
User, group and permissions in release tarballs

[Open] zickgraf opened this issue 3 years ago · 2 comments

Currently, the release tarballs (e.g. https://github.com/gap-system/gap/releases/download/v4.12.0/gap-4.12.0.tar.gz) contain user and group information:

drwx------ horn/110          0 2022-08-18 16:57 gap-4.12.0/pkg/

If one blindly extracts the tarball, this is unexpected on a single-user system and a security risk on a multi-user system, I think. Additionally, the pkg directory has permissions 700, which makes the installation unusable when starting GAP as a different user.

Suggestion: change user and group to numeric ID 0, and change the permissions of the pkg directory to 755.

zickgraf, Aug 19 '22 14:08
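As an added illustration of the two problems raised above (not code from the GAP project), the following Python script packs a release tree with ownership normalised to numeric 0/0 and directories forced to 0755, and audits an existing tarball for members that would still carry a named/non-root owner or a directory without group/other read+execute. The `gap-4.12.0/pkg` tree it builds is a constructed sample.

```python
import os
import tarfile
import tempfile

# Audit: report members whose ownership or mode would surprise a user who
# extracts the tarball elsewhere (non-root uid/gid, a named owner, or a
# directory that group/other cannot read and traverse).
def audit_tarball(path):
    findings = []
    with tarfile.open(path, "r:*") as tar:
        for m in tar.getmembers():
            if m.uid != 0 or m.gid != 0 or m.uname or m.gname:
                findings.append((m.name, "owner %s/%d:%s/%d"
                                 % (m.uname, m.uid, m.gname, m.gid)))
            if m.isdir() and (m.mode & 0o055) != 0o055:
                findings.append((m.name, "dir mode %04o" % m.mode))
    return findings

# Normaliser applied while packing: numeric uid/gid 0 with empty names, and
# directories set to 0755; files keep their bits minus group/other write.
def normalize(member):
    member.uid = member.gid = 0
    member.uname = member.gname = ""
    if member.isdir():
        member.mode = 0o755
    else:
        member.mode &= ~0o022
    return member

def build_tarball(src_dir, out_path, normalized=True):
    with tarfile.open(out_path, "w:gz") as tar:
        tar.add(src_dir, arcname=os.path.basename(src_dir),
                filter=normalize if normalized else None)
    return out_path

# Constructed demo: a release tree whose pkg/ directory was created 0700,
# like the gap-4.12.0/pkg/ entry quoted in the issue. Returns the audit
# findings for an as-is tarball and for a normalised one.
def demo():
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "gap-4.12.0")
        os.makedirs(os.path.join(root, "pkg"), mode=0o700)
        with open(os.path.join(root, "pkg", "README"), "w") as fh:
            fh.write("constructed sample file\n")
        raw = build_tarball(root, os.path.join(tmp, "raw.tar.gz"), False)
        fixed = build_tarball(root, os.path.join(tmp, "fixed.tar.gz"))
        return audit_tarball(raw), audit_tarball(fixed)

if __name__ == "__main__":
    raw_findings, fixed_findings = demo()
    print("as packed:", raw_findings)
    print("normalised:", fixed_findings)
```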

This is an unfortunate side effect of the workaround for https://github.com/gap-system/gap/issues/5011 . Now that the .exe was built we could just restore the correct .tar.gz.

However I disagree that this is a security issue. Blindly extracting tarballs is the real security issue.

fingolfin, Aug 19 '22 16:08

> This is an unfortunate side effect of the workaround for #5011 . Now that the .exe was built we could just restore the correct .tar.gz.

Ah, I see. From my side we can close this issue if you don't think this has additional value over the existing issue.

> Blindly extracting tarballs is the real security issue.

I definitely agree :D

zickgraf, Aug 19 '22 16:08

Another related bug: the permissions for the pkg dir in the tarball are 0700. We should of course ensure they are 0755.

fingolfin, Oct 11 '22 21:10