Message12924

Author	jeff.allen
Recipients	jeff.allen, kseifried, zyasoft
Date	2020-01-26.13:38:38
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1580045919.13.0.879621903382.issue2044@roundup.psfhosted.org>
In-reply-to

Content
I have a fix for this that will make private (rw to the owner only) compiled classes and the package cache, however permissive the umask. This does not affect files created by Python applications in general. A user (or administrator) setting umask 0 is asking for trouble, and the system is only giving him what he asked for. However, he may have wanted permissive settings on files created by the application in a particular run, and be unaware of retained compiled files and the package cache then affecting later invocations. So I appreciate the argument in favour of restricting those files. Observations on Linux, before the fix: jeff@nahum:~/dev/jython-trunk$ umask 0 jeff@nahum:~/dev/jython-trunk$ ant jeff@nahum:~/dev/jython-trunk$ ls -lG dist/Lib/as.class -rw-rw-rw- 1 jeff 26339 Jan 26 13:15 'dist/Lib/ast$py.class' -rw-rw-rw- 1 jeff 18772 Jan 26 13:15 'dist/Lib/asynchat$py.class' -rw-rw-rw- 1 jeff 37578 Jan 26 13:15 'dist/Lib/asyncore$py.class' jeff@nahum:~/dev/jython-trunk$ dist/bin/jython -c "67" jeff@nahum:~/dev/jython-trunk$ ls -lG dist/cachedir/packages/p* -rw-rw-rw- 1 jeff 7592 Jan 26 13:19 dist/cachedir/packages/packages.idx -rw-rw-rw- 1 jeff 4310 Jan 26 13:19 dist/cachedir/packages/postgresql-42.1.1.jre7.pkc -rw-rw-rw- 1 jeff 1431 Jan 26 13:19 dist/cachedir/packages/profile.pkc The class files are those created by compilation during the build. On the patched version: jeff@nahum:~/jydev/Jython20200126$ umask 0 jeff@nahum:~/jydev/Jython20200126$ ant jeff@nahum:~/jydev/Jython20200126$ ls -lG dist/Lib/as.class -rw------- 1 jeff 26339 Jan 26 13:16 'dist/Lib/ast$py.class' -rw------- 1 jeff 18772 Jan 26 13:16 'dist/Lib/asynchat$py.class' -rw------- 1 jeff 37578 Jan 26 13:16 'dist/Lib/asyncore$py.class' jeff@nahum:~/jydev/Jython20200126$ dist/bin/jython -c "67" jeff@nahum:~/jydev/Jython20200126$ ls -lG dist/cachedir/packages/p* -rw------- 1 jeff 8008 Jan 26 13:24 dist/cachedir/packages/packages.idx -rw------- 1 jeff 4314 Jan 26 13:24 dist/cachedir/packages/postgresql-42.1.1.jre7.pkc -rw------- 1 jeff 1435 Jan 26 13:24 dist/cachedir/packages/profile.pkc I'll give some thought to the location of the package cache as a separate step. Obviously no shared installation location should be writable by general users, so if it is not relocated to user storage, presumably it is ineffective?

I have a fix for this that will make private (rw to the owner only) compiled classes and the package cache, however permissive the umask. This does not affect files created by Python applications in general.

A user (or administrator) setting umask 0 is asking for trouble, and the system is only giving him what he asked for. However, he may have wanted permissive settings on files created by the application in a particular run, and be unaware of retained compiled files and the package cache then affecting later invocations. So I appreciate the argument in favour of restricting those files.

Observations on Linux, before the fix:

jeff@nahum:~/dev/jython-trunk$ umask 0
jeff@nahum:~/dev/jython-trunk$ ant
jeff@nahum:~/dev/jython-trunk$ ls -lG dist/Lib/as*.class
-rw-rw-rw- 1 jeff 26339 Jan 26 13:15 'dist/Lib/ast$py.class'
-rw-rw-rw- 1 jeff 18772 Jan 26 13:15 'dist/Lib/asynchat$py.class'
-rw-rw-rw- 1 jeff 37578 Jan 26 13:15 'dist/Lib/asyncore$py.class'
jeff@nahum:~/dev/jython-trunk$ dist/bin/jython -c "6*7"
jeff@nahum:~/dev/jython-trunk$ ls -lG dist/cachedir/packages/p*
-rw-rw-rw- 1 jeff 7592 Jan 26 13:19 dist/cachedir/packages/packages.idx
-rw-rw-rw- 1 jeff 4310 Jan 26 13:19 dist/cachedir/packages/postgresql-42.1.1.jre7.pkc
-rw-rw-rw- 1 jeff 1431 Jan 26 13:19 dist/cachedir/packages/profile.pkc

The class files are those created by compilation during the build. On the patched version:

jeff@nahum:~/jydev/Jython20200126$ umask 0
jeff@nahum:~/jydev/Jython20200126$ ant
jeff@nahum:~/jydev/Jython20200126$ ls -lG dist/Lib/as*.class
-rw------- 1 jeff 26339 Jan 26 13:16 'dist/Lib/ast$py.class'
-rw------- 1 jeff 18772 Jan 26 13:16 'dist/Lib/asynchat$py.class'
-rw------- 1 jeff 37578 Jan 26 13:16 'dist/Lib/asyncore$py.class'
jeff@nahum:~/jydev/Jython20200126$ dist/bin/jython -c "6*7"
jeff@nahum:~/jydev/Jython20200126$ ls -lG dist/cachedir/packages/p*
-rw------- 1 jeff 8008 Jan 26 13:24 dist/cachedir/packages/packages.idx
-rw------- 1 jeff 4314 Jan 26 13:24 dist/cachedir/packages/postgresql-42.1.1.jre7.pkc
-rw------- 1 jeff 1435 Jan 26 13:24 dist/cachedir/packages/profile.pkc

I'll give some thought to the location of the package cache as a separate step. Obviously no shared installation location should be writable by general users, so if it is not relocated to user storage, presumably it is ineffective?

History
Date	User	Action	Args
2020-01-26 13:38:39	jeff.allen	set	messageid: <1580045919.13.0.879621903382.issue2044@roundup.psfhosted.org>
2020-01-26 13:38:39	jeff.allen	set	recipients: + jeff.allen, zyasoft, kseifried
2020-01-26 13:38:39	jeff.allen	link	issue2044 messages
2020-01-26 13:38:38	jeff.allen	create