[pacman-dev] [PATCH] Fix consistency of downloaded sources permissions

Sébastien Luttringer seblu at seblu.net
Mon Dec 9 19:59:24 EST 2013

Calls to makepkg -g and makepkg to download source files result in different
permissions on the file if user umask != 0022.

Running makepkg with the -g option will download source files before makepkg
sets umask to 0022. Downloaded files' permissions will depend on the user's
umask.
Running bare makepkg will call the download source routines after umask was
set to 0022. Downloaded files' permissions will be group and world readable.

A collateral damage:
When a user who has a restricted umask (like 077)
updates a PKGBUILD with updpkgsums (which calls makepkg -g)
and calls a devtools script (extra-i686-build) to build the package,
he will get a 'Permission denied',
because the builder (another makepkg call) will be run as the nobody user.

Another side effect: when several users share a SRCDEST directory, they cannot
access files generated by another user with a restricted umask.
Although this can be worked around by a default ACL in the SRCDEST directory.

The oldest commit with this umask is the first git commit (d04baab), with no
relevant information provided about the purpose of using an umask.
The last commit moving the umask was 171808. The previous commit message
referred to bugs FS#9242 and FS#9362, which recommend putting the umask at the
top in makepkg.

This patch puts the umask definition at the "beginning" of the makepkg script.
This lets us rely on all files generated by makepkg being created with a 0022
umask.

Signed-off-by: Sébastien Luttringer <seblu at seblu.net>
 scripts/makepkg.sh.in | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in
index 28e8e7a..81354df 100644
--- a/scripts/makepkg.sh.in
+++ b/scripts/makepkg.sh.in
@@ -2544,6 +2544,9 @@ There is NO WARRANTY, to the extent permitted by law.\n")"
+# ensure we have a sane umask set
+umask 0022
 # determine whether we have gettext; make it a no-op if we do not
 if ! type -p gettext >/dev/null; then
 	gettext() {
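
Review bot: the comment on the moved `umask 0022` still says only "ensure we have a sane umask set" and does not record why the call has to sit this early. The hunk header puts it at line 2544, ahead of the gettext check, so that the -g download path described in the commit message also runs under it; say so in the comment (for example "must run before any code path that creates files, including -g") so a later cleanup does not move it back down. It is also worth stating there that this deliberately overrides a stricter user umask such as 077 for everything makepkg writes from this point on.
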
@@ -2979,9 +2982,6 @@ else
-# ensure we have a sane umask set
-umask 0022
 # get back to our src directory so we can begin with sources
 mkdir -p "$srcdir"
 chmod a-s "$srcdir"
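
Review bot: with the umask call removed from just above `mkdir -p "$srcdir"`, the mode of the directory created here depends on a setting made more than 400 lines earlier. Please confirm that nothing between line 2544 and this point changes the umask again, and note in the commit message that every option handled in that range, not only -g, now runs with 0022 instead of the caller's umask.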
