Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

cmd/go: Downloaded zip file permissions in $GOMODCACHE/cache/download are too restrictive #52765

Closed
dmgk opened this issue May 7, 2022 · 3 comments
Labels
FrozenDueToAge modules NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Milestone

Comments

@dmgk
Copy link
Member

dmgk commented May 7, 2022

os.CreateTemp in downloadZip creates files with 0600 permissions and as a consequence, after the final os.Rename, the downloaded zip files are left readable only by their owner.

Such restrictive permissions create problems in build/CI environments where go mod download is a separate step and performed under a distinct "download" user. For example, it makes it impossible to do go mod verify during the build stage, if the build stage is executed under a "build" user that is distinct from the "download" user.

It's doesn't seem that making cached zip files readable by "group" and "others" (0644) would compromise cache integrity, but it would fix the above issue.

@seankhliao seankhliao reopened this May 7, 2022
@seankhliao
Copy link
Member

does the -modcacherw flag do what you want?
the cache is readonly by default because of tests: #27161 (comment)

@dmgk
Copy link
Member Author

dmgk commented May 7, 2022

No, -modcacherw sets cache directories permissions. This issue is about zip archives permissions.

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/404854 mentions this issue: cmd/go: make module .zip files group/world readable

@dr2chase dr2chase added the NeedsDecision Feedback is required from experts, contributors, and/or the community before a change can be made. label May 8, 2022
@bcmills bcmills added modules NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. labels May 9, 2022
@bcmills bcmills added this to the Backlog milestone May 9, 2022
@gopherbot gopherbot removed the NeedsDecision Feedback is required from experts, contributors, and/or the community before a change can be made. label May 9, 2022
jproberts pushed a commit to jproberts/go that referenced this issue Aug 10, 2022
os.CreateTemp in downloadZip leaves downloaded .zip files readable only
by the owner. Make them group/world readable.

Fixes golang#52765

Change-Id: Iace13e4ad813201a533a1a5fc0c6d9b2e5349a42
Reviewed-on: https://go-review.googlesource.com/c/go/+/404854
Reviewed-by: Ian Lance Taylor <iant@google.com>
Reviewed-by: Bryan Mills <bcmills@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Bryan Mills <bcmills@google.com>
@golang golang locked and limited conversation to collaborators Jun 22, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
FrozenDueToAge modules NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Projects
None yet
Development

No branches or pull requests

5 participants