Message-ID: <39eed26c97d9a6d426e6c5263f28ebba968431b5.camel@ilbers.de>
Subject: Re: build failing with default umask changed from 0022 to 0077
From: Uladzimir Bely
To: "cedric.hombourger@siemens.com", "isar-users@googlegroups.com"
Date: Fri, 27 Oct 2023 11:45:51 +0300

On Thu, 2023-10-26 at 11:49 +0000, 'cedric.hombourger@siemens.com' via isar-users wrote:
> Hello,
>
> Some security measures require the default umask to be changed from
> 0022 to 0077
>
> This causes Isar builds to fail as we often create files with default
> (unspecified) permissions and are switching between privileged (sudo)
> and regular accounts ($USER)
>
> Would you like us to be fixing such problems?
> Should we instead recommend the user to umask 0022 prior to starting
> his build?
>
> Thanks
> Cedric
>

We were able to reproduce the issue.

```
./kas/kas-container menu
./kas/kas-container shell
bitbake -v cowsay
```

It happens in at least two places:

1. When building any package (in sbuild internals):

```
...
W: Download is performed unsandboxed as root as file '/var/lib/apt/lists/partial/_build_cowsay-DwkTEa_resolver-fVeyau_apt%5farchive_._InRelease' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)
...
dpkg-checkbuilddeps: error: cannot open /var/lib/dpkg/status: Permission denied
dpkg-buildpackage: warning: (Use -d flag to override.)
...
```

2. When building the target image (do_copy_boot_files):

```
+ do_copy_boot_files
+ realpath -q /build/tmp/work/debian-bookworm-amd64/isar-image-base-qemuamd64/1.0-r0/rootfs/vmlinu[xz]
WARNING: exit code 1 from a shell command.
```

These probably can be fixed, but I'm wondering if setting a "0077" umask is correct in general. Won't we receive some output image where some dirs/files (that should be readable for all users) are not readable?
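
Added example, not part of the original message and not Isar code: a shell check for the concern raised at the end of the reply, that files created with unspecified permissions under umask 0077 end up unusable by other users. The tree layout and the function names (make_tree, list_unreadable, count_unreadable, perm_string) are constructed for illustration.

```shell
#!/bin/sh
# Constructed illustration: a small directory tree, not a real Isar rootfs.

# Create files the way a build step with unspecified permissions would.
# $1 = umask to apply, $2 = target directory (must not exist yet).
# The function body is a subshell, so the umask does not leak to the caller.
make_tree() (
    umask "$1"
    mkdir -p "$2/var/lib/dpkg" "$2/etc"
    echo "Package: cowsay" > "$2/var/lib/dpkg/status"
    echo "constructed" > "$2/etc/motd"
)

# List entries under $1 that other users cannot use:
# directories missing o+rx and regular files missing o+r.
list_unreadable() {
    find "$1" \( -type d ! -perm -005 \) -o \( -type f ! -perm -004 \)
}

# Number of such entries, as a bare integer.
count_unreadable() {
    list_unreadable "$1" | wc -l | tr -d ' '
}

# First ten characters of the ls -ld mode column, e.g. "-rw-------".
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# Demo: build the same tree under both umasks and compare.
demo_dir=$(mktemp -d)
make_tree 0077 "$demo_dir/strict"
make_tree 0022 "$demo_dir/default"
for t in strict default; do
    echo "$t: $(count_unreadable "$demo_dir/$t") entries not usable by other users," \
         "status is $(perm_string "$demo_dir/$t/var/lib/dpkg/status")"
done
rm -rf "$demo_dir"
```

Pointing list_unreadable at a finished rootfs directory lists the entries whose permissions would need to be set explicitly; some files in a real rootfs are intentionally not world-readable, so the output is a list to review.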