#11676: sage-pkg does not force world-readable permissions
-------------------------------+--------------------------------------------
   Reporter:  AlexanderDreyer  |          Owner:  AlexanderDreyer         
       Type:  enhancement      |         Status:  needs_info              
   Priority:  major            |      Milestone:  sage-4.7.2              
  Component:  scripts          |       Keywords:  chmod umask install mode
Work_issues:                   |       Upstream:  N/A                     
   Reviewer:                   |         Author:  Alexander Dreyer        
     Merged:                   |   Dependencies:                          
-------------------------------+--------------------------------------------

Comment(by AlexanderDreyer):

 Replying to [comment:27 leif]:
 > Well, in principle only files that are to be ''copied'' (with `-p`) into
 > the Sage installation tree should have 0644 or 0755 permissions (one
 > should usually use some BSD-like `install` where this isn't an issue at
 > all), but it's of course nearly impossible to check that when doing an
 > automatic "sanity" check on an spkg.
 The installation tree of that old spkg had always been sane, since
 !PolyBoRi enforces the permissions on install.

 The permissions in the source tree were considered as buggy. But if you
 want specific permissions in the source, you need a tool to either enforce
 or check this. (That patch for checking would be trivial. I'll provide it,
 if there's a chance for a review.)

 > FWIW, doing
 [...]
 > you can achieve the same.
 Right, but others could be trapped in the same way.

 > (I personally don't think privacy really matters here, especially since
 > you can fake arbitrary user/group names or IDs, and your e-mail address
 > should be contained in the log anyway.  Instead, it is IMHO useful to see
 > who packaged an spkg, modulo that there need not be a relation to a user
 > you really know.  Alternatively, you could also use ''numeric'' UIDs/GIDs
 > for the tarball in case you feel using your real logname is dangerous from
 > a security point of view.)
 My group id encodes part of my institute's organization and even details
 of my contract (if you know how to read it). If you want security you need
 to sign spkgs. But that's another quest.

-- 
Ticket URL: <http://trac.sagemath.org/sage_trac/ticket/11676#comment:28>
Sage <http://www.sagemath.org>
Sage: Creating a Viable Open Source Alternative to Magma, Maple, Mathematica, 
and MATLAB
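
An added illustration, not part of the ticket and not code from Sage's sage-pkg: a Python check of the kind discussed in the comment above, which audits a package tarball for members that are not world-readable or that carry the packager's user/group identity, together with a filter that normalizes both. The function names, the policy of zeroing uid/gid and blanking names, and the sample archive are assumptions constructed for the example.

```python
import io
import stat
import tarfile

def audit(data):
    """Return (name, problem) pairs for members that are not world-readable
    or that carry packager identity (user/group names or non-zero ids)."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data)) as tar:
        for m in tar.getmembers():
            if m.issym() or m.islnk():
                continue  # permissions stored on links are not meaningful
            # Directories and executables need r-x for others, other files r--.
            need = 0o005 if m.isdir() or m.mode & stat.S_IXUSR else 0o004
            if (m.mode & need) != need:
                findings.append((m.name, "mode %04o" % m.mode))
            if m.uname or m.gname or m.uid or m.gid:
                findings.append((m.name, "owner %s(%d):%s(%d)"
                                 % (m.uname, m.uid, m.gname, m.gid)))
    return findings

def normalize(m):
    """Force 0755/0644 and drop ownership (assumed policy: ids 0, no names)."""
    m.mode = 0o755 if m.isdir() or m.mode & stat.S_IXUSR else 0o644
    m.uid = m.gid = 0
    m.uname = m.gname = ""
    return m

def build_sample(fix=None):
    """Constructed sample archive: restrictive modes and made-up packager ids."""
    members = [("pkg-1.0", tarfile.DIRTYPE, 0o700),
               ("pkg-1.0/spkg-install", tarfile.REGTYPE, 0o750),
               ("pkg-1.0/SPKG.txt", tarfile.REGTYPE, 0o600)]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, kind, mode in members:
            m = tarfile.TarInfo(name)
            m.type, m.mode = kind, mode
            m.uid, m.gid, m.uname, m.gname = 1234, 5678, "jdoe", "inst-b7"
            tar.addfile(fix(m) if fix else m)  # empty files, no payload needed
    return buf.getvalue()

if __name__ == "__main__":
    for name, problem in audit(build_sample()):
        print("%-24s %s" % (name, problem))
    print("after normalize:", audit(build_sample(normalize)))
```

When archiving a real directory, the same `normalize` function can be passed as the `filter` argument of `TarFile.add`.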
