Bug 890823 - quickpkg: use portage's umask as default
Status: CONFIRMED
Alias: None
Product: Portage Development
Classification: Unclassified
Component: Core - External Interaction
Hardware: All Linux
Importance: Normal normal
Assignee: Portage team
Keywords: PullRequest
Reported: 2023-01-14 18:16 UTC by John Helmert III
Modified: 2023-12-09 19:23 UTC
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-01-14 18:16:03 UTC
I have a PKGDIR which is shared over HTTP as a PORTAGE_BINHOST. By default, Portage creates binary packages with umask 022, which I believe is specified here (https://github.com/gentoo/portage/blob/master/lib/_emerge/main.py#L1251):

    # Portage needs to ensure a sane umask for the files it creates.
    os.umask(0o22)

i.e., writable by the owner, readable by all. This is reasonable for my particular use case since the webserver's user needs to be able to read the files to serve them to binhost consumers. Every once in a while, I need to quickpkg a package for one reason or another. quickpkg uses a umask of 077 (i.e., read-write *only* for the owner, https://github.com/gentoo/portage/blob/master/bin/quickpkg#L408):

    parser.add_argument(
        "--umask",
        default="0077",
        help="umask used during package creation (default is 0077)",
    )

And this causes problems whenever the webserver tries to read the package for binpkg consumers to use:

    >>> Running pre-merge checks for app-office/libreoffice-7.4.3.2
    --2023-01-13 16:20:42--  https://binhost.ajak.xyz/znver1/app-office/libreoffice/libreoffice-7.4.3.2-2.xpak
    Resolving binhost.ajak.xyz... 192.168.1.246
    Connecting to binhost.ajak.xyz|192.168.1.246|:443... connected.
    HTTP request sent, awaiting response... 403 Forbidden
    2023-01-13 16:20:42 ERROR 403: Forbidden.

    >>> Failed to emerge app-office/libreoffice-7.4.3.2

Thus, I propose changing quickpkg's default umask to that of Portage's, 022.
Comment 1 harry broeken 2023-12-09 16:43:27 UTC
Same problem

 using a BINHOST (hp250g5) on my local network

    >>> Running pre-merge checks for www-client/firefox-120.0
    --2023-12-09 17:04:59--  ftp://hp250g5/www-client/firefox-120.0.tbz2
               => '/var/cache/binpkgs/www-client/firefox-120.0.tbz2.partial'
    Resolving hp250g5... 192.168.178.54
    Connecting to hp250g5|192.168.178.54|:21... connected.
    Logging in as anonymous ... Logged in!
    ==> SYST ... done.    ==> PWD ... done.
    ==> TYPE I ... done.  ==> CWD (1) /www-client ... done.
    ==> SIZE firefox-120.0.tbz2 ... 66130553
    ==> PASV ... done.    ==> RETR firefox-120.0.tbz2 ... 
    No such file 'firefox-120.0.tbz2'

 
Took me some time to find that readable by all had to be set. 

For some reason I had to use quickpkg for firefox-120.0; normally the BINHOST contains packages by use of emerge.

 This behavior is not really documented; leaking of information could be a concern; but using quickpkg with BINHOST should work.

>>greetings<<
  Harry
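
The permission mismatch described in this bug, as an added example that is not part of the original report or of Portage: it shows the mode a file gets under each of the two umasks and audits a PKGDIR for packages a non-owner cannot read. The function names are hypothetical, and it assumes the web or FTP server user is neither the owner nor in the group of the files.

```python
import os
import stat
import tempfile

BINPKG_SUFFIXES = (".xpak", ".tbz2")  # the two package formats seen in this bug


def create_with_umask(path, umask):
    """Create an empty file as a tool running under `umask` would; return its mode."""
    old = os.umask(umask)
    try:
        os.close(os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o666))
    finally:
        os.umask(old)  # always restore the caller's umask
    return stat.S_IMODE(os.stat(path).st_mode)


def unreadable_for_others(pkgdir):
    """Return sorted (relative path, mode) pairs that block a non-owner reader.

    A package needs o+r; every directory on the way to it needs o+rx.
    Run it as the owner of pkgdir (or root) so the walk itself can descend.
    """
    findings = []
    for root, dirs, files in os.walk(pkgdir):
        for name in dirs:
            full = os.path.join(root, name)
            mode = stat.S_IMODE(os.stat(full).st_mode)
            if mode & 0o005 != 0o005:
                findings.append((os.path.relpath(full, pkgdir), mode))
        for name in files:
            if not name.endswith(BINPKG_SUFFIXES):
                continue
            full = os.path.join(root, name)
            mode = stat.S_IMODE(os.stat(full).st_mode)
            if not mode & stat.S_IROTH:
                findings.append((os.path.relpath(full, pkgdir), mode))
    return sorted(findings)


if __name__ == "__main__":
    # Constructed sample tree; package names are placeholders, not real binpkgs.
    with tempfile.TemporaryDirectory() as pkgdir:
        cat = os.path.join(pkgdir, "app-office")
        os.mkdir(cat)
        os.chmod(cat, 0o755)
        create_with_umask(os.path.join(cat, "emerged-1.0-1.xpak"), 0o022)
        create_with_umask(os.path.join(cat, "quickpkged-1.0-1.xpak"), 0o077)
        for path, mode in unreadable_for_others(pkgdir):
            print(f"{mode:04o} {path}")
```

Until the default changes, the `--umask` option shown in the report can be passed explicitly (`quickpkg --umask 022 ...`). Anything made world-readable this way is served to every binhost consumer, so check what a package contains before widening its permissions.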