Warren Togami wrote:
> Hi Spot,
>
> During FUDCON2 one of the TODO's I promised you was to send details
> about package umask issues. This is only an issue for sysadmins when
> they insist on using a system umask of 077 supposedly for some hardening
> reason. Two kinds of packages then have problems:
>
> 1) Packages with unowned files or directories. This of course has an
> obvious solution, simply own it. This is already covered in our
> packaging guidelines. MUST right?
>
> 2) Packages which create unpackaged files in scriptlets like %post
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136030
> This is one example where this caused a problem. The quick and ugly
> workaround is to explicitly set umask at the beginning of the scriptlet.
> But the correct fix would be to make it so the software does not create
> files in %post. The latter solution is not always trivial.
>
> Should we make #2 a SHOULD or MUST in guidelines?

Fonts intended to be useable systemwide by all users, must get
installed on the system with read mode set for user, group, and
other, at a minimum. In order for these fonts to then be useable
by the X11 core fonts subsystem (legacy font support, mostly
used by Xt/Xaw apps and other old stuff), the font metadata files
(fonts.dir, fonts.scale, fonts.alias) must also be world readable
(generally mode 0644 is preferred).

Any font package that installs fonts and prepares them for use
by the core fonts system, by calling chkfontpath,
ttmkfdir/mkfontscale, mkfontdir, must be invoked in an environment
which has umask set to 0133 to ensure the metadata files are
created with the proper permissions to be seen by all users. Of
course this assumes that the intention of a given rpm is to make
the fonts useable systemwide, and not limited to a specific user
or group, etc.

Previously we used to patch mkfontdir to force fonts.dir and
encodings.dir metadata files to be mode 0644, however XFree86.org
rejected the patch, so I dropped it in the next OS release and
changed the initscript for xfs to force "umask 0133" instead,
however that only works if all font packages correctly set the
umask upon installation as well.

It's been ages since I've seen any bug reports of the nature
of fonts missing which could be traced to improper font installation
permissions however, so this may not be a huge problem nowadays
simply out of coincidence or luck.

Nonetheless, I thought I'd mention it in the thread upon request
of Warren.

TTYL
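
The umask behaviour discussed in this thread, as an added example that is not part of the original messages: one function reproduces a scriptlet creating fonts.dir under an inherited umask, with and without an explicit umask at the top, and a second lists font metadata files that other users cannot read. The function names and temporary paths are assumptions, and a plain redirect stands in for mkfontdir.

```shell
#!/bin/sh
# Added example; function names and paths are hypothetical.

# Print the octal mode of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Simulate a %post scriptlet that generates fonts.dir.
#   $1 = umask inherited from the admin's shell (e.g. 077)
#   $2 = umask set explicitly at the top of the scriptlet, "" for none
# Prints the mode the generated file ends up with.
scriptlet_mode() {
    # The temp dir is created first: a directory made under umask 0133
    # would lack the owner's search bit and could not be written into.
    dir=$(mktemp -d) || return 1
    (
        umask "$1"                           # what the scriptlet inherits
        if [ -n "$2" ]; then umask "$2"; fi  # the workaround from the thread
        : > "$dir/fonts.dir"                 # stand-in for mkfontdir output
    )
    file_mode "$dir/fonts.dir"
    rm -rf "$dir"
}

# List X11 core font metadata files under $1 that "other" cannot read.
unreadable_metadata() {
    find "$1" -type f \( -name fonts.dir -o -name fonts.scale \
        -o -name fonts.alias \) ! -perm -004 -print
}

echo "inherited 077, no explicit umask: $(scriptlet_mode 077 '')"
echo "inherited 077, umask 0133 set:    $(scriptlet_mode 077 0133)"
```

Pointing `unreadable_metadata` at an installed font tree after a package transaction shows which metadata files were generated under a restrictive umask.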