FS#69976 - [cgit] way of packaging leads to false positive UID/GID mismatch with paccheck
Attached to Project:
Community Packages
Opened by jxir (jxir) - Saturday, 13 March 2021, 17:21 GMT
Last edited by Christian Hesse (eworm) - Sunday, 14 March 2021, 22:02 GMT
Details
cgit-1.2.3-1
Running "paccheck --file-properties cgit" yields the following output:
cgit: '/var/cache/cgit' UID mismatch (expected 0/root)
cgit: '/var/cache/cgit' GID mismatch (expected 0/root)
This is because this directory is first created with root ownership in the PKGBUILD:
package() {
...
mkdir -p "$pkgdir/usr/lib/cgit"
...
}
and then the ownership is changed by the cgit.install script:
post_install() {
...
chown -v http:http var/cache/cgit
...
}
In my opinion, the proper way to do this would be:
package() {
...
install -d -o http -g http "$pkgdir/usr/lib/cgit/"
...
}
Closed by Christian Hesse (eworm)
Sunday, 14 March 2021, 22:02 GMT
Reason for closing: Fixed
Additional comments about closing: cgit 1.2.3-3
cgit-1.2.3-1
Running "paccheck --file-properties cgit" yields the following output:
cgit: '/var/cache/cgit' UID mismatch (expected 0/root)
cgit: '/var/cache/cgit' GID mismatch (expected 0/root)
This is because this directory is first created with root ownership in the PKGBUILD:
package() {
...
install -vd "$pkgdir/var/cache/$pkgname"
...
}
and then the ownership is changed by the cgit.install script:
post_install() {
...
chown -v http:http var/cache/cgit
...
}
In my opinion, the proper way to do this would be:
package() {
...
install -vd -o http -g http "$pkgdir/var/cache/$pkgname"
...
}
However user 'http' has a fixed uid 33, so we could change this. Lukas, any reason we have it that way?
I would suggest another solution, though: Let's drop the directory from package and create it from tmpfiles. Concerns?
For statically fixed uid/gid, it's okay to do it in the PKGBUILD.
As it's hardcoded in /usr/lib/sysusers.d/arch.conf and should thus be always available on the build host, it probably would not break to use -o http -g http, but fixing it to 33 achieves the exact same results so you might as well.
The difference between tmpfiles and install -o 33 in package() comes down to, I guess, whether you think pacman should remove the directory with the package in the event the directory happens to be empty.
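The mismatch discussed in this thread can be reproduced with a small model of the comparison, added here as an example (it is not paccheck's or the package's own code). It assumes the package metadata is mtree-style text like pacman's .MTREE and that http is 33:33; the sample listings, the on-disk state and the message format are constructed.

```python
# Model of an ownership check against package metadata (added example).
# Assumption: metadata is mtree text; "/set" gives defaults, entries override.

def parse_mtree(text):
    """Return {path: {"uid": int, "gid": int}} from mtree-style text."""
    defaults, entries = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, *words = line.split()
        attrs = dict(w.split("=", 1) for w in words if "=" in w)
        if name == "/set":  # defaults for the entries that follow
            defaults.update(attrs)
        elif name == "/unset":  # drop previously set defaults
            for key in words:
                defaults.pop(key, None)
        else:
            merged = {**defaults, **attrs}  # entry keywords win over /set
            path = name[1:] if name.startswith("./") else name
            entries[path] = {k: int(merged.get(k, 0)) for k in ("uid", "gid")}
    return entries

def check_ownership(pkg, expected, observed):
    """Return one message per uid/gid that differs from the metadata."""
    problems = []
    for path, want in expected.items():
        have = observed.get(path)
        if have is None:
            continue  # a missing path belongs to a different check
        for key in ("uid", "gid"):
            if have[key] != want[key]:
                problems.append(
                    f"{pkg}: '{path}' {key.upper()} mismatch (expected {want[key]})")
    return problems

# Constructed metadata: directory packaged root-owned (plain "install -vd").
MTREE_ROOT = """#mtree
/set type=file uid=0 gid=0 mode=644
./var/cache/cgit time=1615655000.0 mode=755 type=dir
"""
# Constructed metadata: directory packaged with "-o 33 -g 33".
MTREE_HTTP = MTREE_ROOT.replace("mode=755", "mode=755 uid=33 gid=33")
# Constructed on-disk state after post_install's chown to http (33:33 assumed).
ON_DISK = {"/var/cache/cgit": {"uid": 33, "gid": 33}}

if __name__ == "__main__":
    print(check_ownership("cgit", parse_mtree(MTREE_ROOT), ON_DISK))  # two mismatches
    print(check_ownership("cgit", parse_mtree(MTREE_HTTP), ON_DISK))  # none
```

On a real system the observed values would come from os.lstat() on each path instead of the constructed ON_DISK dictionary.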