Bug #7591
Updated by Brett Smith about 9 years ago
On Ubuntu 14.04 and Debian 8, the .deb that fpm generates for httplib2 includes files that have 0640 permissions. This is true regardless of umask, and you can reproduce it without using any of our build code:

<pre>
brinstar % docker run --rm -ti arvados/build:ubuntu1404 /bin/bash
root@ed6e37a48ab0:/# . /etc/profile.d/rvm.sh
root@ed6e37a48ab0:/# cd tmp
root@ed6e37a48ab0:/tmp# fpm -s python -t deb httplib2
Debian packaging tools generally labels all files in /etc as config files, as mandated by policy, so fpm defaults to this behavior for deb packages. You can disable this default behavior with --deb-no-default-config-files flag {:level=>:warn}
Created package {:path=>"python-httplib2_0.9.2_all.deb"}
root@ed6e37a48ab0:/tmp# dpkg-deb -c python-httplib2_0.9.2_all.deb
drwx------ 0/0 0 2015-10-16 14:58 ./
drwxr-xr-x 0/0 0 2015-10-16 14:58 ./usr/
drwxr-xr-x 0/0 0 2015-10-16 14:58 ./usr/local/
drwxr-xr-x 0/0 0 2015-10-16 14:58 ./usr/local/lib/
drwxr-xr-x 0/0 0 2015-10-16 14:58 ./usr/local/lib/python2.7/
drwxr-xr-x 0/0 0 2015-10-16 14:58 ./usr/local/lib/python2.7/dist-packages/
drwxr-xr-x 0/0 0 2015-10-16 14:58 ./usr/local/lib/python2.7/dist-packages/httplib2-0.9.2.egg-info/
-rw-r----- 0/0 1 2015-10-16 14:58 ./usr/local/lib/python2.7/dist-packages/httplib2-0.9.2.egg-info/dependency_links.txt
-rw-r----- 0/0 9 2015-10-16 14:58 ./usr/local/lib/python2.7/dist-packages/httplib2-0.9.2.egg-info/top_level.txt
-rw-r----- 0/0 2272 2015-10-16 14:58 ./usr/local/lib/python2.7/dist-packages/httplib2-0.9.2.egg-info/PKG-INFO
-rw-r----- 0/0 790 2015-10-16 14:58 ./usr/local/lib/python2.7/dist-packages/httplib2-0.9.2.egg-info/SOURCES.txt
drwxr-xr-x 0/0 0 2015-10-16 14:58 ./usr/local/lib/python2.7/dist-packages/httplib2/
-rw-r----- 0/0 134862 2015-10-16 14:58 ./usr/local/lib/python2.7/dist-packages/httplib2/cacerts.txt
-rw-r--r-- 0/0 17255 2015-10-16 14:58 ./usr/local/lib/python2.7/dist-packages/httplib2/socks.pyc
-rw-r--r-- 0/0 71120 2015-10-16 14:58 ./usr/local/lib/python2.7/dist-packages/httplib2/__init__.py
-rw-r--r-- 0/0 18459 2015-10-16 14:58 ./usr/local/lib/python2.7/dist-packages/httplib2/socks.py
-rw-r--r-- 0/0 3822 2015-10-16 14:58 ./usr/local/lib/python2.7/dist-packages/httplib2/iri2uri.pyc
-rw-r--r-- 0/0 58381 2015-10-16 14:58 ./usr/local/lib/python2.7/dist-packages/httplib2/__init__.pyc
-rw-r--r-- 0/0 3828 2015-10-16 14:58 ./usr/local/lib/python2.7/dist-packages/httplib2/iri2uri.py
drwxr-xr-x 0/0 0 2015-10-16 14:58 ./usr/share/
drwxr-xr-x 0/0 0 2015-10-16 14:58 ./usr/share/doc/
drwxr-xr-x 0/0 0 2015-10-16 14:58 ./usr/share/doc/python-httplib2/
-rw-r--r-- 0/0 142 2015-10-16 14:58 ./usr/share/doc/python-httplib2/changelog.Debian.gz
root@ed6e37a48ab0:/tmp# umask 0022
</pre>

The fact that cacerts.txt and the .egg-info files aren't world-readable is a problem. It means that wherever this package is installed, non-root users can't use httplib2 (read: the Python Arvados API client).

If you build the package with umask 077, all the other files respect that (they have no permissions for group or world), but cacerts.txt and the .egg-info files are still 0640 exactly. Their permissions are being set explicitly.

These files have correct permissions on Ubuntu 12.04 and Debian 7.
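A build-time check for the symptom reported above, as an added example that is not part of the original bug report or the project's build code: it reads a `dpkg-deb -c` listing and reports every regular file whose mode lacks the world-read bit. The function names `check_world_readable` and `sample_listing` are hypothetical, and the sample input is three lines copied from the listing in the report.

```shell
#!/usr/bin/env bash
# Added example (not from the bug report). Reads a `dpkg-deb -c` listing on
# stdin and prints "<mode> <path>" for every regular file that is not
# world-readable. Returns 0 if all regular files are world-readable, else 1.
check_world_readable() {
  awk '
    # Listing columns: mode owner/group size date time path
    $1 ~ /^-/ && NF >= 6 {
      # Character 8 of the mode string is the "other" read bit.
      if (substr($1, 8, 1) != "r") {
        path = $6
        for (i = 7; i <= NF; i++) path = path " " $i   # paths with spaces
        print $1, path
        bad++
      }
    }
    END { exit (bad > 0) }
  '
}

# Constructed sample: three lines taken from the listing in the report.
sample_listing() {
  cat <<'EOF'
drwxr-xr-x 0/0 0 2015-10-16 14:58 ./usr/local/lib/python2.7/dist-packages/httplib2/
-rw-r----- 0/0 134862 2015-10-16 14:58 ./usr/local/lib/python2.7/dist-packages/httplib2/cacerts.txt
-rw-r--r-- 0/0 71120 2015-10-16 14:58 ./usr/local/lib/python2.7/dist-packages/httplib2/__init__.py
EOF
}

# Demonstration on the sample. Against a real package the call would be:
#   dpkg-deb -c python-httplib2_0.9.2_all.deb | check_world_readable || exit 1
sample_listing | check_world_readable \
  || echo "package contains files that are not world-readable"
```

Only regular files are checked; directory, symlink and hard-link entries in the listing are skipped.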