Closed Bug 254303 Opened 21 years ago Closed 21 years ago

1.7.2 tar.gz package has wrong permissions

Categories

(SeaMonkey :: Installer, defect)

Product:
SeaMonkey
Component:
Installer
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
major

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: hm, Assigned: dbaron)

References

Details

(Keywords: fixed-aviary1.0, fixed1.7.5, Whiteboard: [patch]fixed1.7.3)

Attachments

(2 files, 1 obsolete file)

patch
5.15 KB, patch
bryner
: review+
asa
: approval-aviary+
mkaply
: approval1.7.5+
asa
: approval1.8a3+
Details | Diff | Splinter Review
patch for firefox installer
1.10 KB, patch
bryner
: review+
bryner
: superreview+
asa
: approval-aviary+
Details | Diff | Splinter Review
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.2) Gecko/20040803 MultiZilla/1.6.4.0b Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.2) Gecko/20040803 MultiZilla/1.6.4.0b Just installed the tar.gz package. The package unpacks as follows: nathan:/usr/local # l mozilla/ insgesamt 5080 drwxrwxrwx 12 500 500 4096 2004-08-04 19:16 ./ drwxr-xr-x 20 root root 4096 2004-08-04 19:19 ../ -rw-r--r-- 1 root root 0 2004-08-04 19:16 .autoreg -rw-rw-rw- 1 500 500 30869 1999-10-06 04:14 LICENSE -rw-rw-rw- 1 500 500 9542 2004-03-13 07:25 README.txt -rwxrwxrwx 1 500 500 20424 2004-08-03 22:07 TestGtkEmbed* -rw-rw-rw- 1 500 500 208 2002-08-02 00:59 bloaturls.txt drwxrwxr-x 22 500 500 4096 2004-08-04 19:16 chrome/ drwxrwxrwx 4 500 500 8192 2004-08-04 19:16 components/ drwxrwxrwx 8 500 500 87 2004-08-03 21:51 defaults/ -rwxrwxrwx 1 500 500 5460 2004-08-03 22:07 dirver* -rwxrwxrwx 1 500 500 14552 2004-08-03 22:07 elf-dynstr-gc* drwxrwxrwx 2 500 500 83 2004-08-03 18:59 greprefs/ etc. etc. i.e. most dirs and files are world writable and belong to a non-root user. As a workaround, one can chmod -R go-w mozilla chown -R root.root mozilla Please correct this problem - it imposes a security risk for many non-savvy users. Reproducible: Always Steps to Reproduce: 1. 2. 3.
There's also bug 254309 for Firefox. I couldn't find any earlier bugs to dupe this against, that's hard to believe. :P
Um, what's your umask, and what version of tar are you using? My version of tar (1.13.25) respects my umask when extracting, as it should. I don't think this is a problem in our tar.gz file.
Of course this is a bug in your tarball, just do $ tar xvfpz mozilla mozilla-i686-pc-linux-gnu-1.7.2-installer.tar.gz $ ls -al mozilla/ So unpacking as a normal user can get you these permissions as well (you just have to preserve the original permissions) or unpack as root (I bet there many out there who do this). Only difference is that unpacking as root will give you some high UID/GID for the files while unpacking as a user gives you the UID/GID of your user. Fix for this is simple: Repackage the tarball with correct permissions, maybe even UID/GID 0 to avoid any confusion/errors.
(In reply to comment #3) > Um, what's your umask, and what version of tar are you using? My version of tar > (1.13.25) respects my umask when extracting, as it should. I don't think this > is a problem in our tar.gz file. I unpacked the file as root, and the standard umask is 022. tar is 1.13.25 like yours. Just look at the tar package using tar ztvf, and you see what I mean. The package has been built like this to begin with, which it should not be.
If you're using -p as one of the options to tar, you're explicitly requesting that your umask be ignored. Original reporter: were you using -p as well?
I agree about the ownership, though. We should probably run tar with --owner=0 --group=0. But I'm really not sure about running with --mode="o-w" or --mode="go-w". And while we're there, should we use --numeric-owner? For the record, what |info tar| says about -p is: `--preserve-permissions' `--same-permissions' `-p' When `tar' is extracting an archive, it normally subtracts the users' umask from the permissions specified in the archive and uses that number as the permissions to create the destination file. Specifying this option instructs `tar' that it should use the permissions directly from the archive. *Note Writing::.
(In reply to comment #7) > I agree about the ownership, though. We should probably run tar with --owner=0 > --group=0. But I'm really not sure about running with --mode="o-w" or > --mode="go-w". And while we're there, should we use --numeric-owner? I was using tar zxvf, nothing else. Yes I _could_ use -p but that doesn't change anything because I was unpacking as root which preserves everything to begin with. I just re-tried with tar zxpvf as root, umask 0022: hm@nathan:/tmp> l mozilla insgesamt 5080 drwxrwxrwx 12 hm users 4096 2004-08-03 22:07 ./ drwxrwxrwt 55 root root 12288 2004-08-05 12:38 ../ -rw-rw-rw- 1 hm users 30869 1999-10-06 04:14 LICENSE -rw-rw-rw- 1 hm users 9542 2004-03-13 07:25 README.txt -rwxrwxrwx 1 hm users 20424 2004-08-03 22:07 TestGtkEmbed* -rw-rw-rw- 1 hm users 208 2002-08-02 00:59 bloaturls.txt drwxrwxr-x 21 hm users 4096 2004-08-03 21:52 chrome/ drwxrwxrwx 4 hm users 8192 2004-08-03 22:07 components/ drwxrwxrwx 8 hm users 87 2004-08-03 21:51 defaults/ -rwxrwxrwx 1 hm users 5460 2004-08-03 22:07 dirver* ... It would be the best solution to add chmod, chown to the Makefile section that builds the tar archive. Everything else burdens non-savvy users. Please. And while you're at it, re-check the other packaging mechanisms...
Attached patch patch (obsolete) — Splinter Review
(untested)
Assignee: general → dbaron
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [patch]
Comment on attachment 155499 [details] [diff] [review] patch This does what I expect. Any opinions on o-w or go-w would be appreciated.
Attachment #155499 - Flags: review?(bryner)
Attachment #155499 - Attachment description: possible patch → patch
Attached patch patchSplinter Review
Actually, I've decided on go-w. And the first segment in the deliver.pl changes belongs to bug 231083.
Attachment #155731 - Flags: review?(bryner) → review+
Comment on attachment 155731 [details] [diff] [review] patch a=asa for 1.8a3.
Attachment #155731 - Flags: approval1.8a3? → approval1.8a3+
Fix checked in to trunk, 2004-08-16 17:14 -0700.
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
Comment on attachment 155731 [details] [diff] [review] patch a=mkaply for 1.7
Attachment #155731 - Flags: approval1.7.3? → approval1.7.3+
Fix checked in to MOZILLA_1_7_BRANCH, 2004-08-17 13:24 -0700.
Keywords: fixed1.7
Fix checked in to MOZILLA_1_7_2_BRANCH, 2004-08-27 13:35 -0700.
Whiteboard: [patch] → [patch]fixed1.7.2+
Comment on attachment 155731 [details] [diff] [review] patch a=asa for aviary checkin.
Attachment #155731 - Flags: approval-aviary? → approval-aviary+
Fix checked in to AVIARY_1_0_20040515_BRANCH, 2004-08-27 14:40 -0700.
Keywords: fixed-aviary1.0
Attachment #157344 - Flags: superreview?(bryner)
Attachment #157344 - Flags: review?(bryner)
Attachment #157344 - Flags: superreview?(bryner)
Attachment #157344 - Flags: superreview+
Attachment #157344 - Flags: review?(bryner)
Attachment #157344 - Flags: review+
Comment on attachment 157344 [details] [diff] [review] patch for firefox installer Checked in to trunk, 2004-08-30 12:57 -0700.
*** Bug 254309 has been marked as a duplicate of this bug. ***
Comment on attachment 157344 [details] [diff] [review] patch for firefox installer a=asa for branch checkin.
Attachment #157344 - Flags: approval-aviary? → approval-aviary+
Comment on attachment 157344 [details] [diff] [review] patch for firefox installer Checked in to AVIARY_1_0_20040515_BRANCH, 2004-09-01 17:34 -0700.
Whiteboard: [patch]fixed1.7.2+ → [patch]fixed1.7.3
Product: Browser → Seamonkey
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: