From ab642a7736841e245f19ef682a0dc608ed761a88 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Fri, 2 Jul 2021 01:04:48 +0200
Subject: [PATCH 01/10] hooks/post-install: add fix permissions hook

---
 Manual.md                                     |  4 +++
 common/environment/setup-subpkg/subpkg.sh     |  3 ++
 .../hooks/post-install/14-fix-permissions.sh  | 33 +++++++++++++++++++
 3 files changed, 40 insertions(+)
 create mode 100644 common/hooks/post-install/14-fix-permissions.sh

diff --git a/Manual.md b/Manual.md
index 4316363f66c4..890457819e1c 100644
--- a/Manual.md
+++ b/Manual.md
@@ -760,6 +760,10 @@ Examples:
 	```
 A special value `noarch` used to be available, but has since been removed.
 
+- `nocheckperms` If set, xbps-src will not fail on common permission errors (world writable files, etc.)
+
+- `nofixperms` If set, xbps-src will not fix common permission errors (executable manpages, etc.)
+
 <a id="explain_depends"></a>
 #### About the many types of `depends` variables
 
diff --git a/common/environment/setup-subpkg/subpkg.sh b/common/environment/setup-subpkg/subpkg.sh
index 0243d2400481..6edab5d882e1 100644
--- a/common/environment/setup-subpkg/subpkg.sh
+++ b/common/environment/setup-subpkg/subpkg.sh
@@ -8,6 +8,9 @@ unset -v depends run_depends replaces provides conflicts tags
 # hooks/post-install/03-strip-and-debug-pkgs
 unset -v nostrip nostrip_files
 
+# hooks/post-install/14-fix-permissions
+unset -v nocheckperms nofixperms
+
 # hooks/pre-pkg/04-generate-runtime-deps
 unset -v noverifyrdeps skiprdeps allow_unknown_shlibs shlib_requires
 
diff --git a/common/hooks/post-install/14-fix-permissions.sh b/common/hooks/post-install/14-fix-permissions.sh
new file mode 100644
index 000000000000..57b76ae9f485
--- /dev/null
+++ b/common/hooks/post-install/14-fix-permissions.sh
@@ -0,0 +1,33 @@
+# This hook fixes permissions in common places
+
+change_file_perms() {
+	local dir="${PKGDESTDIR}${1}"
+	# permission mask for matching the files
+	local permmask="$2"
+	# permissions which will be set on matched files
+	local perms="$3"
+	if [ -d "$dir" ]; then
+		find "$dir" -type f -perm "/$permmask" -exec chmod -v "$perms" {} +
+	fi
+}
+
+hook() {
+	if [ -z "$nocheckperms" ]; then
+		# check that no files have permission write for all users
+		find "$PKGDESTDIR" -type f -perm -0002 | while read -r file; do
+			msg_error "$pkgver: file ${file#$PKGDESTDIR} has write permission for all users\n"
+		done
+	fi
+
+	if [ -z "$nofixperms" ]; then
+		change_file_perms "/usr/share/man" 133 644
+		change_file_perms "/etc/apparmor.d" 111 644
+		change_file_perms "/usr/share/applications" 133 644
+		change_file_perms "/usr/share/help" 133 644
+		change_file_perms "/usr/share/icons" 133 644
+		change_file_perms "/usr/share/locale" 133 644
+		change_file_perms "/usr/share/metainfo" 133 644
+		change_file_perms "/usr/share/appdata" 133 644
+		change_file_perms "/usr/include" 133 644
+	fi
+}

From b21917e051bcb79fa3dd6feb777ed2dd7ad78fa4 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Sun, 8 Aug 2021 13:13:01 +0200
Subject: [PATCH 02/10] python3-simplegeneric: fix permissions

---
 srcpkgs/python3-simplegeneric/template | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/srcpkgs/python3-simplegeneric/template b/srcpkgs/python3-simplegeneric/template
index 1d52210254c4..e5972608a2a3 100644
--- a/srcpkgs/python3-simplegeneric/template
+++ b/srcpkgs/python3-simplegeneric/template
@@ -1,7 +1,7 @@
 # Template file for 'python3-simplegeneric'
 pkgname=python3-simplegeneric
 version=0.8.1
-revision=6
+revision=7
 wrksrc="simplegeneric-${version}"
 build_style=python3-module
 hostmakedepends="unzip python3-setuptools"
@@ -12,3 +12,7 @@ license="ZPL-2.1"
 homepage="https://pypi.org/project/simplegeneric/"
 distfiles="${PYPI_SITE}/s/simplegeneric/simplegeneric-${version}.zip"
 checksum=dc972e06094b9af5b855b3df4a646395e43d1c9d0d39ed345b7393560d0b9173
+
+post_install() {
+	chmod -R o-w ${DESTDIR}/usr/lib/python*/site-packages/*.egg-info/
+}

From 3aee72bf793f04e20d28dd44ecaf9a5ef9c33bad Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Sun, 8 Aug 2021 13:14:01 +0200
Subject: [PATCH 03/10] python3-olefile: fix permissions

---
 srcpkgs/python3-olefile/template | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/srcpkgs/python3-olefile/template b/srcpkgs/python3-olefile/template
index d76ec0ee8adc..4213ca32532f 100644
--- a/srcpkgs/python3-olefile/template
+++ b/srcpkgs/python3-olefile/template
@@ -1,7 +1,7 @@
 # Template file for 'python3-olefile'
 pkgname=python3-olefile
 version=0.46
-revision=4
+revision=5
 wrksrc="olefile-${version}"
 build_style=python3-module
 hostmakedepends="unzip python3-setuptools"
@@ -14,5 +14,6 @@ distfiles="${PYPI_SITE}/o/olefile/olefile-${version}.zip"
 checksum=133b031eaf8fd2c9399b78b8bc5b8fcbe4c31e85295749bb17a87cba8f3c3964
 
 post_install() {
+	chmod -R o-w ${DESTDIR}/usr/lib/python*/site-packages/*.egg-info/
 	vlicense LICENSE.txt
 }

From 4315851c479affbdcb40ec5e6d40785a10573866 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Sun, 8 Aug 2021 13:16:40 +0200
Subject: [PATCH 04/10] brother-brscan3: fix permissions

---
 srcpkgs/brother-brscan3/template | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/srcpkgs/brother-brscan3/template b/srcpkgs/brother-brscan3/template
index 38bf432986e9..4ca8965c65a3 100644
--- a/srcpkgs/brother-brscan3/template
+++ b/srcpkgs/brother-brscan3/template
@@ -1,7 +1,7 @@
 # Template file for 'brother-brscan3'
 pkgname=brother-brscan3
 version=0.2.13
-revision=1
+revision=2
 archs="i686 x86_64"
 create_wrksrc=yes
 hostmakedepends="tar"
@@ -44,6 +44,7 @@ do_install() {
 	ln -sf /usr/lib/libbrscandec3.so.1.0.0 ${DESTDIR}/usr/lib/libbrscandec3.so
 	vmkdir /opt/Brother
 	vcopy "./usr/local/Brother/*" /opt/Brother/
+	chmod o-w ${DESTDIR}/opt/Brother/sane/brsanenetdevice3.cfg
 	vlicense LICENSE
 }
 

From 4dc1cf6c3cddccdc465e1dd266bc0d20cf60d60a Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Sun, 8 Aug 2021 13:18:24 +0200
Subject: [PATCH 05/10] heyu: fix permissions

---
 srcpkgs/heyu/template | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/srcpkgs/heyu/template b/srcpkgs/heyu/template
index 93b3ad7cc582..2537b473e4fa 100644
--- a/srcpkgs/heyu/template
+++ b/srcpkgs/heyu/template
@@ -1,7 +1,7 @@
 # Template file for 'heyu'
 pkgname=heyu
 version=2.10.1
-revision=3
+revision=4
 build_style=configure
 configure_script="./Configure"
 configure_args="linux"
@@ -26,7 +26,7 @@ do_install() {
 	vbin heyu
 
 	vmkdir etc/heyu
-	vinstall x10config.sample 0666 etc/heyu x10.conf
+	vinstall x10config.sample 0644 etc/heyu x10.conf
 
 	vman heyu.1
 	vman x10config.5

From 1ac21178fe6a33b8c18841ae8b3bf760eeaf3c47 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Sun, 8 Aug 2021 13:21:30 +0200
Subject: [PATCH 06/10] occt: fix permissions

---
 srcpkgs/occt/template | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/srcpkgs/occt/template b/srcpkgs/occt/template
index 9298edc76e08..bbf04b932396 100644
--- a/srcpkgs/occt/template
+++ b/srcpkgs/occt/template
@@ -2,7 +2,7 @@
 pkgname=occt
 reverts=7.5.0_1
 version=7.4.0p1
-revision=3
+revision=4
 _gittag="V${version//./_}"
 wrksrc=occt-${_gittag}
 build_style=cmake
@@ -27,6 +27,7 @@ post_install() {
 
 	vmkdir /etc/profile.d
 	vinstall ${FILESDIR}/opencascade.sh 644 /etc/profile.d
+	chmod 755 ${DESTDIR}/usr/bin/draw.sh
 }
 
 occt-devel_package() {

From f02d794ab9481b57dd56b0da77920146d8c02bfd Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Sun, 8 Aug 2021 14:40:25 +0200
Subject: [PATCH 07/10] vscode: fix permissions

---
 srcpkgs/vscode/template | 1 +
 1 file changed, 1 insertion(+)

diff --git a/srcpkgs/vscode/template b/srcpkgs/vscode/template
index 24e5aca3b26a..be9c90ea2294 100644
--- a/srcpkgs/vscode/template
+++ b/srcpkgs/vscode/template
@@ -66,4 +66,5 @@ do_install() {
 		-e 's|"$CLI"|"$CLI" --app="${VSCODE_PATH}/resources/app"|g' \
 		-i "$DESTDIR"/usr/lib/code-oss/bin/code-oss
 	vlicense LICENSE.txt
+	chmod -R o-w ${DESTDIR}/usr/lib/code-oss/resources/app/
 }

From 5f9012175bdce2a86adad4adbff115827e4dd3d7 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Sat, 14 Aug 2021 20:34:21 +0200
Subject: [PATCH 08/10] lbreakout2: do not check file permissions

---
 srcpkgs/lbreakout2/template | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/srcpkgs/lbreakout2/template b/srcpkgs/lbreakout2/template
index 00eee1c29030..72e535247672 100644
--- a/srcpkgs/lbreakout2/template
+++ b/srcpkgs/lbreakout2/template
@@ -1,7 +1,7 @@
 # Template file for 'lbreakout2'
 pkgname=lbreakout2
 version=2.6.5
-revision=2
+revision=3
 build_style=gnu-configure
 configure_args="--enable-sdl-net --localstatedir=/var/games/$pkgname"
 make_install_args="doc_dir=/usr/share/doc"
@@ -12,6 +12,7 @@ license="GPL-2.0-or-later"
 homepage="http://lgames.sourceforge.net"
 distfiles="${SOURCEFORGE_SITE}/lgames/$pkgname-$version.tar.gz"
 checksum=9104d6175553da3442dc6a5fc407a669e2f5aff3eedc5d30409eb003b7a78d6f
+nocheckperms=yes # uses a world-writable .hscr file for global leaderboard
 
 post_install() {
 	vinstall ${FILESDIR}/lbreakout2.desktop 644 usr/share/applications

From 797f9682f69e48afc799214f2b843e685f986bcd Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Sat, 14 Aug 2021 20:34:41 +0200
Subject: [PATCH 09/10] lbreakouthd: do not check file permissions

---
 srcpkgs/lbreakouthd/template | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/srcpkgs/lbreakouthd/template b/srcpkgs/lbreakouthd/template
index 1f9accfb4ab9..f5e6c2fef8d3 100644
--- a/srcpkgs/lbreakouthd/template
+++ b/srcpkgs/lbreakouthd/template
@@ -1,7 +1,7 @@
 # Template file for 'lbreakouthd'
 pkgname=lbreakouthd
 version=1.0.6
-revision=1
+revision=2
 build_style=gnu-configure
 configure_args="--localstatedir=/var/${pkgname}"
 makedepends="SDL2-devel SDL2_mixer-devel SDL2_image-devel SDL2_ttf-devel"
@@ -11,3 +11,4 @@ license="GPL-2.0-or-later"
 homepage="http://lgames.sourceforge.net/LBreakoutHD/"
 distfiles="${SOURCEFORGE_SITE}/lgames/$pkgname-$version.tar.gz"
 checksum=df5f8ad88bcf20bd34e1dfd77697b49a168d83ad43d8fdf5a3fee1fe272e15bd
+nocheckperms=yes # uses a world-writable .hscr file for global leaderboard

From f1fa3f6becc123cd1aa4db6d393c7d3e53aa29b2 Mon Sep 17 00:00:00 2001
From: Michal Vasilek <michal@vasilek.cz>
Date: Sat, 14 Aug 2021 20:34:44 +0200
Subject: [PATCH 10/10] ltris: do not check file permissions

---
 srcpkgs/ltris/template | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/srcpkgs/ltris/template b/srcpkgs/ltris/template
index b2484148df6b..8286b070561c 100644
--- a/srcpkgs/ltris/template
+++ b/srcpkgs/ltris/template
@@ -1,7 +1,7 @@
 # Template file for 'ltris'
 pkgname=ltris
 version=1.2.3
-revision=1
+revision=2
 build_style=gnu-configure
 configure_args="--localstatedir=/var/games/ltris"
 hostmakedepends="bison"
@@ -12,4 +12,5 @@ license="GPL-2.0-or-later"
 homepage="http://lgames.sourceforge.net/index.php?project=LTris"
 distfiles="${SOURCEFORGE_SITE}/lgames/$pkgname-$version.tar.gz"
 checksum=0ec4ad053e066a296529e923c2f626fa0a19c094c5ae03e44359f9c9e50955a8
+nocheckperms=yes # uses a world-writable .hscr file for global leaderboard
 CFLAGS+=" -fgnu89-inline"