Re: www/serf install permissions fix

To: Greg Troxel <gdt%lexort.com@localhost>
Subject: Re: www/serf install permissions fix
From: "J. Lewis Muir" <jlmuir%imca-cat.org@localhost>
Date: Mon, 3 Apr 2017 15:56:39 -0500

On 03/30, J. Lewis Muir wrote:
> On 03/30, Greg Troxel wrote:
> > "J. Lewis Muir" <jlmuir%imca-cat.org@localhost> writes:
> > > Yet another approach might be to say that the macOS system tar is broken
> > > in that it preserves the permissions on extraction even though the "-p"
> > > option has *not* been given, and use the pkgsrc tar instead.  (I'm
> > > guessing here; maybe the pkgsrc tar behaves in the same way?)
> > 
> > I suspect that will end up being the right think.   You can change
> > definitions in tools/mk and/or manually test.
> 
> Hmm, pkgsrc-current's archivers/bsdtar (3.3.1) has the same problem when
> run as root:

[snip]

> Also, since I haven't stated it already, the macOS Sierra tar is bsdtar
> 2.8.3:
> 
> ===
> # /usr/bin/tar --version
> bsdtar 2.8.3 - libarchive 2.8.3
> ===
> 
> So, using the pkgsrc archivers/bsdtar instead of the macOS system bsdtar
> won't solve the problem.
> 
> I tried the same test on NetBSD 6 stable using the base system tar
> (i.e., /bin/tar), and it worked as expected.  That is, when run as root
> with umask 022, it did *not* create the extracted directories and files
> as group- and world-writable.  It also did not preserve the user and
> group IDs.

[snip]

> What should be done?  Try yet another pkgsrc tar (e.g., archivers/gtar)?
> Fix permissions after extraction (but, as you pointed out, there is the
> security issue with the window of group- and world-writable before the
> fix-up)?

I found that pax works as desired:

===
# ls -alF /pkg_comp/work/pkg/www/serf/work/serf-1.3.9
total 496
drwxr-xr-x  21 root  wheel    714 Aug 29  2016 ./
drwxr-xr-x  20 root  wheel    680 Apr  3 14:32 ../
-rw-r--r--   1 root  wheel  14372 Aug 29  2016 CHANGES
-rw-r--r--   1 root  wheel  11357 Aug 26  2007 LICENSE
-rw-r--r--   1 root  wheel    287 Sep 17  2015 NOTICE
-rw-r--r--   1 root  wheel   2842 Sep 17  2015 README
-rw-r--r--   1 root  wheel  17388 Sep 17  2015 SConstruct
-rw-r--r--   1 root  wheel    520 Oct 17  2015 STATUS
drwxr-xr-x  10 root  wheel    340 Aug 29  2016 auth/
drwxr-xr-x  21 root  wheel    714 Aug 29  2016 buckets/
drwxr-xr-x   5 root  wheel    170 Aug 29  2016 build/
-rw-r--r--   1 root  wheel  11892 Oct 17  2015 context.c
-rw-r--r--   1 root  wheel   5880 Aug 26  2007 design-guide.txt
-rw-r--r--   1 root  wheel   4380 Sep 17  2015 incoming.c
-rw-r--r--   1 root  wheel  58625 Oct 17  2015 outgoing.c
-rw-r--r--   1 root  wheel  39346 Sep 17  2015 serf.h
-rw-r--r--   1 root  wheel  21225 Sep 17  2015 serf_bucket_types.h
-rw-r--r--   1 root  wheel   8787 Sep 17  2015 serf_bucket_util.h
-rw-r--r--   1 root  wheel  15934 Sep 17  2015 serf_private.h
-rw-r--r--   1 root  wheel   7291 Sep 17  2015 ssltunnel.c
drwxr-xr-x  22 root  wheel    748 Aug 29  2016 test/
===

Here's a patch to make EXTRACT_USING default to pax on Darwin:

===
diff --git a/mk/defaults/mk.conf b/mk/defaults/mk.conf
index e656f0b..1856dca 100644
--- a/mk/defaults/mk.conf
+++ b/mk/defaults/mk.conf
@@ -525,10 +525,14 @@ PATCH_FUZZ_FACTOR?= -F0
 # Possible: any combination of packages
 # Default: not set

+.if ${OPSYS} == "Darwin"
+EXTRACT_USING?= pax
+.else
 EXTRACT_USING?= nbtar
+.endif
 # Use the specified tool to extract tar/ustar archives.
 # Possible: bsdtar, gtar, nbtar, pax
-# Default: nbtar
+# Default: pax on Darwin; nbtar on all other operating systems

 #FAILOVER_FETCH=
 # Perform a checksum at "make fetch" time.  If the checksum doesn't
===

(I didn't make the comment in mk/defaults/mk.conf explain *why* pax was
the default on Darwin.  I don't know what the feeling is on that as far
as whether it should be documented in the version control system or in
the code; my leaning is toward the former.)

If the above patch is accepted, the pkgsrc guide would also need to be
updated at

  https://www.netbsd.org/docs/pkgsrc/build.html

where it says in the extract phase section about the EXTRACT_USING
variable:

  This variable can be set to bsdtar, gtar, nbtar (which is the default
  value), pax, or an absolute pathname pointing to the command with
  which tar archives should be extracted.  It is preferred to choose
  bsdtar over gtar if NetBSD's pax-as-tar is not good enough.

That could instead say:

  This variable can be set to bsdtar, gtar, nbtar, pax, or an absolute
  pathname pointing to the command with which tar archives should be
  extracted.  On Darwin, the default is pax; on all other operating
  systems, the default is nbtar.  It is preferred to choose bsdtar over
  gtar if NetBSD's pax-as-tar is not good enough.

(If pax could be the default on all operating systems, then that would
be a simpler change and a simpler change to document. pax is part of
POSIX.1-2008 [1], whereas tar is not.  But I didn't want to change the
default on all operating systems since I didn't know what the fallout
might be from that.)

Thanks,

Lewis

[1] http://pubs.opengroup.org/onlinepubs/9699919799/utilities/pax.html

Follow-Ups:
- Re: www/serf install permissions fix
  - From: Greg Troxel

References:
- www/serf install permissions fix
  - From: J. Lewis Muir
- Re: www/serf install permissions fix
  - From: Greg Troxel
- Re: www/serf install permissions fix
  - From: J. Lewis Muir
- Re: www/serf install permissions fix
  - From: Greg Troxel
- Re: www/serf install permissions fix
  - From: J. Lewis Muir
- Re: www/serf install permissions fix
  - From: Greg Troxel
- Re: www/serf install permissions fix
  - From: J. Lewis Muir

Prev by Date: Re: Where is TOOLS_TAR set?
Next by Date: Re: Where is TOOLS_TAR set?
Previous by Thread: Re: www/serf install permissions fix
Next by Thread: Re: www/serf install permissions fix
Indexes:

Home | Main Index | Thread Index | Old Index