Package archive misses permissions

Bug #1243202 reported by Bruno on 2013-10-22
12
This bug affects 2 people
Affects Status Importance Assigned to Milestone
dateutil
Undecided
Unassigned

Bug Description

The distribution available on PyPI have all files permissions set to 600 and directories to 700.

Distributions patch this themselves when packaging python-dateutil:

https://projects.archlinux.org/svntogit/community.git/tree/trunk/PKGBUILD?h=packages/python-dateutil#n33

Modern installers normalize permissions (pip does) but easy_install or setup.py install doesn't. Meaning tools relying on easy_install or setup.py (such as FPM) may end up with insufficient permissions to run the code as a non-root user.

Would it be possible to have the correct permissions in the tarball directly? Adding a+r and g+r seems reasonable.

Bruno (brutasse) wrote :

This only concerns non-python files:

$ find . ! -perm -a+r
./dateutil/zoneinfo/zoneinfo--latest.tar.gz
./python_dateutil-2.1.egg-info/not-zip-safe
./python_dateutil-2.1.egg-info/PKG-INFO
./python_dateutil-2.1.egg-info/top_level.txt
./python_dateutil-2.1.egg-info/SOURCES.txt
./python_dateutil-2.1.egg-info/dependency_links.txt
./python_dateutil-2.1.egg-info/requires.txt

But some of these are needed at runtime py pkg_resources it seems.

Colm Ragu (colmragu) wrote :
Download full text (3.1 KiB)

I had the same problem. I noticed it when deluge failed to start.

$ deluge
Traceback (most recent call last):
  File "/usr/bin/deluge", line 5, in <module>
    from pkg_resources import load_entry_point
  File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 2823, in <module>
    add_activation_listener(lambda dist: dist.activate())
  File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 710, in subscribe
    callback(dist)
  File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 2823, in <lambda>
    add_activation_listener(lambda dist: dist.activate())
  File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 2255, in activate
    self.insert_on(path)
  File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 2362, in insert_on
    self.check_version_conflict()
  File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 2401, in check_version_conflict
    for modname in self._get_metadata('top_level.txt'):
  File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 2249, in _get_metadata
    for line in self.get_metadata_lines(name):
  File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 1219, in get_metadata_lines
    return yield_lines(self.get_metadata(name))
  File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 1211, in get_metadata
    return self._get(self._fn(self.egg_info,name))
  File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 1326, in _get
    stream = open(path, 'rb')
IOError: [Errno 13] Permission denied: '/usr/local/lib/python2.7/dist-packages/python_dateutil-2.2-py2.7.egg/EGG-INFO/top_level.txt'

Checked permissions:
$la -lrt /usr/local/lib/python2.7/dist-packages/python_dateutil-2.2-py2.7.egg/*
/usr/local/lib/python2.7/dist-packages/python_dateutil-2.2-py2.7.egg/dateutil:
total 276
-rwxr-xr-x 1 root staff 32988 Nov 22 16:28 tz.py
-rwxr-xr-x 1 root staff 41036 Nov 22 16:28 rrule.py
-rwxr-xr-x 1 root staff 17224 Nov 22 16:28 relativedelta.py
-rwxr-xr-x 1 root staff 2578 Nov 22 16:28 easter.py
drwxr-sr-x 2 root staff 4096 Nov 22 16:28 zoneinfo
-rwxr-xr-x 1 root staff 5737 Nov 22 16:28 tzwin.py
-rwxr-xr-x 1 root staff 34280 Nov 22 16:28 parser.py
-rwxr-xr-x 1 root staff 278 Nov 22 16:28 __init__.py
-rw-r--r-- 1 root staff 27948 Nov 22 16:28 tz.pyc
-rw-r--r-- 1 root staff 14965 Nov 22 16:28 relativedelta.pyc
-rw-r--r-- 1 root staff 2445 Nov 22 16:28 easter.pyc
-rw-r--r-- 1 root staff 31098 Nov 22 16:28 rrule.pyc
-rw-r--r-- 1 root staff 482 Nov 22 16:28 __init__.pyc
-rw-r--r-- 1 root staff 7311 Nov 22 16:28 tzwin.pyc
-rw-r--r-- 1 root staff 24885 Nov 22 16:28 parser.pyc

/usr/local/lib/python2.7/dist-packages/python_dateutil-2.2-py2.7.egg/EGG-INFO:
total 24
-rw------- 1 root staff 9 Nov 22 16:28 top_level.txt
-rw------- 1 root staff 563 Nov 22 16:28 SOURCES.txt
-rw------- 1 root staff 3 Nov 22 16:28 requires.txt
-rw------- 1 root staff 970 Nov 22 16:28 PKG-INFO
-rw------- 1 root staff 1 Nov 22 16:28 not-zip-safe
-rw------- 1 root staff 1 Nov 22 16:28 dependency_links.txt

Solved it by changing the permissions. Now deluge is working fine.
sudo chmod a+r /usr/local/lib/python2.7/dist-packages/python_dateutil-2.2-py2.7.egg/EGG-I...

Read more...

c_t (chefturner) wrote :

I do experience the same problem.

jarondl (jarondl) wrote :

This was fixed in 2.3.

If not, please open a github issue.

Changed in dateutil:
status: New → Fix Released
Bruno (brutasse) wrote :

Great, thank you!

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers