
conda should respect umask when installing package files (world-writable files) #12829

Closed
kenodegard opened this issue Jun 23, 2023 · 4 comments · Fixed by conda/conda-package-streaming#65
Assignees: kenodegard
Labels: in-progress (issue is actively being worked on), ¡security! (used to indicate a security vulnerability), severity::2 (critical; broken functionality with an unacceptably complex workaround), source::community (catch-all for issues filed by community members), type::bug (describes erroneous operation, use severity::* to classify the type)
Milestone: 23.7.0

Comments

@kenodegard (Contributor) commented Jun 23, 2023

What happened?

When packages are downloaded and extracted, their permissions are left as-is. This has caused select packages to contain world-writable files. While this is ultimately a packaging issue of sorts (permissions for files in a package should be set correctly during building), we need to guard against these mistakes during installation.

Furthermore, it's reasonable for us to adhere to the user's umask value instead of making assumptions.

Prior discussion: #7227 (comment)
Xref: #7057
Xref: #8200

Conda Details

conda info
     active environment : base
    active env location : /Users/kodegard/.conda/arm64/23.3.1/3.10
            shell level : 1
       user config file : /Users/kodegard/.condarc
 populated config files : /Users/kodegard/.condarc
          conda version : 23.5.0
    conda-build version : 3.25.0
         python version : 3.10.8.final.0
       virtual packages : __archspec=1=arm64
                          __osx=13.2.1=0
                          __unix=0=0
       base environment : /Users/kodegard/.conda/arm64/23.3.1/3.10  (writable)
      conda av data dir : /Users/kodegard/.conda/arm64/23.3.1/3.10/etc/conda
  conda av metadata url : None
           channel URLs : https://repo.anaconda.com/pkgs/main/osx-arm64
                          https://repo.anaconda.com/pkgs/main/noarch
                          https://repo.anaconda.com/pkgs/r/osx-arm64
                          https://repo.anaconda.com/pkgs/r/noarch
          package cache : /Users/kodegard/.conda/arm64/23.3.1/3.10/pkgs
                          /Users/kodegard/.conda/pkgs
       envs directories : /Users/kodegard/.conda/arm64/23.3.1/3.10/envs
                          /Users/kodegard/.conda/envs
               platform : osx-arm64
             user-agent : conda/23.5.0 requests/2.28.1 CPython/3.10.8 Darwin/22.3.0 OSX/13.2.1
                UID:GID : 501:20
             netrc file : None
           offline mode : False
conda config
==> /Users/kodegard/.condarc <==
auto_activate_base: False
auto_stack: 0
changeps1: False
conda list
# packages in environment at /Users/kodegard/.conda/arm64/23.3.1/3.10:
#
# Name                    Version                   Build  Channel
beautifulsoup4            4.12.2          py310hca03da5_0    defaults
boltons                   23.0.0          py310hca03da5_0    defaults
brotlipy                  0.7.0           py310h1a28f6b_1002    defaults
bzip2                     1.0.8                h620ffc9_4    defaults
c-ares                    1.19.0               h80987f9_0    defaults
ca-certificates           2023.05.30           hca03da5_0    defaults
cctools                   949.0.1             hc179dcd_25    defaults
cctools_osx-arm64         949.0.1             h332cad3_25    defaults
certifi                   2023.5.7        py310hca03da5_0    defaults
cffi                      1.15.1          py310h80987f9_3    defaults
chardet                   4.0.0           py310hca03da5_1003    defaults
charset-normalizer        2.0.4              pyhd3eb1b0_0    defaults
click                     8.0.4           py310hca03da5_0    defaults
conda                     23.5.0          py310hca03da5_0    defaults
conda-build               3.25.0          py310hca03da5_0    defaults
conda-content-trust       0.1.3           py310hca03da5_0    defaults
conda-index               0.2.3           py310hca03da5_0    defaults
conda-libmamba-solver     23.5.0          py310hca03da5_0    defaults
conda-package-handling    1.9.0           py310h1a28f6b_1    defaults
conda-package-streaming   0.8.0           py310hca03da5_0    defaults
cryptography              38.0.1          py310h834c97f_0    defaults
filelock                  3.9.0           py310hca03da5_0    defaults
fmt                       9.1.0                h48ca7d4_0    defaults
glob2                     0.7                pyhd3eb1b0_0    defaults
icu                       68.1                 hc377ac9_0    defaults
idna                      3.4             py310hca03da5_0    defaults
jinja2                    3.1.2           py310hca03da5_0    defaults
jsonpatch                 1.32               pyhd3eb1b0_0    defaults
jsonpointer               2.1                pyhd3eb1b0_0    defaults
krb5                      1.19.4               h8380606_0    defaults
ld64                      530                 hb29bf3f_25    defaults
ld64_osx-arm64            530                 h001ce53_25    defaults
ldid                      2.1.2                h64d1936_2    defaults
libarchive                3.6.2                h09f0540_1    defaults
libcurl                   7.88.1               h0f1d93c_0    defaults
libcxx                    14.0.6               h848a8c0_0    defaults
libedit                   3.1.20221030         h80987f9_0    defaults
libev                     4.33                 h1a28f6b_1    defaults
libffi                    3.4.2                hca03da5_6    defaults
libiconv                  1.16                 h1a28f6b_2    defaults
liblief                   0.12.3               h313beb8_0    defaults
libllvm14                 14.0.6               h7ec7a93_2    defaults
libmamba                  1.4.1                h48ca7d4_0    defaults
libmambapy                1.4.1           py310h48ca7d4_0    defaults
libnghttp2                1.46.0               h95c9599_0    defaults
libsolv                   0.7.22               h98b2900_0    defaults
libssh2                   1.10.0               hf27765b_0    defaults
libxml2                   2.10.3               h372ba2a_0    defaults
lz4-c                     1.9.4                h313beb8_0    defaults
markupsafe                2.1.1           py310h1a28f6b_0    defaults
more-itertools            8.12.0             pyhd3eb1b0_0    defaults
ncurses                   6.3                  h1a28f6b_3    defaults
openssl                   1.1.1t               h1a28f6b_0    defaults
packaging                 23.0            py310hca03da5_0    defaults
patch                     2.7.6             h1a28f6b_1001    defaults
pcre2                     10.37                h37e8eca_1    defaults
pip                       22.3.1          py310hca03da5_0    defaults
pkginfo                   1.9.6           py310hca03da5_0    defaults
pluggy                    1.0.0           py310hca03da5_1    defaults
psutil                    5.9.0           py310h1a28f6b_0    defaults
py-lief                   0.12.3          py310h313beb8_0    defaults
pybind11-abi              4                    hd3eb1b0_1    defaults
pycosat                   0.6.4           py310h1a28f6b_0    defaults
pycparser                 2.21               pyhd3eb1b0_0    defaults
pyopenssl                 22.0.0             pyhd3eb1b0_0    defaults
pysocks                   1.7.1           py310hca03da5_0    defaults
python                    3.10.8               hc0d8a6c_1    defaults
python-libarchive-c       2.9                pyhd3eb1b0_1    defaults
python.app                3               py310h1a28f6b_0    defaults
pytz                      2022.7          py310hca03da5_0    defaults
pyyaml                    6.0             py310h80987f9_1    defaults
readline                  8.2                  h1a28f6b_0    defaults
reproc                    14.2.4               hc377ac9_1    defaults
reproc-cpp                14.2.4               hc377ac9_1    defaults
requests                  2.28.1          py310hca03da5_0    defaults
ruamel.yaml               0.17.21         py310h1a28f6b_0    defaults
ruamel.yaml.clib          0.2.6           py310h1a28f6b_1    defaults
setuptools                65.5.0          py310hca03da5_0    defaults
six                       1.16.0             pyhd3eb1b0_1    defaults
soupsieve                 2.4             py310hca03da5_0    defaults
sqlite                    3.40.0               h7a7dc30_0    defaults
tapi                      1100.0.11            h8754e6a_1    defaults
tk                        8.6.12               hb8d0fd4_0    defaults
tomli                     2.0.1           py310hca03da5_0    defaults
toolz                     0.12.0          py310hca03da5_0    defaults
tqdm                      4.64.1          py310hca03da5_0    defaults
tzdata                    2022g                h04d1e81_0    defaults
urllib3                   1.26.13         py310hca03da5_0    defaults
wheel                     0.37.1             pyhd3eb1b0_0    defaults
xz                        5.2.10               h80987f9_1    defaults
yaml                      0.2.5                h1a28f6b_0    defaults
yaml-cpp                  0.7.0                hc377ac9_1    defaults
zlib                      1.2.13               h5a0b063_0    defaults
zstandard                 0.19.0          py310h80987f9_0    defaults
zstd                      1.5.5                hd90d995_0    defaults
@kenodegard kenodegard added the type::bug, source::community, severity::2, ¡security! and in-progress labels on Jun 23, 2023
@kenodegard kenodegard self-assigned this Jun 27, 2023
@beeankha beeankha added this to the 23.7.0 milestone Jun 27, 2023
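The extraction-time guard the issue asks for, as an added example that is not conda's or conda-package-streaming's own code: it writes a constructed package archive once with the archive modes kept as-is (the reported behaviour) and once with mode & ~umask applied, then runs the same group/world-writable scan as the `find -perm /022 ! -type l` check used later in this thread. The archive contents and the umask values are assumptions made for the demo.

```python
import io
import os
import stat
import tarfile
import tempfile

def extract(tar_bytes: bytes, dest: str, umask):
    # umask=None keeps the archive mode as-is (reported behaviour); an int applies mode & ~umask.
    written = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue  # links, devices and directories are out of scope for this example
            path = os.path.join(dest, member.name)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(tar.extractfile(member).read())
            mode = member.mode if umask is None else member.mode & 0o7777 & ~umask
            os.chmod(path, mode)  # set the final bits explicitly, independent of open()'s defaults
            written[member.name] = mode
    return written

def group_or_world_writable(root: str) -> list:
    # Same check as `find ROOT -perm /022 ! -type l`: files with the g+w or o+w bit set.
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISLNK(st.st_mode) and st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)

def sample_archive() -> bytes:
    # Constructed package archive: a tool shipped as 0777 and a data file shipped as 0666.
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, mode in (("bin/tool", 0o777), ("lib/data.txt", 0o666)):
            info = tarfile.TarInfo(name)
            info.size, info.mode = 7, mode
            tar.addfile(info, io.BytesIO(b"sample\n"))
    return buf.getvalue()

def compare(umask: int = 0o022) -> tuple:
    # Extract the sample twice; returns (offenders as shipped, offenders with the umask applied).
    with tempfile.TemporaryDirectory() as raw, tempfile.TemporaryDirectory() as masked:
        extract(sample_archive(), raw, None)
        extract(sample_archive(), masked, umask)
        return group_or_world_writable(raw), group_or_world_writable(masked)
```

Note that the scan is only as strict as the umask it is compared against: with a permissive umask such as 0002 the group-writable bit survives, which is exactly the case the config-level umask suggestion below is about.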
@katringoogoo commented

An input to this since I'm currently looking into it: it would be even greater to be able to specify a certain umask setting in the conda config. The background to this is that bigger installations could then have a central package folder that is updateable by the users by using e.g. a conda group and setgid flags on the necessary executables.

@j3mdamas commented

Tagging @dholth as the author of conda/conda-package-streaming#65
Tagging @kenodegard as the OP of this issue and reviewer of the PR

I have recently identified this issue in my conda installations and I think I tracked down the issue properly, but feel free to correct me.

I'm using the miniforge conda installer version 23.3.1 (Miniforge3-23.3.1-0-Linux-x86_64.sh). It installs versions of conda-package-handling and conda-package-streaming that should include the modification from the PR where the umask issue is fixed:

conda-package-handling    2.2.0              pyh38be061_0    conda-forge
conda-package-streaming   0.9.0              pyhd8ed1ab_0    conda-forge

My umask is:

$ umask -S
u=rwx,g=rx,o=rx

Yet, the umask is not respected and the group has write permissions over many files of the installation:

> ls -lgG $(find miniforge/ -perm /022 ! -type l | head)
-rw-rw-r-- 1  322 Aug 20 20:38 miniforge/pkgs/.constructor-build.info
-rw-rw-r-- 2 2594 Jun 24 00:59 miniforge/pkgs/python-3.10.12-hd12c33a_0_cpython/lib/python3.10/encodings/__pycache__/cp1140.cpython-310.pyc
-rw-rw-r-- 2 8759 Jun 24 00:59 miniforge/pkgs/python-3.10.12-hd12c33a_0_cpython/lib/python3.10/encodings/__pycache__/cp850.cpython-310.pyc
-rw-rw-r-- 2 2601 Jun 24 00:59 miniforge/pkgs/python-3.10.12-hd12c33a_0_cpython/lib/python3.10/encodings/__pycache__/cp875.cpython-310.pyc
-rw-rw-r-- 2 2603 Jun 24 00:59 miniforge/pkgs/python-3.10.12-hd12c33a_0_cpython/lib/python3.10/encodings/__pycache__/iso8859_4.cpython-310.pyc
-rw-rw-r-- 2 2644 Jun 24 00:59 miniforge/pkgs/python-3.10.12-hd12c33a_0_cpython/lib/python3.10/encodings/__pycache__/mac_turkish.cpython-310.pyc
-rw-rw-r-- 2 2571 Jun 24 00:59 miniforge/pkgs/python-3.10.12-hd12c33a_0_cpython/lib/python3.10/encodings/__pycache__/quopri_codec.cpython-310.pyc
-rw-rw-r-- 2 1640 Jun 24 00:59 miniforge/pkgs/python-3.10.12-hd12c33a_0_cpython/lib/python3.10/encodings/__pycache__/shift_jisx0213.cpython-310.pyc
-rw-rw-r-- 1 8610 Aug 20 20:38 miniforge/pkgs/urls
-rw-rw-r-- 1 6135 Aug 20 20:38 miniforge/pkgs/urls.txt

Am I missing some configuration to make it respect the umask? Or is there something else I am missing?
Thanks for your time.

@dholth (Contributor) commented Oct 26, 2023

I noticed the miniforge installer is bootstrapped with micromamba. Let's find out whether the permissions are from files created by conda-package-streaming, or some other software like micromamba or perhaps Python as it generates .pyc's. Try extracting your own Python conda package with cph and let us know whether the permissions are working as expected, or not.

cd ~/miniforge3/pkgs
mkdir cpython
cd cpython
~/miniforge3/bin/cph x --dest . ../python-3.10.12-h01493a6_0_cpython.conda

@j3mdamas commented Oct 26, 2023

Following your recipe, the contents of the cpython directory have the correct permissions.
So I guess I should go to miniforge repository and ask there :)
Thanks for the quick answer!
