114207 2005-12-01 15:45 0000 sci-misc/qcad-parts-2.0.1.2: some files in /usr/share are world-writable 2006-01-15 08:59:54 0000 1 1 1 Unclassified Gentoo Linux Ebuilds unspecified All Linux RESOLVED FIXED P2 trivial --- 1 andyreif@studcs.uni-sb.de sci@gentoo.org centic@gentoo.org ppc@gentoo.org security@gentoo.org andyreif@studcs.uni-sb.de 2005-12-01 15:45:06 0000 e.g. ls -al /usr/share/qcad-parts-2.0.1.2/mechanical/DIN_7991/M3/ total 292 drwxrwxr-x 2 root root 4096 Nov 22 17:56 . drwxr-xr-x 15 root root 4096 Nov 22 17:56 .. -rw-r--r-- 1 root root 63 Dec 2 02:46 M3_DIN7991_t.dat -rw-rw-rw- 1 root root 8632 Dec 2 02:46 M3_DIN7991_t.dxf -rw-r--r-- 1 root root 63 Dec 2 02:46 M3_DIN7991_w.dat -rw-rw-rw- 1 root root 8059 Dec 2 02:46 M3_DIN7991_w.dxf -rw-r--r-- 1 root root 63 Dec 2 02:46 M3x10_DIN7991_f.dat -rw-rw-rw- 1 root root 10075 Dec 2 02:46 M3x10_DIN7991_f.dxf -rw-r--r-- 1 root root 63 Dec 2 02:46 M3x12_DIN7991_f.dat [...] I don't think this is needed. Reproducible: Always Steps to Reproduce: 1. emerge -pv sci-misc/qcad-parts-2.0.1.2 2. /usr/bin/find /usr/share/qcad-parts-2.0.1.2/ -type f \( -perm -2 \) -exec ls -l {} \; 2>/dev/null > writable.txt Actual Results: The file writable.txt that is created in 2. is not empty. Expected Results: Normally installed files shouldn't be world-writable. markusle@gentoo.org 2005-12-12 21:05:03 0000 Created an attachment (id=74610) fix permissions of files/directories Hi, Could you please test if the attached patch fixes the permission issues on your machine and still allows the qcad files to be used properly. Thanks, Markus andyreif@studcs.uni-sb.de 2005-12-14 04:15:43 0000 Patch seems to work. One can still add parts from the library to an image. markusle@gentoo.org 2006-01-07 11:34:12 0000 Created an attachment (id=76466) updated ebuild Sorry for the delay in responding. I have completely reworked the ebuild and it would be great if you could test it with you qcad install before I commit to portage. Thanks, Markus andyreif@studcs.uni-sb.de 2006-01-09 10:15:24 0000 It works. markusle@gentoo.org 2006-01-09 19:23:03 0000 Hi Andy, Thanks for testing! qcad-parts-2.0.1.2-r1 has been committed to portage and fixes the world writable files issue. x86, ppc, amd64 folks: Since the ebuild only installs some helper files in /usr/share, could we possibly stabilize it soon in order to pull these world writable files out of peoples' systems? Thanks, Markus halcy0n@gentoo.org 2006-01-10 20:57:11 0000 x86 done cryos@gentoo.org 2006-01-14 16:41:28 0000 amd64 done. markusle@gentoo.org 2006-01-15 08:59:54 0000 qcad-parts-2.0.1.2-r1 has been stabilized on all supported arches. Thanks all for your help! 74610 2005-12-12 21:05 0000 fix permissions of files/directories qcad-file-permissions-gentoo.patch text/plain LS0tIHFjYWQtcGFydHMtMi4wLjEuMi5lYnVpbGQtb2xkCTIwMDUtMTItMTMgMDU6MDA6MjkuMDAw MDAwMDAwICswMDAwCisrKyBxY2FkLXBhcnRzLTIuMC4xLjIuZWJ1aWxkCTIwMDUtMTItMTMgMDU6 MDA6NDUuMDAwMDAwMDAwICswMDAwCkBAIC0zMiwxMiArMzIsMTcgQEAKIAl1bnBhY2sgJHtBfQog CW12IHBhcnRsaSovKiAuCiAJcm1kaXIgcGFydGxpYioKKwogCWVpbmZvICJBZGp1c3RpbmcgcGVy bWlzc2lvbnMuLi4iCiAJY2hvd24gLVIgcm9vdDowIC4KLQlmaW5kIC4gLXR5cGUgZCAtbm90IC1w ZXJtIC0wMDUgfCB3aGlsZSByZWFkIGRpcjsgZG8KLQkJZWNobyAiRml4aW5nIGRpcmVjdG9yeSAk ZGlyIjsgY2htb2QgdWdvK3J4ICRkaXI7IGRvbmUKLQlmaW5kIC4gLXR5cGUgZiAtbm90IC1wZXJt IC0wMDQgfCB3aGlsZSByZWFkIGZpbGU7IGRvCi0JCWVjaG8gIkZpeGluZyBmaWxlICRmaWxlIjsg Y2htb2QgdWdvK3IgJGZpbGU7IGRvbmUKKworCWVpbmZvICJGaXhpbmcgZGlyZWN0b3J5IHBlcm1p c3Npb25zIgorCWZpbmQgLiAtdHlwZSBkIC1ub3QgLXBlcm0gNzU1IHwgd2hpbGUgcmVhZCBkaXI7 IGRvCisJCWNobW9kIDc1NSAkZGlyOyBkb25lCisKKwllaW5mbyAiRml4aW5nIGZpbGUgcGVybWlz c2lvbnMiCisJZmluZCAuIC10eXBlIGYgLW5vdCAtcGVybSA2NDQgfCB3aGlsZSByZWFkIGZpbGU7 IGRvCisJCWNobW9kIDY0NCAkZmlsZTsgZG9uZQogfQogCiBwa2dfcG9zdGluc3QoKSB7Cg== 76466 2006-01-07 11:34 0000 updated ebuild qcad-parts-2.0.1.2-r1.ebuild text/plain IyBDb3B5cmlnaHQgMTk5OS0yMDA2IEdlbnRvbyBGb3VuZGF0aW9uCiMgRGlzdHJpYnV0ZWQgdW5k ZXIgdGhlIHRlcm1zIG9mIHRoZSBHTlUgR2VuZXJhbCBQdWJsaWMgTGljZW5zZSB2MgojICRIZWFk ZXI6IC92YXIvY3Zzcm9vdC9nZW50b28teDg2L3NjaS1taXNjL3FjYWQtcGFydHMvcWNhZC1wYXJ0 cy0yLjAuMS4yLmVidWlsZCx2IDEuMiAyMDA1LzA4LzI0IDEyOjAzOjE4IGNyeW9zIEV4cCAkCgpN WV9QTj0icGFydGxpYnJhcnkiCk1ZX1BWPSIke1BWfS0xIgoKREVTQ1JJUFRJT049IkNvbGxlY3Rp b24gb2YgQ0FEIGZpbGVzIHRoYXQgY2FuIGJlIHVzZWQgZnJvbSB0aGUgbGlicmFyeSBicm93c2Vy IG9mIFFDYWQiCkxJQ0VOU0U9IkdQTC0yIgpIT01FUEFHRT0iaHR0cDovL3d3dy5yaWJib25zb2Z0 LmNvbS9xY2FkX2xpYnJhcnkuaHRtbCIKU1JDX1VSST0iaHR0cDovL3d3dy5yaWJib25zb2Z0LmNv bS9hcmNoaXZlcy9wYXJ0bGlicmFyeS9wYXJ0bGlicmFyeS0ke01ZX1BWfS56aXAiCgpTTE9UPSIw IgpLRVlXT1JEUz0ieDg2IHBwYyBhbWQ2NCIKSVVTRT0iIgoKREVQRU5EPSJhcHAtYXJjaC91bnpp cCIKClM9IiR7V09SS0RJUn0vJHtNWV9QTn0tJHtNWV9QVn0iCgpzcmNfaW5zdGFsbCgpIHsKCWNk ICIke1N9IgoJZWluZm8gIkZpeGluZyBwZXJtaXNzaW9ucyAtIHRoaXMgbWlnaHQgdGFrZSBhIHdo aWxlIgoJaW5zaW50byAvdXNyL3NoYXJlLyR7UE59Cglkb2lucyAtciAuLyogfHwgZGllICJGYWls ZWQgaW5zdGFsbGluZyBxY2FkLXBhcnRzIGZpbGVzIgp9Cgpwa2dfcG9zdGluc3QoKSB7CgllaW5m bwoJZWluZm8gIlRoZSBRQ2FkIHBhcnRzIGxpYnJhcnkgd2FzIGluc3RhbGxlZCBpbiIKCWVpbmZv ICIvdXNyL3NoYXJlLyR7UE59IgoJZWluZm8gIlBsZWFzZSBzZXQgdGhpcyBwYXRoIGluIFFDYWQn cyBwcmVmZXJlbmNlcyB0byBhY2Nlc3MgaXQuIgoJZWluZm8gIihFZGl0LT5BcHBsaWNhdGlvbiBQ cmVmZXJlbmNlcy0+UGF0aHMtPlBhcnQgTGlicmFyaWVzKSIKCWVpbmZvCgllaW5mbyAiQWZ0ZXIg cmVzdGFydGluZyBRQ2FkLCB5b3UgY2FuIHVzZSB0aGUgbGlicmFyeSBieSBzZWxlY3RpbmciCgll aW5mbyAiVmlldy0+Vmlld3MtPkxpYnJhcnkgQnJvd3NlciIKCWVpbmZvCn0K