe as this issue.
If there are people who actually use 'umask 027' to make their packages unreadable, what about a global Umask setting in pacman.conf (defaulting to 022?).
I am happy with that staying how it is. A non-root user does not particularly need access to these files. Allan
On Tuesday 23 December 2014 11:18:51 Allan McRae wrote:
It would probably be a good idea to set umask 022 for /var/cache/pacman/archives/ as well, but that is not as severe as this issue.
If there are people who actually use 'umask 027' to make their packages unreadable, what about a global Umask setting in pacman.conf (defaulting to 022?).
I am happy with that staying how it is. A non-root user does not particularly need access to these files.
Allan
(S)he does not? What about copying the package to a different (virtual) machine? Or extracting a config file and look for differences? The status quo is that the permissions of cache dir items depend on the umask of the executing process which is 022 on a default installation. When I have a need to read the tarball contents, I first have to run: sudo chmod -R o+r /var/cache/pacman/pkg/ With this in mind, would you still be opposed to changing the default umask, or introducing a umask setting in pacman.conf? -- Kind regards, Peter https://lekensteyn.nl
participants (2)
-
Allan McRae
-
Peter Wu