From: paper42 <paper42@users.noreply.github.com>
To: ml@inbox.vuxu.org
Subject: Re: [PR PATCH] [Updated] common/hooks/post-install: add fix permissions hook
Date: Sun, 22 Aug 2021 22:57:18 +0200
Message-ID: <20210822205718.zEf71cifel3_BvfGMCrpNchd9wBJyG_uq4voCDrn05Q@z>
In-Reply-To: <gh-mailinglist-notifications-41a7ca26-5023-4802-975b-f1789d68868e-void-packages-30139@inbox.vuxu.org>

[-- Attachment #1: Type: text/plain, Size: 1283 bytes --]

There is an updated pull request by paper42 against master on the void-packages repository

https://github.com/paper42/void-packages 0001-common-hooks-post-install-add-fix-permissions-hook.patch
https://github.com/void-linux/void-packages/pull/30139

common/hooks/post-install: add fix permissions hook
Some packages install files with wrong permissions, but sometimes we can detect and fix them.

## /usr/share/man: 644
this rule matches a lot of files, mainly because it matches 444 permissions too
* packages which install manpages with 755 permissions: nvimpager, sloccount
* packages which install manpages with 444 permissions: lowdown, mdocml, dhcpcd, openresolv, all perl packages, lua5.3 (but not 5.1, 5.2 and 5.4)

## /etc/apparmor.d: 600
I chose 600 because that's what aa-genprof creates.
* packages which install apparmor profiles with wrong permissions: apparmor (644), brillo (640), firejail (644), mako (640) (these permission measurements may be wrong in some cases)

The package lists are not complete.

Are there any other common directories which should be included in this hook? Is forcing 644 in /usr/share/man too strict? Should affected packages be revbumped?

A patch file from https://github.com/void-linux/void-packages/pull/30139.patch is attached

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: github-pr-0001-common-hooks-post-install-add-fix-permissions-hook.patch-30139.patch --]
[-- Type: text/x-diff, Size: 11454 bytes --]

From ab642a7736841e245f19ef682a0dc608ed761a88 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 2 Jul 2021 01:04:48 +0200
Subject: [PATCH 01/10] hooks/post-install: add fix permissions hook

---
 Manual.md                                     |  4 +++
 common/environment/setup-subpkg/subpkg.sh     |  3 ++
 .../hooks/post-install/14-fix-permissions.sh  | 33 +++++++++++++++++++
 3 files changed, 40 insertions(+)
 create mode 100644 common/hooks/post-install/14-fix-permissions.sh

diff --git a/Manual.md b/Manual.md
index 4316363f66c4..890457819e1c 100644
--- a/Manual.md
+++ b/Manual.md
@@ -760,6 +760,10 @@ Examples:
 	```
 A special value `noarch` used to be available, but has since been removed.
 
+- `nocheckperms` If set, xbps-src will not fail on common permission errors (world writable files, etc.)
+
+- `nofixperms` If set, xbps-src will not fix common permission errors (executable manpages, etc.)
+
 <a id="explain_depends"></a>
 #### About the many types of `depends` variables
 
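Review bot: both new Manual.md entries end in "etc.", which leaves a packager guessing what the hook actually does. The `nocheckperms` entry should say that the check is for world-writable regular files, and the `nofixperms` entry should list the directories that are forced to 644 or point at common/hooks/post-install/14-fix-permissions.sh. Because common/environment/setup-subpkg/subpkg.sh in this patch unsets both variables, the entries should also say whether a value set at the top of a template applies to subpackages.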
diff --git a/common/environment/setup-subpkg/subpkg.sh b/common/environment/setup-subpkg/subpkg.sh
index 0243d2400481..6edab5d882e1 100644
--- a/common/environment/setup-subpkg/subpkg.sh
+++ b/common/environment/setup-subpkg/subpkg.sh
@@ -8,6 +8,9 @@ unset -v depends run_depends replaces provides conflicts tags
 # hooks/post-install/03-strip-and-debug-pkgs
 unset -v nostrip nostrip_files
 
+# hooks/post-install/14-fix-permissions
+unset -v nocheckperms nofixperms
+
 # hooks/pre-pkg/04-generate-runtime-deps
 unset -v noverifyrdeps skiprdeps allow_unknown_shlibs shlib_requires
 
diff --git a/common/hooks/post-install/14-fix-permissions.sh b/common/hooks/post-install/14-fix-permissions.sh
new file mode 100644
index 000000000000..57b76ae9f485
--- /dev/null
+++ b/common/hooks/post-install/14-fix-permissions.sh
@@ -0,0 +1,33 @@
+# This hook fixes permissions in common places
+
+change_file_perms() {
+	local dir="${PKGDESTDIR}${1}"
+	# permission mask for matching the files
+	local permmask="$2"
+	# permissions which will be set on matched files
+	local perms="$3"
+	if [ -d "$dir" ]; then
+		find "$dir" -type f -perm "/$permmask" -exec chmod -v "$perms" {} +
+	fi
+}
+
+hook() {
+	if [ -z "$nocheckperms" ]; then
+		# check that no files have permission write for all users
+		find "$PKGDESTDIR" -type f -perm -0002 | while read -r file; do
+			msg_error "$pkgver: file ${file#$PKGDESTDIR} has write permission for all users\n"
+		done
+	fi
+
+	if [ -z "$nofixperms" ]; then
+		change_file_perms "/usr/share/man" 133 644
+		change_file_perms "/etc/apparmor.d" 111 644
+		change_file_perms "/usr/share/applications" 133 644
+		change_file_perms "/usr/share/help" 133 644
+		change_file_perms "/usr/share/icons" 133 644
+		change_file_perms "/usr/share/locale" 133 644
+		change_file_perms "/usr/share/metainfo" 133 644
+		change_file_perms "/usr/share/appdata" 133 644
+		change_file_perms "/usr/include" 133 644
+	fi
+}
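Review bot: in hook(), the world-writable check pipes `find` into `while read -r file`, so under bash the loop body runs in a subshell; if msg_error stops the build by exiting, that exit only ends the subshell and hook() carries on into the nofixperms block. Consider collecting the matches first and failing once after the loop, which would also list every offending file in one run. Separately, `change_file_perms "/etc/apparmor.d" 111 644` does not match the 600 stated in the PR description: with mask 111 only profiles with an execute bit are touched, and they end up 644, so the 640 and 644 cases listed in the description are left as they are. Likewise mask 133 does not match a 444 manpage, although the description says the rule matches 444 too. The check is also limited to `-type f`, so a world-writable directory without the sticky bit passes.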

From b21917e051bcb79fa3dd6feb777ed2dd7ad78fa4 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Sun, 8 Aug 2021 13:13:01 +0200
Subject: [PATCH 02/10] python3-simplegeneric: fix permissions

---
 srcpkgs/python3-simplegeneric/template | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/srcpkgs/python3-simplegeneric/template b/srcpkgs/python3-simplegeneric/template
index 1d52210254c4..e5972608a2a3 100644
--- a/srcpkgs/python3-simplegeneric/template
+++ b/srcpkgs/python3-simplegeneric/template
@@ -1,7 +1,7 @@
 # Template file for 'python3-simplegeneric'
 pkgname=python3-simplegeneric
 version=0.8.1
-revision=6
+revision=7
 wrksrc="simplegeneric-${version}"
 build_style=python3-module
 hostmakedepends="unzip python3-setuptools"
@@ -12,3 +12,7 @@ license="ZPL-2.1"
 homepage="https://pypi.org/project/simplegeneric/"
 distfiles="${PYPI_SITE}/s/simplegeneric/simplegeneric-${version}.zip"
 checksum=dc972e06094b9af5b855b3df4a646395e43d1c9d0d39ed345b7393560d0b9173
+
+post_install() {
+	chmod -R o-w ${DESTDIR}/usr/lib/python*/site-packages/*.egg-info/
+}
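Review bot: in post_install, `${DESTDIR}` is unquoted in the chmod line; writing it as `"${DESTDIR}"/usr/lib/python*/site-packages/*.egg-info/` keeps the globs expanding while protecting the destination path from word splitting. `o-w` also leaves any group-write bit in place, which should be a deliberate choice. The identical line is added to python3-olefile in patch 03, and both templates use build_style=python3-module with a .zip distfile, so handling this once in the build style or in the new hook would avoid per-template copies.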

From 3aee72bf793f04e20d28dd44ecaf9a5ef9c33bad Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Sun, 8 Aug 2021 13:14:01 +0200
Subject: [PATCH 03/10] python3-olefile: fix permissions

---
 srcpkgs/python3-olefile/template | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/srcpkgs/python3-olefile/template b/srcpkgs/python3-olefile/template
index d76ec0ee8adc..4213ca32532f 100644
--- a/srcpkgs/python3-olefile/template
+++ b/srcpkgs/python3-olefile/template
@@ -1,7 +1,7 @@
 # Template file for 'python3-olefile'
 pkgname=python3-olefile
 version=0.46
-revision=4
+revision=5
 wrksrc="olefile-${version}"
 build_style=python3-module
 hostmakedepends="unzip python3-setuptools"
@@ -14,5 +14,6 @@ distfiles="${PYPI_SITE}/o/olefile/olefile-${version}.zip"
 checksum=133b031eaf8fd2c9399b78b8bc5b8fcbe4c31e85295749bb17a87cba8f3c3964
 
 post_install() {
+	chmod -R o-w ${DESTDIR}/usr/lib/python*/site-packages/*.egg-info/
 	vlicense LICENSE.txt
 }

From 4315851c479affbdcb40ec5e6d40785a10573866 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Sun, 8 Aug 2021 13:16:40 +0200
Subject: [PATCH 04/10] brother-brscan3: fix permissions

---
 srcpkgs/brother-brscan3/template | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/srcpkgs/brother-brscan3/template b/srcpkgs/brother-brscan3/template
index 38bf432986e9..4ca8965c65a3 100644
--- a/srcpkgs/brother-brscan3/template
+++ b/srcpkgs/brother-brscan3/template
@@ -1,7 +1,7 @@
 # Template file for 'brother-brscan3'
 pkgname=brother-brscan3
 version=0.2.13
-revision=1
+revision=2
 archs="i686 x86_64"
 create_wrksrc=yes
 hostmakedepends="tar"
@@ -44,6 +44,7 @@ do_install() {
 	ln -sf /usr/lib/libbrscandec3.so.1.0.0 ${DESTDIR}/usr/lib/libbrscandec3.so
 	vmkdir /opt/Brother
 	vcopy "./usr/local/Brother/*" /opt/Brother/
+	chmod o-w ${DESTDIR}/opt/Brother/sane/brsanenetdevice3.cfg
 	vlicense LICENSE
 }
 
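Review bot: the chmod in do_install targets a single file, sane/brsanenetdevice3.cfg, right after `vcopy "./usr/local/Brother/*"` copies the whole vendor tree. A short comment saying why this file ships world-writable, and confirming that nothing needs to write to it as a non-root user, would help, given that patches 08 to 10 opt out of the check for files that are written at run time. `${DESTDIR}` should also be quoted.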

From 4dc1cf6c3cddccdc465e1dd266bc0d20cf60d60a Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Sun, 8 Aug 2021 13:18:24 +0200
Subject: [PATCH 05/10] heyu: fix permissions

---
 srcpkgs/heyu/template | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/srcpkgs/heyu/template b/srcpkgs/heyu/template
index 93b3ad7cc582..2537b473e4fa 100644
--- a/srcpkgs/heyu/template
+++ b/srcpkgs/heyu/template
@@ -1,7 +1,7 @@
 # Template file for 'heyu'
 pkgname=heyu
 version=2.10.1
-revision=3
+revision=4
 build_style=configure
 configure_script="./Configure"
 configure_args="linux"
@@ -26,7 +26,7 @@ do_install() {
 	vbin heyu
 
 	vmkdir etc/heyu
-	vinstall x10config.sample 0666 etc/heyu x10.conf
+	vinstall x10config.sample 0644 etc/heyu x10.conf
 
 	vman heyu.1
 	vman x10config.5

From 1ac21178fe6a33b8c18841ae8b3bf760eeaf3c47 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Sun, 8 Aug 2021 13:21:30 +0200
Subject: [PATCH 06/10] occt: fix permissions

---
 srcpkgs/occt/template | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/srcpkgs/occt/template b/srcpkgs/occt/template
index 9298edc76e08..bbf04b932396 100644
--- a/srcpkgs/occt/template
+++ b/srcpkgs/occt/template
@@ -2,7 +2,7 @@
 pkgname=occt
 reverts=7.5.0_1
 version=7.4.0p1
-revision=3
+revision=4
 _gittag="V${version//./_}"
 wrksrc=occt-${_gittag}
 build_style=cmake
@@ -27,6 +27,7 @@ post_install() {
 
 	vmkdir /etc/profile.d
 	vinstall ${FILESDIR}/opencascade.sh 644 /etc/profile.d
+	chmod 755 ${DESTDIR}/usr/bin/draw.sh
 }
 
 occt-devel_package() {

From f02d794ab9481b57dd56b0da77920146d8c02bfd Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Sun, 8 Aug 2021 14:40:25 +0200
Subject: [PATCH 07/10] vscode: fix permissions

---
 srcpkgs/vscode/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/vscode/template b/srcpkgs/vscode/template
index 24e5aca3b26a..be9c90ea2294 100644
--- a/srcpkgs/vscode/template
+++ b/srcpkgs/vscode/template
@@ -66,4 +66,5 @@ do_install() {
 		-e 's|"$CLI"|"$CLI" --app="${VSCODE_PATH}/resources/app"|g' \
 		-i "$DESTDIR"/usr/lib/code-oss/bin/code-oss
 	vlicense LICENSE.txt
+	chmod -R o-w ${DESTDIR}/usr/lib/code-oss/resources/app/
 }
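Review bot: this patch changes installed file modes but, unlike the other templates in the series, does not bump `revision` (the diffstat shows a single insertion), so already built packages would not pick up the corrected modes under /usr/lib/code-oss/resources/app/ until the next update. If that is intentional, say so in the commit message. `${DESTDIR}` is also unquoted in the new line, while the sed invocation just above it uses `"$DESTDIR"`.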

From 5f9012175bdce2a86adad4adbff115827e4dd3d7 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Sat, 14 Aug 2021 20:34:21 +0200
Subject: [PATCH 08/10] lbreakout2: do not check file permissions

---
 srcpkgs/lbreakout2/template | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/srcpkgs/lbreakout2/template b/srcpkgs/lbreakout2/template
index 00eee1c29030..72e535247672 100644
--- a/srcpkgs/lbreakout2/template
+++ b/srcpkgs/lbreakout2/template
@@ -1,7 +1,7 @@
 # Template file for 'lbreakout2'
 pkgname=lbreakout2
 version=2.6.5
-revision=2
+revision=3
 build_style=gnu-configure
 configure_args="--enable-sdl-net --localstatedir=/var/games/$pkgname"
 make_install_args="doc_dir=/usr/share/doc"
@@ -12,6 +12,7 @@ license="GPL-2.0-or-later"
 homepage="http://lgames.sourceforge.net"
 distfiles="${SOURCEFORGE_SITE}/lgames/$pkgname-$version.tar.gz"
 checksum=9104d6175553da3442dc6a5fc407a669e2f5aff3eedc5d30409eb003b7a78d6f
+nocheckperms=yes # uses a world-writable .hscr file for global leaderboard
 
 post_install() {
 	vinstall ${FILESDIR}/lbreakout2.desktop 644 usr/share/applications
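Review bot: `nocheckperms=yes` turns off the whole world-writable check for the package in order to allow one .hscr file, so any other world-writable file the build installs would now pass unnoticed. A narrower opt-out, such as a variable listing the paths that are allowed to be world-writable, would keep the check active for the rest of the package. The same applies to lbreakouthd and ltris in patches 09 and 10.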

From 797f9682f69e48afc799214f2b843e685f986bcd Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Sat, 14 Aug 2021 20:34:41 +0200
Subject: [PATCH 09/10] lbreakouthd: do not check file permissions

---
 srcpkgs/lbreakouthd/template | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/srcpkgs/lbreakouthd/template b/srcpkgs/lbreakouthd/template
index 1f9accfb4ab9..f5e6c2fef8d3 100644
--- a/srcpkgs/lbreakouthd/template
+++ b/srcpkgs/lbreakouthd/template
@@ -1,7 +1,7 @@
 # Template file for 'lbreakouthd'
 pkgname=lbreakouthd
 version=1.0.6
-revision=1
+revision=2
 build_style=gnu-configure
 configure_args="--localstatedir=/var/${pkgname}"
 makedepends="SDL2-devel SDL2_mixer-devel SDL2_image-devel SDL2_ttf-devel"
@@ -11,3 +11,4 @@ license="GPL-2.0-or-later"
 homepage="http://lgames.sourceforge.net/LBreakoutHD/"
 distfiles="${SOURCEFORGE_SITE}/lgames/$pkgname-$version.tar.gz"
 checksum=df5f8ad88bcf20bd34e1dfd77697b49a168d83ad43d8fdf5a3fee1fe272e15bd
+nocheckperms=yes # uses a world-writable .hscr file for global leaderboard

From f1fa3f6becc123cd1aa4db6d393c7d3e53aa29b2 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Sat, 14 Aug 2021 20:34:44 +0200
Subject: [PATCH 10/10] ltris: do not check file permissions

---
 srcpkgs/ltris/template | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/srcpkgs/ltris/template b/srcpkgs/ltris/template
index b2484148df6b..8286b070561c 100644
--- a/srcpkgs/ltris/template
+++ b/srcpkgs/ltris/template
@@ -1,7 +1,7 @@
 # Template file for 'ltris'
 pkgname=ltris
 version=1.2.3
-revision=1
+revision=2
 build_style=gnu-configure
 configure_args="--localstatedir=/var/games/ltris"
 hostmakedepends="bison"
@@ -12,4 +12,5 @@ license="GPL-2.0-or-later"
 homepage="http://lgames.sourceforge.net/index.php?project=LTris"
 distfiles="${SOURCEFORGE_SITE}/lgames/$pkgname-$version.tar.gz"
 checksum=0ec4ad053e066a296529e923c2f626fa0a19c094c5ae03e44359f9c9e50955a8
+nocheckperms=yes # uses a world-writable .hscr file for global leaderboard
 CFLAGS+=" -fgnu89-inline"
