cmd/go: Downloaded zip file permissions in $GOMODCACHE/cache/download are too restrictive #52765
Labels: FrozenDueToAge, modules, NeedsInvestigation
`os.CreateTemp` in `downloadZip` creates files with 0600 permissions and as a consequence, after the final `os.Rename`, the downloaded zip files are left readable only by their owner.
Such restrictive permissions create problems in build/CI environments where `go mod download` is a separate step and performed under a distinct "download" user. For example, it makes it impossible to do `go mod verify` during the build stage, if the build stage is executed under a "build" user that is distinct from the "download" user.
It doesn't seem that making cached zip files readable by "group" and "others" (0644) would compromise cache integrity, but it would fix the above issue.