[buildd-tools-devel] Bug#608414: Bug#608414: missing umask thing in sbuild-createchroot?

Roger Leigh rleigh at codelibre.net
Thu Dec 30 18:43:25 UTC 2010


tags 608414 + patch
thanks

On Thu, Dec 30, 2010 at 07:19:38PM +0100, Cyril Brulebois wrote:
> Package: sbuild
> Version: 0.60.7-1
> Severity: normal
> 
> Hi,
> 
> as a casual user, with no ~/opt at the beginning:
> | $ sudo sbuild-createchroot sid ~/opt/sid-amd-sbuild http://localhost:9999/debian
> | $ ls -ld opt
> | drwx------ 3 root root 4096 Dec 30 18:57 opt
> 
> I'm not sure permissions should be so restrictive here. Specifically
> when one compares to the following:
> | $ sudo mkdir foo && ls -ld foo
> | drwxr-xr-x 2 root root 4096 Dec 30 19:13 foo

Hmm, looks like it's due to the makedir call:

diff --git a/bin/sbuild-createchroot b/bin/sbuild-createchroot
index 6273f07..8445e16 100755
--- a/bin/sbuild-createchroot
+++ b/bin/sbuild-createchroot
@@ -163,7 +163,7 @@ $conf->set('INCLUDE', add_items($conf->get('INCLUDE'),
 my $suite = $ARGV[0];
 # Create the target directory in advance so abs_path (which is buggy)
 # won't fail.  Remove if abs_path is replaced by something better.
-makedir($ARGV[1], 0700);
+makedir($ARGV[1], 0755);
 my $target = abs_path($ARGV[1]);
 my $mirror = $ARGV[2];
 my $script = undef;
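
Review bot: the new mode on the `makedir($ARGV[1], 0755);` line is undocumented; the comment above it explains only the abs_path workaround, not why this permission was chosen. The report shows `opt`, the parent of the requested target, ending up `drwx------`, so the mode passed here evidently reaches intermediate directories that get created as well. A short comment stating that 0755 is intended for the target and for any parents created along the way would make that explicit. The hunk also does not show whether makedir applies the caller's umask, which is what the bug title asks about. That is worth confirming, because a literal 0755 can differ from what `sudo mkdir` produces under a stricter umask.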

Not sure why this is so restrictive initially.  I think it was probably
to prevent any access to the chroot environment except via
sudo/schroot, but the security is minimal at best and probably entirely
pointless.  I certainly have 0755 perms on all my chroots.


Regards,
Roger

-- 
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux             http://people.debian.org/~rleigh/
 `. `'   Printing on GNU/Linux?       http://gutenprint.sourceforge.net/
   `-    GPG Public Key: 0x25BFB848   Please GPG sign your mail.