From: Josselin Poiret
To: bug-guix@gnu.org
Date: Wed, 27 Oct 2021 15:24:20 +0000
Subject: bug#51442: Non-default umask when using guix system leads to wrong file permissions
Message-ID: <87wnlya3tn.fsf@jpoiret.xyz>

Hi,

As reported on IRC by wonko
(https://logs.guix.gnu.org/guix/2021-10-27.log#115445), when running
‘guix system’ under a different umask, some files are created with the
wrong permissions.  This can happen because ‘sudo’ by default keeps
the umask it is running on (by ORing it with the default one, often
022).

I'm not sure what would be the best way to go about this, I suggest
checking if umask == #o022, and if not, print a warning and set it to
#o022, and only in ‘guix system’.

What do you think?

Best,
Josselin Poiret

From: Ludovic Courtès
To: control@debbugs.gnu.org
Date: Fri, 29 Oct 2021 00:45:12 +0200
Subject: control message for bug #51442
Message-Id: <875ytg4vlz.fsf@gnu.org>

severity 51442 important
quit

From: Ludovic Courtès
To: Josselin Poiret
Cc: 51442@debbugs.gnu.org
Date: Fri, 29 Oct 2021 21:10:52 +0200
Subject: bug#51442: Non-default umask when using guix system leads to wrong file permissions
Message-ID: <87k0hvy7cz.fsf@gnu.org>
In-Reply-To: <87wnlya3tn.fsf@jpoiret.xyz>

Hi,

Josselin Poiret skribis:

> As reported on IRC by wonko
> (https://logs.guix.gnu.org/guix/2021-10-27.log#115445),

wonko mentions files in /etc (those are created by the activation
snippets).

> when running ‘guix system’ under a different umask, some files are
> created with the wrong permissions.  This can happen because ‘sudo’
> by default keeps the umask it is running on (by ORing it with the
> default one, often 022).
>
> I'm not sure what would be the best way to go about this, I suggest
> checking if umask == #o022, and if not, print a warning and set it to
> #o022, and only in ‘guix system’.

Perhaps the best fix would be to set the umask explicitly before
activation snippets run, like so (untested):

diff --git a/gnu/services.scm b/gnu/services.scm index 1655218f2d..b79436d3f3 100644 --- a/gnu/services.scm +++ b/gnu/services.scm 
@@ -617,6 +617,10 @@ (define actions (use-modules (gnu build activation) (guix build utils)) + ;; Set the correct umask so files are created with the + ;; expected permissions. + (umask #o022) + ;; Make sure the user accounting database exists. If it ;; does not exist, 'setutxent' does not create it and ;; thus there is no accounting at all.

WDYT?

Thanks,
Ludo’.

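Review bot: the `(umask #o022)` call is placed inside the activation code in gnu/services.scm, so it only protects files created by code that runs after it in that script; anything created by other parts of `guix system` still uses the umask inherited from the caller (the follow-up in this thread names `populate-root-file-system` in init as one such path). Consider also setting the umask at the entry of the init/reconfigure commands, and extend the comment to say which umask is being overridden (the one inherited from the invoking user, for example through sudo) so the reason for the call stays clear. Since the message marks the patch as untested, it would be worth checking the resulting modes of files under /etc after running the command under a restrictive umask before merging.
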
From: Josselin Poiret
To: Ludovic Courtès
Cc: 51442@debbugs.gnu.org
Date: Sat, 30 Oct 2021 20:48:18 +0000
Subject: bug#51442: Non-default umask when using guix system leads to wrong file permissions
Message-ID: <87zgqqz1bh.fsf@jpoiret.xyz>
In-Reply-To: <87k0hvy7cz.fsf@gnu.org>

Hi,

Ludovic Courtès writes:

> Perhaps the best fix would be to set the umask explicitly before
> activation snippets run, like so (untested):
> [snip]
> WDYT?

I forgot about those too!  I guess they're run in two different
contexts: once when `guix reconfigure` happens, and another one in the
boot script.  This would work here, but not be nearly enough: in init,
you also have the populate-root-file-system procedure which will create
many directories without set permissions, and if they are created with
a-r, it will also cause havoc (I think the first issue wonko reported
was about the directories not being readable).

I still think that the whole init/reconfigure commands should have their
umask set to #o022 as a sane default, even for future changes to them:
whatever they're touching is supposed to be "the system" itself and not
user files, so inherited user-set umasks shouldn't matter.  It just
feels like we're trying to fight back against 'sudo' preserving things
when it shouldn't but alas.

Best,
Josselin Poiret
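
The mechanism discussed in this thread, as an added shell example that is not part of the original messages or of Guix: it computes the umask a command ends up with when sudo ORs the caller's umask with its own, then creates a directory and a file without explicit modes with and without resetting the umask to 022 first. The function names and temporary paths are made up for the illustration, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added illustration, not Guix code: function names and paths are made up.

# With sudo's default policy the command runs under the union (bitwise OR)
# of the invoking user's umask and sudo's own umask, so a restrictive user
# umask survives.  $1 = user's umask, $2 = sudo's umask (both octal).
sudo_effective_umask() {
    printf '%04o\n' $(( 0$1 | 0$2 ))
}

# Create a directory and a file without explicit modes, as an activation
# step might, and print their resulting modes ("<dir> <file>").
# $1 = inherited umask; $2 = "fix" to reset the umask to 022 first,
# which is what the proposed (umask #o022) call does.
activation_modes() {
    (
        umask "$1"
        if [ "${2:-}" = fix ]; then umask 022; fi
        d=$(mktemp -d) || exit 1
        mkdir "$d/etc"
        : > "$d/etc/hosts"
        printf '%s %s\n' "$(stat -c %a "$d/etc")" "$(stat -c %a "$d/etc/hosts")"
        rm -rf "$d"
    )
}

inherited=$(sudo_effective_umask 077 022)
echo "umask seen by the command:  $inherited"
echo "modes without the fix:      $(activation_modes "$inherited")"
echo "modes with umask reset:     $(activation_modes "$inherited" fix)"
```

A caller umask that is looser than sudo's (002 against 022) is tightened to 022 by the same OR, which is why the problem only shows up for stricter umasks.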