cmd/go: Downloaded zip file permissions in $GOMODCACHE/cache/download are too restrictive #52765

Open
dmgk opened this issue May 7, 2022 · 3 comments
Labels: modules, NeedsInvestigation

@dmgk (Contributor) commented May 7, 2022

os.CreateTemp in downloadZip creates files with 0600 permissions and as a consequence, after the final os.Rename, the downloaded zip files are left readable only by their owner.

Such restrictive permissions create problems in build/CI environments where go mod download is a separate step and performed under a distinct "download" user. For example, it makes it impossible to do go mod verify during the build stage, if the build stage is executed under a "build" user that is distinct from the "download" user.

It doesn't seem that making cached zip files readable by "group" and "others" (0644) would compromise cache integrity, but it would fix the above issue.
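
The behaviour reported above, reproduced as an added example (not code from cmd/go or from the issue author): a file from `os.CreateTemp` keeps its 0600 mode across `os.Rename` unless it is chmod'ed first. `writeViaTemp` is a hypothetical helper, and Unix permission semantics are assumed.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// writeViaTemp writes data to a file from os.CreateTemp, then renames it to
// dir/name and returns the final permission bits. A non-zero mode is applied
// with Chmod before the rename. Hypothetical helper, not cmd/go code.
func writeViaTemp(dir, name string, data []byte, mode fs.FileMode) (fs.FileMode, error) {
	tmp, err := os.CreateTemp(dir, name+".tmp*") // created with mode 0600
	if err != nil {
		return 0, err
	}
	defer os.Remove(tmp.Name()) // fails harmlessly once the rename succeeded
	_, err = tmp.Write(data)
	if err == nil && mode != 0 {
		err = tmp.Chmod(mode) // sets the bits exactly; chmod ignores the umask
	}
	if cerr := tmp.Close(); err == nil {
		err = cerr
	}
	if err != nil {
		return 0, err
	}
	final := filepath.Join(dir, name)
	if err := os.Rename(tmp.Name(), final); err != nil { // rename keeps the mode
		return 0, err
	}
	info, err := os.Stat(final)
	if err != nil {
		return 0, err
	}
	return info.Mode().Perm(), nil
}

func main() {
	dir, err := os.MkdirTemp("", "modcache-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	for _, mode := range []fs.FileMode{0, 0o644} {
		perm, err := writeViaTemp(dir, fmt.Sprintf("m%o.zip", mode), []byte("constructed"), mode)
		fmt.Printf("requested %o -> final %o (err=%v)\n", mode, perm, err)
	}
}
```

Mode 0644 grants read access only, so a separate "build" user can read and hash the archive but cannot modify it.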

@seankhliao seankhliao closed this May 7, 2022
@seankhliao seankhliao reopened this May 7, 2022
@seankhliao (Contributor) commented May 7, 2022

Does the -modcacherw flag do what you want?
The cache is readonly by default because of tests: #27161 (comment)

@dmgk (Contributor, Author) commented May 7, 2022

No, -modcacherw sets cache directories permissions. This issue is about zip archives permissions.

@gopherbot commented May 7, 2022

Change https://go.dev/cl/404854 mentions this issue: cmd/go: make module .zip files group/world readable

@dr2chase dr2chase added the NeedsDecision label May 8, 2022
@bcmills bcmills added modules NeedsInvestigation labels May 9, 2022
@bcmills bcmills added this to the Backlog milestone May 9, 2022
@gopherbot gopherbot removed the NeedsDecision label May 9, 2022