Github messages for voidlinux
From: paper42 <paper42@users.noreply.github.com>
To: ml@inbox.vuxu.org
Subject: Re: [PR PATCH] [Updated] common/hooks/post-install: add fix permissions hook
Date: Sat, 07 Aug 2021 00:08:39 +0200
Message-ID: <20210806220839.CeBc-342GZTek24s7EfVLa-oLFf6N9Rd6FERw3Z_5Vk@z>
In-Reply-To: <gh-mailinglist-notifications-41a7ca26-5023-4802-975b-f1789d68868e-void-packages-30139@inbox.vuxu.org>

There is an updated pull request by paper42 against master on the void-packages repository

https://github.com/paper42/void-packages 0001-common-hooks-post-install-add-fix-permissions-hook.patch
https://github.com/void-linux/void-packages/pull/30139

common/hooks/post-install: add fix permissions hook
Some packages install files with wrong permissions, but sometimes we can detect and fix them.

## /usr/share/man: 644
This rule matches a lot of files, mainly because it matches 444 permissions too.
* packages which install manpages with 755 permissions: nvimpager, sloccount
* packages which install manpages with 444 permissions: lowdown, mdocml, dhcpcd, openresolv, all perl packages, lua5.3 (but not 5.1, 5.2 and 5.4)

## /etc/apparmor.d: 600
I chose 600 because that's what aa-genprof creates.
* packages which install apparmor profiles with wrong permissions: apparmor (644), brillo (640), firejail (644), mako (640) (these permission measurements may be wrong in some cases)

The package lists are not complete.

Are there any other common directories which should be included in this hook? Is forcing 644 in /usr/share/man too strict? Should affected packages be revbumped?

A patch file from https://github.com/void-linux/void-packages/pull/30139.patch is attached

From 1b0d68c765a4890627350afa2e8d0a9381f43cbb Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 2 Jul 2021 01:04:48 +0200
Subject: [PATCH] hooks/post-install: add fix permissions hook

---
 common/environment/setup-subpkg/subpkg.sh     |  3 ++
 .../hooks/post-install/14-fix-permissions.sh  | 30 +++++++++++++++++++
 2 files changed, 33 insertions(+)
 create mode 100644 common/hooks/post-install/14-fix-permissions.sh

diff --git a/common/environment/setup-subpkg/subpkg.sh b/common/environment/setup-subpkg/subpkg.sh
index 0243d2400481..048e28f83577 100644
--- a/common/environment/setup-subpkg/subpkg.sh
+++ b/common/environment/setup-subpkg/subpkg.sh
@@ -5,6 +5,9 @@
 unset -v conf_files mutable_files preserve triggers alternatives
 unset -v depends run_depends replaces provides conflicts tags
 
+# hooks/post-install/14-fix-permissions
+unset -v nofixperms
+
 # hooks/post-install/03-strip-and-debug-pkgs
 unset -v nostrip nostrip_files
 
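Review bot: `nofixperms` is introduced here as a new per-package variable with no documentation; the diffstat shows only subpkg.sh and the new hook file being touched. Add a short description for template authors, stating that any non-empty value disables the hook entirely. As a style point, the `14-fix-permissions` comment block is placed ahead of `03-strip-and-debug-pkgs`; putting it after keeps the unset list in hook order.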
diff --git a/common/hooks/post-install/14-fix-permissions.sh b/common/hooks/post-install/14-fix-permissions.sh
new file mode 100644
index 000000000000..8960e514258a
--- /dev/null
+++ b/common/hooks/post-install/14-fix-permissions.sh
@@ -0,0 +1,30 @@
+# This hook fixes permissions in common places
+
+change_file_perms() {
+	local dir="${PKGDESTDIR}${1}"
+	# permission mask for matching the files
+	local permmask="$2"
+	# permissions which will be set on matched files
+	local perms="$3"
+	if [ -d "$dir" ]; then
+		find "$dir" -type f -perm "/$permmask" -exec chmod -v "$perms" {} +
+	fi
+}
+
+hook() {
+	[ -n "$nofixperms" ] && return 0
+	# check that no files have permission write for all users
+	find "$PKGDESTDIR" -type f -perm -0002 | while read -r file; do
+		msg_error "$pkgver: file ${file#$PKGDESTDIR} has write permission for all users\n"
+	done
+
+	change_file_perms "/usr/share/man" 133 644
+	change_file_perms "/etc/apparmor.d" 111 644
+	change_file_perms "/usr/share/applications" 133 644
+	change_file_perms "/usr/share/help" 133 644
+	change_file_perms "/usr/share/icons" 133 644
+	change_file_perms "/usr/share/locale" 133 644
+	change_file_perms "/usr/share/metainfo" 133 644
+	change_file_perms "/usr/share/appdata" 133 644
+	change_file_perms "/usr/include" 133 644
+}
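Review bot: `change_file_perms "/etc/apparmor.d" 111 644` disagrees with the PR description, which says 600 was chosen for AppArmor profiles. As written, any profile the rule touches ends up world-readable, and because `-perm /111` only selects files with an execute bit set, the 640 and 644 profiles named in the description are never matched at all. Either pass 600 with a mask that covers the group and other bits (for example 177), or update the description to say 644 is intended. Separately, the world-writable check pipes `find` into `while read -r file`, so the loop body runs in a pipeline subshell: if `msg_error` aborts by calling `exit`, only that subshell ends and the hook carries on to the chmod calls, which then silently clear the write bit in the listed directories. Since `[ -n "$nofixperms" ] && return 0` comes first, setting `nofixperms` also skips that check; consider running the check before the early return and failing outside the pipeline.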
