GNU bug report logs - #51442
Non-default umask when using guix system leads to wrong file permissions

Previous Next

Package: guix;

Reported by: Josselin Poiret <dev <at> jpoiret.xyz>

Date: Wed, 27 Oct 2021 15:25:01 UTC

Severity: important

To reply to this bug, email your comments to 51442 AT debbugs.gnu.org.

Toggle the display of automated, internal messages from the tracker.

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to bug-guix <at> gnu.org:
bug#51442; Package guix. (Wed, 27 Oct 2021 15:25:01 GMT) Full text and rfc822 format available.
Acknowledgement sent to Josselin Poiret <dev <at> jpoiret.xyz>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Wed, 27 Oct 2021 15:25:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Josselin Poiret <dev <at> jpoiret.xyz>
To: bug-guix <at> gnu.org
Subject: Non-default umask when using guix system leads to wrong file
 permissions
Date: Wed, 27 Oct 2021 15:24:20 +0000

Hi,

As reported on IRC by wonko
(https://logs.guix.gnu.org/guix/2021-10-27.log#115445), when running
‘guix system’ under a different umask, some files are created with the
wrong permissions.  This can happen because ‘sudo’ does by default keeps
the umask it is running on (by ORing it with the default one, often
022).

I'm not sure what would be the best way to go about this, I suggest
checking if umask == #o022, and if not, print a warning and set it to
#o022, and only in ‘guix system’.

What do you think?

Best,
Josselin Poiret
Severity set to 'important' from 'normal' Request was from Ludovic Courtès <ludo <at> gnu.org> to control <at> debbugs.gnu.org. (Thu, 28 Oct 2021 22:46:01 GMT) Full text and rfc822 format available.
Information forwarded to bug-guix <at> gnu.org:
bug#51442; Package guix. (Fri, 29 Oct 2021 19:12:01 GMT) Full text and rfc822 format available.

Message #10 received at 51442 <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org>
To: Josselin Poiret <dev <at> jpoiret.xyz>
Cc: 51442 <at> debbugs.gnu.org
Subject: Re: bug#51442: Non-default umask when using guix system leads to
 wrong file permissions
Date: Fri, 29 Oct 2021 21:10:52 +0200

[Message part 1 (text/plain, inline)]
Hi,

Josselin Poiret <dev <at> jpoiret.xyz> skribis:

> As reported on IRC by wonko
> (https://logs.guix.gnu.org/guix/2021-10-27.log#115445),

wonko mentions files in /etc (those are created by the activation
snippets).

> when running ‘guix system’ under a different umask, some files are
> created with the wrong permissions.  This can happen because ‘sudo’
> does by default keeps the umask it is running on (by ORing it with the
> default one, often 022).
>
> I'm not sure what would be the best way to go about this, I suggest
> checking if umask == #o022, and if not, print a warning and set it to
> #o022, and only in ‘guix system’.

Perhaps the best fix would be to set the umask explicitly before
activation snippets run, like so (untested):


[Message part 2 (text/x-patch, inline)]
diff --git a/gnu/services.scm b/gnu/services.scm
index 1655218f2d..b79436d3f3 100644
--- a/gnu/services.scm
+++ b/gnu/services.scm
@@ -617,6 +617,10 @@ (define actions
                       (use-modules (gnu build activation)
                                    (guix build utils))
 
+                      ;; Set the correct umask so files are created with the
+                      ;; expected permissions.
+                      (umask #o022)
+
                       ;; Make sure the user accounting database exists.  If it
                       ;; does not exist, 'setutxent' does not create it and
                       ;; thus there is no accounting at all.

[Message part 3 (text/plain, inline)]
WDYT?

Thanks,
Ludo’.
Information forwarded to bug-guix <at> gnu.org:
bug#51442; Package guix. (Sat, 30 Oct 2021 20:49:02 GMT) Full text and rfc822 format available.

Message #13 received at 51442 <at> debbugs.gnu.org (full text, mbox):

From: Josselin Poiret <dev <at> jpoiret.xyz>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: 51442 <at> debbugs.gnu.org
Subject: Re: bug#51442: Non-default umask when using guix system leads to
 wrong file permissions
Date: Sat, 30 Oct 2021 20:48:18 +0000

Hi,

Ludovic Courtès <ludo <at> gnu.org> writes:
> Perhaps the best fix would be to set the umask explicitly before
> activation snippets run, like so (untested):
> [snip]
> WDYT?

I forgot about those too! I guess they're run in two different contexts:
once when `guix reconfigure` happens, and another one in the boot
script. This would work here, but not be nearly enough: in init, you
also have the populate-root-file-system procedure which will create many
directories without set permissions, and if they are created with a-r,
it will also cause havok (I think the first issue wonko reported was
about the directories not being readable).

I still think that the whole init/reconfigure commands should have their
umask set to #o022 as a sane default, even for future changes to them:
whatever they're touching is supposed to be "the system" itself and not
user files, so inherited user-set umasks shouldn't matter. It just feels
like we're trying to fight back against 'sudo' preserving things when it
shouldn't but alas.

Best,
Josselin Poiret
This bug report was last modified 3 years and 232 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.