From jhein@gossamer.timing.com  Sun Nov 14 02:42:23 2010
Return-Path: <jhein@gossamer.timing.com>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id E2C21106566B;
	Sun, 14 Nov 2010 02:42:23 +0000 (UTC)
	(envelope-from jhein@gossamer.timing.com)
Received: from mout.perfora.net (mout.perfora.net [74.208.4.195])
	by mx1.freebsd.org (Postfix) with ESMTP id B0C6A8FC13;
	Sun, 14 Nov 2010 02:42:23 +0000 (UTC)
Received: from gossamer.timing.com ([206.168.13.144])
	by mrelay.perfora.net (node=mrus4) with ESMTP (Nemesis)
	id 0LtZUK-1OYSdw3zCW-010mpQ; Sat, 13 Nov 2010 21:42:20 -0500
Message-Id: <19679.19592.137826.440864@gossamer.timing.com>
Date: Sat, 13 Nov 2010 19:42:16 -0700
From: John Hein <jhein@symmetricom.com>
To: FreeBSD-gnats-submit@freebsd.org
Cc: python@freebsd.org
Subject: [patch] fix installed permissions for lang/python27

>Number:         152224
>Category:       ports
>Synopsis:       [patch] fix installed permissions for lang/python27
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-python
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Sun Nov 14 02:50:08 UTC 2010
>Closed-Date:    Thu Jun 14 06:05:51 UTC 2012
>Last-Modified:  Thu Jun 14 06:10:01 UTC 2012
>Originator:     John Hein
>Release:        
>Organization:
>Environment:


>Description:

The distribution tarball for python 2.7 has permission bits for 'others'
set to 0 for the entire tarball.

During install, lang/python27 copies Tools and Demo (using tar) to the installed
prefix.  Because of the tarball permissions, this renders them readable only by
the installer (usually uid 0) or members of the installer's group (usually gid 0).

Furthermore, the tar during post-install does not use --no-same-owner,
so the installed files are owned by the builder, which often is not
root.  If using INSTALL_AS_USER, this doesn't matter.  But if not
using INSTALL_AS_USER (which is more common), then the common
'make && sudo make install' sequence (or some similar equivalent) will
cause the files to be writable by the building user.

While this probably doesn't matter that much (that just means the
build user will be able to write to files that were installed by root,
and more than likely the build user is trusted), it's more correct to
have them owned by the installer (usually uid 0).

The --no-same-owner fix should also be applied to lang/python2X (where
X < 7) as well.

The distribution tarball fix is not necessary for python26 (I didn't
look further back than that) which has more normal permissions in its
distribution tarball.


>How-To-Repeat:
>Fix:

Fix permissions of extracted tarball for pieces that are copied
during post-inastll.

Use tar --no-same-owner during post-install to ensure copied files
are owned by install user.

--- Makefile.orig	2010-09-05 18:25:04.000000000 -0600
+++ Makefile	2010-11-13 19:39:03.000000000 -0700
@@ -146,6 +146,13 @@
 CONFIGURE_ARGS+=	--with-fpectl
 .endif
 
+post-extract:
+# The distribution tarball for python 2.7 has permission bits for 'others'
+# set to 0.  Later during install, we copy Tools and Demo to the installed
+# prefix, so set them right here.
+	${FIND} ${WRKSRC}/Tools ${WRKSRC}/Demo -type d | ${XARGS} ${CHMOD} a+rx
+	${FIND} ${WRKSRC}/Tools ${WRKSRC}/Demo -type f | ${XARGS} ${CHMOD} a+r
+
 pre-patch:
 	${CP} -r ${PATCH_WRKSRC}/Lib/plat-freebsd8 \
 		${PATCH_WRKSRC}/Lib/plat-freebsd9
@@ -260,12 +267,12 @@
 .if !defined(NOPORTDATA)
 	@${MKDIR} ${DATADIR}
 	@cd ${PYTHON_WRKSRC}; ${TAR} -cf - Tools | \
-		(cd ${DATADIR}; ${TAR} -xf -)
+		(cd ${DATADIR}; ${TAR} --no-same-owner -xf -)
 .endif
 .if !defined(NOPORTEXAMPLES)
 	@${MKDIR} ${EXAMPLESDIR}
 	@cd ${PYTHON_WRKSRC}/Demo; ${TAR} -cf - * | \
-		(cd ${EXAMPLESDIR}; ${TAR} -xf -)
+		(cd ${EXAMPLESDIR}; ${TAR} --no-same-owner -xf -)
 .endif
 
 	@${CAT} ${PKGMESSAGE}

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-ports-bugs->freebsd-python 
Responsible-Changed-By: edwin 
Responsible-Changed-When: Sun Nov 14 02:50:15 UTC 2010 
Responsible-Changed-Why:  
Over to maintainer (via the GNATS Auto Assign Tool) 

http://www.freebsd.org/cgi/query-pr.cgi?pr=152224 

From: Anonymous <swell.k@gmail.com>
To: John Hein <jhein@symmetricom.com>
Cc: bug-followup@FreeBSD.org
Subject: Re: ports/152224: [patch] fix installed permissions for lang/python27
Date: Sun, 14 Nov 2010 07:04:09 +0300

 John Hein <jhein@symmetricom.com> writes:
 
 [...]
 > Fix permissions of extracted tarball for pieces that are copied
 > during post-inastll.
 >
 > Use tar --no-same-owner during post-install to ensure copied files
 > are owned by install user.
 
 I'm not sure `--no-same-owner' is available on 6.x, better use `-o'.
 
 > +post-extract:
 > +# The distribution tarball for python 2.7 has permission bits for 'others'
 > +# set to 0.  Later during install, we copy Tools and Demo to the installed
 > +# prefix, so set them right here.
 > +	${FIND} ${WRKSRC}/Tools ${WRKSRC}/Demo -type d | ${XARGS} ${CHMOD} a+rx
 > +	${FIND} ${WRKSRC}/Tools ${WRKSRC}/Demo -type f | ${XARGS} ${CHMOD} a+r
 > +
 
 This can be reduced to one command
 
   ${FIND} ${WRKSRC}/Tools ${WRKSRC}/Demo \
               -type d -exec ${CHMOD} a+rx {} + \
           -or -type f -exec ${CHMOD} a+r  {} +

From: John Hein <jhein@symmetricom.com>
To: Anonymous <swell.k@gmail.com>,
    bug-followup@FreeBSD.org
Cc:  
Subject: Re: ports/152224: [patch] fix installed permissions for lang/python27
Date: Sun, 14 Nov 2010 15:19:33 -0700

 --CJa2am+ero
 Content-Type: text/plain; charset=us-ascii
 Content-Description: message body text
 Content-Transfer-Encoding: 7bit
 
 John Hein wrote at 10:49 MST on Nov 14, 2010:
  > Anonymous wrote at 07:04 +0300 on Nov 14, 2010:
  >  > John Hein <jhein@symmetricom.com> writes:
  >  > 
  >  > [...]
  >  > > Fix permissions of extracted tarball for pieces that are copied
  >  > > during post-inastll.
  >  > >
  >  > > Use tar --no-same-owner during post-install to ensure copied files
  >  > > are owned by install user.
  >  > 
  >  > I'm not sure `--no-same-owner' is available on 6.x, better use `-o'.
 
 Yes, I checked tar compatibility.
 --no-same-owner is available... in gnu tar available in
 6.x's base or a port and if someone has installed bsdtar from ports.
 bsd.port.mk uses it, too.
 
 
  >  > > +post-extract:
  >  > > +# The distribution tarball for python 2.7 has permission bits for 'others'
  >  > > +# set to 0.  Later during install, we copy Tools and Demo to the installed
  >  > > +# prefix, so set them right here.
  >  > > +	${FIND} ${WRKSRC}/Tools ${WRKSRC}/Demo -type d | ${XARGS} ${CHMOD} a+rx
  >  > > +	${FIND} ${WRKSRC}/Tools ${WRKSRC}/Demo -type f | ${XARGS} ${CHMOD} a+r
  >  > > +
  >  > 
  >  > This can be reduced to one command
  >  > 
  >  >   ${FIND} ${WRKSRC}/Tools ${WRKSRC}/Demo \
  >  >               -type d -exec ${CHMOD} a+rx {} + \
  >  >           -or -type f -exec ${CHMOD} a+r  {} +
 
 Indeed, good idea... updated patch:
 
 
 --CJa2am+ero
 Content-Type: text/plain; name="p"
 Content-Description: fix installed permissions for lang/python27
 Content-Disposition: inline;
 	filename="p"
 Content-Transfer-Encoding: 7bit
 
 Index: Makefile
 ===================================================================
 RCS file: /base/FreeBSD-CVS/ports/lang/python27/Makefile,v
 retrieving revision 1.169
 diff -u -p -r1.169 Makefile
 --- Makefile	6 Sep 2010 00:25:04 -0000	1.169
 +++ Makefile	14 Nov 2010 22:16:27 -0000
 @@ -146,6 +146,14 @@ CONFIGURE_ARGS+=	--disable-ipv6
  CONFIGURE_ARGS+=	--with-fpectl
  .endif
  
 +post-extract:
 +# The distribution tarball for python 2.7 has permission bits for 'others'
 +# set to 0.  Later during install, we copy Tools and Demo to the installed
 +# prefix, so set them right here.
 +	${FIND} ${WRKSRC}/Tools ${WRKSRC}/Demo \
 +		-type d -exec ${CHMOD} a+rx {} + \
 +		-or -type f -exec ${CHMOD} a+r  {} +
 +
  pre-patch:
  	${CP} -r ${PATCH_WRKSRC}/Lib/plat-freebsd8 \
  		${PATCH_WRKSRC}/Lib/plat-freebsd9
 @@ -260,12 +268,12 @@ post-install:
  .if !defined(NOPORTDATA)
  	@${MKDIR} ${DATADIR}
  	@cd ${PYTHON_WRKSRC}; ${TAR} -cf - Tools | \
 -		(cd ${DATADIR}; ${TAR} -xf -)
 +		(cd ${DATADIR}; ${TAR} --no-same-owner -xf -)
  .endif
  .if !defined(NOPORTEXAMPLES)
  	@${MKDIR} ${EXAMPLESDIR}
  	@cd ${PYTHON_WRKSRC}/Demo; ${TAR} -cf - * | \
 -		(cd ${EXAMPLESDIR}; ${TAR} -xf -)
 +		(cd ${EXAMPLESDIR}; ${TAR} --no-same-owner -xf -)
  .endif
  
  	@${CAT} ${PKGMESSAGE}
 
 --CJa2am+ero--

From: Oliver Fromme <olli@lurza.secnetix.de>
To: Anonymous <swell.k@gmail.com>, jhein@symmetricom.com,
        bug-followup@FreeBSD.org
Cc:  
Subject: Re: ports/152224: [patch] fix installed permissions for ?lang/python27
Date: Mon, 15 Nov 2010 18:35:40 +0100 (CET)

 Anonymous <swell.k@gmail.com> wrote:
  > John Hein <jhein@symmetricom.com> writes:
  > > +post-extract:
  > > +# The distribution tarball for python 2.7 has permission bits for 'others'
  > > +# set to 0.  Later during install, we copy Tools and Demo to the installed
  > > +# prefix, so set them right here.
  > > +    ${FIND} ${WRKSRC}/Tools ${WRKSRC}/Demo -type d | ${XARGS} ${CHMOD} a+rx
  > > +    ${FIND} ${WRKSRC}/Tools ${WRKSRC}/Demo -type f | ${XARGS} ${CHMOD} a+r
  > > +
  >  
  >  This can be reduced to one command
  >  
  >    ${FIND} ${WRKSRC}/Tools ${WRKSRC}/Demo \
  >                -type d -exec ${CHMOD} a+rx {} + \
  >            -or -type f -exec ${CHMOD} a+r  {} +
 
 It's unclear to me why you have to use find(1) at all.
 The following simple command should work equally well:
 
     ${CHMOD} -R og=u-w ${WRKSRC}/Tools ${WRKSRC}/Demo
 
 Best regards
    Oliver
 
 -- 
 Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing b. M.
 Handelsregister: Registergericht Muenchen, HRA 74606,  Geschftsfuehrung:
 secnetix Verwaltungsgesellsch. mbH, Handelsregister: Registergericht Mn-
 chen, HRB 125758,  Geschftsfhrer: Maik Bachmann, Olaf Erb, Ralf Gebhart
 
 FreeBSD-Dienstleistungen, -Produkte und mehr:  http://www.secnetix.de/bsd
 
 "We, the unwilling, led by the unknowing,
 are doing the impossible for the ungrateful.
 We have done so much, for so long, with so little,
 we are now qualified to do anything with nothing."
     -- Mother Teresa

From: John Hein <jhein@symmetricom.com>
To: Oliver Fromme <olli@lurza.secnetix.de>
Cc: Anonymous <swell.k@gmail.com>,
    python@FreeBSD.org,
    bug-followup@FreeBSD.org
Subject: Re: ports/152224: [patch] fix installed permissions for ?lang/python27
Date: Mon, 15 Nov 2010 11:21:06 -0700

 --9oaHwTfnCu
 Content-Type: text/plain; charset=us-ascii
 Content-Description: message body text
 Content-Transfer-Encoding: 7bit
 
 Oliver Fromme wrote at 18:35 +0100 on Nov 15, 2010:
  > Anonymous <swell.k@gmail.com> wrote:
  >  > John Hein <jhein@symmetricom.com> writes:
  >  > > +post-extract:
  >  > > +# The distribution tarball for python 2.7 has permission bits for 'others'
  >  > > +# set to 0.  Later during install, we copy Tools and Demo to the installed
  >  > > +# prefix, so set them right here.
  >  > > +    ${FIND} ${WRKSRC}/Tools ${WRKSRC}/Demo -type d | ${XARGS} ${CHMOD} a+rx
  >  > > +    ${FIND} ${WRKSRC}/Tools ${WRKSRC}/Demo -type f | ${XARGS} ${CHMOD} a+r
  >  > > +
  >  >  
  >  >  This can be reduced to one command
  >  >  
  >  >    ${FIND} ${WRKSRC}/Tools ${WRKSRC}/Demo \
  >  >                -type d -exec ${CHMOD} a+rx {} + \
  >  >            -or -type f -exec ${CHMOD} a+r  {} +
  > 
  > It's unclear to me why you have to use find(1) at all.
  > The following simple command should work equally well:
  > 
  >     ${CHMOD} -R og=u-w ${WRKSRC}/Tools ${WRKSRC}/Demo
 
 Yes, that's better still and will work fine since the user bits are
 good in the tarball.  Updated patch (with a fix for the path, too)...
 
 
 --9oaHwTfnCu
 Content-Type: text/plain; name="p"
 Content-Description: just use chmod; fix path with PYTHON_WRKSRC
 Content-Disposition: inline;
 	filename="p"
 Content-Transfer-Encoding: 7bit
 
 Index: Makefile
 ===================================================================
 RCS file: /base/FreeBSD-CVS/ports/lang/python27/Makefile,v
 retrieving revision 1.169
 diff -u -p -r1.169 Makefile
 --- Makefile	6 Sep 2010 00:25:04 -0000	1.169
 +++ Makefile	15 Nov 2010 18:16:55 -0000
 @@ -146,6 +146,12 @@ CONFIGURE_ARGS+=	--disable-ipv6
  CONFIGURE_ARGS+=	--with-fpectl
  .endif
  
 +post-extract:
 +# The distribution tarball for python 2.7 has permission bits for 'others'
 +# set to 0.  Later during install, we copy Tools and Demo to the installed
 +# prefix, so set them right here.
 +	${CHMOD} og=u-w ${PYTHON_WRKSRC}/Tools ${PYTHON_WRKSRC}/Demo
 +
  pre-patch:
  	${CP} -r ${PATCH_WRKSRC}/Lib/plat-freebsd8 \
  		${PATCH_WRKSRC}/Lib/plat-freebsd9
 @@ -260,12 +266,12 @@ post-install:
  .if !defined(NOPORTDATA)
  	@${MKDIR} ${DATADIR}
  	@cd ${PYTHON_WRKSRC}; ${TAR} -cf - Tools | \
 -		(cd ${DATADIR}; ${TAR} -xf -)
 +		(cd ${DATADIR}; ${TAR} --no-same-owner -xf -)
  .endif
  .if !defined(NOPORTEXAMPLES)
  	@${MKDIR} ${EXAMPLESDIR}
  	@cd ${PYTHON_WRKSRC}/Demo; ${TAR} -cf - * | \
 -		(cd ${EXAMPLESDIR}; ${TAR} -xf -)
 +		(cd ${EXAMPLESDIR}; ${TAR} --no-same-owner -xf -)
  .endif
  
  	@${CAT} ${PKGMESSAGE}
 
 --9oaHwTfnCu--

From: John Hein <jhein@symmetricom.com>
To: bug-followup@FreeBSD.org
Cc: freebsd-python@FreeBSD.org
Subject: Re: ports/152224: [patch] fix installed permissions for lang/python27
Date: Sun, 28 Nov 2010 17:23:48 -0700

 --8qxSgvgPz6
 Content-Type: text/plain; charset=us-ascii
 Content-Description: message body text
 Content-Transfer-Encoding: 7bit
 
 This patch is still needed for python 2.7.1
 
 The 2.7.1 distribution tarball doesn't have 'other' permissions set,
 so the post-extract is still needed.
 
 The second part that uses --no-same-owner with tar in post-install is
 still needed in general to avoid having the installed files owned by
 the build user.  [As described in the original report, this is needed
 for at least python26 as well].
 
 
 --8qxSgvgPz6
 Content-Type: text/plain; name="p"
 Content-Description: fix permissions for lang/python27
 Content-Disposition: inline;
 	filename="p"
 Content-Transfer-Encoding: 7bit
 
 Index: Makefile
 ===================================================================
 RCS file: /base/FreeBSD-CVS/ports/lang/python27/Makefile,v
 retrieving revision 1.169
 diff -u -p -r1.169 Makefile
 --- Makefile	6 Sep 2010 00:25:04 -0000	1.169
 +++ Makefile	29 Nov 2010 00:15:42 -0000
 @@ -146,6 +146,12 @@ CONFIGURE_ARGS+=	--disable-ipv6
  CONFIGURE_ARGS+=	--with-fpectl
  .endif
  
 +post-extract:
 +# The distribution tarball for python 2.7 has permission bits for 'others'
 +# set to 0.  Later during install, we copy Tools and Demo to the installed
 +# prefix, so set them right here.
 +	${CHMOD} og=u-w ${PYTHON_WRKSRC}/Tools ${PYTHON_WRKSRC}/Demo
 +
  pre-patch:
  	${CP} -r ${PATCH_WRKSRC}/Lib/plat-freebsd8 \
  		${PATCH_WRKSRC}/Lib/plat-freebsd9
 @@ -260,12 +266,12 @@ post-install:
  .if !defined(NOPORTDATA)
  	@${MKDIR} ${DATADIR}
  	@cd ${PYTHON_WRKSRC}; ${TAR} -cf - Tools | \
 -		(cd ${DATADIR}; ${TAR} -xf -)
 +		(cd ${DATADIR}; ${TAR} --no-same-owner -xf -)
  .endif
  .if !defined(NOPORTEXAMPLES)
  	@${MKDIR} ${EXAMPLESDIR}
  	@cd ${PYTHON_WRKSRC}/Demo; ${TAR} -cf - * | \
 -		(cd ${EXAMPLESDIR}; ${TAR} -xf -)
 +		(cd ${EXAMPLESDIR}; ${TAR} --no-same-owner -xf -)
  .endif
  
  	@${CAT} ${PKGMESSAGE}
 
 --8qxSgvgPz6--
State-Changed-From-To: open->closed 
State-Changed-By: demon 
State-Changed-When: Thu Jun 14 06:05:19 UTC 2012 
State-Changed-Why:  
Patch committed, thanks! 
(you missed -R option to chmod in your patch ;) 

http://www.freebsd.org/cgi/query-pr.cgi?pr=152224 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: ports/152224: commit references a PR
Date: Thu, 14 Jun 2012 06:03:07 +0000 (UTC)

 demon       2012-06-14 06:02:52 UTC
 
   FreeBSD ports repository
 
   Modified files:
     lang/python27        Makefile 
   Log:
   Fix permissions for Tools and Demo folders.
   
   PR:             152224
   Submitted by:   John Hein <jhein@symmetricom.com>
   Silence from:   python@
   
   Revision  Changes    Path
   1.189     +8 -2      ports/lang/python27/Makefile
 _______________________________________________
 cvs-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/cvs-all
 To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
 
>Unformatted:
