fix(bundler): In .deb packages, set uid=0 for all files #7980
Thanks for the PR! Since we didn't merge 1.x back into dev yet (should happen once the 1.5 release calmed down a bit), I think this should target the 1.x branch instead so 1.x users get the fix faster.
In Debian packages, set `root` as the owner of control files and package files (uid=0, gid=0).
Thanks @FabianLars, I've rebased the PR to target branch
Thank you!
Thanks for this security relevant improvement 👍
Port of tauri-apps/tauri#7980 Co-authored-by: Olivier Lemasle <o.lemasle@gmail.com>
Other information
This solves one of the issues reported in #7074: `lintian` (the Debian package linter) reported these errors:

The Debian package file contains two archive files (`control.tar.gz` and `data.tar.gz`) which are created with file metadata copied from the build filesystem: mode, time, uid, gid, etc.

That caused the package to use the uid of the build user (typically an unprivileged user with `uid` 1000) instead of the `root` user as required.

With this commit, the metadata are still copied, except for `uid` and `gid`, which are overridden and set to `0` (=`root`).
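The ownership problem described above can be checked directly on the decompressed `control.tar` or `data.tar` stream. The following is an added example, not code from this PR or from the Tauri bundler: it walks the ustar headers, reports entries not owned by 0:0, and can rewrite `uid`/`gid` to `0` with a recomputed header checksum. The names `audit`, `octal` and `entry` are hypothetical, and it assumes plain octal `uid`/`gid` fields (no base-256 values or pax overrides).

```rust
// Added example (not Tauri's code): audit file ownership in a raw ustar stream.
const BLOCK: usize = 512;

fn octal(f: &[u8]) -> u64 { // header numbers are ASCII octal
    f.iter().skip_while(|b| **b == b' ').take_while(|b| (b'0'..=b'7').contains(*b))
        .fold(0, |n, b| n * 8 + u64::from(b - b'0'))
}

/// Return (name, uid, gid) of entries not owned by 0:0; with `fix`, set both to 0.
fn audit(tar: &mut [u8], fix: bool) -> Vec<(String, u64, u64)> {
    let (mut bad, mut off) = (Vec::new(), 0);
    while off + BLOCK <= tar.len() && tar[off] != 0 {
        let h = &mut tar[off..off + BLOCK];
        let (uid, gid, size) = (octal(&h[108..116]), octal(&h[116..124]), octal(&h[124..136]));
        if uid != 0 || gid != 0 {
            let name = h[..100].split(|b| *b == 0).next().unwrap();
            bad.push((String::from_utf8_lossy(name).into_owned(), uid, gid));
            if fix {
                h[108..124].copy_from_slice(b"0000000\x000000000\x00");
                h[148..156].fill(b' '); // checksum is summed with this field as spaces
                let sum: u32 = h.iter().map(|b| u32::from(*b)).sum();
                h[148..156].copy_from_slice(format!("{:06o}\0 ", sum).as_bytes());
            }
        }
        off += BLOCK + (size as usize + BLOCK - 1) / BLOCK * BLOCK; // data is block-padded
    }
    bad
}

/// Constructed sample entry: header (checksum left blank) plus padded data.
fn entry(name: &str, uid: u32, gid: u32, data: &[u8]) -> Vec<u8> {
    let mut h = vec![0u8; BLOCK];
    h[..name.len()].copy_from_slice(name.as_bytes());
    h[108..116].copy_from_slice(format!("{:07o}\0", uid).as_bytes());
    h[116..124].copy_from_slice(format!("{:07o}\0", gid).as_bytes());
    h[124..136].copy_from_slice(format!("{:011o}\0", data.len()).as_bytes());
    h.extend_from_slice(data);
    h.resize(BLOCK + (data.len() + BLOCK - 1) / BLOCK * BLOCK, 0);
    h
}

fn main() {
    let mut tar = entry("./usr/bin/app", 1000, 1000, b"ELF"); // build user's uid/gid
    tar.extend(entry("./usr/share/doc/app/copyright", 0, 0, b"MIT"));
    tar.extend(vec![0u8; 2 * BLOCK]); // end-of-archive marker
    for (name, uid, gid) in audit(&mut tar, true) {
        println!("{}: uid={} gid={}, rewritten to 0:0", name, uid, gid);
    }
}
```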