FS#75537 - [kdesu] contains file owned by nobody

Attached to Project: Arch Linux
Opened by David Runge (dvzrv) - Sunday, 07 August 2022, 17:38 GMT
Last edited by Antonio Rojas (arojas) - Thursday, 22 September 2022, 18:41 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To Antonio Rojas (arojas)
Felix Yan (felixonmars)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description: The package contains a file owned by nobody. From a security and filesystem perspective this should not be the case.

Please use systemd-tmpfiles in case the file does indeed need to be owned by another user.

Additional info:

* kdesu 5.96.0-1
* https://gitlab.archlinux.org/archlinux/repod/-/issues/61

Steps to reproduce:

```
repod-file package inspect /mnt/mirror/extra/os/x86_64/kdesu-5.96.0-1-x86_64.pkg.tar.zst
Traceback (most recent call last):
File "/usr/lib/python3.10/site-packages/repod/files/mtree.py", line 360, in from_file
MTreeEntryV1(
File "pydantic/main.py", line 341, in pydantic.main.BaseModel.__init__
pydantic.error_wrappers.ValidationError: 1 validation error for MTreeEntryV1
gid
ensure this value is less than 1000 (type=value_error.number.not_lt; limit_value=1000)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/bin/repod-file", line 8, in <module>
sys.exit(repod_file())
File "/usr/lib/python3.10/site-packages/repod/cli/cli.py", line 189, in repod_file
repod_file_package(args=args)
File "/usr/lib/python3.10/site-packages/repod/cli/cli.py", line 33, in repod_file_package
model = asyncio.run(
File "/usr/lib/python3.10/asyncio/runners.py", line 44, in run
return loop.run_until_complete(main)
File "/usr/lib/python3.10/asyncio/base_events.py", line 646, in run_until_complete
return future.result()
File "/usr/lib/python3.10/site-packages/repod/files/package.py", line 106, in from_file
mtree=MTree.from_file(
File "/usr/lib/python3.10/site-packages/repod/files/mtree.py", line 374, in from_file
raise RepoManagementValidationError(
repod.errors.RepoManagementValidationError: An error occured when validating mtree data!
Basic settings: {'type_': 'file', 'uid': 0, 'gid': 0, 'mode': '644'}
File settings: {'name': '/usr/lib/kf5/kdesud', 'time': 1656788300.0, 'mode': '2755', 'gid': 65534, 'size': 63496, 'md5': 'cd3692218139f9195ea7c8f263d9e8c1', 'sha256': 'db68b6c69180149def49156012effb7a1399db084e50b29a3222a34593b62ef0'}
1 validation error for MTreeEntryV1
gid
ensure this value is less than 1000 (type=value_error.number.not_lt; limit_value=1000)
```
This task depends upon

Closed by  Antonio Rojas (arojas)
Thursday, 22 September 2022, 18:41 GMT
Reason for closing:  Fixed
Additional comments about closing:  kdesu 5.98.0-2
Comment by Antonio Rojas (arojas) - Saturday, 27 August 2022, 19:46 GMT
I'm not sure what I'm supposed to do here. The gid is intentionally set to nogroup by upstream [1][2][3]. If that is somehow wrong, it should be taken up upstream (by someone who understands why it's wrong, that wouldn't be me).

[1] https://invent.kde.org/frameworks/kdesu/-/blob/master/src/kdesud/CMakeLists.txt#L45
[2] https://invent.kde.org/frameworks/kdesu/-/commit/a9bcd8a0ed470e3531264b247eeb055a0fed89b7
[3] https://lists.debian.org/debian-qt-kde/2010/05/msg00450.html

Loading...