Report forwarded
to bug-guix@gnu.org: bug#51442; Package guix.
(Wed, 27 Oct 2021 15:25:01 GMT) (full text, mbox, link).
Acknowledgement sent
to Josselin Poiret <dev@jpoiret.xyz>:
New bug report received and forwarded. Copy sent to bug-guix@gnu.org.
(Wed, 27 Oct 2021 15:25:02 GMT) (full text, mbox, link).
Subject: Non-default umask when using guix system leads to wrong file
permissions
Date: Wed, 27 Oct 2021 15:24:20 +0000
Hi,
As reported on IRC by wonko
(https://logs.guix.gnu.org/guix/2021-10-27.log#115445), when running
‘guix system’ under a different umask, some files are created with the
wrong permissions. This can happen because ‘sudo’ does by default keeps
the umask it is running on (by ORing it with the default one, often
022).
I'm not sure what would be the best way to go about this, I suggest
checking if umask == #o022, and if not, print a warning and set it to
#o022, and only in ‘guix system’.
What do you think?
Best,
Josselin Poiret
Severity set to 'important' from 'normal'
Request was from Ludovic Courtès <ludo@gnu.org>
to control@debbugs.gnu.org.
(Thu, 28 Oct 2021 22:46:01 GMT) (full text, mbox, link).
Information forwarded
to bug-guix@gnu.org: bug#51442; Package guix.
(Fri, 29 Oct 2021 19:12:01 GMT) (full text, mbox, link).
Hi,
Josselin Poiret <dev@jpoiret.xyz> skribis:
> As reported on IRC by wonko
> (https://logs.guix.gnu.org/guix/2021-10-27.log#115445),
wonko mentions files in /etc (those are created by the activation
snippets).
> when running ‘guix system’ under a different umask, some files are
> created with the wrong permissions. This can happen because ‘sudo’
> does by default keeps the umask it is running on (by ORing it with the
> default one, often 022).
>
> I'm not sure what would be the best way to go about this, I suggest
> checking if umask == #o022, and if not, print a warning and set it to
> #o022, and only in ‘guix system’.
Perhaps the best fix would be to set the umask explicitly before
activation snippets run, like so (untested):
diff --git a/gnu/services.scm b/gnu/services.scm
index 1655218f2d..b79436d3f3 100644
--- a/gnu/services.scm
+++ b/gnu/services.scm
@@ -617,6 +617,10 @@ (define actions
(use-modules (gnu build activation)
(guix build utils))
+ ;; Set the correct umask so files are created with the
+ ;; expected permissions.
+ (umask #o022)
+
;; Make sure the user accounting database exists. If it
;; does not exist, 'setutxent' does not create it and
;; thus there is no accounting at all.
Subject: Re: bug#51442: Non-default umask when using guix system leads to
wrong file permissions
Date: Sat, 30 Oct 2021 20:48:18 +0000
Hi,
Ludovic Courtès <ludo@gnu.org> writes:
> Perhaps the best fix would be to set the umask explicitly before
> activation snippets run, like so (untested):
> [snip]
> WDYT?
I forgot about those too! I guess they're run in two different contexts:
once when `guix reconfigure` happens, and another one in the boot
script. This would work here, but not be nearly enough: in init, you
also have the populate-root-file-system procedure which will create many
directories without set permissions, and if they are created with a-r,
it will also cause havok (I think the first issue wonko reported was
about the directories not being readable).
I still think that the whole init/reconfigure commands should have their
umask set to #o022 as a sane default, even for future changes to them:
whatever they're touching is supposed to be "the system" itself and not
user files, so inherited user-set umasks shouldn't matter. It just feels
like we're trying to fight back against 'sudo' preserving things when it
shouldn't but alas.
Best,
Josselin Poiret
Debbugs is free software and licensed under the terms of the
GNU Public License version 2. The current version can be
obtained from https://bugs.debian.org/debbugs-source/.