public inbox for isar-users@googlegroups.com
From: Uladzimir Bely <ubely@ilbers.de>
To: "cedric.hombourger@siemens.com" <cedric.hombourger@siemens.com>,
	"isar-users@googlegroups.com" <isar-users@googlegroups.com>
Subject: Re: build failing with default umask changed from 0022 to 0077
Date: Fri, 27 Oct 2023 11:45:51 +0300
Message-ID: <39eed26c97d9a6d426e6c5263f28ebba968431b5.camel@ilbers.de>
In-Reply-To: <PAWPR10MB71747431E98CC2544009EFE0FBDDA@PAWPR10MB7174.EURPRD10.PROD.OUTLOOK.COM>

On Thu, 2023-10-26 at 11:49 +0000, 'cedric.hombourger@siemens.com' via
isar-users wrote:
> Hello,
> 
> Some security measures require the default umask to be changed from
> 0022 to 0077
> 
> This causes Isar builds to fail as we often create files with default
> (unspecified) permissions and are switching between privileged (sudo)
> and regular accounts ($USER)
> 
> Would you like us to be fixing such problems?
> Should we instead recommend the user to umask 0022 prior to starting
> his build?
> 
> Thanks
> Cedric
> 

We were able to reproduce the issue. 

```
./kas/kas-container menu
./kas/kas-container shell
bitbake -v cowsay
```

It happens in at least two places:

1. When building any packages (in sbuild internals):

```
...
W: Download is performed unsandboxed as root as file
'/var/lib/apt/lists/partial/_build_cowsay-DwkTEa_resolver-
fVeyau_apt%5farchive_._InRelease' couldn't be accessed by user '_apt'.
- pkgAcquire::Run (13: Permission denied)
...
dpkg-checkbuilddeps: error: cannot open /var/lib/dpkg/status:
Permission denied
dpkg-buildpackage: warning: (Use -d flag to override.)
...
```

2. When building the target image (do_copy_boot_files):

```
+ do_copy_boot_files
+ realpath -q /build/tmp/work/debian-bookworm-amd64/isar-image-base-
qemuamd64/1.0-r0/rootfs/vmlinu[xz]
WARNING: exit code 1 from a shell command.
```

These can probably be fixed, but I'm wondering if setting a "0077" umask
is correct in general. Won't we receive some output image where some
dirs/files (that should be readable for all users) are not readable?
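
The effect discussed in this thread can be checked with a small audit; this is an added example, not part of the original message and not Isar code. It creates the same path under umask 0022 and 0077 and lists what users other than the owner cannot read. The function names and the temporary tree are assumptions; only `var/lib/dpkg/status` is taken from the log above.

```shell
#!/bin/sh
# Added example (not Isar code): show which paths become unreadable to
# non-owner accounts (such as _apt or $USER after a sudo step) when files
# are created with default permissions under umask 0077.

# make_tree DIR MASK: create a constructed sample tree under the given umask.
# Runs in a subshell so the caller's umask is left untouched.
make_tree() {
    (
        umask "$2"
        mkdir -p "$1/var/lib/dpkg"
        : > "$1/var/lib/dpkg/status"
    )
}

# audit_tree DIR: print every directory that "other" cannot list and
# traverse (missing r-x) and every regular file "other" cannot read.
audit_tree() {
    find "$1" \( -type d ! -perm -005 \) -o \( -type f ! -perm -004 \)
}

# count_unreadable DIR: number of paths reported by audit_tree.
count_unreadable() {
    audit_tree "$1" | wc -l | tr -d ' '
}

# Demo on a throwaway directory (constructed input).
demo=$(mktemp -d)
make_tree "$demo/umask-0022" 0022
make_tree "$demo/umask-0077" 0077
for t in "$demo"/umask-*; do
    echo "$t: $(count_unreadable "$t") path(s) not readable by other users"
done
audit_tree "$demo/umask-0077"
rm -rf "$demo"
```

Pointing `audit_tree` at an unpacked rootfs lists candidates only: some files are deliberately not world-readable, so the output needs comparing against a build done under umask 0022.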
