Add zkg_umask to Manager

Add zkg_umask to Manager and apply that mask when unbundling or building.
zeek · Jul 27, 2024 · 1ff7c78 · 1ff7c78
1 parent 843a79f
commit 1ff7c78
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 9 deletions.
diff --git a/testing/baselines/tests.bundle-permissions/unbundle.out b/testing/baselines/tests.bundle-permissions/unbundle.out
@@ -7,7 +7,7 @@ drwxr-xr-x state/clones/package/rot13/.git
 -rw-r--r-- state/clones/package/rot13/Makefile
 -rw-r--r-- state/clones/package/rot13/README
 -rw-r--r-- state/clones/package/rot13/VERSION
-drwxr-x--- state/clones/package/rot13/build
+drwxr-xr-x state/clones/package/rot13/build
 -rwxr-xr-x state/clones/package/rot13/configure
 -rw-r--r-- state/clones/package/rot13/configure.plugin
 drwxr-xr-x state/clones/package/rot13/scripts

diff --git a/zeekpkg/_util.py b/zeekpkg/_util.py
@@ -85,7 +85,7 @@ def zkg_tarfile_create(basedir):
     return tar_name
 
 
-def zkg_tarfile_extractall(tfile, destdir):
+def zkg_tarfile_extractall(tfile, destdir, umask=None):
     """Wrapper to tarfile.extractall() using our filter that calls data_filter.
 
     This adds a lot of sanity checking for the tar file.
@@ -103,10 +103,17 @@ def zkg_tarfile_extractall(tfile, destdir):
     """
 
     with tarfile.open(tfile) as tar:
-        tar.extractall(destdir, filter=zkg_tarfile_extract_filter)
+        tar.extractall(
+            destdir,
+            filter=lambda member, dest_path: zkg_tarfile_extract_filter(
+                member,
+                dest_path,
+                umask=umask,
+            ),
+        )
 
 
-def zkg_update_perms(member, extract):
+def zkg_update_perms(member, extract, umask=None):
     """Returns a dict of attributes that should be modified on member to result in our
     desired permissions set. If extract is set, we set owner/group to None, otherwise
     they are set to root/root.
@@ -116,11 +123,17 @@ def zkg_update_perms(member, extract):
 
         extract (bool): whether or not we are extracting
 
+        umask (integer): optional umask to apply
+
     Returns:
         dict: member attributes to be replaced and their new values
     """
 
     new_attrs = {}
+
+    if umask is None:
+        umask = 0
+
     # we are doing our own thing with `mode` here
     mode = member.mode
     if member.isreg() or member.islnk():
@@ -137,7 +150,9 @@ def zkg_update_perms(member, extract):
     else:
         raise Exception("unexpected special files in tarfile")
 
-    new_attrs["mode"] = mode
+    apply_mask = ~umask & 0o777
+    effective = mode & apply_mask
+    new_attrs["mode"] = effective
 
     if extract:
         new_attrs["uid"] = new_attrs["gid"] = None
@@ -164,11 +179,11 @@ def zkg_tarfile_create_filter(member):
     return member.replace(deep=False, **new_attrs)
 
 
-def zkg_tarfile_extract_filter(member, dest_path):
+def zkg_tarfile_extract_filter(member, dest_path, umask=None):
     # we are uncompressing, so do more sanity checking
     new_member = tarfile.data_filter(member, dest_path)
 
-    new_attrs = zkg_update_perms(member, extract=True)
+    new_attrs = zkg_update_perms(member, extract=True, umask=umask)
 
     return new_member.replace(**new_attrs)
 

diff --git a/zeekpkg/manager.py b/zeekpkg/manager.py
@@ -265,6 +265,8 @@ def __init__(
             IOError: when a package manager state file can't be created
         """
         LOG.debug("init Manager version %s", __version__)
+        # TODO: make this umask user-configurable
+        self.zkg_umask = 0o022
         self.sources = {}
         self.installed_pkgs = {}
         self._builtin_packages = None  # Cached Zeek built-in packages.
@@ -1775,7 +1777,7 @@ def bundle_info(self, bundle_file):
         infos = []
 
         try:
-            zkg_tarfile_extractall(bundle_file, bundle_dir)
+            zkg_tarfile_extractall(bundle_file, bundle_dir, umask=self.zkg_umask)
         except Exception as error:
             return (str(error), infos)
 
@@ -2461,7 +2463,7 @@ def unbundle(self, bundle_file):
         make_dir(bundle_dir)
 
         try:
-            zkg_tarfile_extractall(bundle_file, bundle_dir)
+            zkg_tarfile_extractall(bundle_file, bundle_dir, umask=self.zkg_umask)
         except Exception as error:
             return str(error)
 
@@ -2746,6 +2748,11 @@ def _stage(self, package, version, clone, stage, env=None):
                 build_command,
             )
             bufsize = 4096
+
+            def set_umask():
+                """Set the umask for spawned process"""
+                os.umask(self.zkg_umask)
+
             build = subprocess.Popen(
                 build_command,
                 shell=True,
@@ -2754,6 +2761,7 @@ def _stage(self, package, version, clone, stage, env=None):
                 bufsize=bufsize,
                 stdout=subprocess.PIPE,
                 stderr=subprocess.PIPE,
+                preexec_fn=set_umask,
             )
 
             try: