FS#47625 - [devtools] extra-x86_64-build fails when root's umask is 027

Attached to Project: Arch Linux
Opened by Pierre Neidhardt (Ambrevar) - Monday, 04 January 2016, 23:04 GMT
Last edited by Eli Schwartz (eschwartz) - Wednesday, 21 August 2019, 04:49 GMT
Task Type Bug Report
Category Arch Projects
Status Closed
Assigned To Pierre Schmitz (Pierre)
Evangelos Foutras (foutrelis)
Eli Schwartz (eschwartz)
Architecture All
Severity Low
Priority Normal
Reported Version 4.2.1
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No

Details

Summary and Info:
The title is a bit too specific as this regards any mask that removes folder access to others, and (probably) all build scripts.
These helper scripts will create /var/lib/archbuild/{repo}-{arch} with root's current umask, which can prevent current user from accessing those folders. Then the scripts will fails:

==> Building in chroot for [extra] (i686)...
==> Creating clean working copy [ambrevar]...done
==> ERROR: /var/lib/archbuild/extra-i686/ambrevar/etc/makepkg.conf not found.
Aborting...
==> ERROR: Could not download sources.


The process fails at mkarchroot:478:

download_sources() {
local builddir="$(mktemp -d)"
chmod 1777 "$builddir"

# Ensure sources are downloaded
if [[ -n $SUDO_USER ]]; then
sudo -u $SUDO_USER env SRCDEST="$SRCDEST" BUILDDIR="$builddir" \
makepkg --config="$copydir/etc/makepkg.conf" --verifysource -o


A possible fix would be to add 'umask 022' before creating the folder in the build scripts, i.e.

umask 022
mkdir -p "${chroots}/${repo}-${arch}"


Steps to Reproduce:
* Setup root session to use a umask 027 (or any mask that removes folder access to others).
* Remove /var/lib/archbuild if existing.
* Run `sudo extra-x86_64-build`,
This task depends upon

Closed by  Eli Schwartz (eschwartz)
Wednesday, 21 August 2019, 04:49 GMT
Reason for closing:  Fixed
Additional comments about closing:  https://git.archlinux.org/devtools.git/c ommit/?id=40a90e2cab479cc64903a62b42eb61 7a8a7e5842
Comment by Pierre Neidhardt (Ambrevar) - Thursday, 14 January 2016, 08:08 GMT
It's 'mkchrootpkg', not 'mkarchroot'.
Comment by Evangelos Foutras (foutrelis) - Thursday, 14 January 2016, 09:04 GMT
You probably mean makechrootpkg; as mentioned on IRC, commitpkg is affected too (detached signatures having too restrictive permissions).

Perhaps we could call umask from lib/common.sh which gets included in all scripts; haven't looked much into it yet though. [1]

[1] https://projects.archlinux.org/devtools.git/tree/lib/common.sh
Comment by Pierre Neidhardt (Ambrevar) - Thursday, 14 January 2016, 09:14 GMT
Indeed, damn these names are confusing me :)
Comment by Augusto Hack (hack.augusto) - Saturday, 25 August 2018, 18:46 GMT
This just bit me, here is a commit that adds the required umask 0022 : https://github.com/hackaugusto/devtools/tree/umask , where can I open a PR for this change?

Loading...