FS#69976 - [cgit] way of packaging leads to false positive UID/GID mismatch with paccheck

Attached to Project: Community Packages
Opened by jxir (jxir) - Saturday, 13 March 2021, 17:21 GMT
Last edited by Christian Hesse (eworm) - Sunday, 14 March 2021, 22:02 GMT
Task Type Bug Report
Category Packages
Status Closed
Assigned To Sergej Pupykin (sergej)
Lukas Fleischer (lfleischer)
Christian Hesse (eworm)
Architecture All
Severity Very Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

cgit-1.2.3-1

Running "paccheck --file-properties cgit" yields the following output:

cgit: '/var/cache/cgit' UID mismatch (expected 0/root)
cgit: '/var/cache/cgit' GID mismatch (expected 0/root)

This is because this directory is first created with root ownership in the PKGBUILD:

package() {
...
mkdir -p "$pkgdir/usr/lib/cgit"
...
}

and then the ownership is changed by the cgit.install script:

post_install() {
...
chown -v http:http var/cache/cgit
...
}

In my opinion, the proper way to do this would be:

package() {
...
install -d -o http -g http "$pkgdir/usr/lib/cgit/"
...
}
This task depends upon

Closed by  Christian Hesse (eworm)
Sunday, 14 March 2021, 22:02 GMT
Reason for closing:  Fixed
Additional comments about closing:  cgit 1.2.3-3
Comment by jxir (jxir) - Saturday, 13 March 2021, 20:08 GMT
[Correction of my original post, which cites the wrong line of the PKGBUILD, my apologies!]

cgit-1.2.3-1

Running "paccheck --file-properties cgit" yields the following output:

cgit: '/var/cache/cgit' UID mismatch (expected 0/root)
cgit: '/var/cache/cgit' GID mismatch (expected 0/root)

This is because this directory is first created with root ownership in the PKGBUILD:

package() {
...
install -vd "$pkgdir/var/cache/$pkgname"
...
}

and then the ownership is changed by the cgit.install script:

post_install() {
...
chown -v http:http var/cache/cgit
...
}

In my opinion, the proper way to do this would be:

package() {
...
install -vd -o http -g http "$pkgdir/var/cache/$pkgname"
...
}
Comment by Christian Hesse (eworm) - Sunday, 14 March 2021, 20:11 GMT
For a lot of packages something like this makes sense when uid and gid a assigned dynamically...
However user 'http' has a fixed uid 33, so we could changes this. Lukas, any reason we have it that way?

I would suggest another solution, though: Let's drop the directory from package and create it from tmpfiles. Concerns?
Comment by Eli Schwartz (eschwartz) - Sunday, 14 March 2021, 21:15 GMT
For dynamically assigned uid/gid, you MUST use tmpfiles since pacman cannot encode it directly.

For statically fixed uid/gid, it's okay to do it in the PKGBUILD.

As it's hardcoded in /usr/lib/sysusers.d/arch.conf and should thus be always available on the build host, it probably would not break to use -o http -g http, but fixing it to 33 achieves the exact same results so you might as well.

The difference between tmpfiles and install -o 33 in package() comes down to, I guess, whether you think pacman should remove the directory with the package in the event the directory happens to be empty.
Comment by Christian Hesse (eworm) - Sunday, 14 March 2021, 22:02 GMT
Let's make it fool and future proof... Switched to using tmpfiles.

Loading...