ostree icon indicating copy to clipboard operation
ostree copied to clipboard

Published 20 hours ago verified publisher icon ostreedev

lib: unify user-mode canonical mask to 0775

Open lucab opened this issue 3 years ago • 5 comments

This aligns all canonical permissions masks to 0775, which is relevant for bare-user-only mode. Such mask is already used for user-mode pulls and checkouts; however the commit logic/modifier was using a different and smaller mask (0755), which resulted in asymmetries across operations.

Context: I noticed some misalignment around this while touching https://github.com/ostreedev/ostree/issues/2410. I guess it was supposed to be done in https://github.com/ostreedev/ostree/pull/913, but somehow it didn't happen there. I did some history reading and found https://github.com/flatpak/flatpak/pull/837#issuecomment-306737654 which seems to suggest this larger mask would be beneficial for some flatpak content.

lucab avatar Aug 25 '21 09:08 lucab

/cc @alexlarsson @cgwalters

lucab avatar Aug 25 '21 09:08 lucab

I would also like to have an ack from the flatpak maintainers before merging because this will basically mainly affect that. Looks like that may be @smcv ?

cgwalters avatar Aug 27 '21 11:08 cgwalters

Sorry, I am not in a position to make this decision on behalf of Flatpak. I'm doing some release-management stuff at the moment, and I've been working with the containerization side of Flatpak, but don't understand the "big picture" of how Flatpak interacts with libostree.

smcv avatar Aug 27 '21 15:08 smcv

From the flatpak side this should be fine. The only difference is that a new build could produce a file that has a group writeable bit set (where it was stripped before), but those would be allowed already by older flatpak versions (by the 775 validation), so should be fine.

Security wise this would mean potentially leaving a root-group writable directory in the app checkouts, which should be fine too.

alexlarsson avatar Oct 14 '21 12:10 alexlarsson

@lucab: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/images 02f86aa999a8e8becaac6fb01f9f28ca33a39ae7 link true /test images
ci/prow/fcos-e2e 02f86aa999a8e8becaac6fb01f9f28ca33a39ae7 link true /test fcos-e2e

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

openshift-ci[bot] avatar Jun 29 '23 14:06 openshift-ci[bot]