Wrong permissions on built Fedora artifacts #727
Comments
|
Interesting and great that we caught this prior to shipping. |
|
One factor that may contribute to this is the difference in the base images. The Fedora image differs if you build the development environment through Podman instead of Docker. In Podman, the Fedora image is grabbed by Turns out that these two base images do differ from each other, albeit in small ways. Still, using the (seemingly working) Fedora image from |
|
I have some updates here. (1) It affects also Fedora 38 (and the Qubes versions)(2) Shebang WARNING is unrelatedI think the shebang warning line is unrelated. After adding those, the permissions remain wrong. After all it only mentions affecting the executable bit -- not the read permissions. However it does show that there are some differences in the Docker-packaged Fedora version and the one provided by Podman... (3) More files are affected
Actually, I think we have more affected files:
|
deeplow
changed the title
I tried now building on my linux system with podman, but using the |
We ran into this as well (freedomofpress/securedrop-workstation#912) but at the time I couldn't find any practical differences in the two images. |
|
Well, turns out that FUSE is the culprit, when it's used to mount directories to the containers. If we move the |
Bump the Dangerzone release to 0.6.1-2, to fix an issue with the permissions in our RPM packages. Refs freedomofpress/dangerzone#727
|
This issue has bit us again. In order to fix it, I propose doing the following:
|
When building the Dangerzone RPM package, detect if the files bundled in it have any incorrect permissions. We have seen in the past that building RPMs from the Dangerzone source, mounted to a macOS Docker container, can lead to files readable only by the root user (600 / rw-------). Refs #727
Switch build directory for the `rpmbuild` command from `./install/linux/rpm-build` to `~/rpmbuild`. The main reason for this is that we want a build directory that will not be mounted in the container, since we've experienced issues with file permissions. Regarding the choice of directories, we went with `~/rpmbuild` because it's outside the Dangerzone source, and also because it's the default choice in Fedora [1]. [1]: https://github.com/rsrchboy/rpmdevtools/blob/3ae1eeafeeda19e7bcb4546300fe551fd879e0ca/rpmdev-setuptree#L60 Closes #727
When building the Dangerzone RPMs, we were seeing the following shebang
warnings:
+ /usr/lib/rpm/redhat/brp-mangle-shebangs
mangling shebang in /usr/lib/python3.12/site-packages/dangerzone/conversion/doc_to_pixels.py from /usr/bin/env python3 to #!/usr/bin/python3
mangling shebang in /usr/lib/python3.12/site-packages/dangerzone/conversion/common.py from /usr/bin/env python3 to #!/usr/bin/python3
mangling shebang in /usr/lib/python3.12/site-packages/dangerzone/conversion/pixels_to_pdf.py from /usr/bin/env python3 to #!/usr/bin/python3
mangling shebang in /etc/qubes-rpc/dz.ConvertDev from /usr/bin/env python3 to #!/usr/bin/python3
mangling shebang in /etc/qubes-rpc/dz.Convert from /bin/sh to #!/usr/bin/sh
These warnings are benign in nature, but coupled with #727, they could
lead to incorrect file permissions.
Remove shebangs from the following files, since they are not executed
directly, but are imported instead:
dangerzone/conversion/common.py
dangerzone/conversion/doc_to_pixels.py
dangerzone/conversion/pixels_to_pdf.py
Also, accept the suggestions by Fedora (/bin/sh -> /usr/bin/sh,
/usr/bin/env python3 -> /usr/bin/python3) for the following files:
qubes/dz.Convert
qubes/dz.ConvertDev
Refs #727
When building the Dangerzone RPMs, we were seeing the following shebang
warnings:
+ /usr/lib/rpm/redhat/brp-mangle-shebangs
mangling shebang in /usr/lib/python3.12/site-packages/dangerzone/conversion/doc_to_pixels.py from /usr/bin/env python3 to #!/usr/bin/python3
mangling shebang in /usr/lib/python3.12/site-packages/dangerzone/conversion/common.py from /usr/bin/env python3 to #!/usr/bin/python3
mangling shebang in /usr/lib/python3.12/site-packages/dangerzone/conversion/pixels_to_pdf.py from /usr/bin/env python3 to #!/usr/bin/python3
mangling shebang in /etc/qubes-rpc/dz.ConvertDev from /usr/bin/env python3 to #!/usr/bin/python3
mangling shebang in /etc/qubes-rpc/dz.Convert from /bin/sh to #!/usr/bin/sh
These warnings are benign in nature, but coupled with #727, they could
lead to incorrect file permissions.
Remove shebangs from the following files, since they are not executed
directly, but are imported instead:
dangerzone/conversion/common.py
dangerzone/conversion/doc_to_pixels.py
dangerzone/conversion/pixels_to_pdf.py
Also, accept the suggestions by Fedora (/bin/sh -> /usr/bin/sh,
/usr/bin/env python3 -> /usr/bin/python3) for the following files:
qubes/dz.Convert
qubes/dz.ConvertDev
Refs #727
apyrgio
changed the title
While testing the produced RPMs for the 0.6.0 release, we stumbled upon this issue on Fedora 39 (Fedora 38 is also affected):
It seems that the produced RPMs have wrong permissions (current:
rw-------/600, expected:rw-r--r--/644), specifically on the following files:While rebuilding the RPMs, we see the following warnings in the logs:
We can see here that the files with the wrong permissions are the ones whose shebang has been mangled. The Fedora docs further explain this operation: https://docs.fedoraproject.org/en-US/packaging-guidelines/#_shebang_lines
What's interesting though is that this warning is not present in the CI job that builds RPMs, nor is it reproduced locally: https://github.com/freedomofpress/dangerzone/actions/runs/8041707585/job/21961324246#step:5:207.
The text was updated successfully, but these errors were encountered: