Bug 952933 - The "ccache" page on wiki suggests security vulnerability-creating solutions
Summary: The "ccache" page on wiki suggests security vulnerability-creating solutions
Status: RESOLVED INVALID
Alias: None
Product: Documentation
Classification: Unclassified
Component: Other
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Linux bug wranglers
Reported: 2025-03-30 16:35 UTC by otzma.vindicus
Modified: 2025-03-30 16:38 UTC
Runtime testing required: ---
Description otzma.vindicus 2025-03-30 16:35:53 UTC
This snippet from the wiki's page on "ccache" unnecessarily suggests excessively opening the permissions on /var/cache/ccache to umask=0002:

> FEATURES="ccache"
> 
> # Portage defaults to ${PORTAGE_TMPDIR}/ccache unless CCACHE_DIR is
> # set in make.conf or in /etc/portage/env (or similar).
> #CCACHE_DIR="/var/cache/ccache"
> # If using a directory that Portage doesn't control, e.g. /var/cache/ccache,
> # this may be needed in some cases, but has some security implications.
> # See bug 492910.
> #CCACHE_UMASK="0002"

Even though the bug which it links to (492910) has a comment () that suggests a better fix without the umask=0002 vulnerability:

> chown -R portage:portage .
> chmod g+s .

Not to mention that portage's "prepare_build_dirs.py" seems to already handle this by setting the permissions for directories specified in CCACHE_DIR.

I suggest updating the code snippet to:

> FEATURES="ccache"
> 
> # Unless CCACHE_DIR is set explicitly, portage overrides it to portage's tmp
> # directory ${PORTAGE_TMPDIR}/ccache, which is possibly subject to deletion 
> # after reboots (rendering ccache less effective), and causes "ccache" to ignore
> # "cache_dir=..." in /etc/ccache.conf.  Therefore, to set ccache's directory to
> # a non-temporary path, CCACHE_DIR has to be set, e.g.:
> 
> CCACHE_DIR="/var/cache/ccache"
> 
> # If portage doesn't set the permissions of "/var/cache/ccache" correctly
> # (bug 492910), then set their permissions manually, e.g.:
> #   chown -R portage:portage /var/cache/ccache
> #   chmod g+s /var/cache/ccache
> # or set the following option in make.conf (warning: creates a vulnerability):
> # CCACHE_UMASK="0002"


Note: I can't add URLs as my account is new. Replace "bug 492910" with the actual bug's URL.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2025-03-30 16:38:49 UTC
(In reply to otzma.vindicus from comment #0)
> This snippet from the wiki's page on "ccache" unnecessarily suggests
> excessively opening the permissions on /var/cache/ccache to umask=0002:
> 

It does not "suggest" to; it mentions that someone may need to and includes a link to the bug for context.

> > FEATURES="ccache"
> > 
> > # Portage defaults to ${PORTAGE_TMPDIR}/ccache unless CCACHE_DIR is
> > # set in make.conf or in /etc/portage/env (or similar).
> > #CCACHE_DIR="/var/cache/ccache"
> > # If using a directory that Portage doesn't control, e.g. /var/cache/ccache,
> > # this may be needed in some cases, but has some security implications.
> > # See bug 492910.
> > #CCACHE_UMASK="0002"
> 
> Even though the bug which it links to (492910) has a comment () that suggests a
> better fix without the umask=0002 vulnerability:
> 

That has the same issue anyway if /var/cache/ccache is shared with other users, though.

> I suggest updating the code snippet to:
> 

The wiki is free for anyone to edit. You can edit it yourself on the wiki or suggest changes via the talk page.
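An added check, not from this bug, the wiki page or Portage, for the two permission setups discussed in the report and the reply: it verifies that a ccache directory is owned by the expected user and group, carries the setgid bit that the chown/chmod g+s approach relies on, and contains nothing world-writable (the concern raised about a directory shared with other users); a second function shows the file modes that result from umask 0002, as CCACHE_UMASK="0002" would set, next to the default 0022. It assumes GNU coreutils and findutils; the expected owner and group are parameters so it can be tried on a scratch directory as an unprivileged user.

```shell
#!/bin/sh
# ccache_dir_audit DIR OWNER GROUP
# Returns 0 when DIR is owned by OWNER:GROUP, has the setgid bit set and no
# entry below it is writable by "other"; otherwise prints the findings and
# returns 1. Assumes GNU stat/find (example code, not part of Portage).
ccache_dir_audit() {
    dir=$1; owner=$2; group=$3; rc=0
    [ -d "$dir" ] || { echo "$dir: not a directory"; return 1; }
    # stat prints "user group mode", e.g. "portage portage 2775"
    set -- $(stat -c '%U %G %a' "$dir")
    if [ "$1" != "$owner" ] || [ "$2" != "$group" ]; then
        echo "$dir: owned by $1:$2, expected $owner:$group"; rc=1
    fi
    # GNU stat shows special bits as a leading 4th digit; 2 = setgid.
    case $3 in
        2???|3???|6???|7???) ;;
        *) echo "$dir: setgid bit not set (mode $3); new files will not inherit group $group"; rc=1 ;;
    esac
    # World-writable entries are a problem whichever approach was chosen.
    ww=$(find "$dir" -perm -o+w | head -n 5)
    if [ -n "$ww" ]; then
        echo "$dir: world-writable entries:"; echo "$ww"; rc=1
    fi
    return $rc
}

# ccache_umask_demo DIR
# Creates one file under DIR with umask 0002 (the relaxed CCACHE_UMASK) and
# one with the default 0022, then prints the resulting modes (664 vs 644).
ccache_umask_demo() {
    dir=$1
    (umask 0002; : > "$dir/relaxed.o")
    (umask 0022; : > "$dir/default.o")
    stat -c '%n %a' "$dir/relaxed.o" "$dir/default.o"
}
```

Run it against a real cache as `ccache_dir_audit /var/cache/ccache portage portage`; a non-zero exit lists what to fix.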