* build failing with default umask changed from 0022 to 0077
@ 2023-10-26 11:49 cedric.hombourger
2023-10-27 8:45 ` Uladzimir Bely
0 siblings, 1 reply; 2+ messages in thread
From: cedric.hombourger @ 2023-10-26 11:49 UTC (permalink / raw)
To: isar-users
Hello,
Some security measures require the default umask to be changed from 0022 to 0077.
This causes Isar builds to fail as we often create files with default (unspecified) permissions and are switching between privileged (sudo) and regular accounts ($USER).
Would you like us to be fixing such problems?
Should we instead recommend the user to umask 0022 prior to starting his build?
Thanks
Cedric
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: build failing with default umask changed from 0022 to 0077
From: Uladzimir Bely @ 2023-10-27 8:45 UTC (permalink / raw)
To: cedric.hombourger, isar-users
On Thu, 2023-10-26 at 11:49 +0000, 'cedric.hombourger@siemens.com' via
isar-users wrote:
> Hello,
>
> Some security measures require the default umask to be changed from
> 0022 to 0077
>
> This causes Isar builds to fail as we often create files with default
> (unspecified) permissions and are switching between privileged (sudo)
> and regular accounts ($USER)
>
> Would you like us to be fixing such problems?
> Should we instead recommend the user to umask 0022 prior to starting
> his build?
>
> Thanks
> Cedric
>
We were able to reproduce the issue.
```
./kas/kas-container menu
./kas/kas-container shell
bitbake -v cowsay
```
It happens in at least two places:
1. When building any packages (in sbuild internals):
```
...
W: Download is performed unsandboxed as root as file
'/var/lib/apt/lists/partial/_build_cowsay-DwkTEa_resolver-
fVeyau_apt%5farchive_._InRelease' couldn't be accessed by user '_apt'.
- pkgAcquire::Run (13: Permission denied)
...
dpkg-checkbuilddeps: error: cannot open /var/lib/dpkg/status:
Permission denied
dpkg-buildpackage: warning: (Use -d flag to override.)
...
```
2. When building the target image (do_copy_boot_files):
```
+ do_copy_boot_files
+ realpath -q /build/tmp/work/debian-bookworm-amd64/isar-image-base-
qemuamd64/1.0-r0/rootfs/vmlinu[xz]
WARNING: exit code 1 from a shell command.
```
These probably can be fixed, but I'm wondering if setting a "0077" umask
is correct in general. Won't we receive some output image where some
dirs/files (that should be readable for all users) are not readable?
^ permalink raw reply [flat|nested] 2+ messages in thread
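The permission problem discussed in this thread, and a check for the image-readability concern raised in the reply, as an added example that is not part of either message or of Isar's code. The function names and the temporary tree are constructed for illustration, and GNU `stat`, `find` and `install` are assumed:

```shell
#!/bin/sh
# Added example: shows how default (unspecified) permissions depend on the
# umask, how explicit modes avoid that, and how to audit a tree for entries
# that other users cannot read. All names and paths here are constructed.

# mode_of PATH: print the octal permission bits of PATH (GNU stat).
mode_of() { stat -c '%a' "$1"; }

# make_tree DIR UMASK: create a directory chain and a file with default
# permissions. Runs in a subshell so the caller's umask is left untouched.
make_tree() (
    umask "$2"
    mkdir -p "$1/var/lib/dpkg"
    : > "$1/var/lib/dpkg/status"
)

# make_tree_explicit DIR UMASK: same layout, but every mode is stated
# explicitly with install(1), so the result does not depend on the umask.
make_tree_explicit() (
    umask "$2"
    install -d -m 0755 "$1/var" "$1/var/lib" "$1/var/lib/dpkg"
    install -m 0644 /dev/null "$1/var/lib/dpkg/status"
)

# audit_unreadable DIR: list entries below DIR that "other" users cannot
# traverse (directories without o+rx) or read (files without o+r).
audit_unreadable() {
    find "$1" -mindepth 1 \( -type d ! -perm -005 -o -type f ! -perm -004 \)
}

# Demonstration on a throwaway directory.
demo=$(mktemp -d)
make_tree "$demo/default-0077" 0077
make_tree_explicit "$demo/explicit-0077" 0077
echo "default perms, umask 0077: status has mode" \
     "$(mode_of "$demo/default-0077/var/lib/dpkg/status")"
echo "entries not readable by other users:"
audit_unreadable "$demo/default-0077"
echo "explicit modes, umask 0077:" \
     "$(audit_unreadable "$demo/explicit-0077" | wc -l) unreadable entries"
rm -rf "$demo"
```

Running `audit_unreadable` over a generated rootfs before packaging it shows whether a restrictive build-host umask leaked into the image.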