Re: [lmi] [lmi-commits] master d9f9099 2/2: Generally force group permis


From: Vadim Zeitlin
Subject: Re: [lmi] [lmi-commits] master d9f9099 2/2: Generally force group permissions to match user permissions
Date: Wed, 20 Oct 2021 16:47:58 +0200

On Wed, 20 Oct 2021 09:51:54 -0400 (EDT) Greg Chicares 
<gchicares@sbcglobal.net> wrote:

GC> branch: master
GC> commit d9f9099b1ea701c5baa5fbeb21745b854ea3d01a
GC> Author: Gregory W. Chicares <gchicares@sbcglobal.net>
GC> Commit: Gregory W. Chicares <gchicares@sbcglobal.net>
GC> 
GC>     Generally force group permissions to match user permissions
GC>     
GC>     In a chroot that is to be shared by multiple developers using the same
GC>     $prefix, files in that $prefix should have the same permissions for the
GC>     developers' common group as for each user individually. Otherwise, some
GC>     files created by one user might not be modifiable by another. Generally
GC>     the permissions are already correct in a chroot created by lmi scripts,
GC>     but autotools-generated files are an exception because they don't heed
GC>     directories' GID bits.
GC>     
GC>     It can of course be argued that each user should use its own prefix.
GC> ---
GC>  gwc/install_posix.sh | 13 +++++++++++--
GC>  install_msw.sh       | 13 +++++++++++--
GC>  2 files changed, 22 insertions(+), 4 deletions(-)
GC> 
GC> diff --git a/gwc/install_posix.sh b/gwc/install_posix.sh
GC> index 21b562b..475a779 100755
GC> --- a/gwc/install_posix.sh
GC> +++ b/gwc/install_posix.sh
GC> @@ -154,8 +154,17 @@ done
GC>  
GC>  # GID should be the same for all files.
GC>  find /opt/lmi/ -not -group "$(id -gn "$(logname)")" -print
GC> -# User and group write permissions should be the same.
GC> -find /opt/lmi -perm -200 -not -perm -020 -print0 | xargs --no-run-if-empty 
-0 ls -ld
GC> +# User and group permissions should be the same throughout $(prefix).
GC> +# For each file that doesn't conform to that rule, list its name (to
GC> +# make any systematic pattern clearer--for example, files generated
GC> +# by autotools seem to ignore their directories' GIDs), and fix the
GC> +# problem:
GC> +find . \
GC> +  -type f \
GC> +  \( -perm -u+r ! -perm -g+r \
GC> +  -o -perm -u+w ! -perm -g+w \
GC> +  -o -perm -u+x ! -perm -g+x \
GC> +  \) -print0 | xargs --null --verbose --no-run-if-empty chmod g=u
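
Review bot: the added "find ." starts from whatever the current directory is at this point in the script, whereas the unchanged check just above it names "/opt/lmi/" explicitly and the new comment says the rule holds throughout the prefix. The removed command only listed files with "ls -ld", but this one pipes into "chmod g=u", so a wrong working directory now changes modes instead of merely printing an unexpected list. Consider naming the tree explicitly, e.g. "find /opt/lmi -type f \", to match the neighbouring check and make the command independent of where it is run.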

 I could be missing something, but the expression above doesn't seem to
catch all the files for which user and group permissions differ as it
doesn't cover group-writable but not user-writable files, for example.
Granted, it should be pretty rare to have _more_ permissions available to
the group than to the user, but I still find it slightly confusing that the
comment says that they should be the same, but the expression just checks
for the group permissions including the user ones, so I think it might be
worth updating the comment.

 How to check that the user and group permissions are actually equal is an
interesting exercise. The most straightforward solution I see is to use "ls
-lR" and filter out the lines matching "^-(...)\1" or maybe use "find .
-type f | xargs stat -c '%c %n' | grep -vE '^(.)\1'", not sure if there is
a better way to do it.

 Regards,
VZ
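
One way to run the equality check discussed in the reply above, added here as an example and not taken from the lmi scripts or from either author: it extends the find expression in the quoted patch so that each of r, w and x is tested in both directions. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the lmi scripts.

# Regular files under $1 whose user and group rwx bits differ in
# either direction, one path per line.
list_ug_mismatch() {
    find "$1" -type f \( \
           -perm -u+r ! -perm -g+r -o -perm -g+r ! -perm -u+r \
        -o -perm -u+w ! -perm -g+w -o -perm -g+w ! -perm -u+w \
        -o -perm -u+x ! -perm -g+x -o -perm -g+x ! -perm -u+x \
    \) -print | sort
}

# Subset where the group holds a bit the user lacks: the case that a
# "user bit set, group bit clear" test alone does not report.
list_group_exceeds_user() {
    find "$1" -type f \( \
           -perm -g+r ! -perm -u+r \
        -o -perm -g+w ! -perm -u+w \
        -o -perm -g+x ! -perm -u+x \
    \) -print | sort
}

# Constructed sample tree: each file name encodes the octal mode it gets.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    for m in 640 660 460 755 775 570; do
        : > "$d/f$m" && chmod "$m" "$d/f$m" || return 1
    done
    printf '%s\n' "$d"
}

tree=$(make_sample_tree)
echo "user/group mismatch:"; list_ug_mismatch "$tree"
echo "group exceeds user:";  list_group_exceeds_user "$tree"
rm -rf "$tree"
```

Reviewing the second list before any "chmod g=u" shows which files would have group permissions reduced rather than extended.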
