Canonical Click Reviewers tools (obsolete)

Restrictive umask and permissions may cause a built snap to be unusable

Bug #1515394 reported by Bruno Nova
16
This bug affects 3 people
Affects Status Importance Assigned to Milestone
Canonical Click Reviewers tools (obsolete)
Won't Fix
Undecided
Unassigned
Snapcraft
Won't Fix
High
Unassigned
Snappy
Won't Fix
Undecided
Unassigned

Bug Description

I use the umask 007 in my system.

When I built a test package with snapcraft and installed it in a Snappy Core system, most of the files and folders of the package where not accessible by the "other" users, and thus I couldn't run the binaries (no permission).

I think snappy/snapcraft should make some permissions/umask checks.

Maybe snapcraft or "snappy build" should check the permissions of all packaged files and directories (like how the Debian build tools do), and either correct the permissions or warn the user about files that have strange permissions.
Snapcraft could also enforce an umask of 002 or 022.

See original description
Bruno Nova (brunonova)
description: updated
Revision history for this message
Mark Shuttleworth (sabdfl) wrote : Re: [Bug 1515394] [NEW] Restrictive umask and permissions may cause a built snap to be unusable

Yes, it makes sense that snapcraft check the package for usefulness,
good catch, thank you!

Revision history for this message
Sergio Schvezov (sergiusens) wrote :

For 15.04 this is more of a snappy project problem. For 16.04 it is all snapcraft.

Changed in snapcraft:
status: New → Triaged
Sergio Schvezov (sergiusens)
Changed in snapcraft:
importance: Undecided → High
Sergio Schvezov (sergiusens)
Changed in snapcraft:
milestone: none → next
Sergio Schvezov (sergiusens)
Changed in snapcraft:
milestone: 2.3 → next
Sergio Schvezov (sergiusens)
Changed in snapcraft:
assignee: nobody → Sergio Schvezov (sergiusens)
Sergio Schvezov (sergiusens)
Changed in snapcraft:
status: Triaged → In Progress
Sergio Schvezov (sergiusens)
Changed in snapcraft:
milestone: 2.4 → next
Sergio Schvezov (sergiusens)
Changed in snapcraft:
milestone: next → none
Revision history for this message
Michael Vogt (mvo) wrote :

I agree that this is a very useful thing to check in snapcraft and in the reviewers tools. However it feels like snappy itself should not force a policy for the snap content, there may be legit use-cases for restrictive permissions. I close the task for snappy itself, please reopen with a rational if you feel snappy itself should check this too.

Changed in snappy:
status: New → Won't Fix
Revision history for this message
Kyle Fazzari (kyrofa) wrote :

This may be irrelevant now that we're based on squashfs and using -no-xattrs. This needs to be revisited.

Changed in snapcraft:
status: In Progress → Confirmed
Revision history for this message
Leon (leonbo) wrote :

This issue stil exists:

http://paste.ubuntu.com/21187624/

Working version: http://paste.ubuntu.com/21186621/

Revision history for this message
Leon (leonbo) wrote :

For a discussion about that, see: https://irclogs.ubuntu.com/2016/07/27/%23snappy.txt (around 20:08, <LBo> & <kyrofa>).

Leo Arias (elopio)
Changed in snapcraft:
assignee: Sergio Schvezov (sergiusens) → nobody
status: Confirmed → Triaged
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

I think it would be useful for snapcraft to perform a check for usefulness and perhaps give feedbackc during 'snapcraft build'. While the review tools have some checks for particularly weird permissions, they can't second-guess the developer's intent who may have intentionally set the permissions. I'm going to close the review tools bug as "Won't Fix" for now, but I can re-open it if needed.

Changed in click-reviewers-tools:
status: New → Won't Fix
Revision history for this message
Sergio Schvezov (sergiusens) wrote :

consistent build environments make this a non issue for the general case

Changed in snapcraft:
status: Triaged → Won't Fix
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.