From debbugs-submit-bounces@debbugs.gnu.org Sat Oct 30 16:48:25 2021 Received: (at 51442) by debbugs.gnu.org; 30 Oct 2021 20:48:25 +0000 Received: from localhost ([127.0.0.1]:58523 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1mgvH6-0001nt-QG for submit@debbugs.gnu.org; Sat, 30 Oct 2021 16:48:25 -0400 Received: from jpoiret.xyz ([206.189.101.64]:50834) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1mgvH4-0001nj-J5 for 51442@debbugs.gnu.org; Sat, 30 Oct 2021 16:48:23 -0400 Received: from authenticated-user (jpoiret.xyz [206.189.101.64]) by jpoiret.xyz (Postfix) with ESMTPA id 5A0AD184BFA; Sat, 30 Oct 2021 20:48:19 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=jpoiret.xyz; s=dkim; t=1635626899; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=HhlgQD6mazMrV0Ad64HNjNelAh3Au7mz4Ve1RfB09+s=; b=Q0b+kbVYTv6gahbLLj1KjXALgoN0XdCthvyFzHsYW+k7TKRWS87AyEyT4n8lKT2P6PsaXw S3vxKk/SxVyZt3KGZkR2LESz4BD5yvZAfj39ORd1MWqUPb9+x3aE0/tPnEyFCtlDeaRE3z IJ2uoqV8aXNhrHQo1stNY5DTPgCdM5ZInw428ZfS+LoTMKNMAL6gQf98rRv6CJEwZ11KIx ooFU/3HeL8YE4Tk0jwJqipP8BKIrhMBtyDa+e/Tpray2kVwv0v0i47f7z8WGDXLJFL88Kc 8mL8v4iL/9KZP/mNSHS8Cq2ZkPfEo+f8b9HBfsFNRk+B9INdX9kwLkybenb8ew== From: Josselin Poiret To: Ludovic =?utf-8?Q?Court=C3=A8s?= Subject: Re: bug#51442: Non-default umask when using guix system leads to wrong file permissions In-Reply-To: <87k0hvy7cz.fsf@gnu.org> References: <87wnlya3tn.fsf@jpoiret.xyz> <87k0hvy7cz.fsf@gnu.org> Date: Sat, 30 Oct 2021 20:48:18 +0000 Message-ID: <87zgqqz1bh.fsf@jpoiret.xyz> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Spamd-Bar: / Authentication-Results: jpoiret.xyz; auth=pass smtp.auth=jpoiret@jpoiret.xyz smtp.mailfrom=dev@jpoiret.xyz X-Spam-Score: 2.5 (++) X-Spam-Report: Spam detection software, running on the system "debbugs.gnu.org", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: Hi, Ludovic Courtès writes: > Perhaps the best fix would be to set the umask explicitly before > activation snippets run, like so (untested): > [snip] > WDYT? I forgot about those too! I guess they're run in two different contexts: once when `guix reconfigure` happens, and another one in the boot script. This would work here, but not be nearly enough: in in [...] Content analysis details: (2.5 points, 10.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 SPF_PASS SPF: sender matches SPF record 2.0 PDS_OTHER_BAD_TLD Untrustworthy TLDs [URI: jpoiret.xyz (xyz)] -0.0 SPF_HELO_PASS SPF: HELO matches SPF record 0.5 FROM_SUSPICIOUS_NTLD From abused NTLD X-Debbugs-Envelope-To: 51442 Cc: 51442@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: 2.5 (++) X-Spam-Report: Spam detection software, running on the system "debbugs.gnu.org", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: Hi, Ludovic Courtès writes: > Perhaps the best fix would be to set the umask explicitly before > activation snippets run, like so (untested): > [snip] > WDYT? I forgot about those too! I guess they're run in two different contexts: once when `guix reconfigure` happens, and another one in the boot script. This would work here, but not be nearly enough: in in [...] Content analysis details: (2.5 points, 10.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 SPF_PASS SPF: sender matches SPF record 2.0 PDS_OTHER_BAD_TLD Untrustworthy TLDs [URI: jpoiret.xyz (xyz)] -0.0 SPF_HELO_PASS SPF: HELO matches SPF record 0.5 FROM_SUSPICIOUS_NTLD From abused NTLD 1.0 BULK_RE_SUSP_NTLD Precedence bulk and RE: from a suspicious TLD -1.0 MAILING_LIST_MULTI Multiple indicators imply a widely-seen list manager Hi, Ludovic Court=C3=A8s writes: > Perhaps the best fix would be to set the umask explicitly before > activation snippets run, like so (untested): > [snip] > WDYT? I forgot about those too! I guess they're run in two different contexts: once when `guix reconfigure` happens, and another one in the boot script. This would work here, but not be nearly enough: in init, you also have the populate-root-file-system procedure which will create many directories without set permissions, and if they are created with a-r, it will also cause havok (I think the first issue wonko reported was about the directories not being readable). I still think that the whole init/reconfigure commands should have their umask set to #o022 as a sane default, even for future changes to them: whatever they're touching is supposed to be "the system" itself and not user files, so inherited user-set umasks shouldn't matter. It just feels like we're trying to fight back against 'sudo' preserving things when it shouldn't but alas. Best, Josselin Poiret